[personal profile] adderslj
We probably all know about the worm that ate the Internet now. The technical details are simple enough for even me to grasp. It's a worm which copies itself into the memory of unprotected SQL servers and proceeds to create enough Internet traffic that it swamps the network.

So far, so good. The thing I fail to comprehend is, if there has been a patch available for this vulnerability for the last six months, why have so few people got round to installing it? I realise that the majority of the people who read this are likely to be around 3000% more techie than me, so can you explain this to me? It seems self-evident that these sorts of security patches should be a first priority for anybody operating a server.

But what do I know? I'm only a hack.

Date: 2003-01-28 03:40 am (UTC)
From: [identity profile] gwenix.livejournal.com
This is the patch announcement from July 24th:

http://www.nextgenss.com/advisories/mssql-udp.txt

Please note the section:

Network Based Denial of Service
*************************************

When an SQL Server receives a single byte packet, 0x0A, on UDP port 1434 it
will reply to the sender with 0x0A. A problem arises as SQL Server will
respond, sending a 'ping' response to the source IP address and source port.
This 'ping' is a single byte UDP packet - 0x0A. By spoofing a packet from
one SQL Server, setting the UDP port to 1434, and sending it to a second
SQL Server, the second will respond to the first's UDP port 1434. The first
will then reply to the second's UDP port 1434 and so on. This causes a storm
of single byte pings between the two servers. Only when one of the servers
is disconnected from the network or its SQL service is stopped will the
storm stop. This is a simple network based DoS, reminiscent of the echo and
chargen DoSes discussed back in 1996
(http://www.cert.org/advisories/CA-1996-01.html). When in this state, the
load on each SQL Server is raised to c. 40 - 60 % CPU time.


There is no excuse for not patching your server when something like this is at stake. Yes, even we in the Unix world let a few things go unpatched, but after we've considered the potential ramifications vs the immediate problems. I help maintain the security on approximately 300 customized servers which have next to no way to standardly patch when issues come up, but we make sure to get things patched when either the network or the server is at risk as quickly as possible. Even if that means rebuilding and retuning Apache and all of its dependent packages for each customized server on our network.

Yes, it's a lot of work when we have other projects we need to get done, but it's also prevented a lot of major catastrophes here. Such is the life of a sysadmin, if we couldn't hack it this way, we wouldn't be in this job.

I can accept that if something requires a lot of reworking (as I'm told this patch really did require), it might take a bit longer than "yesterday" to get applied. However, six months is just ridiculous and horrible work on any administrator's part.

Gwendolyn R. Schmidt, SysAdmin, SAGE member.
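Detection logic for the 1434-to-1434 ping storm the quoted advisory describes, as an added example that is not part of the original post, the comment, or the advisory; the capture records are constructed and the alert threshold is an assumption:

```python
from collections import Counter
from typing import NamedTuple


class UdpPacket(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


SQL_RESOLUTION_PORT = 1434   # SQL Server Resolution Service listens on UDP 1434
PING_BYTE = b"\x0a"          # the single-byte 'ping' (and reply) from the advisory


def is_resolution_ping(pkt: UdpPacket) -> bool:
    """True for a 0x0A ping or reply involving UDP 1434 on either end."""
    return pkt.payload == PING_BYTE and SQL_RESOLUTION_PORT in (pkt.src_port, pkt.dst_port)


def find_ping_storms(packets, threshold: int = 10) -> dict:
    """Map each host pair caught in a reflection loop to its packet count.
    A real client sends its ping from an ephemeral source port, so 0x0A
    traffic with BOTH ports equal to 1434, flowing in both directions between
    the same two hosts, is the signature of the storm; threshold is assumed."""
    counts: Counter = Counter()
    directions: dict = {}
    for pkt in packets:
        if not is_resolution_ping(pkt):
            continue
        if pkt.src_port != SQL_RESOLUTION_PORT or pkt.dst_port != SQL_RESOLUTION_PORT:
            continue
        key = frozenset((pkt.src_ip, pkt.dst_ip))
        counts[key] += 1
        directions.setdefault(key, set()).add((pkt.src_ip, pkt.dst_ip))
    return {k: n for k, n in counts.items() if n >= threshold and len(directions[k]) == 2}


def sample_capture() -> list:
    """Constructed capture: one legitimate client probe and its reply,
    then a 1434<->1434 storm bouncing between two servers (12 packets)."""
    legit = [
        UdpPacket("192.0.2.10", 50123, "10.0.0.5", 1434, PING_BYTE),
        UdpPacket("10.0.0.5", 1434, "192.0.2.10", 50123, PING_BYTE),
    ]
    a, b = "10.0.0.5", "10.0.0.9"
    storm = [UdpPacket(a if i % 2 == 0 else b, 1434, b if i % 2 == 0 else a, 1434, PING_BYTE)
             for i in range(12)]
    return legit + storm


if __name__ == "__main__":
    for hosts, n in find_ping_storms(sample_capture()).items():
        print(f"ping storm between {sorted(hosts)}: {n} packets")
```

The legitimate probe and reply are not flagged because the client side uses an ephemeral port; only the symmetric 1434-to-1434 exchange trips the detector.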

Page generated Feb. 1st, 2026 11:40 am
Powered by Dreamwidth Studios