Don't ignore network level filtering

Posted Jan 30, 2003 0:14 UTC (Thu) by jneves (subscriber, #2859)
Parent article: A look at the MS-SQL worm

That is, Microsoft users were attaining a 99% patch and/or secure rate of systems publicly visible to the worm. This is a pretty good compliance rate.

This number is ignoring the way a lot of the machines were protected. For instance, in Portugal, I know for a fact that the second biggest ISP refused all traffic to port 1434. This allowed several thousands of companies and vulnerable machines to avoid the attack.

I believe this to be a direct result of Code Red, nimda and others. ISPs developed ways of reacting to worms and distributed attacks. I've seen how well it worked here (by "well" I mean that damage was averted) and I think that a lot more ISPs and some big companies did the same: filtered the attack at the network level.

This means that, if only 1% of the potential machines were affected, it has as much to do with Microsoft and its users as to how network administrators deal with distributed and/or worm attacks.


Don't ignore network level filtering

Posted Jan 30, 2003 10:05 UTC (Thu) by beejaybee (guest, #1581)

Yeah. Nessus has been identifying the exploit for ages; despite at least three rounds of warnings, there were still some systems at my employer's site which weren't patched. I would estimate around 50% of the (not very many) hosts running MS-SQL-S were patched.

We had the foresight to filter incoming UDP on almost all ports at our site router and therefore were not directly hit by the outbreak.

Another point here - it's obvious that a high proportion of the sysadmins of the hosts running MS-SQL-S were not even aware that the service was running. Disabling services that aren't essential is as much a part of securing a system as keeping up to date with patches. This applies to _all_ operating systems; many out-of-the-box Linux systems are also running services they don't need to; Solaris systems seem to be totally infested with a huge raft of RPC services, many of which are a complete mystery to almost everyone!
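The network-level filtering both posters describe (the ISP refusing traffic to port 1434, the site router dropping inbound UDP) leaves a log at that chokepoint, and that log is where a worm outbreak shows up first. As an added example, not part of the thread, here is a small Python summariser over constructed iptables-style DROP lines; the log format and the "worm-like" thresholds are assumptions, and the addresses are documentation ranges.

```python
"""Summarise a filtering router's DROP log to see which port a worm is
hammering.  Added example, not from the LWN thread.  The line format is an
iptables-style LOG entry (assumption); the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample: four distinct sources spraying UDP/1434 (the MS-SQL
# resolution port the worm used) at four internal hosts, plus unrelated noise.
SAMPLE_LOG = """\
Jan 25 05:31:02 rtr kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jan 25 05:31:02 rtr kernel: DROP IN=eth0 SRC=192.0.2.11 DST=198.51.100.9 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jan 25 05:31:03 rtr kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.22 PROTO=UDP SPT=2010 DPT=1434 LEN=384
Jan 25 05:31:03 rtr kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.40 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jan 25 05:31:04 rtr kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=4321 DPT=1434 LEN=384
Jan 25 05:31:05 rtr kernel: DROP IN=eth0 SRC=203.0.113.50 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53 LEN=72
Jan 25 05:31:06 rtr kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=445 LEN=60
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) SPT=(\d+) DPT=(\d+) LEN=(\d+)")


def summarise_drops(log_text):
    """Return {(proto, dport): {'hits': n, 'sources': set, 'targets': set}}."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line; skip
        src, dst, proto, _spt, dport, _length = m.groups()
        entry = summary[(proto, int(dport))]
        entry["hits"] += 1
        entry["sources"].add(src)
        entry["targets"].add(dst)
    return dict(summary)


def worm_like_ports(summary, min_sources=3, min_targets=3):
    """Ports where many distinct sources hit many distinct internal hosts:
    the pattern of a scanning worm rather than a single noisy scanner."""
    return sorted(
        (proto, port) for (proto, port), e in summary.items()
        if len(e["sources"]) >= min_sources and len(e["targets"]) >= min_targets
    )


if __name__ == "__main__":
    s = summarise_drops(SAMPLE_LOG)
    for proto, port in worm_like_ports(s):
        e = s[(proto, port)]
        print(f"{proto}/{port}: {e['hits']} drops from {len(e['sources'])} "
              f"sources against {len(e['targets'])} internal hosts")
```

On the constructed sample only UDP/1434 crosses the thresholds; UDP/53 and TCP/445 each come from a single source and stay below them.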

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds