thwart SQL worm
By Rutrell Yasin
Jan. 27, 2003
federal agencies were able to stave off a fast-moving Internet worm
that wreaked havoc on networks worldwide over the weekend.

as the SQL Slammer, the worm caused high central processing unit
usages on servers, either slowing or shutting down servers by exploiting

vulnerabilities in this case are in Microsoft Corp.'s SQL Server
2000 database software and were discovered in July 2002. Microsoft
issued a patch to plug the security flaws in October.

the worm doesn't carry a malicious payload that wipes out files,
SQL Slammer is a self-propagating worm that exhausts network bandwidth,
causing performance degradation across the Internet.

Slammer took a few hours to spread across Asia, Europe and North
America on Jan. 25 as spikes in network traffic affected businesses
and government agencies, interrupting the performance of airline
travel systems and blocking access to automated teller machines.

"the attack was over and done with in a matter of hours,"
said Vincent Weafer, senior director of Symantec Corp.'s security
response center. It took about five to eight hours for the attack
to spread. This illustrates the critical need for agencies and businesses
to have a pre-defined plan to deal with fast-spreading worms, Weafer

preparation paid off for the Department of Veterans Affairs. "Our
new security operations center (SOC), a 24-by-7-by-365 activity
under the VA Central Incident Response Capability was on top of
it from the beginning," according to Bruce Brody, chief security
officer for the VA.

said that throughout the course of the incident, the VA was in constant
contact with the Federal Computer Incident Response Center, the
focal point for computer security issues impacting civilian agencies.

first released an advisory concerning the SQL Slammer worm on July
29, 2002. FedCIRC reissued the advisory as an informational notice
on its Web site (www.fedcirc.gov) Jan. 25, shortly after 8 a.m.,
according to a General Services Administration spokesperson.

VA SOC orchestrated a number of activities throughout the weekend,
including several teleconferences with all of the VA regions and
put out the necessary patches and tools," Brody said.

telecommunications provider assisted by closing the ports that the
worm used to enter and exit the enterprise. While remediation activities
and cleanup continue, we believe we withstood the brunt of incident
with minimal disruption to our enterprise."

Defense Department network deployed throughout North America and
Asia was also able to thwart disruption of network services by having
the right configuration management and control tools in place, said
Carl Wright, vice president of federal operations at Securify Inc.,
a developer of configuration management software.

traffic on the network tripled as the worm utilized bandwidth, no
machines were infected because DOD was able to take a proactive
stance by having the information it needed to ensure that all firewalls
and virtual private networks are properly configured, Wright added.

tools that help automate the process of ensuring that systems are
properly configured in addition to keeping up to date with patches
can help thwart the majority of such attacks, experts said.

about one to 2 percent of attacks are unknown; 98 percent are due
to problems that we are already aware of," said Marcus Sachs,
director of communication infrastructure protection in the White
House Office of Cyberspace Security, during a SANS Institute Webcast.

worm affected a few computers at the National Oceanic and Atmospheric
Administration, said Thomas Pyke Jr., the chief information officer
at the Commerce Department. He has asked the department's operating
units to certify that their systems have the appropriate software
patches installed and to make sure that the firewalls at the edges
of the network are configured to prevent incoming attacks and keep
the worm from going outside.

is eager to use the GSA patch dissemination system, Pyke said, adding
that the department also takes advantage of services provided by

O'Hara and Judi Hasson contributed to this report.