Hello, I don't have a MS-SQL-Server behind my Firewall and I already block this ports. My question is: How can I disable my nic's multicastmode so they do not longer listening for multicast trafic. I pay for this trafic and much trafic is much money :( Thank's Mario

-----Original Message----- From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net] Sent: Wednesday, January 29, 2003 7:28 AM To: "Mario Neubert"; suse-security@suse.com Subject: RE: [suse-security] MSSQL-Attack: What can I do?

Hi Mario:

I just tried some downloads (10:00 PM PTZ) and all SuSE mirrors that I tried "timed out." Internet health Report http://www.internetpulse.net/ now shows a number of US backbone providers including At&T going critical (in the red zone - ) so you are not alone. SQLsecurity.com is recommending blocking access to TCP 1433 and UDP 1434 from all un-trusted clients which it appears you are doing by your rules. You didn't say if you have a SQL Server inside your firewall. Do you? If so you might look at SQLsecurity.com Sorry I can't be more helpfull :((

*************

"Mario Neubert" wrote:

...

Hello List,

Just I have seen the graphics of my server with MRTG. This fu..... crackers. My system is stable but the trafic is very high. The rules with udp/tcp - 1433/1434 does blocking the unicast traffic but also multicast trafic comes in and I don't know what can I do against this. It seems to be the MSSQL-Worm on a multicast adress.

List, have anyone any idea? Many thanks....

Mario

PS:

tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434: udp 376

I have inserted following rules to SuSEfirewall

DROP all -- 0.0.0.0/0 224.0.0.0/8 DROP all -- 217.175.233.161 0.0.0.0/0 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

__________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/downl> oad.jsp

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here