RE: [suse-security] MSSQL-Attack: What can I do?
Hi Mario:
I just tried some downloads (10:00 PM PTZ) and all SuSE mirrors that I tried "timed out." The Internet Health Report http://www.internetpulse.net/ now shows a number of US backbone providers including AT&T going critical (in the red zone), so you are not alone.
SQLsecurity.com is recommending blocking access to TCP 1433 and UDP 1434 from all untrusted clients, which it appears you are doing with your rules.
You didn't say if you have a SQL Server inside your firewall. Do you? If so you might look at SQLsecurity.com.
Sorry I can't be more helpful :((
*************
"Mario Neubert" wrote:
Hello List,
I have just seen the graphs of my server with MRTG. This fu..... crackers. My system is stable but the traffic is very high. The rules with udp/tcp 1433/1434 do block the unicast traffic, but multicast traffic also comes in and I don't know what I can do against this. It seems to be the MSSQL worm on a multicast address.
List, does anyone have any idea? Many thanks....
Mario
PS:
tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434: udp 376
I have inserted the following rules into SuSEfirewall:
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 217.175.233.161 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
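The only evidence in the thread is one tcpdump line and an MRTG graph. A small parser over tcpdump's one-line UDP summaries turns that into numbers: how many datagrams hit port 1434 with the 376-byte payload seen above, how many of them are addressed to multicast versus unicast destinations, how many bytes that is, and which sources send them. This is an added example, not code from the thread or from SuSE; it assumes tcpdump's default summary format ("src.port > dst.port: udp len") and classifies multicast against the whole 224.0.0.0/4 range, which is wider than the 224.0.0.0/8 in the posted rule. Apart from the first sample line, which is the one from the post, the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# tcpdump summary line as it appears in the thread:
#   217.175.233.161.1181 > 224.41.16.185.1434: udp 376
LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*udp\s+(?P<length>\d+)"
)

# Whole IPv4 multicast range (224.0.0.0 - 239.255.255.255).
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Destination port and UDP payload length from the thread's tcpdump line.
SLAMMER_PORT = 1434
SLAMMER_UDP_LEN = 376


def parse_line(line):
    """Return a dict for a tcpdump UDP summary line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "length": int(m["length"]),
    }


def is_slammer_like(rec):
    """UDP to port 1434 carrying the 376-byte payload seen in the thread."""
    return rec["dport"] == SLAMMER_PORT and rec["length"] == SLAMMER_UDP_LEN


def summarize(lines):
    """Count matching datagrams split by unicast/multicast destination,
    total their UDP payload bytes and tally the sending addresses."""
    out = {"unicast": 0, "multicast": 0, "udp_bytes": 0,
           "other": 0, "sources": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_slammer_like(rec):
            out["other"] += 1
            continue
        key = "multicast" if rec["dst"] in MULTICAST else "unicast"
        out[key] += 1
        out["udp_bytes"] += rec["length"]
        out["sources"][str(rec["src"])] += 1
    return out


# Constructed sample: the first line is the one posted in the thread,
# the others are made up to exercise each branch.
SAMPLE = [
    "217.175.233.161.1181 > 224.41.16.185.1434: udp 376",
    "217.175.233.161.1181 > 239.255.1.2.1434: udp 376",   # multicast outside 224.0.0.0/8
    "198.51.100.7.1045 > 192.0.2.10.1434: udp 376",       # unicast hit on a local host
    "192.0.2.10.53 > 198.51.100.7.1045: udp 83",          # unrelated DNS reply
    "12:01:03.000000 IP 203.0.113.9.2222 > 192.0.2.10.1434: udp 376",  # with timestamp prefix
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"1434/376 datagrams: {s['unicast']} unicast, {s['multicast']} multicast, "
          f"{s['udp_bytes']} UDP payload bytes, {s['other']} other lines")
    for src, n in s["sources"].most_common(3):
        print(f"  {src}: {n}")
```

Feed it a capture such as `tcpdump -n -l udp port 1434` to see what share of the inbound traffic is multicast; whatever the split, the byte total is what crosses the link, which is why the replies below about the upstream provider matter regardless of local filtering.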
Please have a look: http://kaspersky.com/news.html?id=970395
--
Boris Kimel
N. D. Zelinsky Institute of Organic Chemistry
47 Leninsky Prospekt, Moscow, Russia
Phone1: +7 095 135-89-41
Phone2: +7 095 938-35-10
Phone3: (inside IOC) 9-80 auto secretary, please use!
Fax: +7 095 135-53-28
Email: kimel@1303.ru
-----Original Message-----
From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net]
Sent: 29 January 2003 9:28
To: "Mario Neubert"; suse-security@suse.com
Subject: RE: [suse-security] MSSQL-Attack: What can I do?
Hello,
I don't have an MS-SQL Server behind my firewall and I already block these ports. My question is: how can I disable my NICs' multicast mode so they no longer listen for multicast traffic? I pay for this traffic and much traffic is much money :(
Thanks,
Mario
-----Original Message-----
From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net]
Sent: Wednesday, January 29, 2003 7:28 AM
To: "Mario Neubert"; suse-security@suse.com
Subject: RE: [suse-security] MSSQL-Attack: What can I do?
Mario Neubert wrote:
Hello,
I don't have an MS-SQL Server behind my firewall and I already block these ports. My question is: how can I disable my NICs' multicast mode so they no longer listen for multicast traffic? I pay for this traffic and much traffic is much money :(
Your upstream ISP *MUST* block this, otherwise you cannot stop the traffic because you can only filter behind the pipe you have to pay for. So ask them to add filters for the ports. (We did that for our customers on Sat. ;)
Regards
On Wednesday 29 January 2003 7:30, Sven 'Darkman' Michels wrote:
Mario Neubert wrote:
Hello,
I don't have an MS-SQL Server behind my firewall and I already block these ports. My question is: how can I disable my NICs' multicast mode so they no longer listen for multicast traffic? I pay for this traffic and much traffic is much money :(
Your upstream ISP *MUST* block this, otherwise you cannot stop the traffic because you can only filter behind the pipe you have to pay for. So ask them to add filters for the ports. (We did that for our customers on Sat. ;)
Regards
I do not understand the response to this question evidently. You can disable multicast with the adv. routing tools that should be standard now:
ip link set eth? multicast off
Tech Support wrote:
I do not understand the response to this question evidently. You can disable multicast with the adv. routing tools that should be standard now:
ip link set eth? multicast off
The traffic is still coming through the line and you have to pay for it, so whatever he filters, the traffic will keep his pipe under traffic, or? :)
On Wednesday 29 January 2003 12:55, Sven 'Darkman' Michels wrote:
Tech Support wrote:
I do not understand the response to this question evidently. You can disable multicast with the adv. routing tools that should be standard now:
ip link set eth? multicast off
The traffic is still coming through the line and you have to pay for it, so whatever he filters, the traffic will keep his pipe under traffic, or? :)
If his pipe is being filled with this traffic, then yes, I agree the only cure is to look for help upstream. In my neck of the woods ISPs don't filter for anybody...
participants (5)
- bobk
- GarUlbricht7@netscape.net
- Mario Neubert
- Sven 'Darkman' Michels
- Tech Support