Hello,

I don't have an MS-SQL Server behind my firewall and I already block these ports. My question is: How can I disable my NICs' multicast mode so they no longer listen for multicast traffic? I pay for this traffic, and much traffic is much money :(

Thanks,
Mario

-----Original Message-----
From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net]
Sent: Wednesday, January 29, 2003 7:28 AM
To: "Mario Neubert"; suse-security@suse.com
Subject: RE: [suse-security] MSSQL-Attack: What can I do?
Hi Mario:
I just tried some downloads (10:00 PM PTZ) and all SuSE mirrors that I tried "timed out." Internet Health Report http://www.internetpulse.net/ now shows a number of US backbone providers including AT&T going critical (in the red zone - ) so you are not alone. SQLsecurity.com is recommending blocking access to TCP 1433 and UDP 1434 from all un-trusted clients, which it appears you are doing by your rules. You didn't say if you have a SQL Server inside your firewall. Do you? If so, you might look at SQLsecurity.com. Sorry I can't be more helpful :((
*************
"Mario Neubert" wrote:

Hello List,

I have just seen the graphs of my server with MRTG. These fu..... crackers. My system is stable but the traffic is very high. The rules for udp/tcp 1433/1434 block the unicast traffic, but multicast traffic also comes in and I don't know what I can do against this. It seems to be the MSSQL worm on a multicast address.

List, does anyone have any idea? Many thanks....
Mario
PS:
tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434: udp 376
I have inserted the following rules into SuSEfirewall:

DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 217.175.233.161 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
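The rule list and the tcpdump line quoted in the thread, evaluated first-match, as an added example that is not part of any message above. The parsing helpers are hypothetical and handle only the fields shown in the thread; the check also reports which parts of the IPv4 multicast range 224.0.0.0/4 the all-protocol rule for 224.0.0.0/8 leaves uncovered.

```python
import ipaddress
import re

# Rules and capture line copied from the thread (iptables -L -n style listing).
RULES = """\
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 217.175.233.161 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
"""
CAPTURE = "217.175.233.161.1181 > 224.41.16.185.1434: udp 376"
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # full IPv4 multicast range

def parse_rules(text):
    """Parse 'target proto opt src dst [... dpt:N]' lines into dicts."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        m = re.search(r"dpt:(\d+)", line)
        rules.append({"text": line, "proto": f[1],
                      "src": ipaddress.ip_network(f[3]),
                      "dst": ipaddress.ip_network(f[4]),
                      "dport": int(m.group(1)) if m else None})
    return rules

def parse_capture(line):
    """Parse a tcpdump 'a.b.c.d.sport > a.b.c.d.dport: proto len' line."""
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    src, _sport, dst, dport, proto = re.match(
        ip + r"\.(\d+) > " + ip + r"\.(\d+): (\w+)", line).groups()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}

def first_match(rules, pkt):
    """Return the first rule that matches the packet, or None."""
    for r in rules:
        if (r["proto"] in ("all", pkt["proto"])
                and pkt["src"] in r["src"] and pkt["dst"] in r["dst"]
                and r["dport"] in (None, pkt["dport"])):
            return r
    return None

def uncovered_multicast(rules):
    """Multicast destinations not dropped for every protocol and source."""
    left = [MULTICAST]
    for d in (r["dst"] for r in rules
              if r["proto"] == "all" and r["src"].prefixlen == 0):
        left = [p for n in left if not n.subnet_of(d)
                for p in (n.address_exclude(d) if d.subnet_of(n) else [n])]
    return list(ipaddress.collapse_addresses(left))
```

The captured packet is already matched by the first rule; these rules act on packets after the interface has received them.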