
RE: SQL Slammer Variant?

From: Rob Shein <shoten(at)starpower.net>
Date: Wed Apr 02 2003 - 10:24:13 EST


Look at the MAC address on the packets, and RARP them to find the proper IP. If it matches that of a router, go to the net(s) on the other side of that router and sniff there, doing the same thing.

-----Original Message-----

From: Wilson, Aaron J. [mailto:AARON.J.WILSON@saic.com]
Sent: Saturday, March 29, 2003 1:31 PM
To: 'incidents@securityfocus.com'
Subject: SQL Slammer Variant?

I am witnessing SQL Slammer IDS events on an internal sensor that aren't coming from one particular source. In fact, every packet sent has a unique and random source IP as well as a unique and random destination IP. The data in the packet matches the one shown at http://isc.incidents.org/analysis.html?id=180. We have UDP 1434 blocked around the perimeter and believe this traffic to be originating from a system within the internal network.

The rate of packets at around 2-6 packets per minute isn't as high as the original SQL Slammer traffic I have been seeing (at thousands of packets per minute). But this is going to be difficult to track down on a large network. If it spreads, 2-6 packets per minute per infected host with thousands of internal systems...

The first spell was between 03/27/2003 1023 and 1100 PST. It picked up again at 1431 PST on 3/28/2003 and hasn't stopped yet.

Thoughts? Similar experiences? Note to coworkers - if this is a practical joke on me it's a good one.

-Aaron
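The tracing approach in the reply above (group the spoofed-source packets by the layer-2 source address, then decide whether that MAC is an end host or a router you have to look behind) can be scripted. The block below is an added example and is not code from either poster; the capture records, the MAC and IP values, the set of known router MACs and the simplified "Slammer-like" test (UDP to port 1434 with a first payload byte of 0x04, the SQL Server Resolution Service request type the worm abuses) are all assumptions made for the demo, not the full IDS signature.

```python
"""Attribute spoofed-source UDP/1434 packets to a layer-2 sender.

Added example, not part of the original mailing-list thread. Every packet
record below is constructed for illustration. The candidate test (UDP, dst
port 1434, first payload byte 0x04) is a deliberate simplification of the
worm's signature, and ROUTER_MACS is an assumed inventory you would fill in
from your own routers' ARP entries.
"""
from collections import defaultdict
from datetime import datetime

# Assumed: interface MAC of the core router on the sniffed segment.
ROUTER_MACS = {"00:00:0c:07:ac:01"}

# Constructed capture records:
# (timestamp, src_mac, src_ip, dst_ip, proto, dst_port, payload)
SLAMMER_LIKE = b"\x04" + b"\x01" * 20          # stand-in for the worm payload
CAPTURE = [
    # One host MAC, five different (random) source IPs: source spoofing on this segment.
    ("2003-03-28 14:31:05", "00:0c:29:aa:bb:cc", "10.77.3.9",     "172.16.200.14", "udp", 1434, SLAMMER_LIKE),
    ("2003-03-28 14:31:20", "00:0c:29:aa:bb:cc", "198.51.100.7",  "10.200.1.1",    "udp", 1434, SLAMMER_LIKE),
    ("2003-03-28 14:31:41", "00:0c:29:aa:bb:cc", "203.0.113.250", "10.8.9.10",     "udp", 1434, SLAMMER_LIKE),
    ("2003-03-28 14:32:02", "00:0c:29:aa:bb:cc", "10.1.2.3",      "192.0.2.77",    "udp", 1434, SLAMMER_LIKE),
    ("2003-03-28 14:32:30", "00:0c:29:aa:bb:cc", "192.0.2.4",     "10.50.60.70",   "udp", 1434, SLAMMER_LIKE),
    # Same kind of packets arriving with the router's MAC: the real sender is behind it.
    ("2003-03-28 14:31:33", "00:00:0c:07:ac:01", "10.3.3.3",      "10.4.4.4",      "udp", 1434, SLAMMER_LIKE),
    ("2003-03-28 14:32:15", "00:00:0c:07:ac:01", "10.9.9.9",      "10.6.6.6",      "udp", 1434, SLAMMER_LIKE),
    # A legitimate SSRS instance lookup: same port and first byte, one honest source IP.
    ("2003-03-28 14:31:50", "00:50:56:11:22:33", "10.10.10.5",    "10.10.10.20",   "udp", 1434, b"\x04MYSERVER\x00"),
    # Unrelated TCP/1433 traffic that must be ignored.
    ("2003-03-28 14:31:55", "00:50:56:11:22:33", "10.10.10.5",    "10.10.10.21",   "tcp", 1433, b"\x12\x01\x00"),
]


def is_slammer_candidate(rec):
    """Simplified match: UDP to 1434 whose payload starts with the SSRS request byte 0x04."""
    _, _, _, _, proto, dport, payload = rec
    return proto == "udp" and dport == 1434 and len(payload) > 0 and payload[0] == 0x04


def attribute_by_mac(capture, router_macs):
    """Group candidate packets by source MAC and say what each MAC tells you.

    The source IP is untrustworthy (it is random), but the source MAC was put
    on the frame by whatever last forwarded it on this segment, so it either
    names the infected host or the router you need to sniff behind.
    """
    per_mac = defaultdict(lambda: {"packets": 0, "src_ips": set(),
                                   "dst_ips": set(), "first": None, "last": None})
    for rec in capture:
        if not is_slammer_candidate(rec):
            continue
        ts, mac, sip, dip = rec[0], rec[1], rec[2], rec[3]
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        e = per_mac[mac]
        e["packets"] += 1
        e["src_ips"].add(sip)
        e["dst_ips"].add(dip)
        e["first"] = t if e["first"] is None or t < e["first"] else e["first"]
        e["last"] = t if e["last"] is None or t > e["last"] else e["last"]

    report = {}
    for mac, e in per_mac.items():
        span = (e["last"] - e["first"]).total_seconds()
        # Packets per minute over the observed window; a single packet has no window.
        rate = e["packets"] * 60.0 / span if span > 0 else float(e["packets"])
        if mac in router_macs:
            verdict = "router"          # move the sniffer to the segment(s) behind it and repeat
        elif len(e["src_ips"]) > 1:
            verdict = "spoofing_host"   # one MAC, many source IPs: resolve this MAC to a host/switch port
        else:
            verdict = "single_source"   # consistent source IP; probably not the worm
        report[mac] = {
            "verdict": verdict,
            "packets": e["packets"],
            "distinct_src_ips": len(e["src_ips"]),
            "distinct_dst_ips": len(e["dst_ips"]),
            "rate_per_min": rate,
        }
    return report


if __name__ == "__main__":
    for mac, info in attribute_by_mac(CAPTURE, ROUTER_MACS).items():
        print(f"{mac}  {info['verdict']:14s} pkts={info['packets']} "
              f"src_ips={info['distinct_src_ips']} rate={info['rate_per_min']:.1f}/min")
```

A MAC reported as `spoofing_host` can be resolved from the ARP cache of any machine on that segment, or located physically from the switch's MAC address table, which works even when the host's real IP is unknown. A MAC reported as `router` only tells you which way to walk: the source MAC is rewritten at every hop, so the capture has to be repeated on the next segment toward the sender.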



Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfihl1

Received on Wed Apr 2 23:03:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:01 EDT
