Slashdot Mirror

← Back to Stories (view on slashdot.org)

10 Years After SQL Slammer

Posted by Soulskill on from the lesson-learned dept.

Trailrunner7 writes "Ten years ago today, on Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."

58 comments

  1. Also decided in favor of restrictive firewalls by xxxJonBoyxxx · · Score: 4, Funny

    Kind of hard to believe that ten years ago it was quite common for people to still have their SQL Servers hooked up the Internet with no firewall or firewall rules that permitted direct connections to the control port. Good luck finding that configuration today...

    1. Re:Also decided in favor of restrictive firewalls by h4rr4r · · Score: 3, Interesting

      There are still tons of them.

      I have heard such a setup suggesting in the past 12 months by a customer to make life easier for them. We did not do that.

    2. Re:Also decided in favor of restrictive firewalls by gstoddart · · Score: 3, Insightful

      My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

      I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

      You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

      Look at all the stories we've seen about SCADA devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

      --
      Lost at C:>. Found at C.
    3. Re:Also decided in favor of restrictive firewalls by Synerg1y · · Score: 1

      It's mostly done through injecting the pointer via a web application nowadays to create a SQL injection attack. Works especially well on retards who use dSQL, never have a seen a dumber implementation of SQL, or such a large compelling reason not to use it.

    4. Re:Also decided in favor of restrictive firewalls by JamesTRexx · · Score: 1

      The problem is that decent security is often too "costly" or "difficult" for the end user.
      I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).
      The only thing I don't like is IT companies setting up a customer with a shoddy network in the first place.

      --
      home
    5. Re:Also decided in favor of restrictive firewalls by khasim · · Score: 4, Insightful

      I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).

      That's the real problem. It will always be easier to NOT do something than it will be to do something.

      And NOT doing something will, 99%+ of the time, will be less expensive than doing something.

      It is only when that less-than-1%-of-the-time event hits that "something" gets done. And even then the 'something" is usually a panic reaction and NOT real security.

    6. Re:Also decided in favor of restrictive firewalls by Shoten · · Score: 1

      My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

      I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

      You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

      Look at all the stories we've seen about SCADA devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

      With the exception of the password storage using clear text, what you're describing has nothing to do with software insecurity but everything to do with architecture insecurity. SCADA devices, database servers, or any "back office" infrastructure that is exposed broadly to the Internet without a genuine business case for anyone and their dog to have direct access to it is a bad idea. It's not about the software, in that case, it's about how the infrastructure is designed to contain it (or not). And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    7. Re:Also decided in favor of restrictive firewalls by Anonymous Coward · · Score: 0

      "Kind of hard to believe that ten years ago it was quite common for people to still have their SQL Servers hooked up the Internet with no firewall or firewall rules that permitted direct connections to the control port. Good luck finding that configuration today..."

      True story.

      I work on a quite sensible environment. But since current SQL Server default installation means using dynamic port assignment, the security team solution is... completly open connections to the server, since it's not known which its port will be.

    8. Re:Also decided in favor of restrictive firewalls by DiegoBravo · · Score: 1

      > And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.

      No, it's usually WAY difficult to address this "architecture" insecurity as you put it. I really don't understand why you're even mentioning firewall costs at all.

      To correct that kind of "architecture" issues you often need to add layers/filters/equipment/barriers into the data flow, which introduces lots of issues and in the general case is expensive. Specialy when you have a legacy infraestructure where the Internet is a later addon.

    9. Re:Also decided in favor of restrictive firewalls by Anonymous Coward · · Score: 0

      Thats not what happened. People bringing laptops in to the LAN was the culprit. We had no where near the same technologies to protect from byod devices as now. These days my byod is a segregated enclave with no routing to the corporate LAN. This doesnt solve the problem of domain laptops being used at home. In short saying we were naive is naive because this could easily happen again.

  2. HTTP Slammer by rastakid · · Score: 4, Funny

    Slashdot does it again.

    --
    In need of reliable and affordable server monitoring?
  3. Every minute by zmooc · · Score: 1

    Can't get my head around this... why would you want to run MSSQL every minute? It's not that unstable.

    --
    0x or or snor perron?!
  4. Google Cache Version by Anonymous Coward · · Score: 5, Informative

    http://goo.gl/PCkGM

  5. Security priorities have changed by Cid+Highwind · · Score: 4, Insightful

    So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

    Times change indeed...

    --
    0 1 - just my two bits
    1. Re:Security priorities have changed by Anonymous Coward · · Score: 0

      I'm assuming it was proof of concept code, which is very common when proving to large companies that problems exist in their product.

      captcha: extort

    2. Re:Security priorities have changed by eap · · Score: 5, Informative

      So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

      Times change indeed...

      The article mentions he was paid by a company in Germany to penetrate their heavily-fortified SQL Server installations. This is when he developed the exploit code. Presumably it's not illegal for a company to pay you to security test its systems.

      He also took the steps of communicating the exploit to Microsoft before releasing the code. He even asked their permission before divulging the code, and didn't do so until MS had released a fully corrective patch.

      You're right, however, he'd be in jail if it happened today.

    3. Re:Security priorities have changed by sycodon · · Score: 1

      One has to ask, why would he release the code?
      What was the point?
      What was the benefit?

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    4. Re:Security priorities have changed by gmuslera · · Score: 1

      Authorities weren't aware yet. Now he probably will be jailed till next century, along with Randall Munroe.

    5. Re:Security priorities have changed by Anonymous Coward · · Score: 0

      Don't know about his motivations but:

      One positive aspect of Slammer was the effect it had on patching â" prior to Slammer Iâ(TM)d guesstimate, from the results of penetration tests and so on, that 9 out of 10 SQL Servers were unpatched. Immediately after Slammer this reversed leaving 1out of 10 unpatched. Patching was 100% effective in preventing reinfection and so, in its own ironic way, Slammer helped make the Internet that little bit more secure.

    6. Re:Security priorities have changed by sycodon · · Score: 1

      That's like saying having a spate of burglaries on your block convinced everyone to install alarm systems so now the neighborhood is a little bit more secure.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    7. Re:Security priorities have changed by Anonymous Coward · · Score: 0

      One has to ask, why would he release the code?

      Are you kidding me? Not this again. I' so sick and tired of having to defend the public release of knowledge. But here I go again.

      "It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties."

      That is a quote by A. C. Hobbs, from a discussion about full disclosure in 1853. You can find it, and other interesting tidbits, in the history section of the Quotepedia page on full disclosure.

      What was the benefit?

      The benefit is knowledge. Perhaps someone reads the code and recognizes the mistake and realizes he made it himself and can rectify his code. Perhaps reading the code will prevent someone somewhere from making the same mistake. Perhaps it can be used for penetration testing kits to find unpatched servers on otherwise safe networks. Who knows what may or may not happen, but, in the end, acquaintance with real facts will be better for all parties.

    8. Re:Security priorities have changed by sycodon · · Score: 1, Flamebait

      Nice.

      An A.C. all lathered up about Full Disclosure.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    9. Re:Security priorities have changed by Anonymous Coward · · Score: 0

      Ah yes, because my words would carry so much more weight if they were accompanied by a pseudonym and, preferably, a low uid.

    10. Re:Security priorities have changed by sycodon · · Score: 1

      It's more a case of do as I say, not as I do.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    11. Re:Security priorities have changed by Anonymous Coward · · Score: 0

      We started at "why would he disclose exploit code with knowledge from the manufacturer after a patch was released" full disclosure, and now you want to equate that to "for your argument about full disclosure to be valid you have to supply me with a name" full disclosure.

      It's official, you are pathetic.

    12. Re:Security priorities have changed by sycodon · · Score: 1

      Do as I say, not as I do is pathetic.

      Don't lecture people about something you are not prepared to do yourself.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    13. Re:Security priorities have changed by Anonymous Coward · · Score: 0

      No it's not.

    14. Re:Security priorities have changed by sycodon · · Score: 1

      So that's a great big "Nuh Uhhh" from the AC eh?

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    15. Re:Security priorities have changed by Zontar+The+Mindless · · Score: 1

      Okay, so we'll all post our real names, addresses, and telephone numbers.

      Starting with you, of course.

      And once we've all done this... Guess what? Nothing will have changed: the AC will still be just as right, and you will be just as wrong.

      --
      Il n'y a pas de Planet B.
  6. Our article on the subject: by nweaver · · Score: 4, Informative

    We (David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and myself) did the analysis of how it spread, including showing how it infected all the vulnerable systems in 10 minutes, and detailing flaws in the random number generator.

    Our article eventually appeared in IEEE Security & Privacy.

    --
    Test your net with Netalyzr
    1. Re:Our article on the subject: by cusco · · Score: 1

      I remember that being a very busy week for my boss and myself. Take the machine off the network, back up the database, remove MSDE, whack everything referring to SQL in the registry and all the folders since MSDE didn't clean up after itself very well, reboot, reinstall MSDE, apply patch, restore database, plug back into the network, leave our list of security recommendations to the customer, go to the next site. Wash, rinse, repeat.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:Our article on the subject: by Anonymous Coward · · Score: 1

      It'll cost me 31 dollars to read that article. I think I'll pass.

    3. Re:Our article on the subject: by yuhong · · Score: 1

      Why would removal and reinstallation of MSDE be required?

    4. Re:Our article on the subject: by Anonymous Coward · · Score: 0

      You have the audacity to place your work behind a pay-wall, the kind of thing people die over, and then advertise it here. Disgusting.

    5. Re:Our article on the subject: by Zontar+The+Mindless · · Score: 1

      "The kind of thing people die over"? Isn't that a bit, shall we say, dramatic?

      --
      Il n'y a pas de Planet B.
    6. Re:Our article on the subject: by cusco · · Score: 1

      We tried just rebuilding MSDE a couple of times and it didn't get rid of it consistently. Brute force worked every time, so better to spend the extra time on five customers than have to go back and re-do your work on one or two of them. There were some situations where we couldn't, and my boss took care of those to make sure that it was done correctly and Slammer was gone.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  7. American Express got burned by Anonymous Coward · · Score: 0

    Amex didn't believe in installing Microsoft patches in a timely fashion, having been burned by bad NT patches.

    The SQL worm was rampant inside the network, requirement a massive internal shutdown.

  8. Re:Researches by Golddess · · Score: 2

    Sure it does. The guy can be both a researcher and know how to code. Sort of like how someone can be a driver but also know how to rebuild an engine.

    --
    "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
  9. Check your firewall logs. by khasim · · Score: 2

    You'll see all kinds of ancient exploits still being tried by machines around the world.

    At one place I worked, the contractors who came in to install the VoIP system also connected one of the Win2K3 servers directly to the Internet so that they could manage the VoIP system "easier". And that was back around 2010.

    Never underestimate the power of laziness and stupidity.

    1. Re:Check your firewall logs. by dbIII · · Score: 1

      2012 and I had one clown that wanted us to forward the telnet port in from the internet to the phone system he was installing and keep it open forever so he could configure it remotely. Of course there was no password, and of course the username was something obvious. I wonder how many places are giving script kiddies free phone calls thanks to that clown.
      It was almost his last install and last day breathing. He took a can of drink into the server room and had it sitting on a large UPS of quite a few kW when I came in. Earth leakage circuits do nothing to stop batteries discharging. If he'd spilled that drink he would have been a crispy dead critter and the ignition point of a large fire.

  10. You can't beat clueless by A+Friendly+Troll · · Score: 3, Insightful

    Letting a DB server out on the internet is moronic by itself, but not having installed a patch that was available 6 months before the worm started spreading, well, that's even worse.

    The worst thing of all, however, is that Microsoft *itself* had unpatched instances of SQL Server out on the net and they themselves got pwned.

    1. Re:You can't beat clueless by yuhong · · Score: 1

      Yea, at that time Windows Update and SUS did not cover anything other than Windows itself. In fact, at that time SQL Server hotfixes and updates did not even have an installer. You had to use manual file copy to install them, and this included manual version checking if you installed more than one of them. Needless to say, when WSUS and Microsoft Update was created in mid-2005, SQL Server was included.

    2. Re:You can't beat clueless by yuhong · · Score: 1

      And of course not only does post SQL Server 2000 SP3 hotfixes have an installer, but the original patch was repackaged with it too.

    3. Re:You can't beat clueless by ByronHope · · Score: 1

      That's a little harsh. At the time of slammer, I was feeling superior as I had rolled that patch out when it was released. It was then that I discovered the horror of MSDE installed, unpatched on user PCs and various application servers.

  11. REMOVE THE S FROM HTTPS IN THE URL by Anonymous Coward · · Score: 0

    The standard site is fine but the secure site has been slammed. Do the host a favor and stop unnecessarily accessing this site securely. You don't even need to bother with the Google cache.

  12. Okay, so... by UltraZelda64 · · Score: 0

    Ten years down the line, does it run on Linux yet?

  13. Concur by Anonymous Coward · · Score: 0

    I am working for a major, multi-billion dollar corporation, a leader in its field. I have access to hundreds of Gigabyte of customer-related data, which is pathetically secured. Every kiddie who knows a bit about Windows and is inside the corpo network could download ALL of that data. It's in plaintext. The "security" depends on some shitty client checking access permissions on the client side (!).

    I told management only to be dismissed. Because I need this job and because I am a pragmatic guy, I stopped mentioning it.

    When companies are pwned by hackers (from China or not), it is ENTIRELY THEIR OWN FAULT.

    And no, doing proper security would be affordable for a corpo making 7 billion Euros in profit per year.

  14. How "Expensive" ? by Anonymous Coward · · Score: 0

    To lock down a system of questionable security behind a Linux or BSD based IPSEC tunnel, all you need is

    A) 2 rather old, surplus PCs running Linux or BSD. Cost: $0

    B) A competent Linux or BSD consultant setting up the IPSEC tunnel in one day. Cost: $500.

    If you need more than a link between two points, it gets insignificantly more expensive, because the consultant has to set up a few more system.

    So, I guess you are a Windows, Cisco or Checkpoint Retard.

    1. Re:How "Expensive" ? by DiegoBravo · · Score: 1

      Oh yeah, you have a critical non encrypted database with some proprietary applications running in the same internet web server box, and you fix everything by adding a Linux PC with iptables and one IP tunnel. You're a total genius.

  15. The "Intranet" Fallacy by Anonymous Coward · · Score: 0

    Boy, if you really think a database server should open its ports to the "trusted" machines "behind the firewall" you need to be educated. This is a big-time risk because you can never be 100% sure about the "intranet" machines being under your control. So proper (as in "German") security engineering is to lock down the Oracle, SQL Server and so on crapola with a firewall (Linux or BSD based is good enough in most cases). Only the machines which "need" to access the crapola servers are given access.

    Never, ever think of your "intranet" as a "secure zone" or something like that. You need much smaller collectives of trust, if you want to have just a minor amount of security.

  16. NOT by Anonymous Coward · · Score: 0

    OK, we slashdotters like to paint dystopias, but there still exists some amount of "freedom of speech". I would classify the publishing of exploits under that category. If you build a virus with the exploit and release it, that would be a crime. Can you see the difference ??

  17. PAY NO ATTENTION TO THE MAN IN THE MIDDLE by Anonymous Coward · · Score: 0

    (Reposting to correct subject.)

  18. Apologies for the paywall... by nweaver · · Score: 1

    I didn't know. So here's a Non paywalled copy.

    --
    Test your net with Netalyzr
    1. Re:Apologies for the paywall... by Dagger2 · · Score: 1

      Thank you.

      This also saves me the effort of working out what it means when it asks me for "US£31.00".

  19. Slammer Worm and the Blackout by dgharmon · · Score: 1

    Slammer worm crashed Ohio nuke plant net

    Slammer Worm Hit FirstEnergy

    Slammer worm crashed Ohio nuke plant network

    US blackout was computer related

    --
    AccountKiller
  20. The good old days by john_uy · · Score: 1

    I can remember back then when the campus network was put to a halt when a single laptop overloaded the poor Cisco router connected to the internet with too much requests. It took us quite some time to isolate the problem when we were using hubs and unmanaged switches. It was quite dramatic when I stormed the room in a middle of a presentation and pulled the UTP plug out of the computer! :)

    I can also remember the Nimda worm back then when it infected a part of the network. Good thing we were using higher end switches and was able to isolate it pretty fast. We just got curious back then why all the network switch ports were blinking non-stop.

    Share those interesting experiences. :)

    John

    --
    Live your life each day as if it was your last.