Slashdot Mirror

← Back to Stories (view on slashdot.org)

10 Years After SQL Slammer

Posted by Soulskill on from the lesson-learned dept.

Trailrunner7 writes "Ten years ago today, on Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."

12 of 58 comments (clear)

  1. Also decided in favor of restrictive firewalls by xxxJonBoyxxx · · Score: 4, Funny

    Kind of hard to believe that ten years ago it was quite common for people to still have their SQL Servers hooked up the Internet with no firewall or firewall rules that permitted direct connections to the control port. Good luck finding that configuration today...

    1. Re:Also decided in favor of restrictive firewalls by h4rr4r · · Score: 3, Interesting

      There are still tons of them.

      I have heard such a setup suggesting in the past 12 months by a customer to make life easier for them. We did not do that.

    2. Re:Also decided in favor of restrictive firewalls by gstoddart · · Score: 3, Insightful

      My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

      I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

      You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

      Look at all the stories we've seen about SCADA devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

      --
      Lost at C:>. Found at C.
    3. Re:Also decided in favor of restrictive firewalls by khasim · · Score: 4, Insightful

      I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).

      That's the real problem. It will always be easier to NOT do something than it will be to do something.

      And NOT doing something will, 99%+ of the time, will be less expensive than doing something.

      It is only when that less-than-1%-of-the-time event hits that "something" gets done. And even then the 'something" is usually a panic reaction and NOT real security.

  2. HTTP Slammer by rastakid · · Score: 4, Funny

    Slashdot does it again.

    --
    In need of reliable and affordable server monitoring?
  3. Google Cache Version by Anonymous Coward · · Score: 5, Informative

    http://goo.gl/PCkGM

  4. Security priorities have changed by Cid+Highwind · · Score: 4, Insightful

    So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

    Times change indeed...

    --
    0 1 - just my two bits
    1. Re:Security priorities have changed by eap · · Score: 5, Informative

      So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

      Times change indeed...

      The article mentions he was paid by a company in Germany to penetrate their heavily-fortified SQL Server installations. This is when he developed the exploit code. Presumably it's not illegal for a company to pay you to security test its systems.

      He also took the steps of communicating the exploit to Microsoft before releasing the code. He even asked their permission before divulging the code, and didn't do so until MS had released a fully corrective patch.

      You're right, however, he'd be in jail if it happened today.

  5. Our article on the subject: by nweaver · · Score: 4, Informative

    We (David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and myself) did the analysis of how it spread, including showing how it infected all the vulnerable systems in 10 minutes, and detailing flaws in the random number generator.

    Our article eventually appeared in IEEE Security & Privacy.

    --
    Test your net with Netalyzr
  6. Re:Researches by Golddess · · Score: 2

    Sure it does. The guy can be both a researcher and know how to code. Sort of like how someone can be a driver but also know how to rebuild an engine.

    --
    "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
  7. Check your firewall logs. by khasim · · Score: 2

    You'll see all kinds of ancient exploits still being tried by machines around the world.

    At one place I worked, the contractors who came in to install the VoIP system also connected one of the Win2K3 servers directly to the Internet so that they could manage the VoIP system "easier". And that was back around 2010.

    Never underestimate the power of laziness and stupidity.

  8. You can't beat clueless by A+Friendly+Troll · · Score: 3, Insightful

    Letting a DB server out on the internet is moronic by itself, but not having installed a patch that was available 6 months before the worm started spreading, well, that's even worse.

    The worst thing of all, however, is that Microsoft *itself* had unpatched instances of SQL Server out on the net and they themselves got pwned.