W32/SQLSlammer
Analysis
- Threat consists of a 376-byte UDP packet sent to
UDP port 1434
- Threat exploits a vulnerability in the MS SQL Server
2000 Server Resolution Service (SSRS); the vulnerability
is present in SQL Server 2000 Service Pack 2 and earlier,
so all systems should be upgraded to SP3
- MS SQL Server 2000 SSRS listens on port 1434 and
replies to ping messages from other SQL Server systems
as a way of acknowledging the other server across the
network; a vulnerability exists if an attacker forges a
ping message directed at one SQL Server that appears to
originate from another SQL Server - the two servers then
keep acknowledging each other until one or both become
unresponsive or locked
- When the threat attacks an SQL Server, the initial
part of the packet triggers a buffer overflow, which
transfers execution to the code that follows the
overflow in the same packet
- Threat then runs memory-resident on that system until
the system is restarted, continuously attacking random
IP addresses by flooding UDP packets to port 1434
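The propagation behaviour described above, as an added detection example that is not part of the original advisory: the script parses constructed flow records and reports both single 376-byte UDP datagrams to port 1434 (the packet the advisory describes) and sources that spray such datagrams at many distinct destinations in a short window (the random-address flooding phase). The record line format, the reading of 376 as UDP payload length, the fan-out threshold of 20 destinations per second and every IP address are assumptions made for the example, not values from the page.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

SLAMMER_PORT = 1434         # SSRS port named in the advisory
SLAMMER_PAYLOAD_LEN = 376   # packet size named in the advisory (assumed: UDP payload length)
FANOUT_THRESHOLD = 20       # assumption: distinct destinations per window that mark a scanner
FANOUT_WINDOW = 1.0         # assumption: window length in seconds


class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    plen: int


def parse_flow_line(line: str) -> Flow:
    # Constructed record format: "<ts> <src> > <dst> <proto> <dport> <payload_len>"
    ts, src, arrow, dst, proto, dport, plen = line.split()
    if arrow != ">":
        raise ValueError(f"malformed flow line: {line!r}")
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(plen))


def is_slammer_sized(flow: Flow) -> bool:
    """Signature match: one 376-byte UDP datagram addressed to port 1434."""
    return (flow.proto == "udp"
            and flow.dport == SLAMMER_PORT
            and flow.plen == SLAMMER_PAYLOAD_LEN)


def find_scanners(flows, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
    """Behavioural match for the propagation phase: a source that sends
    signature-sized datagrams to at least `threshold` distinct destinations
    within any `window` seconds. Returns {src: peak_distinct_destinations}."""
    per_src = defaultdict(list)
    for f in flows:
        if is_slammer_sized(f):
            per_src[f.src].append((f.ts, f.dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        seen = Counter()   # destinations currently inside the sliding window
        peak = 0
        j = 0
        for i in range(len(events)):
            # extend the right edge of the window as far as the timestamps allow
            while j < len(events) and events[j][0] - events[i][0] <= window:
                seen[events[j][1]] += 1
                j += 1
            peak = max(peak, len(seen))
            # drop the left edge before the window slides forward
            seen[events[i][1]] -= 1
            if seen[events[i][1]] == 0:
                del seen[events[i][1]]
        if peak >= threshold:
            scanners[src] = peak
    return scanners


def detect(lines):
    """Return the number of signature hits and the hosts behaving like scanners."""
    flows = [parse_flow_line(l) for l in lines if l.strip()]
    hits = [f for f in flows if is_slammer_sized(f)]
    return {"signature_hits": len(hits), "scanners": find_scanners(flows)}


# Constructed sample: one internal host sprays 25 destinations within a
# quarter second, a normal 1-byte SSRS ping, a normal TCP/1433 session,
# and one inbound probe from outside that matches the signature once.
SAMPLE_LINES = [f"{1000.0 + i * 0.01:.2f} 10.0.0.5 > 198.51.100.{i} udp 1434 376"
                for i in range(1, 26)]
SAMPLE_LINES += [
    "1000.30 10.0.0.9 > 10.0.0.5 udp 1434 1",
    "1000.31 10.0.0.9 > 10.0.0.5 tcp 1433 60",
    "1001.00 192.0.2.10 > 10.0.0.5 udp 1434 376",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LINES))
```

The size-and-port signature alone fires on every matching datagram, including the lone inbound probe, while the fan-out check isolates the host that is actually infected and spraying; running both gives an IDS-style alert and a candidate for isolation from the same records.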
Recommended Action
- FortiGate units detect this attack when running IDS
attack definition 2.01 or later; the attack may be
reported in the Attack log
- Customers that do not exchange SQL traffic with
other sites may choose to disable inbound access to
TCP/UDP ports 1433 and 1434 (EXT -> INT)
- Customers are urged to apply at least the available
patch update to their Windows MSDE/SQL Server systems,
or SP3 where possible
- For additional information, also see details on our website