[Gllug] Net outages caused by worm possibly

[Pete Ryland]

On Mon, Jan 27, 2003 at 11:33:53AM +0000, Jason Clifford wrote:
> On Mon, 27 Jan 2003, Tethys wrote:
> > >What about replication when done across different sites?
> > 
> > Use a VPN (either via IPsec, or just an ssh tunnel).
> 
> A VPN is not going to protect you from a worm such as the MS-SQL users 
> experienced over the weekend.

Yes it would have.  Well, depending on a lot of factors, but it doesn't
sound likely that one end is going to be more vulnerable than the other, and
in any case, *anything* is better than having both ends wide open!

And given that the worm spread by hitting random IPs, only publicly
accessible IPs would have been vulnerable.

> While a VPN will allow you to control traffic on your network you will 
> have drastically reduced your security as you are unlikely to control it 
> at the other site(s).
> 
> The worm that his at the weekend was particularly nasty as it seems to 
> have been designed with a view to causing severe network congestion and 
> thus crippling switches, routers, etc. Not only did it cause problems for 
> SQL services but it also denied access to entire networks.

As a matter of opinion, the worm was designed with no malicious intent.  It
is generally taken that it was simply a bug that it tried to replicate so
rapidly.  There was even some guy on Bugtraq (jasonc at science.org iirc) who
suggested it was probably released by some government to force people to fix
this known problem before it could be attacked by a real threat.

> If it entered a network via a VPN it is likely that it would have cross 
> infected other local MS-SQL servers and caused disruption within the 
> company network.

Not if I understand how it replicated, no, not likely.  Perhaps I'm mistaken
though - I don't exactly have the source handy. :)

Pete
-- 
Pete Ryland
http://pdr.cx/

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug