10 Years After SQL Slammer

Soulskill posted about a year and a half ago | from the lesson-learned dept.

Trailrunner7 writes "Ten years ago today, on Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."

Also decided in favor of restrictive firewalls (4, Funny)

xxxJonBoyxxx (565205) | about a year and a half ago | (#42694879)

Kind of hard to believe that ten years ago it was quite common for people to still have their SQL Servers hooked up to the Internet with no firewall, or with firewall rules that permitted direct connections to the control port. Good luck finding that configuration today...

Re:Also decided in favor of restrictive firewalls (3, Interesting)

h4rr4r (612664) | about a year and a half ago | (#42694955)

There are still tons of them.

I have heard such a setup suggested in the past 12 months by a customer to make life easier for them. We did not do that.

Re:Also decided in favor of restrictive firewalls (3, Insightful)

gstoddart (321705) | about a year and a half ago | (#42695295)

My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

Look at all the stories we've seen about SCADA [slashdot.org] devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

Re:Also decided in favor of restrictive firewalls (1)

JamesTRexx (675890) | about a year and a half ago | (#42695647)

The problem is that decent security is often too "costly" or "difficult" for the end user.
I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).
The only thing I don't like is IT companies setting up a customer with a shoddy network in the first place.

Re:Also decided in favor of restrictive firewalls (4, Insightful)

khasim (1285) | about a year and a half ago | (#42695721)

I'd love to implement great security for every customer we have but it's always up to them and how much "trouble" they want to get through using their network (even if it isn't really).

That's the real problem. It will always be easier to NOT do something than it will be to do something.

And NOT doing something will, 99%+ of the time, be less expensive than doing something.

It is only when that less-than-1%-of-the-time event hits that "something" gets done. And even then the "something" is usually a panic reaction and NOT real security.

Re:Also decided in favor of restrictive firewalls (1)

Shoten (260439) | about a year and a half ago | (#42696073)

My guess is it's far more common than you'd think. A lot of software is really awful when it comes to security, and a lot of places don't do much better.

I ran into a piece of software about 3-4 years back which lived in the DMZ to provide access to internal servers. The software in question stored passwords in plain text in the registry -- we're talking the admin password for the production database. I screamed bloody murder at how big of a risk that was, but eventually got told to STFU. Thankfully, it was a short contract and I wasn't around much longer.

You might be shocked to find out how often security is secondary to cost and convenience. I'm betting loads of people here on Slashdot have encountered things like this.

Look at all the stories we've seen about SCADA [slashdot.org] devices being on the internet -- people are regularly putting mission critical stuff directly onto the internet with no good security.

With the exception of the password storage using clear text, what you're describing has nothing to do with software insecurity but everything to do with architecture insecurity. SCADA devices, database servers, or any "back office" infrastructure that is exposed broadly to the Internet without a genuine business case for anyone and their dog to have direct access to it is a bad idea. It's not about the software, in that case, it's about how the infrastructure is designed to contain it (or not). And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.

Re:Also decided in favor of restrictive firewalls (1)

DiegoBravo (324012) | about a year and a half ago | (#42698243)

> And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.

No, it's usually WAY more difficult to address this "architecture" insecurity, as you put it. I really don't understand why you're even mentioning firewall costs at all.

To correct that kind of "architecture" issue you often need to add layers/filters/equipment/barriers into the data flow, which introduces lots of issues and in the general case is expensive. Especially when you have a legacy infrastructure where the Internet is a later add-on.

How "Expensive" ? (0)

Anonymous Coward | about a year and a half ago | (#42699475)

To lock down a system of questionable security behind a Linux or BSD based IPSEC tunnel, all you need is

A) 2 rather old, surplus PCs running Linux or BSD. Cost: $0

B) A competent Linux or BSD consultant setting up the IPSEC tunnel in one day. Cost: $500.

If you need more than a link between two points, it gets insignificantly more expensive, because the consultant has to set up a few more systems.

So, I guess you are a Windows, Cisco or Checkpoint Retard.

Re:How "Expensive" ? (1)

DiegoBravo (324012) | about a year and a half ago | (#42704085)

Oh yeah, you have a critical non encrypted database with some proprietary applications running in the same internet web server box, and you fix everything by adding a Linux PC with iptables and one IP tunnel. You're a total genius.

Concur (0)

Anonymous Coward | about a year and a half ago | (#42699455)

I am working for a major, multi-billion dollar corporation, a leader in its field. I have access to hundreds of gigabytes of customer-related data, which is pathetically secured. Every kiddie who knows a bit about Windows and is inside the corpo network could download ALL of that data. It's in plaintext. The "security" depends on some shitty client checking access permissions on the client side (!).

I told management only to be dismissed. Because I need this job and because I am a pragmatic guy, I stopped mentioning it.

When companies are pwned by hackers (from China or not), it is ENTIRELY THEIR OWN FAULT.

And no, doing proper security would be affordable for a corpo making 7 billion Euros in profit per year.

Check your firewall logs. (2)

khasim (1285) | about a year and a half ago | (#42695419)

You'll see all kinds of ancient exploits still being tried by machines around the world.

At one place I worked, the contractors who came in to install the VoIP system also connected one of the Win2K3 servers directly to the Internet so that they could manage the VoIP system "easier". And that was back around 2010.

Never underestimate the power of laziness and stupidity.
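One way to act on the advice above ("check your firewall logs"), as an added example that is not from the post or from Slashdot: a small Python script that parses netfilter-style DROP/ACCEPT log lines (constructed sample data, not real traffic) and flags sources sweeping the legacy SQL Server ports. UDP/1434 is the SQL Server Resolution Service port Slammer spread over; the port table and the three-host sweep threshold are assumptions for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in iptables/netfilter syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 25 05:31:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=4011 DPT=1434 LEN=404
Jan 25 05:31:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 PROTO=UDP SPT=4011 DPT=1434 LEN=404
Jan 25 05:31:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=UDP SPT=4011 DPT=1434 LEN=404
Jan 25 05:31:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=1433 LEN=60
Jan 25 05:31:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=23 LEN=60
Jan 25 05:31:10 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=44000 DPT=443 LEN=60
"""

# Ports that old worms and scanners still probe (assumed list for this example).
# UDP/1434 is the SQL Server Resolution Service Slammer used; TCP/1433 is the
# default SQL Server listener; TCP/23 is telnet.
LEGACY_PORTS = {
    ("UDP", 1434): "MS-SQL resolution service (Slammer vector)",
    ("TCP", 1433): "MS-SQL default instance",
    ("TCP", 23): "telnet",
}

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT|REJECT) IN=(?P<iface>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse(lines):
    """Yield one dict per recognisable netfilter log line; unrelated lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["spt"] = int(ev["spt"])
            ev["dpt"] = int(ev["dpt"])
            yield ev


def legacy_port_hits(lines):
    """Count blocked packets per (src, proto, dport) on the legacy ports, and
    record which destination hosts each source touched."""
    counts = Counter()
    targets = defaultdict(set)
    for ev in parse(lines):
        if ev["action"] == "ACCEPT":  # only blocked traffic is of interest here
            continue
        key = (ev["proto"], ev["dpt"])
        if key in LEGACY_PORTS:
            counts[(ev["src"],) + key] += 1
            targets[(ev["src"],) + key].add(ev["dst"])
    return counts, targets


def flag_sweeps(lines, min_targets=3):
    """Sources that hit the same legacy port on >= min_targets distinct hosts:
    that pattern is a scan or worm sweep rather than a stray connection."""
    _, targets = legacy_port_hits(lines)
    return sorted({src for (src, _, _), dsts in targets.items() if len(dsts) >= min_targets})


def report(lines):
    counts, _ = legacy_port_hits(lines)
    for (src, proto, dpt), n in counts.most_common():
        print(f"{src:>15} {proto}/{dpt:<5} {n:>4} blocked  ({LEGACY_PORTS[(proto, dpt)]})")
    for src in flag_sweeps(lines):
        print(f"SWEEP: {src} probed a legacy port on 3+ hosts")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; the ACCEPT line shows that normal allowed traffic is ignored.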

Re:Check your firewall logs. (1)

dbIII (701233) | about a year and a half ago | (#42699477)

2012 and I had one clown that wanted us to forward the telnet port in from the internet to the phone system he was installing and keep it open forever so he could configure it remotely. Of course there was no password, and of course the username was something obvious. I wonder how many places are giving script kiddies free phone calls thanks to that clown.
It was almost his last install and last day breathing. He took a can of drink into the server room and had it sitting on a large UPS of quite a few kW when I came in. Earth leakage circuits do nothing to stop batteries discharging. If he'd spilled that drink he would have been a crispy dead critter and the ignition point of a large fire.

Re:Also decided in favor of restrictive firewalls (1)

Synerg1y (2169962) | about a year and a half ago | (#42695477)

It's mostly done through injecting the pointer via a web application nowadays to create a SQL injection attack. Works especially well on retards who use dSQL; never have I seen a dumber implementation of SQL, or such a large compelling reason not to use it.

Re:Also decided in favor of restrictive firewalls (0)

Anonymous Coward | about a year and a half ago | (#42697731)

"Kind of hard to believe that ten years ago it was quite common for people to still have their SQL Servers hooked up to the Internet with no firewall, or with firewall rules that permitted direct connections to the control port. Good luck finding that configuration today..."

True story.

I work in a quite sensitive environment. But since the current SQL Server default installation means using dynamic port assignment, the security team's solution is... completely open connections to the server, since it's not known which port it will use.

Re:Also decided in favor of restrictive firewalls (0)

Anonymous Coward | about a year and a half ago | (#42699267)

That's not what happened. People bringing laptops in to the LAN was the culprit. We had nowhere near the same technologies to protect from BYOD devices as now. These days my BYOD is a segregated enclave with no routing to the corporate LAN. This doesn't solve the problem of domain laptops being used at home. In short, saying we were naive is naive, because this could easily happen again.

The "Intranet" Fallacy (0)

Anonymous Coward | about a year and a half ago | (#42699489)

Boy, if you really think a database server should open its ports to the "trusted" machines "behind the firewall" you need to be educated. This is a big-time risk because you can never be 100% sure about the "intranet" machines being under your control. So proper (as in "German") security engineering is to lock down the Oracle, SQL Server and so on crapola with a firewall (Linux or BSD based is good enough in most cases). Only the machines which "need" to access the crapola servers are given access.

Never, ever think of your "intranet" as a "secure zone" or something like that. You need much smaller collectives of trust, if you want to have just a minor amount of security.

First post (-1)

Anonymous Coward | about a year and a half ago | (#42694899)

Yeah!

HTTP Slammer (4, Funny)

rastakid (648791) | about a year and a half ago | (#42694915)

Slashdot does it again.

Every minute (1)

zmooc (33175) | about a year and a half ago | (#42694953)

Can't get my head around this... why would you want to run MSSQL every minute? It's not that unstable.

Google Cache Version (5, Informative)

Anonymous Coward | about a year and a half ago | (#42695061)

Researches (-1)

sycodon (149926) | about a year and a half ago | (#42695069)

David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."

"Researcher"

I don't think that word means what they want it to mean.

Re:Researches (2)

Golddess (1361003) | about a year and a half ago | (#42695265)

Sure it does. The guy can be both a researcher and know how to code. Sort of like how someone can be a driver but also know how to rebuild an engine.

Security priorities have changed (4, Insightful)

Cid Highwind (9258) | about a year and a half ago | (#42695081)

So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

Times change indeed...

Re:Security priorities have changed (0)

Anonymous Coward | about a year and a half ago | (#42695155)

I'm assuming it was proof of concept code, which is very common when proving to large companies that problems exist in their product.

captcha: extort

Re:Security priorities have changed (5, Informative)

eap (91469) | about a year and a half ago | (#42695271)

So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?

Times change indeed...

The article mentions he was paid by a company in Germany to penetrate their heavily-fortified SQL Server installations. This is when he developed the exploit code. Presumably it's not illegal for a company to pay you to security test its systems.

He also took the steps of communicating the exploit to Microsoft before releasing the code. He even asked their permission before divulging the code, and didn't do so until MS had released a fully corrective patch.

You're right, however, he'd be in jail if it happened today.

Re:Security priorities have changed (1)

sycodon (149926) | about a year and a half ago | (#42695475)

One has to ask, why would he release the code?
What was the point?
What was the benefit?

Re:Security priorities have changed (0)

Anonymous Coward | about a year and a half ago | (#42695999)

Don't know about his motivations but:

One positive aspect of Slammer was the effect it had on patching - prior to Slammer I'd guesstimate, from the results of penetration tests and so on, that 9 out of 10 SQL Servers were unpatched. Immediately after Slammer this reversed leaving 1 out of 10 unpatched. Patching was 100% effective in preventing reinfection and so, in its own ironic way, Slammer helped make the Internet that little bit more secure.

Re:Security priorities have changed (1)

sycodon (149926) | about a year and a half ago | (#42696127)

That's like saying having a spate of burglaries on your block convinced everyone to install alarm systems so now the neighborhood is a little bit more secure.

Re:Security priorities have changed (0)

Anonymous Coward | about a year and a half ago | (#42697553)

No it's not.

Re:Security priorities have changed (1)

sycodon (149926) | about a year and a half ago | (#42697573)

So that's a great big "Nuh Uhhh" from the AC eh?

Re:Security priorities have changed (0)

Anonymous Coward | about a year and a half ago | (#42696887)

One has to ask, why would he release the code?

Are you kidding me? Not this again. I'm so sick and tired of having to defend the public release of knowledge. But here I go again.

"It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties."

That is a quote by A. C. Hobbs, from a discussion about full disclosure in 1853. You can find it, and other interesting tidbits, in the history section of the Quotepedia page on full disclosure [wikipedia.org] .

What was the benefit?

The benefit is knowledge. Perhaps someone reads the code and recognizes the mistake and realizes he made it himself and can rectify his code. Perhaps reading the code will prevent someone somewhere from making the same mistake. Perhaps it can be used for penetration testing kits to find unpatched servers on otherwise safe networks. Who knows what may or may not happen, but, in the end, acquaintance with real facts will be better for all parties.

Re:Security priorities have changed (1, Flamebait)

sycodon (149926) | about a year and a half ago | (#42697209)

Nice.

An A.C. all lathered up about Full Disclosure.

Re:Security priorities have changed (0)

Anonymous Coward | about a year and a half ago | (#42697297)

Ah yes, because my words would carry so much more weight if they were accompanied by a pseudonym and, preferably, a low uid.

Re:Security priorities have changed (1)

sycodon (149926) | about a year and a half ago | (#42697365)

It's more a case of do as I say, not as I do.

Re:Security priorities have changed (0)

Anonymous Coward | about a year and a half ago | (#42697411)

We started at "why would he disclose exploit code with knowledge from the manufacturer after a patch was released" full disclosure, and now you want to equate that to "for your argument about full disclosure to be valid you have to supply me with a name" full disclosure.

It's official, you are pathetic.

Re:Security priorities have changed (1)

sycodon (149926) | about a year and a half ago | (#42697441)

Do as I say, not as I do is pathetic.

Don't lecture people about something you are not prepared to do yourself.

Re:Security priorities have changed (1)

Zontar The Mindless (9002) | about a year and a half ago | (#42699773)

Okay, so we'll all post our real names, addresses, and telephone numbers.

Starting with you, of course.

And once we've all done this... Guess what? Nothing will have changed: the AC will still be just as right, and you will be just as wrong.

NOT (0)

Anonymous Coward | about a year and a half ago | (#42699505)

OK, we slashdotters like to paint dystopias, but there still exists some amount of "freedom of speech". I would classify the publishing of exploits under that category. If you build a virus with the exploit and release it, that would be a crime. Can you see the difference ??

Re:Security priorities have changed (1)

gmuslera (3436) | about a year and a half ago | (#42695839)

Authorities weren't aware yet. Now he probably will be jailed till next century, along with Randall Munroe [xkcd.com] .

Our article on the subject: (4, Informative)

nweaver (113078) | about a year and a half ago | (#42695139)

We (David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and myself) did the analysis of how it spread, including showing how it infected all the vulnerable systems in 10 minutes, and detailing flaws in the random number generator.

Our article eventually appeared in IEEE Security & Privacy [ieee.org] .

Re:Our article on the subject: (1)

cusco (717999) | about a year and a half ago | (#42696839)

I remember that being a very busy week for my boss and myself. Take the machine off the network, back up the database, remove MSDE, whack everything referring to SQL in the registry and all the folders since MSDE didn't clean up after itself very well, reboot, reinstall MSDE, apply patch, restore database, plug back into the network, leave our list of security recommendations to the customer, go to the next site. Wash, rinse, repeat.

Re:Our article on the subject: (1)

yuhong (1378501) | about a year and a half ago | (#42697873)

Why would removal and reinstallation of MSDE be required?

Re:Our article on the subject: (1)

cusco (717999) | about a year and a half ago | (#42701117)

We tried just rebuilding MSDE a couple of times and it didn't get rid of it consistently. Brute force worked every time, so better to spend the extra time on five customers than have to go back and re-do your work on one or two of them. There were some situations where we couldn't, and my boss took care of those to make sure that it was done correctly and Slammer was gone.

Re:Our article on the subject: (1)

Anonymous Coward | about a year and a half ago | (#42697057)

It'll cost me 31 dollars to read that article. I think I'll pass.

Re:Our article on the subject: (0)

Anonymous Coward | about a year and a half ago | (#42699399)

You have the audacity to place your work behind a pay-wall, the kind of thing people die over, and then advertise it here. Disgusting.

Re:Our article on the subject: (1)

Zontar The Mindless (9002) | about a year and a half ago | (#42699799)

"The kind of thing people die over"? Isn't that a bit, shall we say, dramatic?

Apologies for the paywall... (1)

nweaver (113078) | about a year and a half ago | (#42700621)

I didn't know. So here's a non-paywalled copy [berkeley.edu] .

Re:Apologies for the paywall... (1)

Dagger2 (1177377) | about a year and a half ago | (#42701963)

Thank you.

This also saves me the effort of working out what it means when it asks me for "US£31.00".

American Express got burned (0)

Anonymous Coward | about a year and a half ago | (#42695221)

Amex didn't believe in installing Microsoft patches in a timely fashion, having been burned by bad NT patches.

The SQL worm was rampant inside the network, requiring a massive internal shutdown.

You can't beat clueless (3, Insightful)

A Friendly Troll (1017492) | about a year and a half ago | (#42695513)

Letting a DB server out on the internet is moronic by itself, but not having installed a patch [microsoft.com] that was available 6 months before the worm started spreading, well, that's even worse.

The worst thing of all, however, is that Microsoft *itself* had unpatched instances of SQL Server out on the net and they themselves got pwned.

Re:You can't beat clueless (1)

yuhong (1378501) | about a year and a half ago | (#42695739)

Yea, at that time Windows Update and SUS did not cover anything other than Windows itself. In fact, at that time SQL Server hotfixes and updates did not even have an installer. You had to use manual file copy to install them, and this included manual version checking if you installed more than one of them. Needless to say, when WSUS and Microsoft Update were created in mid-2005, SQL Server was included.

Re:You can't beat clueless (1)

yuhong (1378501) | about a year and a half ago | (#42695789)

And of course not only do post-SQL Server 2000 SP3 hotfixes have an installer, but the original patch was repackaged with it too.

Re:You can't beat clueless (1)

ByronHope (2669333) | about a year and a half ago | (#42697473)

That's a little harsh. At the time of Slammer, I was feeling superior as I had rolled that patch out when it was released. It was then that I discovered the horror of MSDE installed, unpatched, on user PCs and various application servers.

REMOVE THE S FROM HTTPS IN THE URL (0)

Anonymous Coward | about a year and a half ago | (#42695529)

The standard site is fine but the secure site has been slammed. Do the host a favor and stop unnecessarily accessing this site securely. You don't even need to bother with the Google cache.

PAY NO ATTENTION TO THE MAN IN THE MIDDLE (0)

Anonymous Coward | about a year and a half ago | (#42699811)

(Reposting to correct subject.)

Okay, so... (0)

UltraZelda64 (2309504) | about a year and a half ago | (#42698775)

Ten years down the line, does it run on Linux yet?

The good old days (1)

john_uy (187459) | about a year and a half ago | (#42701173)

I can remember back then when the campus network was put to a halt when a single laptop overloaded the poor Cisco router connected to the internet with too many requests. It took us quite some time to isolate the problem when we were using hubs and unmanaged switches. It was quite dramatic when I stormed the room in the middle of a presentation and pulled the UTP plug out of the computer! :)

I can also remember the Nimda worm back then when it infected a part of the network. Good thing we were using higher end switches and were able to isolate it pretty fast. We just got curious back then why all the network switch ports were blinking non-stop.

Share those interesting experiences. :)

John
