
Wednesday, September 21, 2011

SQL Slammer worm as seen by router graphs

It occurs to me that some out there probably have not seen what it looks like when a network is totally overwhelmed by something like the SQL Slammer worm of 2003.

First, we got our service through another educational institution. This is what their pipe looked like after this had been going on for a few hours:

[graph: uplink]

That's a 20 Mbps (or thereabouts) pipe being totally saturated by garbage leaving them for the outside world. This graph was taken from their uplink, so "In" on this graph is what they were generating.

So then, closer to home, this is what it looked like on my poor little firewall's port:

[graph: firewall]

This shows some host throwing about 55 Mbps of traffic at me from the inside. Yep, some host behind my firewall was infected and proceeded to blast the outside world. We only had a 1.5 Mbps pipe, so there was tons of packet dropping happening there.
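The two graphs above are MRTG-style plots of SNMP interface counters, and reading them right depends on whose port the counters came from. As an added example (not code from the original post), the check below computes per-direction load from two counter samples, maps "in"/"out" onto "our outbound"/"our inbound" according to the vantage point, and estimates how much of an offered load exceeded the bottleneck; the counter values are constructed to reproduce the two cases in the post, and the names `Sample`, `rate_bps` and `assess` are this example's own.

```python
# Added example: MRTG-style saturation check on SNMP ifInOctets/ifOutOctets.
# Assumptions: two samples per interface, 32-bit counters, and the caller
# says whether this port's "in" direction is traffic we are sending out
# (true for a provider's port facing us, and for a firewall's LAN-facing port).
from dataclasses import dataclass

COUNTER32_WRAP = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit counters in IF-MIB


@dataclass
class Sample:
    t: float        # seconds since epoch (or any monotonic clock)
    in_octets: int
    out_octets: int


def rate_bps(prev: Sample, cur: Sample, field: str) -> float:
    """Bits/s between two samples, correcting a single 32-bit counter wrap."""
    delta = getattr(cur, field) - getattr(prev, field)
    if delta < 0:
        delta += COUNTER32_WRAP
    return delta * 8 / (cur.t - prev.t)


def assess(prev: Sample, cur: Sample, bottleneck_bps: float,
           in_means_outbound: bool, threshold: float = 0.95) -> dict:
    """Per-direction load relative to the bottleneck link this traffic must cross.

    bottleneck_bps is the narrowest link on the path (e.g. a 1.5 Mbps WAN pipe
    behind a 100 Mbps firewall port), so utilization can exceed 1.0: anything
    offered above capacity is traffic the link could not carry.
    """
    in_bps = rate_bps(prev, cur, "in_octets")
    out_bps = rate_bps(prev, cur, "out_octets")
    ours_out, ours_in = (in_bps, out_bps) if in_means_outbound else (out_bps, in_bps)
    report = {}
    for direction, bps in (("outbound", ours_out), ("inbound", ours_in)):
        util = bps / bottleneck_bps
        report[direction] = {
            "bps": bps,
            "utilization": util,
            "saturated": util >= threshold,
            # fraction of offered load the bottleneck could not carry
            "dropped_fraction": 1 - 1 / util if util > 1 else 0.0,
        }
    return report


if __name__ == "__main__":
    # Constructed sample: provider's uplink port, 20 Mbps pipe, 5-minute poll;
    # their "in" is our outbound, and it is pinned at line rate.
    up = assess(Sample(0, 100_000, 100_000),
                Sample(300, 100_000 + 750_000_000, 100_000 + 37_500_000),
                20e6, in_means_outbound=True)
    print(f"uplink outbound {up['outbound']['bps']/1e6:.1f} Mbps, "
          f"saturated={up['outbound']['saturated']}")
```

For the firewall case, the LAN-facing port sees 55 Mbps arriving from the inside while the WAN pipe is 1.5 Mbps, so `assess(..., 1.5e6, in_means_outbound=True)` reports a dropped fraction above 0.97.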

If it was behind a firewall, how did it get infected? Oh, that one is easy. This box was going to have something called Success Maker installed on it by the Windows "network engineers". I knew it had been freshly installed with whatever Windows build was out back then and needed its patches applied. I said I'd give it access once those had been applied.

A week or so later, they said, oh okay, open it up, we did our thing, so I did. A few days after that, this happened.

I'm pretty sure the hole it exploited had been long since patched by Microsoft (bulletin MS02-061 is from October of 2002), so if they had done their jobs, it wouldn't have happened to us.

Thanks guys. Lies are wonderful.