Computerworld - Upfront preparation helped my company ward off the SQL Slammer worm, which exploits a buffer overflow vulnerability in Microsoft SQL Server and creates a flood of packets, similar to a denial-of-service attack. But we still didn't totally avoid it.
Shortly after the worm appeared, we decided to run scans of our infrastructure to find and patch vulnerable systems. In the interim, we implemented Cisco Systems Inc.'s Network-Based Application Recognition (NBAR) feature on our core edge routers, configuring it to drop any packets that matched the signature of the SQL Slammer attack. The problem with NBAR is that routers are designed to route traffic, not inspect packet payloads. NBAR consumes a considerable amount of router resources and can lead to performance problems, so we didn't want to keep it in place any longer than necessary.
Notifying Users
Once the NBAR rules were set, we sent out a mass e-mail internally with a link to a Web page we had assembled. The page contained information on SQL Slammer, instructions on determining whether a particular system is vulnerable and a link to the patch, which mitigates the vulnerability. Only after we had completed our scans and were satisfied that our SQL servers and other impacted desktops were patched did we remove NBAR.
Ultimately, we were lucky, but we weren't 100% successful. A few stray servers were somehow infected. Even a week later, we still found an occasional system that had slipped through the cracks.
A few days after the initial SQL Slammer incident, I received a call from our network operations center reporting that our servers were under a denial-of-service attack. We have a limited capability to monitor bandwidth utilization on some edge network devices. Those utilization rates were extremely high, and network performance was suffering. So we pulled up data from our intrusion-detection system sensors, examined the packets and discovered an excessive amount of file transfer protocol traffic.
It turns out that our company had just released a new software download that was in excess of 40MB, and the traffic was overloading our network. Until we could make significant changes in our systems, we decided to outsource the downloads by using Cambridge, Mass.-based Akamai Technologies Inc.'s EdgeSuite service.
The implementation went without a hitch. With a few modifications in our server configurations and some redirection, we were ready to go.
Eventually, we will either upgrade our network to handle the load, outsource to a managed service provider or possibly stick with Akamai.
EDirectory Assistance
With that incident out of the way, I've
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
