Computerworld - Our intrusion-detection system consists mostly of PCs that act as network sensors by running Snort open-source software. The IDS worked very well in giving us an early warning of an impending SQL Slammer attack a few weeks ago. But communication between my group and the operations group broke down, turning what should have been a minor issue into a major problem. Now management is talking about merging remediation responsibilities into my small group -- something we're not prepared to handle.
We have more than 25 IDS sensors across our network worldwide, and we can see about 90% of the company's internal network traffic. The remaining 10% comes from our engineering labs and remote sales offices, which we plan to monitor as soon as we can get the resources.
Our IDS gives us a unique view into our network. We're the only IT organization in the company that can see all traffic as it enters and leaves the network and examine it at the packet level. With this comprehensive view, it's not surprising that we were the first to observe initial SQL Slammer activity.
The Slammer worm entered our network via an unpatched server in one of our engineering labs. The person monitoring the IDS noticed outbound traffic consistent with SQL Slammer at about 7:30 one morning and traced it back to a lab server. The staffer sent an e-mail that included details on the suspected traffic and followed up with a phone call and a voice-mail message.
The operations group gets so many e-mails that if you don't let it know you've sent something important, the message might get missed. That's exactly what happened this time. The e-mail alert wasn't read, and our voice message wasn't retrieved in time to block the attack. A few hours later, we found ourselves dealing with a massive number of reports of network and server problems.
The Repercussions
Although the SQL Slammer worm was initially released in January 2003, variations of it continue to float around the Internet. Meanwhile, people at my company are still deploying new servers, especially in lab environments, without the proper patches and service packs installed. That leaves us vulnerable to Slammer and many other exploits.
The consequences have been costly. During this latest incident, we had to configure access-control lists on key routers in order to mitigate the attack, which required the services of 15 to 20 people for many hours. If the machines had been patched, there might not have been an incident at all.
But even with
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
