Slammer lessons remain valid a year later

This weekend marks the one-year anniversary of the debut of the SQL Slammer worm, an infamous time in information-security annals. Experts remind administrators that the lessons learned a year ago remain relevant today.

This weekend marks the one-year anniversary of the SQL Slammer worm outbreak that brought down critical applications and services, including ATMs, emergency services, networks and even some airline services. Slammer broke shortly after midnight Jan. 25, 2003, exploiting a security flaw in Microsoft's SQL Server software and clogging networks as it searched for more systems to infect via UDP port 1434.

While organizations have since recovered from Slammer's damage, the outbreak gave many a cold, hard dose of reality about how vulnerable and connected networks and systems really are.

Despite the destruction Slammer caused, it taught enterprise administrators valuable lessons. Though hardly groundbreaking, those lessons reinforce good habits and basic security practices, experts said.

  • Keep your systems patched. Patching is a basic tenet of network security, but lax patching practices were never more obvious than during the Slammer outbreak. The worm exploited a buffer overflow vulnerability in SQL Server's Resolution Service, which Microsoft had patched six months earlier. Thousands of enterprises were exposed, either because they had not kept up with patching or because they didn't realize they needed the SQL Server patch.

    Ed Skoudis, a SearchSecurity.com expert and a consultant with International Network Services, said that keeping up to date on patches also enables administrators to keep a handle on their inventory -- helping ensure that they're aware of all the software installed on their networks.

    "Patch even when you don't even think you have to patch," Skoudis said.

    However, the patching process for this particular SQL Server vulnerability wasn't as straightforward as other Windows patches, said Chip Andrews, an independent, Gainesville, Ga.-based developer who runs a labor-of-love site called SQLSecurity.com.

    "It's not really easy to find patches for it. You can't just fire it up and click a button on Windows Web Update and have it pull down updates, and update itself," Andrews said. "It doesn't work like that. You have to identify what it is and get the exact patch version that you need for the exact MSDE version [Microsoft Desktop Engine] that was placed on your machine, and then install it yourself manually."

    MSDE is a data engine based on core SQL Server technology, according to Microsoft. It is a storage engine and query processor for desktop extensions of enterprise applications. Users interact with MSDE through the application in which it is embedded.

    In order to automate the SQL Server patching process, organizations will need to go through a third party, because Microsoft doesn't include SQL Server or Exchange patches with its Software Update Services, Andrews said.

  • SQL Server software and MSDE are everywhere. One of the biggest surprises about the Slammer worm is that it attacked so many applications, showing just how widely SQL Server and MSDE are used.

    Some applications install SQL Server automatically, Skoudis said: "For example, [the] Microsoft Enterprise version of Visio comes with a built-in version of SQL Server. You don't even know it -- it just installs it."

  • Keep telecommuters up to date with security. Because of the widespread use of SQL Server and MSDE, organizations were also infected via telecommuters, who logged on to VPNs using infected computers, Skoudis said.

    "[Slammer] really hammered home the point that your telecommuters with VPNs are essentially a side door to your network. Therefore, [telecommuters] have to be thoroughly secured. You've got to apply antivirus solutions, harden their browsers, and you have to keep those telecommuter systems patched," Skoudis said.

    Skoudis also recommends thorough filtering of telecommuter access and creating separate DMZ for the VPN.

  • UDP worms are lethal. This fact was known already, but the Slammer outbreak drove home the reality of how fast and vicious a UDP (User Datagram Protocol) worm can be. Slammer was incredibly small, which allowed it to spread very quickly and made it hard to trace.

    However, unlike previous worms, "it's attacking ports and services that haven't really been covered by traditional antivirus solutions," said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security LLC.

    In the end, Slammer's efficiency was part of its downfall, according to Skoudis, because it "saturated some long-haul backbones on the Internet, which slowed its spread."

FEEDBACK: What was the most valuable lesson you learned from the Slammer outbreak?
Send your feedback to the SearchSecurity.com news team.

Dig deeper on Database Security Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close