We do have machines running flavors of MS-SQL on our network both in
production and in classrooms/labs. These are the stats from about 8
A.M. on Saturday to 3:08 P.M. on Sunday for several of our access-lists.
Keep in mind this is only from the two RSMs in one core 5500 and it's
only internal traffic:
deny udp any any eq 1434 (590511831 matches)
deny udp any any eq 1434 (124971 matches)
deny udp any any eq 1434 (43 matches)
deny udp any any eq 1434 (18025943 matches)
deny udp any any eq 1434 (642748443 matches)
1 RSM:
Mercury-RSM4>sh proc cpu
CPU utilization for five seconds: 87%/64%; one minute: 84%; five
minutes: 84%
I put up a web page with graphs for those interested:
http://www.csupomona.edu/~ken/website/sqlworm.html
Almost all our backbone links are 100FX and most workstations connected
at 10Mb/Half duplex. I wonder how bad it would be if they were GigE
backbone links and 100TX workstation links.
>>> "Amazing" 01/26/03 01:20PM >>>
Amen!
We are not running any Windows SQL and are only running MySQL on
Linux.
Here is what we turned away at the front door in the past 12 hours on
one
20MB connection:
deny udp any any eq 1434 (205647 matches)
Here is Cisco's link:
http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml
CERT and SANS also have info.
""Priscilla Oppenheimer"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> d tran wrote:
> > You wouldn't have to fight the udp 1434 problem had you decided
> > to scrap the
> > shitty MS SQL server, running on crappy Windows machine and
> > replace it
> > MySQL (freeware) or real commercial database products like
> > Oracle, running on
> > Linux platform.
> > Enjoy fighting udp1434. LOL
> > DT
>
> I don't think that's true. He could have been a victim of other
people
> running Windows SQL Server 2000. From what I understand about the
worm, it
> not only repicated itself to other unpatched systems, but it send
gazillions
> of packets to random IP addresses to port 1434. Many ISPs and
companies
were
> affected by it, not just the dumb butts who don't patch their
systems.
>
> Here, we didn't seem to be affected by it, though. Maybe because I
didn't
> check until Saturday afternoon? But no complaints came in.
>
> Are others willing to share their experiences? It could be a good
learning
> opportunity.
>
> Anyone have a link to a good technical document about the worm?
>
> Thanks,
>
> Priscilla
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61930&t=61891
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
