""John Neiberger"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Maybe this is a silly question considering where I work, but is it > common for huge banks to connect their ATMs to their data centers over > the Internet? We certainly don't do that, and wouldn't even consider > doing it, so I was surprised that BofA appears to be doing just that. > > Then again, they probably have twenty times more ATMs than we do, so > perhaps they have different issues to be considered.
Well, let's apply some logic and reason to what we know about the Sapphire worm and the BOA situation.

Sapphire is launched from compromised Microsoft SQL servers. The attack consists of generating IP traffic using UDP port 1434. The traffic consists of the inquiries to what is described as "pseudo random" IP addresses, and the ICMP replies to the traffic inquiries.

Knowing these things, we might guess that BOA, like many other businesses, has Microsoft SQL servers.

1) Could those servers have been compromised? Sure.
2) Could those compromised servers have been involved in generating tons of traffic internal to BOA, even without the internet being involved? Sure.
3) Could routers on the internal BOA network, routers that carry IP traffic, also be carrying other traffic such as would be carrying ATM transactions? Sure.
4) Recognizing that router overloads were happening everywhere as a result of Sapphire, is it reasonable to think that the BOA network routers could have been adversely affected, even if the internet were not involved? Sure.
5) Add to that what was happening on the internet: rogue SQL servers sending their attacks randomly, and some of that traffic hitting the BOA internet edge, and maybe being NAT'ed inside to add to traffic problems happening already.

Look, when Nimda hit a year or so ago, some organizations just started turning things off in order to control what was happening. I seem to recall BOA did so, but to be frank, I am not certain of that.

I don't think it is a good idea to jump to a lot of conclusions here. I highly doubt that even a stupid organization like Bank of America would be running their ATMs across the internet (just kidding, pals of mine who work for BOA). It is all too easy for corporate networks to come down in situations created by Nimda or Sapphire.

In an earlier message, Ken spoke about his own network, where there are few if any Microsoft SQL servers.
Yet their internet links were saturated because of the attacks, and internal network replies.

The key to protecting networks is understanding the nature of the threat.

BTW, there is a serious suggestion from someone on NANOG about denying any and all Microsoft well known ports across the internet backbone. Good idea? I'm starting to think so. What I hope is that attacks based on ports 80 and / or 53 aren't developed. Think how devastating those might be :-O

> John
>
> >>> "Priscilla Oppenheimer" 1/27/03 11:24:42 AM >>>
> Good points. How much bandwidth goes to some of the remote ATMs? Probably very little. They probably got crunched by the huge number of UDP packets.
>
> Of course, better filtering would have prevented that.
>
> But there's no need to assume that BoA runs MS-SQL or to worry that private info was compromised, etc. DoS attacks usually have very little to do with privacy compromises.
>
> Not claiming to be a security expert, so just correct me if I'm way off base! :-)
>
> Priscilla
>
> Amazing wrote:
>
> > what's amazing are the assumptions that people are making--who says that BoA servers or any BoA database were compromised? who says they are even running MS-SQL? Read how the worm is spreading and you will understand that you don't have to be running anything that can be affected by the worm. my guess is that a company with LARGE blocks of routable addresses and probably very high speed connections to the Internet might have bigger problems with this worm which in effect becomes a denial of service attack on their edge devices even if they are filtering out udp 1494 at the edge.
> >
> > take a look at the post by Ken and observe what is happening to the CPU of one of his router blades.....
> >
> > i definitely agree with your comment about the security con artist comparison to the y2k consultants
> >
> > "l0stbyte" wrote in message news:[EMAIL PROTECTED]...
> > > the "dumb butts" are allowing access to SQL from public networks. how difficult is it to filter stuff out? SQL boxes should be on private networks, no routes to public, second or third tier, etc. Y2K all over... This time in security business. Bunch of con artists claiming to be security experts.
> > >
> > > Cheers...
> > >
> > > P.S. There was a news clip that BofA networks were affected. this is scary.
> > >
> > > l0stbyte
> > > Symon Thurlow wrote:
> > > > Cheers,
> > > >
> > > > Symon
> > > >
> > > > -----Original Message-----
> > > > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> > > > Sent: 26 January 2003 20:02
> > > > To: [EMAIL PROTECTED]
> > > > Subject: UDP port 1434 [7:61891]
> > > >
> > > > d tran wrote:
> > > >
> > > >>You wouldn't have to fight the udp 1434 problem had you decided to scrap the shitty MS SQL server, running on crappy Windows machine and replace it with MySQL (freeware) or real commercial database products like Oracle, running on Linux platform.
> > > >>Enjoy fighting udp1434. LOL
> > > >>DT
> > > >
> > > > I don't think that's true. He could have been a victim of other people running Windows SQL Server 2000. From what I understand about the worm, it not only replicated itself to other unpatched systems, but it sent gazillions of packets to random IP addresses to port 1434. Many ISPs and companies were affected by it, not just the dumb butts who don't patch their systems.
> > > >
> > > > Here, we didn't seem to be affected by it, though. Maybe because I didn't check until Saturday afternoon? But no complaints came in.
> > > >
> > > > Are others willing to share their experiences? It could be a good learning opportunity.
> > > >
> > > > Anyone have a link to a good technical document about the worm?
> > > >
> > > > Thanks,
> > > >
> > > > Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62009&t=61891
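The traffic pattern the thread keeps coming back to (one host spraying UDP/1434 at many pseudo-random addresses, with sheer volume rather than any compromise of the receiving network being the problem, and even networks that filter at the edge getting their links and router CPUs crunched) is what a defender would look for in edge flow or firewall logs. The following is an added example, not code from any poster on this list, that flags such sources and measures per-second volume over constructed sample records, assuming a simple space-separated `timestamp src dst proto dport` log format:

```python
from collections import defaultdict

# Constructed sample flow records (not from the original thread), one per line:
# timestamp src_ip dst_ip proto dst_port
SAMPLE_LOG = """\
2003-01-25T05:30:01 10.1.2.3 192.0.2.17 udp 1434
2003-01-25T05:30:01 10.1.2.3 198.51.100.9 udp 1434
2003-01-25T05:30:01 10.1.2.3 203.0.113.44 udp 1434
2003-01-25T05:30:01 10.1.2.3 192.0.2.201 udp 1434
2003-01-25T05:30:01 10.1.2.3 198.51.100.77 udp 1434
2003-01-25T05:30:02 10.1.2.3 203.0.113.5 udp 1434
2003-01-25T05:30:02 10.9.9.9 10.1.2.3 udp 1434
2003-01-25T05:30:02 10.5.5.5 192.0.2.10 tcp 80
2003-01-25T05:30:02 10.5.5.5 192.0.2.10 tcp 80
"""

SQL_RESOLUTION_PORT = 1434  # the UDP port the worm uses, as discussed in the thread


def parse_records(log_text):
    """Yield (timestamp, src, dst, proto, dport) tuples; blank/short lines are skipped."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, src, dst, proto, dport = fields[:5]
        yield ts, src, dst, proto.lower(), int(dport)


def find_udp1434_scanners(log_text, min_targets=5):
    """Return {src: distinct-destination count} for sources that sent UDP/1434
    to at least min_targets distinct destinations. A legitimate client talks
    to one or a few SQL servers; an infected host sprays many addresses."""
    targets = defaultdict(set)
    for _ts, src, dst, proto, dport in parse_records(log_text):
        if proto == "udp" and dport == SQL_RESOLUTION_PORT:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def udp1434_packets_per_second(log_text):
    """Return {timestamp: packet count} for UDP/1434 traffic, i.e. the volume
    that saturates links and router CPU even where the port is filtered."""
    counts = defaultdict(int)
    for ts, _src, _dst, proto, dport in parse_records(log_text):
        if proto == "udp" and dport == SQL_RESOLUTION_PORT:
            counts[ts] += 1
    return dict(counts)


if __name__ == "__main__":
    print("scanners:", find_udp1434_scanners(SAMPLE_LOG))
    print("udp/1434 packets per second:", udp1434_packets_per_second(SAMPLE_LOG))
```

The single-destination host 10.9.9.9 is not flagged, which is the distinction between a legitimate SQL client and a scanning source; tune `min_targets` to the fan-out your own SQL clients normally show.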