A few days after the Slammer attack, the consensus seems to be that good technology and prompt reaction to the emerging attack prevented more widespread disruption in New Zealand and worldwide.
New Zealand's largest ISP Xtra started filtering Slammer worm, which hit the internet at the weekend, pretty soon after its first impact, says marketing director Chris Thompson.
Impact on users was minimal, Thompson says, except for their not being able to access sites which had not been patched.
He says Xtra was prepared for Slammer, having been warned by Telecom’s international division.
The impact of the attack was “pretty similar to Code Red”, Thompson says.
“Two or three thousand sites [New Zealand installations] were affected then and it looks to be about the same with this one.”
Matthew Sollis, of Iconz, says the ISP went offline for 30 minutes, “but technically we didn’t go down, we just clogged up”.
Huge volumes of traffic were coming back from users, but unlike TelstraClear, Iconz did not disconnect any users, he says, “we just phoned them up and told them what to do with their servers [offered advice on clearing the worm and fixing the vulnerability].”
All available support staff were brought in to stem the tide in this way, and the situation was under control within 30 minutes, but traces of the worm were still there yesterday, from people who had not yet put in the right patches.
“The lesson is, you’ve got to keep these upgrades up-to-date.”
Worldwide, stories abound of network slowdowns in the hours following the first appearance of the worm on Saturday evening (New Zealand time).
Beth Israel Deaconess Medical Center (BIDMC) in Boston experienced slowdowns for approximately six hours as a result of Slammer, according to John Halamka, MD, CIO of the CareGroup Health System.
Blocking ports 1433 and 1434 on affected machines eventually brought Slammer under control, Halamka says.
Physician Craig Gordon arrived at 7.30am Saturday (Boston time) to find many of the computer systems that the hospital uses to track clinical data and enter patient orders were not working and that access to the internet was gone.
Gordon and the rest of the staff at BIDMC fell back on lessons learned from previous virus outbreaks and computer outages, using teamwork and an older paper-based system to manage their patients until the clinical systems came back online a couple of hours later.
"People just figured out what was up, what was down and what we could do to make the day go on. It was actually pretty extraordinary. Everybody did their job and helped each other out. It was really about as normal as it could be," Gordon says.
At Northeastern University in Boston, IT staff were notified of the mounting attack by monitoring systems and were on hand just after midnight Saturday (Boston time) to address infection on some of the University's 13 Microsoft SQL Server hosts, according to Leo Hill, director of technology research and integration at Northeastern.
The IT staff worked to locate the source of the problem and stem the flow of traffic produced by Slammer. By 7.30am (Boston time), Northeastern's staff had Slammer under control, with little or no disruption to students, employees or faculty, according to Hill.
The cleanup at Northeastern was hastened by the fact that most of the institution's SQL servers had Microsoft's SQL Server Service Pack 2 or Service Pack 3 already installed. Those service packs patched the software vulnerability that was exploited by Slammer, according to Hill.
IT staff at the place where former Northeastern student Shawn Fanning wrote the original Napster application were also armed with a variety of firewalls and traffic shapers that helped spot and thwart the Slammer outbreak, according to Hill.
"Our students are very creative these days. We figure if we can't defend against one of these (worms) we definitely can't protect ourselves against our students," Hill says.
Halamka also says that monitoring tools and up-to-date network hardware from Cisco Systems helped to blunt the impact of Slammer at BIDMC.
Although BIDMC had patched its SQL Server machines using Service Pack 3 in July, IT staff didn't anticipate the worm spreading through the vulnerable Microsoft Data Engine 2000 (MSDE) component, which was also affected by the SQL vulnerability and was installed on personal computers running Microsoft Office XP in the hospital's research area and in private offices, Halamka says.
Those nonserver machines caused the slowdowns on BIDMC's network, according to Halamka.
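Two defensive points run through the accounts above: Northeastern's monitoring systems raised the alarm, and BIDMC's real problem was SQL engines (MSDE) on machines nobody had listed as SQL servers. The script below is an added example, not code from the article or from any of the organisations it quotes. It assumes a simple flow-log line format of "timestamp src dst proto dport bytes" (an assumption for this example), flags any source that reaches many distinct hosts on UDP/1434 inside a short window, and then splits the flagged hosts into those in a known SQL Server inventory and those that are not, which is exactly the population that bit BIDMC. All flow records and the inventory are constructed sample data.

```python
"""Flag hosts spraying UDP/1434 to many destinations, then check each flagged
host against the SQL Server inventory to expose unmanaged engines (e.g. MSDE
on desktops). Added example; flow-log format and all data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    # Assumed log format for this example: "timestamp src dst proto dport bytes"
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)}


def find_udp1434_sprayers(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src: max_distinct_destinations} for every source that hit at
    least `min_targets` distinct hosts on UDP/1434 within some `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dport"] == 1434:
            events[f["src"]].append((f["ts"], f["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


def classify(flagged, sql_inventory):
    """Split flagged hosts into inventoried SQL servers and unmanaged hosts."""
    known = {h: n for h, n in flagged.items() if h in sql_inventory}
    unmanaged = {h: n for h, n in flagged.items() if h not in sql_inventory}
    return known, unmanaged


# Constructed sample flows (not real captures). Byte counts are illustrative.
BASE = datetime(2003, 1, 25, 12, 0, 0)
SAMPLE_LINES = [
    # benign client: ordinary TCP/1433 query traffic and a DNS lookup
    f"{BASE.isoformat()} 10.1.9.5 10.1.2.10 tcp 1433 1200",
    f"{(BASE + timedelta(seconds=5)).isoformat()} 10.1.9.5 10.1.0.2 udp 53 70",
    # benign: a single UDP/1434 resolution request to one known server
    f"{BASE.isoformat()} 10.1.9.6 10.1.2.10 udp 1434 60",
]
# infected research-area desktop: 40 distinct destinations in under 10 seconds
SAMPLE_LINES += [
    f"{(BASE + timedelta(milliseconds=250 * i)).isoformat()} "
    f"10.1.7.33 198.51.100.{i + 1} udp 1434 376"
    for i in range(40)
]
# infected but inventoried SQL server: 15 destinations over 28 seconds
SAMPLE_LINES += [
    f"{(BASE + timedelta(seconds=2 * i)).isoformat()} "
    f"10.1.2.11 203.0.113.{i + 1} udp 1434 376"
    for i in range(15)
]

# Constructed inventory of hosts the organisation knows run SQL Server.
SQL_INVENTORY = {"10.1.2.10", "10.1.2.11"}


def run_sample():
    flagged = find_udp1434_sprayers(SAMPLE_LINES)
    return classify(flagged, SQL_INVENTORY)


if __name__ == "__main__":
    known, unmanaged = run_sample()
    print("flagged inventoried SQL servers (patch/isolate):", known)
    print("flagged unmanaged hosts (check for MSDE):", unmanaged)
```

The threshold is on distinct destinations per window rather than raw packet count, so a legitimate client issuing a handful of UDP/1434 resolution requests to one server is never flagged, while a worm that sprays random addresses trips it within seconds. Feeding real firewall or NetFlow exports through `parse_flow` only requires adapting that one function to the site's log format.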
Such lapses are common given the large number of software security bulletins and patches released by companies such as Microsoft each year, according to Vincent Gullotto, vice president of the McAfee AVERT (Anti-Virus Emergency Response Team) division.
"The difficulty for organisations is to know which patches to apply and which not to apply," Gullotto says.
Organisations should consider working with security consulting companies or speaking directly with software vendors to determine the possible impact of security vulnerabilities.
"Administrators need to look at each bulletin and determine how bad the vulnerability is and whether it affects them. When the vulnerability is on a popular platform that you are using, some action is required because the more popular the platform, the more valuable a target it is for a hacker," Gullotto says.
In addition to scrutinising each patch announcement, organisations should consider deploying vulnerability assessment tools for their network and increasing the frequency with which they roll out software updates to user desktops, Gullotto says.