The impact of last Saturday's "Slammer" DDoS worm, which temporarily crippled server bandwidth in the US, Korea and Europe appears to have died a relatively quick death upon arrival in Australia, with few visible victims despite a substantial spike in scanning, according to AusCERT.
AusCERT security analyst Jamie Gillespie, who was on duty at the time the worm struck locally, said that scanning activity had abated to "negligible background noise levels" by Monday afternoon, despite a mountain of hype from security vendors and media.
"This one seems to be subsiding quite nicely so far. A couple of ISPs in Australia were reporting three to four times normal traffic [during the peak] of the attack, with some people saying upwards of 100Megabits/sec on larger connections.
"It seems to be the thing that when you see an exploit patched up, a few months later you'll see the worm for it spread around."
Although the Microsoft SQL Server vulnerability was identified and patched as a hot fix in July 2002, affected users may have delayed patching in order to assess any adverse consequences of (MS SQL Server) Service Pack 3, released on January 12 2003, a fortnight before Slammer struck. Additionally, the release date may have seen many IT staff still on leave.
While most enterprise victims are traditionally silent about such exposure, Microsoft .Net Users Group Sydney president, Adam Cogan was offering a heartfelt confessional.
"It's got a lot of traction, it affected a lot of people. It brought down quite a few of our customers… it brought down our company, ssw.com.au (Superior Software for Windows), and members of our user group were affected," Cogan said.
"It shows the popularity of SQL Server these days that so many people were affected like this. It's important to treat security as a high priority. When a service pack comes out we now know we have to treat this seriously and do it as quickly as possible.
"Everybody knew about Service Pack 3. The people I have spoken to this morning felt like they were a bit slack about waiting too long to put the service pack on. Don't stuff around," Cogan mournfully continued.
Daniel Zatz, senior security consultant for Computer Associates, warned that SMEs were at particular risk. "You will probably find that a number of small business organisations will be running Microsoft Small Business Server in which the advanced edit installs MS SQL Server by default – whether you want it or not. The cost will be in labour and time."
Others are less forgiving. A well-placed source within a telco said, "Seriously, what the #%&* are these people doing? Which idiot puts MS SQL Server anywhere near the frontline? If you're a victim site, you have bigger issues to worry about -- sack your IT staff . . . now! (And don't worry about passwords, they're all probably 'password')."
Anthony Turco, Australia and New Zealand vice president of TruSecure Corporation, was more diplomatic. "You would have to have a really good business reason not to have that port -- 1434/UDP -- externally shut off and firewalled. People have to take this stuff seriously. That's the trade off with software that is feature rich."