GoFuckYourself.com - Adult Webmaster Forum

-   -   Internet is getting ass fucked! (https://gfy.com/showthread.php?t=102425)

nuclei 01-25-2003 01:44 AM

Quote:

Originally posted by KDizzla


bullshit! something is fucking the uunet up. it is being hit hard.

KD

KD, if you look at the traffic reports, it is affecting every backbone equally, not focused on just uunet. And it's getting worse steadily.

Zebra 01-25-2003 01:44 AM

A few good links on the current problem:
http://www.kb.cert.org/vuls/id/370308
http://average.matrix.net/Daily/markR.html

pr0 01-25-2003 01:45 AM

Quote:

Originally posted by Equinox
welcome to battlefield internet.

where's that pic of john travolta, we need some cheering up

picindex 01-25-2003 01:45 AM

something tells me this is going to go on for a little bit of time... :(

surfers are going to be pissed!

X37375787 01-25-2003 01:45 AM

Quote:

Originally posted by pr0


where's that pic of john travolta, we need some cheering up

nothing's gonna cheer me up now, fuck that.


someone fix the fucking plug!

nuclei 01-25-2003 01:47 AM

Zebra: good catch. I was just searching for the cert advisory on this too :P

KDizzla 01-25-2003 01:47 AM

it is a worm. fucken mother fuckers!

KD

Bulworth 01-25-2003 01:47 AM

Quote:

Originally posted by KDizzla


bullshit! something is fucking the uunet up. it is being hit hard.

KD

It isn't provider-specific. Check out Above/MFNX

http://west-boot.mfnx.net/traffic/iad/iad-nyc-oc48.html

(Their MRTG is configged for recent == left)

UUNet isn't the only one being hit - it's everywhere. I'm rejecting about 10 packets per minute on my cable modem. Oh joy, half the country's asleep, it'll likely only get worse as everyone wakes up, turns on their puters, and gets infected by whatever worm this is.

What a day this will be :)

Brad Mitchell 01-25-2003 01:49 AM

I'm noticing a 60% drop in traffic since midnight EST... I think everyone here is underestimating the effect this is having on the internet rootservers! Not having any problems on my network to speak of, except that from different places in the country different routes seem to perhaps not be working.

Let's all cross our fingers.

Brad

quiet 01-25-2003 01:49 AM

Quote:

Originally posted by Bulworth
Oh joy, half the country's asleep, it'll likely only get worse as everyone wakes up, turns on their puters, and gets infected by whatever worm this is.

What a day this will be :)

:glugglug

TomsPics 01-25-2003 01:49 AM

Damn man, sux to be you guys i been smokin all day 300k down easily.. good connection to all hosts that i have hit so far.. Dunno *shrugs*..

nuclei 01-25-2003 01:50 AM

Quote:

Originally posted by TomsPics
Damn man, sux to be you guys i been smokin all day 300k down easily.. good connection to all hosts that i have hit so far.. Dunno *shrugs*..

wait til people wake up and hop on....

quiet 01-25-2003 01:50 AM

Quote:

Originally posted by SinEmpire
I'm noticing a 60% drop in traffic since midnight EST... I think everyone here is underestimating the effect this is having on the internet rootservers! Not having any problems on my network to speak of, except that from different places in the country different routes seem to perhaps not be working.

Let's all cross our fingers.

Brad

i've been seeing worse since just after midnight Florida time.

EscortBiz 01-25-2003 01:50 AM

someone said that SQL is affected, so does that mean SQL databases lost all data in them?

pr0 01-25-2003 01:51 AM

think its the [email protected] dude? :1orglaugh

PersianKitty 01-25-2003 01:51 AM

Course I just have one little ole site to look at, but my traffic seems unfazed so far.

Was having problems earlier getting to a few places, mostly seemed like Sprint out of Seattle for me. Better now, but still finding a few places I can't reach.

iwantchixx 01-25-2003 01:54 AM

http://forums.military.com/1/OpenTop...m=455198241 6

*****************************************

MASSIVE DDOS ATTACKS ALL OVER U.S.
--------------------------------------------------------------------------------
We are monitoring massive Distributed Denial of Service attacks all over the U.S. tonight starting at around 11:30 PM CST. As many as 5 of the 13 root nameservers have been down, up to 10 with massive packet loss (xx%):

Internet Status to Root Name Servers
Date: Fri Jan 24 21:37:00 PST 2003

Place  Address              Packet Loss  Time: Min/Avg/Max
Root   b.root-servers.net   53%          25/40/48
Root   c.root-servers.net   0%           82/82/82
Root   e.root-servers.net   20%          16/29/33
Root   f.root-servers.net   26%          17/27/32
Root   h.root-servers.net   20%          91/101/108
Root   i.root-servers.net   26%          190/199/205
Root   j.root-servers.net   26%          81/91/96
Root   k.root-servers.net   64%          172/188/201
Root   l.root-servers.net   0%           5/5/6
Root   m.root-servers.net   33%          160/171/205
GTLD   b.gtld-servers.net   26%          52/63/67
GTLD   c.gtld-servers.net   31%          85/93/95
GTLD   d.gtld-servers.net   13%          88/100/103
GTLD   f.gtld-servers.net   22%          38/50/57
GTLD   i.gtld-servers.net   0%           198/200/203
GTLD   k.gtld-servers.net   24%          90/100/105
GTLD   l.gtld-servers.net   33%          128/138/171


All backbone providers are suffering major packet loss (XX%):

Place                  Address                    Packet Loss  Time: Min/Avg/Max
AboveNet               ns.above.net               28%          53/64/66
AGIS                   ns1.agis.net               26%          62/74/78
AlohaNet               nuhou.aloha.net            35%          84/94/98
ANS                    ns.ans.net                 26%          83/97/100
BBN-NearNet            nic.near.net               28%          91/114/572
BBN-BARRnet            ns1.barrnet.net            26%          16/26/32
Best                   ns.best.com                35%          79/89/95
Concentric             nameserver.concentric.net  35%          18/31/56
CW                     ns.cw.net                  28%          88/98/105
DIGEX                  ns.digex.net               31%          78/86/91
ENTER.NET              dns.enter.net              28%          91/104/108
Epoch Internet         ns1.hlc.net                33%          37/48/52
Flash net              ns1.flash.net              17%          80/92/94
GetNet                 ns1.getnet.com             20%          40/52/56
GlobalCrossing         name.roc.gblx.net          24%          85/97/104
GoodNet                ns1.good.net               31%          83/92/97
GridNet                grid.net                   20%          80/92/101
IDT Net                ns.idt.net                 20%          91/104/121
Internex               nic1.internex.net          26%          18/31/35
MCI                    ns.mci.net                 22%          91/103/107
MindSpring             itchy.mindspring.net       15%          75/88/106
NAP.NET                ns2.nap.net                20%          73/85/94
PacBell                ns1.pbi.net                0%           89/89/90
Primenet               dns1.primenet.net          20%          31/41/45
PSI                    ns.psi.net                 0%           82/84/160
RAINet                 ns.rain.net                31%          40/49/53
SAVVIS                 ns1.savvis.net             31%          88/99/102
SprintLink             ns1.sprintlink.net         11%          15/27/35
UUNet,AlterNet         auth00.ns.uu.net           26%          89/98/103
Verio-West             ns0.verio.net              22%          31/42/47
Verio-East             ns1.verio.net              22%          86/96/101
VISInet                ceylon.visinet.ca          20%          102/116/188
MoonGlobal-ClubNET     ns.clubnet.net             0%           0/1/2
MoonGlobal-Netway      dns.nwc.net                4%           6/6/7
MoonGlobal-Netxactics  verdi.netxactics.com       4%           6/6/7
InterWorld             ns.interworld.net          0%           4/4/5


It's massive, no word on source yet. We are watching it closely.

Brad G
American Intelligence
www.americanintelligence.us

Bulworth 01-25-2003 01:54 AM

Quote:

Originally posted by EscortBiz
someone said that SQL is affected, so does that mean SQL databases lost all data in them?

Not sure yet. It's the MS-SQL port that's being targeted, so presumably the worm affects MS-SQL servers. There's no telling (yet) what exactly the worm does once it infects a host - that is, aside from sending out UDP floods like a motherfucker.

MySQL runs on port 3306. I'm not noticing any unusual traffic there, I think it's safe to say that this is yet another Microsoft-only w3rm.

nuclei 01-25-2003 01:54 AM

Quote:

Originally posted by pr0
think its the [email protected] dude? :1orglaugh

you getting 150+ emails from him daily too? :1orglaugh

TomsPics 01-25-2003 01:55 AM

Quote:

Originally posted by pr0
think its the [email protected] dude? :1orglaugh

Dood, wtf i got like.. 5 emails from that mofo... Weird... I'm pretty sure it's some kind of worm but i wasn't sure who was sending it to me.. humph..

X37375787 01-25-2003 01:56 AM

Yall know what?

The only thing that makes me sleep well during a crisis like this is the fact that I am NOT the one losing millions of $ when the shit hits the fan. :thumbsup

picindex 01-25-2003 01:57 AM

Quote:

Originally posted by nuclei


you getting 150+ emails from him daily too? :1orglaugh

I used to till I started rejecting his mail at the server level...

fuck that guy

pr0 01-25-2003 01:57 AM

Quote:

Originally posted by nuclei


you getting 150+ emails from him daily too? :1orglaugh

holy fucking shit its incredible, he must be on a OC48

Brad Mitchell 01-25-2003 01:57 AM

I might have mis-reported the traffic drop I'm seeing on my SinHost, it looks like I've possibly got a bad port reading for the MRTG. I guess the important thing is that I haven't had any problems reaching my network at all. <phew>

Brad

Bulworth 01-25-2003 01:58 AM

Quote:

Originally posted by TomsPics



Dood, wtf i got like.. 5 emails from that mofo... Weird... I'm pretty sure it's some kind of worm but i wasn't sure who was sending it to me.. humph..

The [email protected] emails are from the Sobig worm.

http://vil.nai.com/vil/content/v_99950.htm

nuclei 01-25-2003 02:00 AM

Quote:

Originally posted by Bulworth
The [email protected] emails are from the Sobig worm.

http://vil.nai.com/vil/content/v_99950.htm

Looks like yer report got in first at slashdot bul, prepare for the effect....

:1orglaugh :1orglaugh

Simon-interaid 01-25-2003 02:00 AM

This is some major shit...

GotGauge 01-25-2003 02:01 AM

Looks Better now
http://www.internetpulse.com/

Just a Little...:BangBang:

Bulworth 01-25-2003 02:02 AM

I have just received word that SpeakEasy DSL's security team has blocked all inbound UDP 1434. So at least there's a large batch of folks who will not be getting infected. Let's hope other ISPs follow suit, tout de suite...

Brad Mitchell 01-25-2003 02:02 AM

Ok here's the deal

finally something conclusive!!

One of my own servers running SQL seemed to be affected. I terminal service'd in and it was at 100% cpu utilization. From MRTG I could see that there was a problem because the system that normally averages 30kb/s out was at 2700kb/s out... evident of some type of outgoing attack.

I was unable to just stop the SQL service so I set it to 'disable' and rebooted the fucker. Also, I disabled the RPC service. Then I rebooted. Everything looks ok, system is at 1% CPU utilization as usual and there is no more outgoing traffic... looks like I'll just wait till morning on this one to try and figure out how I can safely start the SQL service back up.

This system WAS patched with the microsoft critical update just the other day. Not sure what's going on but I'm sure we'll see a definitive http://www.cert.org update shortly.

Best of Luck

Brad

nuclei 01-25-2003 02:04 AM

Quote:

Originally posted by SinEmpire
Ok here's the deal

finally something conclusive!!

One of my own servers running SQL seemed to be affected. I terminal service'd in and it was at 100% cpu utilization. From MRTG I could see that there was a problem because the system that normally averages 30kb/s out was at 2700kb/s out... evident of some type of outgoing attack.

I was unable to just stop the SQL service so I set it to 'disable' and rebooted the fucker. Also, I disabled the RPC service. Then I rebooted. Everything looks ok, system is at 1% CPU utilization as usual and there is no more outgoing traffic... looks like I'll just wait till morning on this one to try and figure out how I can safely start the SQL service back up.

This system WAS patched with the microsoft critical update just the other day. Not sure what's going on but I'm sure we'll see a definitive http://www.cert.org update shortly.

Best of Luck

Brad

Brad simply ask your host to block UDP at port 1434 at the routers

Bulworth 01-25-2003 02:04 AM

Quote:

Originally posted by nuclei


Looks like yer report got in first at slashdot bul, prepare for the effect....

I wish! They haven't posted it but they didn't reject it either. And there's no effect, I submitted anon cause I figured they'd reject it if it looked like I was tryin to promote something... :P

If /. goes with the story from "Slowdown" then ya heard it here first... heh heh

nuclei 01-25-2003 02:06 AM

Quote:

Originally posted by Bulworth
I wish! They haven't posted it but they didn't reject it either. And there's no effect, I submitted anon cause I figured they'd reject it if it looked like I was tryin to promote something... :P

If /. goes with the story from "Slowdown" then ya heard it here first... heh heh

lol

pr0 01-25-2003 02:06 AM

i bet $50 it wasn't a terrorist thang

Brad Mitchell 01-25-2003 02:07 AM

Quote:

Originally posted by nuclei


Brad simply ask your host to block UDP at port 1434 at the routers

I am my own host.. Verio, my upstream, is blocking that already, apparently. What I have just figured out is that my one Windows MS SQL server was flooding every other server inside my network with inbound packets. Since I fixed that one server, problem solved.

Brad
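
The pattern Brad describes above (one internal MS SQL host flooding other machines on UDP 1434 while the upstream already blocks inbound probes) can be picked out of flow records. This is an added example, not part of the original thread; the 10.0.0.0/24 range, the record format, the sample flows and the fan-out threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example, not from the thread):
INTERNAL = ip_network("10.0.0.0/24")   # our own address range
WORM_PORT = 1434                       # UDP port named in the thread
FANOUT_THRESHOLD = 5                   # distinct destinations per minute

# Constructed flow records: "HH:MM:SS src dst proto dport bytes"
SAMPLE_FLOWS = """\
02:05:01 10.0.0.20 10.0.0.5 udp 1434 404
02:05:01 10.0.0.20 10.0.0.8 udp 1434 404
02:05:02 10.0.0.20 192.0.2.44 udp 1434 404
02:05:02 10.0.0.20 198.51.100.91 udp 1434 404
02:05:03 10.0.0.20 203.0.113.17 udp 1434 404
02:05:03 10.0.0.20 10.0.0.30 udp 1434 404
02:05:10 10.0.0.30 10.0.0.20 udp 1434 29
02:05:12 198.51.100.7 10.0.0.5 udp 1434 404
02:06:40 203.0.113.9 10.0.0.8 udp 1434 404
02:06:41 10.0.0.30 10.0.0.20 tcp 1433 60
"""

def parse(line):
    """Split one record into (minute, src, dst, proto, dport)."""
    ts, src, dst, proto, dport, _size = line.split()
    return ts[:5], ip_address(src), ip_address(dst), proto, int(dport)

def classify(flows_text):
    """Return (internal hosts fanning out on UDP 1434, inbound probes per minute)."""
    fanout = defaultdict(set)    # (minute, internal src) -> distinct destinations
    inbound = defaultdict(int)   # minute -> probes arriving from outside
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        minute, src, dst, proto, dport = parse(line)
        if proto != "udp" or dport != WORM_PORT:
            continue             # e.g. ordinary TCP 1433 client traffic
        if src in INTERNAL:
            fanout[(minute, src)].add(dst)
        elif dst in INTERNAL:
            inbound[minute] += 1
    # One lookup to a single server is normal; many distinct targets is not.
    suspects = sorted({str(src) for (_m, src), dsts in fanout.items()
                       if len(dsts) >= FANOUT_THRESHOLD})
    return suspects, dict(inbound)

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```

Blocking UDP 1434 at the border only affects the inbound count; the fan-out check is what finds a host that is already sending from inside.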

Mr.Fiction 01-25-2003 02:07 AM

Quote:

Originally posted by GotGauge
Looks Better now
http://www.internetpulse.com/

I don't think so. It's up and down, but not better yet.

nuclei 01-25-2003 02:09 AM

Quote:

Originally posted by Mr.Fiction


I don't think so. It's up and down, but not better yet.

it will keep fluctuating as users get frustrated and log off and new ones log on. Then in the morning when everyone wakes up, assuming their providers haven't blocked all this shit by then, we will see a huge spike.

pr0 01-25-2003 02:10 AM

Quote:

Originally posted by nuclei


it will keep fluctuating as users get frustrated and log off and new ones log on. Then in the morning when everyone wakes up, assuming their providers haven't blocked all this shit by then, we will see a huge spike.

providers or not, some providers & hosts (especially foreign) will bust a fucking bandwidth nut in the morning

nuclei 01-25-2003 02:11 AM

Quote:

Originally posted by pr0


providers or not, some providers & hosts (especially foreign) will bust a fucking bandwidth nut in the morning

you better believe that shit :thumbsup

Bulworth 01-25-2003 02:19 AM

Quote:

Originally posted by pr0


providers or not, some providers & hosts (especially foreign) will bust a fucking bandwidth nut in the morning

No kidding! Wonder if the major peers will write it off, or if they'll actually charge each other for all this shit. My guess is most NAPs are sending as much out as they're getting in, if I were them I'd put a moratorium on charges for today and call it even, heh.

Bulworth 01-25-2003 02:39 AM

Couple choice quotes from IRC reflecting the monstrosity of this...

[02:10] [dba****] heh my tampa pop is moving 35 Megabits outbound. :)
[02:10] [RyJ****] what's normal?
[02:10] [dba****] at 3am EST? maybe half a megabit

--

[03:20] [swi****] 5 minute output rate 6734000 bits/sec, 1937 packets/sec

--

My cable conn is still averaging about 10 probes/minute:

00001 1720 694880 deny log udp from any to any 1434

All I can say is "yikes." Talk about a fucking waste of bandwidth... This is only gonna get worse throughout the day :/

sexysphere 01-25-2003 02:45 AM

nothing works fine for me :-(

-=HUNGRYMAN=- 01-25-2003 03:37 AM

It seems NGSS alerted M$ to this vulnerability on MAY 17, 2002. and there has been an available fix since July 24th ... :eek7

http://www.microsoft.com/technet/tre...n/MS02-039.asp :arcadefre

-=HUNGRYMAN=- 01-25-2003 03:44 AM

The patch for MySQL 2000 servers and MSDE 2000 servers can be downloaded from here

http://www.microsoft.com/Downloads/R...eleaseID=40602

Mr.Fiction 01-25-2003 03:47 AM

Quote:

Originally posted by -=HUNGRYMAN=-
The patch for MySQL 2000 servers and MSDE 2000 servers can be downloaded from here

http://www.microsoft.com/Downloads/R...eleaseID=40602

In a post earlier in this thread Sintalk says one of his servers was patched and it still had the problem.

pr0 01-25-2003 09:54 AM

so who all ended up going down, host wise?

CoolE 01-25-2003 10:20 AM

So I figure I lost about $800 in revenue from this incident - the sales are coming in steady again now after about 8 hours of on-again-off-again disruption.

How much did you all lose out of this?

My Linux server was not directly touched by this worm, but by virtue of being near some Windows servers, I got hit hard by this incident.

It's time that the world's governments started taking cyberterrorism (hacking and virus writing) seriously. Some serious fucking jail time would be appropriate for these clowns.

MafiaBoy got what, 4 months in reform school, for his games? Our elected representatives need to do better at protecting the internet economy.

Nasty 01-25-2003 10:26 AM

Quote:

Originally posted by PersianKitty
Sorry ya'll it was me.

First I spilled my diet pepsi on my keyboard.. then when I rushed out of the room to clean it up I accidentally kicked out the plug Al Gore gave me years ago. I just figured it out and plugged it back in. I used duct tape over it now so I won't pull it out again.

hehe :thumbsup

SquarePants 01-25-2003 10:35 AM

:thumbsup

:ak47: :ak47: Hackers

sexsami 01-25-2003 10:43 AM

what is the bottom line here?

what is going down? all the big domain registrars seem to be down too...

hackers attack from Iraq ?


All times are GMT -7.