[linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

Andrew akohlsmith-le@benshaw.com
Wed Jan 29 18:56:13 PST 2003


> I'm positing the latter.  I know that there are roughly 400m-500m PCs in
> existence.  Presume somewhat more than half of those are Win(3x|9x|ME)
> systems.  That would put a 10-20% marketshare for Win2K server at
> between 5 and 10m units.  Hard data are hard to find -- Microsoft is
> very fond of talking in percent growth, rather than units, and desktop
> and server products are confounded.  Stories in the Jan-Mar 2000 period
> cite 1m units/mo (not distinguishing server and desktop).  Apparently 1m
> server units were shipped by Feb 9, 2001.

I wasn't questioning the number you pulled from /dev/ass (I'll have to 
remember that particular device, it sounds handy) -- I was questioning how 
many of those 10 million units had SQL Server 2000 on them.

> If you read the link posted, you'll find a list of 18 products, (lord
> forgive me for yelling) NOT INCLUDING MS SQL SERVER, that include the MSDE.

You're wrong.  Number 8 (subitems one through three, sub-sub items one through 
three) is SQL Server 2000.

As for the other 17 products (yes I did read the link before replying), only 
Office XP and Visual Studio .NET would have any kind of significant 
deployment, but then again I don't think many of those Win2k deployments 
would be capable of receiving incoming port 1434 from the internet (I don't 
think, anyway).

Two of those 17 products aren't out of Beta yet (Enterprise Server 2003 and 
Windows Server 2003 RC1)

Of those 17 products, the link states that only three of them install SQL 
Server 2000 or the MSDE portions by default.

I think I have made my point as to your gross overestimation of the number of 
susceptible SQL Server 2000 (or MSDE portions thereof) installations.  I know 
that this is kind of anti-elitist, but I would rather deal with more realistic 
numbers.

> Well, we know for a fact that the baseline count is the 16k systems
> Dartmouth logged.

Agreed.  But is that 16k/10M, or 16k/250k?  That's all I was asking.

> Again:  my point is that such small fractions and low numbers were
> sufficient to take out major portions of the Net, such that the only
> option to control the attack was to block port 1434 transmissions.
>
> Or as a friend noted:  what if the infected system had been IIS (or
> Apache for that matter).  Controlling _that_ mode of attack would
> require port 80 blocking.  Globally.  Care to contemplate _that_
> scenario?

Yeah... lots of low latency for my Jabber and IRC conversations, and speedier 
edonkey transfers.  :-)

> I've also pointed out that 99% compliance *is nowhere near good enough*.
> Any increase in the amount of deployed systems increases the vulnerable
> population.  Any increase in the number of vulnerable systems indicates
> that 1% noncompliance is an optimistic estimate.  In either case, the
> point is merely emphasized:  existing protocols for retroactively
> securing deployed systems are inadequate to a highly aggressive attack.

While I would love to say that Microsoft products are this terrible and that 
even if 99% of the admins out there *do* know what they're doing the results 
can be this horrific, I don't think that's accurate.  I also believe that 
taking a stand with numbers like that and getting caught grossly 
underestimating the quality of Microsoft's software, while in fashion right 
now, isn't very professional.

Regards,
Andrew
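
The thread argues over the denominator (how many SQL Server 2000 / MSDE hosts were reachable on port 1434) while agreeing on the numerator (the 16k scanning sources Dartmouth logged). The numerator is the number a site operator can actually measure from its own border firewall logs. The following is an added example, not part of Andrew's message or anything posted on linux-elitists: it counts distinct source addresses hitting UDP/1434 in iptables LOG output, separates the ones inside your own prefix (the hosts you have to clean) from outside sources (which you can only drop at the border), and emits the corresponding block rule. The log lines are constructed for the example, the prefix 203.0.113.0/24 stands in for a site's own allocation, and the interface name eth0 is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines in syslog format (not real traffic,
# not from the original thread). Addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 25 05:31:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=1047 DPT=1434 LEN=384
Jan 25 05:31:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=UDP SPT=1047 DPT=1434 LEN=384
Jan 25 05:31:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=UDP SPT=3120 DPT=1434 LEN=384
Jan 25 05:31:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.12 PROTO=TCP SPT=3121 DPT=80 LEN=60
Jan 25 05:31:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=UDP SPT=2001 DPT=1434 LEN=384
Jan 25 05:31:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=203.0.113.10 PROTO=UDP SPT=1434 DPT=1434 LEN=384
"""

# Only the fields we need; iptables LOG emits them in this order.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield one dict per line that carries an iptables LOG 5-tuple."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def scanning_sources(text, proto="UDP", dport=1434):
    """Map each source address to the set of destinations it hit on proto/dport."""
    hits = defaultdict(set)
    for rec in parse_lines(text):
        if rec["proto"] == proto and int(rec["dpt"]) == dport:
            hits[rec["src"]].add(rec["dst"])
    return dict(hits)


def baseline_count(text, proto="UDP", dport=1434):
    """Distinct sources seen probing proto/dport: the site-local analogue of the
    16k-host count the thread takes as its numerator."""
    return len(scanning_sources(text, proto, dport))


def split_by_prefix(text, own_prefix, proto="UDP", dport=1434):
    """Return (internal, external) sorted source lists. Internal sources are the
    hosts you must patch or unplug; external ones you can only drop at the border."""
    net = ipaddress.ip_network(own_prefix)
    internal, external = [], []
    for src in scanning_sources(text, proto, dport):
        (internal if ipaddress.ip_address(src) in net else external).append(src)
    return sorted(internal), sorted(external)


def border_block_rules(iface="eth0", port=1434):
    """iptables rules dropping inbound 1434 on the border interface (assumed eth0).
    This stops new inbound infections and outbound scanning through this box; it does
    not clean hosts that are already infected."""
    return [
        f"iptables -I INPUT -i {iface} -p udp --dport {port} -j DROP",
        f"iptables -I FORWARD -i {iface} -p udp --dport {port} -j DROP",
        f"iptables -I FORWARD -o {iface} -p udp --dport {port} -j DROP",
    ]


if __name__ == "__main__":
    print("scanning sources:", baseline_count(SAMPLE_LOG))
    inside, outside = split_by_prefix(SAMPLE_LOG, "203.0.113.0/24")
    print("internal (clean these):", inside)
    print("external (drop at border):", outside)
    for rule in border_block_rules():
        print(rule)
```

Note that the TCP/80 line is ignored: the filter keys on protocol and destination port, so the count reflects one port's probes rather than everything the firewall dropped. Counting sources rather than packets matters because a single infected host emits many probes; the packet count says how loud the worm is, the source count says how many machines are infected.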


