A large-scale denial-of-service attack hit the Internet Saturday, causing varying degrees of trouble to computer users and server operators around the world, according to security experts.
The problems began at around 5:30 am GMT (12:30 am EST), and initial reports suggest the cause was a worm that exploits a vulnerability in Microsoft Corp.’s SQL Server.
One of the countries worst affected was South Korea, where most of the nation’s fixed-line and mobile Internet users were unable to access Web sites for nearly half of the day.
“The networks of Internet service providers in South Korea were partially down from about 2:30 p.m. today,” said Lee Kin Tae, a technical assistant at the Korean Computer Emergency Response Team (CERT) in Seoul. “From around that time, most people in South Korea cannot use the Internet.”
From initial technical details, the problems appear to have centered around a vulnerability in Microsoft’s SQL Server and its server resolution service, Lee added. The server resolution service provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance, according to Microsoft.
Other reports also point to this vulnerability as the root of the problems. Antivirus software vendor Symantec Corp. said it noticed a significant increase in scans related to the server resolution service at the same time as problems began hitting the Internet in South Korea.
Microsoft identified three problems in its SQL Server product in late July 2002 and issued a patch to repair all of them. One concerned a vulnerability to denial-of-service attacks in the server resolution service, according to a security bulletin posted on the software company’s Web site.
When a data packet is sent to port 1434, the port used by the service, it replies with a return data packet. A malicious user could change the address on the incoming packet so that it appeared to come from another SQL Server. The return packet would thus be sent to another server, which would in turn send a return packet back, setting up a never-ending loop, said Microsoft. This loop would suck up a large amount of the available resources of the server, making it difficult for legitimate users to access the server.
Symantec said the vulnerability could also be exploited by sending large numbers of packets with random fake addresses to the server, which would in effect create a denial-of-service attack on the server.
The antivirus company identified the worm that exploits this weakness as W32.SQLExp.Worm, DDOS_SQLP1434.A or W32/SQLSlammer.worm. Symantec recommended system administrators using SQL Server immediately check their machines to ensure the relevant patch has been applied and to also consider blocking traffic on port 1434 from unknown machines.
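The two traffic patterns the article describes, a surge of scans against the resolution service and the spoofed 1434-to-1434 reply loop, are things a network operator can look for in flow records. The following is an added example, not code from the article or from any of the vendors named; the flow format and sample records are constructed for illustration, and the thresholds are assumptions.

```python
# Added example: flag hosts scanning the SQL Server resolution service
# (UDP/1434) and spot the spoofed 1434->1434 reflection pattern, using
# constructed flow records in a made-up "src sport dst dport proto bytes" form.
from collections import defaultdict

SSRS_PORT = 1434  # port used by the SQL Server resolution service

# Constructed sample flows: one scanner, one reflection pair, some benign noise.
SAMPLE_FLOWS = """\
10.0.0.5 1434 10.0.0.9 1434 udp 376
10.0.0.9 1434 10.0.0.5 1434 udp 376
203.0.113.7 33012 10.0.1.1 1434 udp 376
203.0.113.7 33012 10.0.1.2 1434 udp 376
203.0.113.7 33012 10.0.1.3 1434 udp 376
203.0.113.7 33012 10.0.1.4 1434 udp 376
198.51.100.3 55000 10.0.2.8 1433 tcp 1200
10.0.0.12 49152 10.0.0.5 1434 udp 60
"""


def parse_flows(text):
    """Parse one flow per line into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        src, sport, dst, dport, proto, nbytes = parts
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes)})
    return flows


def find_ssrs_scanners(flows, min_targets=3):
    """Sources that sent UDP/1434 to at least min_targets distinct hosts (assumed threshold)."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == SSRS_PORT:
            targets[f["src"]].add(f["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def find_reflection_pairs(flows):
    """Host pairs exchanging UDP 1434->1434 in both directions, the spoofed-reply
    loop from Microsoft's bulletin; real client queries use an ephemeral source port."""
    seen = set()
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == SSRS_PORT and f["dport"] == SSRS_PORT:
            seen.add((f["src"], f["dst"]))
    return sorted({tuple(sorted(p)) for p in seen if (p[1], p[0]) in seen})
```

A hit from either function is a cue to verify the patch state of the hosts involved and to confirm that UDP/1434 is filtered from untrusted networks, as Symantec advised.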
A representative of the U.S. National Infrastructure Protection Center (NIPC) confirmed the center was investigating the problems. The NIPC has not posted any alerts on its Web site concerning the worm or vulnerability since Microsoft first identified the weakness in July 2002.
A spokesman for the U.S. Federal Bureau of Investigation declined to comment in detail on the Internet problems, but said, “The bureau is aware a worm was attacking the Internet overnight and we are monitoring it.”
The worm hit a day after South Korea’s Ministry of Information and Communication (MIC) issued an emergency alert on the possibility of denial-of-service attacks, according to local media. The MIC received reports that South Korean computers were to be used as a springboard for attacks, said the country’s Yonhap News Agency.