
utv br0ke?

  • 25-01-2003 10:32am
    #1
    Registered Users Posts: 10,846 ✭✭✭✭


    Can't get onto any of their sites here from work, ping requests time out, can't get my mail....

    Couldn't browse the web or get my mail at home this morning....anyone else getting this?


Comments

  • Closed Accounts Posts: 160 ✭✭Mark_irl


    Same here very bad,


  • Registered Users Posts: 10,846 ✭✭✭✭eth0_


    It's not UTV, it's the internet at large, was attacked around 5am so a lot of sites are down.


  • Closed Accounts Posts: 160 ✭✭Mark_irl


    So I just read, sad cases


  • Registered Users Posts: 15,436 ✭✭✭✭Supercell


    Where did you read that?, any links?

    Have a weather station?, why not join the Ireland Weather Network - http://irelandweather.eu/



  • Closed Accounts Posts: 3,082 ✭✭✭Chris_533976


    Worldcom are in bits this morning. I've heard just about their entire American East Coast network is down, which handles 45% of all American traffic.


  • Registered Users Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Longfield
    Where did you read that?, any links?

    http://average.matrix.net/Daily/markR.html

    m33p!


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    More info on it here:

    http://www.webhostingtalk.com/showthread.php?threadid=107128

    Apparently 5 of the 13 root DNS servers were down at one point. Wonder if it has anything to do with the current US foreign policy decisions....

    Looks like Cogent's network in the US was down for four hours last night, but that's hardly surprising.

    More news here:
    http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html


  • Registered Users Posts: 23,212 ✭✭✭✭Tom Dunne


    I've been called into work - they say it's some kind of worm. It is having a devastating effect on the whole company, both here and all our sites in the US.

    Anybody have any specific info - I can't get to those web sites listed above.


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    What ISP is your company using?

    Here's the text of the CNN article:
    WASHINGTON (AP) -- Traffic on many parts of the Internet slowed dramatically for hours early Saturday, the apparent effects of a fast-spreading, virus-like infection that overwhelmed the world's digital pipelines and interfered with Web browsing and delivery of e-mail.

    Sites monitoring the health of the Internet reported significant slowdowns globally. Experts said the electronic attack bore remarkable similarities to the "Code Red" virus during the summer of 2001 which also ground traffic to a halt on much of the Internet.

    "It's not debilitating," said Howard Schmidt, President Bush's No. 2 cyber-security adviser. "Everybody seems to be getting it under control." Schmidt said the FBI's National Infrastructure Protection Center and private experts at the CERT Coordination Center were monitoring the attacks.

    The virus-like attack, which began about 12:30 a.m. EST, sought out vulnerable computers on the Internet to infect using a known flaw in popular database software from Microsoft Corp., called "SQL Server 2000." But the attacking software code was scanning for victim computers so randomly and so aggressively -- sending out thousands of probes each second -- that it overwhelmed many Internet data pipelines.

    "This is like Code Red all over again," said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the earliest to study samples of the attack software. "The sheer number of attacks is eating up so much bandwidth that normal operations can't take place."

    "The impact of this worm was huge," agreed Ben Koshy of W3 International Media Ltd., which operates thousands of Web sites from its computers in Vancouver. "It's a very significant attack."

    Koshy added that, about six hours after the attack, commercial Web sites that had been overwhelmed were starting to come back online as engineers began effectively blocking the malicious data traffic.

    "People are recovering from it," Koshy said.

    Symantec Corp., an antivirus vendor, estimated that at least 22,000 systems were affected worldwide.

    "Traffic itself seems to have leveled off a little bit, so likely only so many systems are exposed out there," said Oliver Friedrichs, senior manager with Symantec Security Response. The attacking software, technically known as a worm, was overwhelming Internet traffic-directing devices known as routers.

    "The Internet is still usable, but we're definitely receiving reports from some of our customers who have had it affect their routers specifically," Friedrichs said.

    The attack sought to take advantage of a software flaw discovered by researchers in July 2002 that permits hackers to seize control of corporate database servers. Microsoft deemed the problem "critical" and offered a free repairing patch, but it was impossible to know how many computer administrators applied the fix.

    "People need to do a better job about fixing vulnerabilities," Schmidt said.

    The latest attack was likely to revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed. Some Internet industry executives and lawyers said they would raise serious civil liberties concerns if the U.S. government, not an industry consortium, operated such a powerful monitoring center.


  • Registered Users Posts: 10,846 ✭✭✭✭eth0_


    It's using UDP port 1434, http://average.matrix.net/Daily/markR.html

    Seems to be recovering a little


  • Registered Users Posts: 500 ✭✭✭Nuphor


    3 domains of mine have gone down. Mail servers, ftp servers the whole freaking lot. This is one helluva DOS attack.

    For the love of jesus, anyone with hosting here get their admins to download SP3 for MS SQL Server.

    http://winxp.bink.nu/


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    UUNet/Worldcom are still experiencing problems:

    http://www.internetpulse.net/


  • Registered Users Posts: 500 ✭✭✭Nuphor


    Maybe CS 1.6 is out? Heh. Things are still not working. I can't call hostroute either. God damnit.


  • Registered Users Posts: 3,739 ✭✭✭BigEejit


    Heh .. this thread was the first I heard of it ... I was cursing twinhead for their web****e ... it looked like it was being served from a 286 or something ... I'll have a go again next week for those sound drivers...


  • Registered Users Posts: 500 ✭✭✭Nuphor


    Update: All 3 domains have come on back again. Looks like hostroute got my mail. DNS server issue.

    I'm happy again.


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    Here's a good summary of what's up (taken from the Webhosting talk site):
    At approximately 2130hrs (PST) or 0530hrs (GMT) an
    apparent worm (still being analyzed for payload content)
    began distributing itself across the Internet via port
    1434/UDP (Microsoft-SQL-Monitor). It apparently is
    making effective use of the buffer overrun security issue
    as outlined in http://www.intelenet.net/news/mssql-udp.txt

    So far several of the major backbone providers have gone
    down due to the nature of how this system propagates.
    Since it is using UDP across a blanket of IPs (no
    specific target), routers, switches, and other network
    devices are being flooded with the UDP port openings.
    Most router CPUs were maxing at 100% and began dropping
    ASN advertisements causing huge segments of the Internet
    to "flap" in place.

    All major backbone providers are rapidly installing port
    1434/UDP filters at all borders and within colocation
    spaces to attempt to isolate this as fast as possible.

    Current speculation is that stopping and restarting the
    SQL process will clear the worm until another hit is
    made. Suggest not only patching your SQL server
    (assuming that there is a patch for this) as well as
    installing any firewall rules that you can to filter out
    BOTH inbound and outbound port 1434/UDP.
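
An added example, not part of the quoted summary or of any post in this thread: one way to spot an infected internal host from flow records is the fan-out the summary describes, a single source sending UDP/1434 to many unrelated destinations in a short time. The flow-line format, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PORT = 1434  # UDP port named in the thread (Microsoft-SQL-Monitor)

# Constructed sample flows, format "ts src dst proto dport" (an assumed format).
SAMPLE_FLOWS = """\
0.00 10.0.0.5 192.0.2.17 udp 1434
0.05 10.0.0.5 198.51.100.203 udp 1434
0.10 10.0.0.5 203.0.113.9 udp 1434
0.15 10.0.0.5 192.0.2.88 udp 1434
0.20 10.0.0.5 198.51.100.4 udp 1434
0.25 10.0.0.5 203.0.113.140 udp 1434
0.30 10.0.0.9 10.0.0.20 udp 1434
2.30 10.0.0.9 10.0.0.20 udp 1434
0.40 10.0.0.7 192.0.2.53 udp 53
0.41 10.0.0.7 198.51.100.53 udp 53
""".splitlines()


def parse_flow(line):
    """Parse one constructed flow line into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto.lower(), int(dport)


def find_udp1434_scanners(lines, window_s=1.0, min_dsts=5):
    """Return {src: peak distinct UDP/1434 destinations inside any window}
    for sources reaching min_dsts. A client that repeatedly queries one
    known SQL server stays at 1 and is not reported."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still in the window
    peak = defaultdict(int)
    for ts, src, dst, proto, dport in sorted(map(parse_flow, lines)):
        if proto != "udp" or dport != PORT:
            continue  # only the port the worm propagates on
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()  # drop flows that fell out of the window
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_dsts}


if __name__ == "__main__":
    print(find_udp1434_scanners(SAMPLE_FLOWS))
```

Hosts reported this way are candidates for isolation and patching; the outbound 1434/UDP filter the summary recommends keeps them from adding to the flood in the meantime.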


  • Closed Accounts Posts: 2,161 ✭✭✭steve-hosting36


    Bit more here, we were affected also:

    http://hosting365.ie/phpBB2/viewtopic.php?t=126


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    It looks like we've all been affected:
    http://www.blacknightsolutions.com/mrtg

    quite scary!


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    Looks like you had a busy morning :)

    Are there any graphs of all of the traffic in DEG (like Rackshacks)?


  • Registered Users Posts: 1,862 ✭✭✭flamegrill


    You could say we were kinda busy since about 9am :p

    well over 150GB of data fired at our boxes today.

    It's crazy.

    Paul


  • Closed Accounts Posts: 2,161 ✭✭✭steve-hosting36


    Nope, DEG do not make their transit figures public, but I can tell you that our chunk (the bit boards is also on) was hit with 100mbps this morning, which we have throttled to about 20Mbps atm.

