On January 25, 2003, the SQL Slammer worm was observed in Japan, affecting various ISPs and infrastructure, but fortunately with a manageable impact. The first detection occurred in a Tokyo SOC around noon, with subsequent observations in the operations centers of many ISPs and backbone holders. By 6 PM it was confirmed as SQL Slammer. Some ISPs installed filters on their international links; an over-simple filter (dropping all 1434/UDP, which also discards DNS answers sent from 53/UDP to a resolver's port 1434) caused initial problems that were quickly fixed. Alerts and bulletins from NPA, IPA, and JPCERT/CC emphasized prompt patching and preparedness to mitigate future threats.
1.25 worm incident: JP situation
Suguru Yamaguchi, JPCERT/CC
Overview (1)
• Pandemic, but no severe impact on our infrastructure in Japan
• 1.25, around noon: first observation in the SOC of a company in Tokyo
• 1.25, 1400-1430: first observations in the operations centers of many ISPs and backbone holders
• 1.25, around 1800: one SOC in Japan officially announced that this was caused by SQL Slammer
• 2 or 3 ISPs installed filters on their international link gateways
• "Too simple" filtering caused some trouble, but was fixed immediately
• Simply filtering out all 1434/UDP is not good: a resolver that sent its query from port 1434 never receives the answer
• Filter traffic bound for 1434/UDP, except packets sourced from 53/UDP (DNS)
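The two filters from the bullets above, as an added example that is not part of the original slides: a small Python model of the "too simple" rule beside the refined one, run over constructed packet records. The record format, the documentation-range addresses and the port numbers other than 1434 and 53 are assumptions made for the illustration.

```python
# Added example, not from the JPCERT/CC slides: a minimal model of the two
# border filters, run over constructed packet records. Addresses, ephemeral
# ports and the record format are assumptions for illustration only.
from dataclasses import dataclass

SLAMMER_PORT = 1434   # MS SQL resolution service, the port Slammer targets
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def naive_filter(pkt: Packet) -> bool:
    """The 'too simple' rule: drop everything bound for 1434/UDP.

    Returns True when the packet is forwarded."""
    return not (pkt.proto == "udp" and pkt.dport == SLAMMER_PORT)


def refined_filter(pkt: Packet) -> bool:
    """Drop traffic bound for 1434/UDP unless it is sourced from 53/UDP.

    A resolver that sent its query from ephemeral port 1434 gets the answer
    from 53/UDP to 1434/UDP; the naive rule discards that answer."""
    if pkt.proto == "udp" and pkt.dport == SLAMMER_PORT and pkt.sport != DNS_PORT:
        return False
    return True


def forwarded(rule, packets):
    """Apply a filter rule and return the packets it lets through."""
    return [p for p in packets if rule(p)]


# Constructed traffic sample (documentation-range addresses, not real hosts).
WORM_PROBE = Packet("udp", "203.0.113.7", 1045, "192.0.2.20", 1434)   # worm scan
DNS_ANSWER = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 1434)   # reply to a query sent from port 1434
DNS_QUERY = Packet("udp", "192.0.2.10", 1434, "198.51.100.53", 53)    # the query itself
SQL_TCP = Packet("tcp", "192.0.2.30", 40000, "192.0.2.40", 1434)     # TCP to 1434 is not the worm's vector
SAMPLE = [WORM_PROBE, DNS_ANSWER, DNS_QUERY, SQL_TCP]


def compare_rules(packets=SAMPLE):
    """Return, per rule, the list of sample packets that are forwarded."""
    return {
        "naive": forwarded(naive_filter, packets),
        "refined": forwarded(refined_filter, packets),
    }


if __name__ == "__main__":
    for name, passed in compare_rules().items():
        print(name, [f"{p.src}:{p.sport}->{p.dst}:{p.dport}/{p.proto}" for p in passed])
```

The naive rule stops the worm probe but also eats the DNS answer; the refined rule keeps the answer and still drops the probe. In iptables terms the refined rule is `-p udp --dport 1434 ! --sport 53 -j DROP`. The exception is itself a hole: anything sent from source port 53 to 1434/UDP passes, so this is an emergency measure at the border, not a substitute for patching the hosts.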
Overview (2)
• 1.26: NPA and IPA released alerts about SQL Slammer
• 1.27: JPCERT/CC released a technical bulletin, again, on fixing the security hole
Technical Aspect (1)
• About 1 Mbps generated by a single infected host
• 1434/UDP
• Faster than other worms
• Random IP address selection for attack, so the IP packet forwarding cache at routers suffered badly: almost every packet is a cache miss
• Exactly the same as in the CodeRed and Nimda cases
• Many backbone holders have their own "workaround" techniques to keep performance up
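The route-cache point above, as an added example that is not part of the original slides: a toy LRU forwarding cache fed first with random 32-bit destinations (the worm's target selection) and then with ordinary traffic concentrated on a small working set of destinations. The cache size, packet counts, working-set size and random seeds are assumptions chosen for the illustration; real router caches of the era differed in detail.

```python
# Added example, not from the slides: a simplified model of a per-destination
# forwarding cache, to show why a worm that picks random targets defeats it.
# Capacity, traffic volumes, working-set size and seeds are assumptions.
import random
from collections import OrderedDict


class RouteCache:
    """LRU cache keyed by destination address, counting hits and misses."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, dst: int) -> bool:
        """Return True on a hit; on a miss, install the entry and evict the LRU one."""
        if dst in self.entries:
            self.entries.move_to_end(dst)
            self.hits += 1
            return True
        self.misses += 1
        self.entries[dst] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False

    def miss_rate(self) -> float:
        total = self.hits + self.misses
        return self.misses / total if total else 0.0


def worm_destinations(n: int, seed: int = 1):
    """Slammer-style target selection: a fresh random 32-bit address per packet."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def normal_destinations(n: int, distinct: int = 500, seed: int = 2):
    """Ordinary traffic: many packets to a small working set of destinations."""
    rng = random.Random(seed)
    return [rng.randrange(distinct) for _ in range(n)]


def simulate(dests, capacity: int = 1000) -> float:
    """Feed a destination stream through the cache and return its miss rate."""
    cache = RouteCache(capacity)
    for d in dests:
        cache.lookup(d)
    return cache.miss_rate()


if __name__ == "__main__":
    print("worm   miss rate: %.3f" % simulate(worm_destinations(20_000)))
    print("normal miss rate: %.3f" % simulate(normal_destinations(20_000)))
```

With a 1000-entry cache, the ordinary stream misses only while the 500-address working set warms up (a few percent), whereas the random stream misses on practically every packet, so each worm packet takes the router's slow path. Which specific workarounds the backbone operators used is not stated on the slides.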
Technical Aspect (2)
• DNS trouble?
• A Korea-specific problem, at the beginning
• Not caused directly by the worm, but the saturated links affected DNS lookups
Lessons
• Update your software properly
• Prepare for such cases, as we have done so far
• Quick response
• Traffic/incident observation on the backbone