
Page 1: University of Washington Computing & Communications, Recent Computer Security Incidents, Terry Gray, Director, Networks & Distributed Computing, 03 October

University of Washington Computing & Communications

Recent Computer Security Incidents

Terry Gray, Director, Networks & Distributed Computing

03 October 2003

Page 2

Major Attacks

• Dec 2000: Hospital records release

• Jul 2001: Microsoft web server (Code Red)

• Sep 2001: Microsoft web server (Nimda)

• Mar 2002: SSH libraries (e.g. Slapper)

• Jun 2002: DNS libraries

• Aug 2002: The Great Spam Attack

• Jan 2003: Microsoft SQL (Slammer)

• Jul 2003: Microsoft RPC (Blaster, etc.)

• Aug 2003: SoBig.F virus

Page 3

January 2003: Microsoft SQL (Slammer)

• Allows system takeover

• Aggressive spread (unintended DOS?)

• Many vulnerable applications

• High impact on network routers

• Significant collateral damage to adjacent computers/subnets

• Simple port blocking damages legit traffic

Page 4

Slammer Impact on UW

• Older routers failed under load

• Hard to identify/shut off source during attack

• Some critical subnets affected for many hours

• Older net infrastructure hampers defense

– Accelerated phase-out of older routers

– Hubs/switches/wireplant still a problem

• Improved locate/isolate tools

Page 5

July 2003: Microsoft RPC (Blaster, etc.)

• Several variants (directed & worm attacks)

• Some attacks allow system takeover

• Windows vulnerability: all recent versions

• Two Microsoft patches (so far)

• Border blocking:

– effective only temporarily

– breaks popular applications

– or forces deployment of VPNs

Page 6

RPC Impact on UW

• Windows infection rate: over 20% (6200)

• Mean-Time-To-Infection: 2 minutes

• > 12,000 msgs handled by SecOps in Sept

• Lots of tools developed to detect/block/fix

– real-time auto-blocking

– self-service unblocking

– internal patch page

• CD campaign for returning students
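The slide above lists real-time auto-blocking among the tools built during the RPC outbreak, and the Slammer slide earlier notes that simple port blocking damages legitimate traffic. The following is an added example, not the University of Washington's tooling: a small fan-out detector over constructed flow records that flags a host as worm-infected only when it contacts many distinct destinations on the worm's port within a short window, so a legitimate client talking to one SQL server on the same port is left alone. The port numbers (UDP 1434 for Slammer, TCP 135 for Blaster) are the well-known targets of those worms and are not taken from the slides; the flow line format, the 60-second window and the fan-out threshold of 20 are assumptions of the example.

```python
"""Fan-out based detection of worm-style scanning in flow records.

Added example, not the University of Washington's tooling. The flow
records below are constructed; the watched ports are the well-known
Slammer (UDP/1434) and Blaster (TCP/135) targets, a fact not taken
from the slides.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Well-known worm target ports (assumed for the example, not from the slides).
WATCHED = {("udp", 1434): "Slammer", ("tcp", 135): "Blaster"}

# A host that reaches this many distinct destinations on a watched port
# within the window looks like a scanner, not a client of one server.
FANOUT_THRESHOLD = 20


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport))


def detect_scanners(lines, window=60.0, threshold=FANOUT_THRESHOLD):
    """Return {src: (worm_name, peak_fanout)} for sources that contacted at
    least `threshold` distinct destinations on a watched port within any
    `window`-second span. A client of a single server never exceeds a
    fan-out of one and is therefore not reported."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f.ts)
    recent = defaultdict(deque)    # (src, worm) -> deque of (ts, dst) in window
    live = defaultdict(Counter)    # (src, worm) -> dst -> hits still in window
    alerts = {}
    for f in flows:
        worm = WATCHED.get((f.proto, f.dport))
        if worm is None:
            continue                       # not a port we care about
        key = (f.src, worm)
        q, hits = recent[key], live[key]
        q.append((f.ts, f.dst))
        hits[f.dst] += 1
        # Expire flows older than the window and drop destinations that
        # no longer have any in-window hit, so fan-out is per window.
        while q and q[0][0] < f.ts - window:
            _old_ts, old_dst = q.popleft()
            hits[old_dst] -= 1
            if hits[old_dst] == 0:
                del hits[old_dst]
        fanout = len(hits)
        if fanout >= threshold and fanout > alerts.get(f.src, ("", 0))[1]:
            alerts[f.src] = (worm, fanout)
    return alerts


def naive_port_block(lines):
    """What a blanket block of the worm's port would hit: every source that
    talks to that port at all, including clients of legitimate servers."""
    return sorted({f.src for f in map(parse_flow, lines)
                   if (f.proto, f.dport) in WATCHED})


def sample_flows():
    """Constructed flow lines, not captured traffic."""
    lines = []
    # Infected host spraying UDP/1434 at 25 different addresses in 5 seconds.
    for i in range(25):
        lines.append(f"{100 + i * 0.2:.1f} 10.1.2.3 192.0.2.{i + 1} udp 1434")
    # Legitimate client repeatedly querying one SQL server on the same port.
    for i in range(30):
        lines.append(f"{100 + i:.1f} 10.1.5.9 10.1.5.20 udp 1434")
    # Infected host probing TCP/135 on 22 different addresses in 11 seconds.
    for i in range(22):
        lines.append(f"{200 + i * 0.5:.1f} 10.2.7.7 198.51.100.{i + 1} tcp 135")
    # Unrelated web traffic that the detector should ignore.
    lines.append("150.0 10.3.3.3 203.0.113.8 tcp 80")
    return lines


if __name__ == "__main__":
    lines = sample_flows()
    print("blanket port block would hit:", naive_port_block(lines))
    print("fan-out detector flags:", detect_scanners(lines))
```

On the constructed sample the detector flags 10.1.2.3 (Slammer, fan-out 25) and 10.2.7.7 (Blaster, fan-out 22) and leaves the single-server client 10.1.5.9 alone, whereas a blanket block of the same ports would catch all three. The fan-out criterion is what lets an auto-blocking tool act in real time without the collateral damage the Slammer slide describes; the self-service unblocking the slide mentions is the safety net for the false positives any threshold still produces.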

Page 7

Security Trouble Ticket Trend

[Chart: monthly security trouble tickets, Jan-02 through Sep-03; y-axis 0 to 3000; series: SecOps, NetOps]

Page 8

RPC Impact Elsewhere

• UNC: med center - “total infection”

• Uchicago: $1000 reconnect fee?

• Evergreen: “virtually shutdown”

• Several: contracts w/students, fees to fix

• Everywhere: enormous costs

Page 9

SoBig.F Virus

• Ultra aggressive

• Forged addresses, bogus auto-responses

• JUL: 17M messages in, 48K viruses

• AUG: 25M messages in, 6M viruses

• Believed to aid spammers

• Phase II attack thwarted

• Self-terminated on Sept 10

• “most widely e-mailed virus ever”

Page 10

Lessons

• Huge strategic problem for UW

• Huge costs and risks ahead

• Only decision to make:

– do we pay for prevention? or

– do we pay for clean-up?

• Prevention requires paradigm shift

– unmanaged PCs must be eliminated

– lots of network upgrades & tools needed

• 2003 is a turning point