University of Washington Computing & Communications
Recent Computer Security Incidents
Terry Gray, Director, Networks & Distributed Computing
03 October 2003
Major Attacks
• Dec 2000: Hospital records release
• Jul 2001: Microsoft web server (Code Red)
• Sep 2001: Microsoft web server (Nimda)
• Mar 2002: SSH libraries (e.g. Slapper)
• Jun 2002: DNS libraries
• Aug 2002: The Great Spam Attack
• Jan 2003: Microsoft SQL (Slammer)
• Jul 2003: Microsoft RPC (Blaster, etc.)
• Aug 2003: SoBig.F virus
January 2003: Microsoft SQL (Slammer)
• Allows system takeover
• Aggressive spread (unintended DOS?)
• Many vulnerable applications
• High impact on network routers
• Significant collateral damage to adjacent computers/subnets
• Simple port blocking damages legit traffic
Slammer Impact on UW
• Older routers failed under load
• Hard to identify/shut off source during attack
• Some critical subnets affected for many hours
• Older net infrastructure hampers defense
– Accelerated phase-out of older routers
– Hubs/switches/wireplant still a problem
• Improved locate/isolate tools
July 2003: Microsoft RPC (Blaster, etc.)
• Several variants (directed & worm attacks)
• Some attacks allow system takeover
• Windows vulnerability: all recent versions
• Two Microsoft patches (so far)
• Border blocking:
– effective only temporarily
– breaks popular applications
– or forces deployment of VPNs
RPC Impact on UW
• Windows infection rate: over 20% (6200)
• Mean-Time-To-Infection: 2 minutes
• > 12,000 msgs handled by SecOps in Sept
• Lots of tools developed to detect/block/fix
– real-time auto-blocking
– self-service unblocking
– internal patch page
• CD campaign for returning students
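The slides name two UW responses without detail: real-time auto-blocking with self-service unblocking on this slide, and the earlier point that simple port blocking damages legitimate traffic. The script below is an added illustration of how those two ideas fit together; it is not UW's tooling or code from the deck. Instead of blocking a port outright, it scores each source host by how many distinct destinations it hits on a worm propagation port inside a time window, quarantines only hosts above the threshold, and lets a quarantined host release itself a limited number of times after attesting that it is patched before staff must intervene. The ports UDP/1434 and TCP/135 are the well-known propagation ports of Slammer and Blaster and are an assumption here rather than something the slides state; the flow records, addresses, thresholds and unblock limit are constructed.

```python
from collections import defaultdict

# Assumption (not stated on the slides): well-known propagation ports of the
# worms the deck discusses. A blanket block of these ports is what the deck
# calls "simple port blocking"; the detector below blocks hosts, not ports.
WORM_PORTS = {("udp", 1434): "slammer-like", ("tcp", 135): "blaster-like"}
SCAN_THRESHOLD = 10          # distinct destinations per window that count as scanning
WINDOW_SECONDS = 60          # bucket size for counting fan-out
MAX_SELF_SERVICE_UNBLOCKS = 2  # after this many releases, staff must look at the host


def make_sample_flows():
    """Constructed flow records (ts, src, dst, proto, dport); not real UW traffic."""
    flows = []
    # host A sprays UDP/1434 at 12 distinct hosts in a few seconds: worm-like fan-out
    for i in range(12):
        flows.append((100 + i * 0.3, "10.0.1.5", f"10.0.2.{i + 1}", "udp", 1434))
    # host B talks to one SQL server repeatedly: legitimate use of the same port
    for i in range(30):
        flows.append((100 + i, "10.0.1.6", "10.0.9.1", "udp", 1434))
    # host C makes a handful of RPC connections: below the fan-out threshold
    for i in range(4):
        flows.append((200 + i, "10.0.1.7", f"10.0.3.{i + 1}", "tcp", 135))
    # host D browses many web servers: high fan-out, but not on a worm port
    for i in range(50):
        flows.append((300 + i, "10.0.1.8", f"10.0.4.{i + 1}", "tcp", 80))
    return flows


def detect_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: reason} for sources that reach >= threshold distinct
    destinations on a worm port within a single time window."""
    buckets = defaultdict(set)  # (src, reason, window_index) -> set of destinations
    for ts, src, dst, proto, dport in flows:
        reason = WORM_PORTS.get((proto, dport))
        if reason is None:
            continue  # not a worm port: never considered, so port-80 fan-out is ignored
        buckets[(src, reason, int(ts // window))].add(dst)
    hits = {}
    for (src, reason, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            hits[src] = reason
    return hits


class Quarantine:
    """Host-level block list with a bounded self-service release path."""

    def __init__(self):
        self.blocked = {}                 # ip -> reason it was blocked
        self.releases = defaultdict(int)  # ip -> number of self-service releases so far
        self.needs_staff = set()          # ips that exhausted self-service releases

    def block(self, ip, reason):
        self.blocked[ip] = reason

    def self_service_unblock(self, ip, attests_patched):
        """Release ip if the user attests the host is patched and the host has
        not already used up its self-service releases. Returns True on release."""
        if ip not in self.blocked:
            return True
        if not attests_patched:
            return False
        if self.releases[ip] >= MAX_SELF_SERVICE_UNBLOCKS:
            self.needs_staff.add(ip)  # repeat offender: hand off to SecOps
            return False
        self.releases[ip] += 1
        del self.blocked[ip]
        return True


def run_cycle(quarantine, flows):
    """One detection pass: block every scanning source, return what was found."""
    hits = detect_scanners(flows)
    for ip, reason in hits.items():
        quarantine.block(ip, reason)
    return hits


if __name__ == "__main__":
    q = Quarantine()
    print("blocked:", run_cycle(q, make_sample_flows()))
    print("released after attesting patched:", q.self_service_unblock("10.0.1.5", True))
```

Run as-is, only host A is quarantined: host B uses the same port as Slammer but to a single server, so a fan-out rule leaves it alone where a port block would have cut it off, which is the collateral damage the deck warns about. The release counter is the bounded part of "self-service": a host that keeps getting re-blocked after claiming to be patched ends up in needs_staff instead of cycling forever.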
Security Trouble Ticket Trend
[Chart: monthly security trouble tickets, Jan-02 through Sep-03, on a 0 to 3000 scale; two series: SecOps and NetOps]
RPC Impact Elsewhere
• UNC: med center - “total infection”
• Uchicago: $1000 reconnect fee?
• Evergreen: “virtually shutdown”
• Several: contracts w/students, fees to fix
• Everywhere: enormous costs
SoBig.F Virus
• Ultra aggressive
• Forged addresses, bogus auto-responses
• JUL: 17M messages in, 48K viruses
• AUG: 25M messages in, 6M viruses
• Believed to aid spammers
• Phase II attack thwarted
• Self-terminated on Sept 10
• “most widely e-mailed virus ever”
Lessons
• Huge strategic problem for UW
• Huge costs and risks ahead
• Only decision to make:
– do we pay for prevention? or
– do we pay for clean-up?
• Prevention requires paradigm shift
– unmanaged PCs must be eliminated
– lots of network upgrades & tools needed
• 2003 is a turning point