Administrators Fight Back Against Slammer

Private networks appear to be most likely to still feel the effects of the worm.

InformationWeek Staff, Contributor

January 27, 2003

The impact of the Slammer worm subsided Monday as companies scrambled to patch systems and block the worm's ability to spread. Slammer is being touted as the worst attack on the Internet since the summer of 2001, when a worm called Code Red attacked hundreds of thousands of systems and brought the networks of many large companies to a halt.

This time around, however, many companies apparently have learned lessons from attacks such as Code Red and Nimda. Within 24 hours, most Internet service providers reportedly were able to block the worm, and throughout the early hours of Monday morning, infected companies were able to apply the six-month-old patch supplied by Microsoft and get their systems up and running.

Lloyd Hession, chief security officer for Radianz, which runs a network for financial-services firms, says that while many companies were affected by the fast-spreading worm, over the weekend and throughout Monday morning they were able to put the proper filtering in place on their firewalls and routers and update their software applications to successfully defend against Slammer's spread.

"This certainly goes to show you that even over the weekend companies were able to put their incident response plans into play and effectively stop this quickly," Hession says.

An IT administrator at a consumer goods manufacturer on the East Coast says he began working on the problem at 3 a.m. Saturday. "We wanted to get this fixed ASAP; our priority was to make sure we didn't infect any of our customers or suppliers when they came to work Monday morning," he said Monday. "Everything seems to be normal now. I hope it stays that way."

At its peak, Slammer performed roughly 1 billion scans an hour looking for new Internet hosts to infect. All those scans were bits of traffic, and the Internet choked.

According to a statement posted online by Keynote Systems Inc., an Internet performance-monitoring company, "The typical Web user would certainly notice the impact of this worm." The performance of sites in Keynote's Business 40 index of 40 major U.S. sites was slowed by an average of about 50% between midnight and 1 p.m. EST Saturday. Availability also dropped about 10% within the United States. More normal performance was reappearing in the United States by 2 p.m. EST, and by 7 p.m., traffic had returned to normal, according to Keynote.

Slammer takes advantage of a well-known vulnerability in Microsoft's SQL Server 2000 database as well as the company's Desktop Engine 2000 software. The worm doesn't affect people's PCs. The Microsoft flaw was discovered last spring by database vulnerability research firm Next Generation Security Software Ltd.

Microsoft is urging SQL customers to patch their systems. More information about the patch can be found here.
