Cisco Support Community
New Member

4701-MSSQL Control

My Internet sensor is now at S42 and picking up the MSSQL Control Overflow signatures, 4701.

I sniffed this traffic, and ethereal interprets it all as DCE RPC Pings with a Kerberos Authentication Verifier embedded.

What should a real Slammer attack look like? And is the above traffic normal for the Internet and this signature?

1 REPLY
New Member

Re: 4701-MSSQL Control

This traffic will be a part of the Internet for a very, very long time. Just like CodeRed and Nimda, which are still seen in scarily large numbers. Check the NANOG mailing lists and similar forums, and you will see an almost depressing level of resignation that the Internet will never be rid of this beast.

As to what a real attack looks like, Incidents.org and other security news sites have had worm deconstruction papers available since February. You can check your traces against those.

In my opinion, the major concern with this signature is seeing it fire with Internal sources. Those should be checked out immediately, and will appear in great numbers if you are truly infected.

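The reply's triage advice (treat 4701 hits from external sources as background Internet noise, but investigate any hit whose source is an internal address) can be turned into a small log-sorting script. The following is an added example written for this thread; it is not code from either poster or from Cisco. The alert line format is a constructed, simplified one (a real sensor export will look different), and the internal address ranges default to RFC 1918 space, which is an assumption that should be replaced with the organisation's actual ranges. The Python `ipaddress` module's `is_private` is deliberately not used, because it also classifies the documentation ranges used in the sample data as private.

```python
"""
Sort Cisco-sensor-style alerts for signature 4701 (MSSQL Control Overflow)
into hits with external sources (expected Internet noise) and hits with
internal sources (the case the reply says to check out immediately).
"""
import ipaddress
import re
from collections import Counter

# Assumption: internal space is RFC 1918. Replace with your own ranges.
DEFAULT_INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample alerts, not captured data. One alert per line, in a
# simplified key=value layout invented for this example:
#   <timestamp> sig=<id> name="<name>" src=<ip> dst=<ip> proto=<proto> dport=<port>
# 9999 is a placeholder signature id used only to show that other
# signatures are ignored.
SAMPLE_ALERTS = """\
2003-04-02T10:01:12Z sig=4701 name="MSSQL Control Overflow" src=203.0.113.7 dst=192.168.1.10 proto=udp dport=1434
2003-04-02T10:01:14Z sig=4701 name="MSSQL Control Overflow" src=198.51.100.22 dst=192.168.1.10 proto=udp dport=1434
2003-04-02T10:01:20Z sig=4701 name="MSSQL Control Overflow" src=10.20.5.44 dst=192.168.1.10 proto=udp dport=1434
2003-04-02T10:01:21Z sig=4701 name="MSSQL Control Overflow" src=10.20.5.44 dst=198.51.100.9 proto=udp dport=1434
2003-04-02T10:01:22Z sig=4701 name="MSSQL Control Overflow" src=10.20.5.44 dst=203.0.113.250 proto=udp dport=1434
2003-04-02T10:02:03Z sig=9999 name="Other Signature" src=203.0.113.9 dst=192.168.1.10 proto=tcp dport=80
this line is deliberately malformed and must be skipped
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) sig=(?P<sig>\d+) name="(?P<name>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$'
)


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sig"] = int(alert["sig"])
    alert["dport"] = int(alert["dport"])
    return alert


def is_internal(ip, internal_nets):
    """True if ip falls inside any of the given ip_network objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def triage(lines, sig_id=4701, internal_nets=DEFAULT_INTERNAL):
    """
    Count hits of sig_id per source address, split by whether the source is
    internal. Internal sources are returned in 'investigate', busiest first,
    because an infected internal host fires the signature in great numbers.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    external = Counter()
    internal = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sig"] != sig_id:
            continue  # unparseable line or a different signature
        bucket = internal if is_internal(alert["src"], nets) else external
        bucket[alert["src"]] += 1
    return {
        "external_sources": dict(external),
        "internal_sources": dict(internal),
        "investigate": sorted(internal, key=lambda src: -internal[src]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS.splitlines())
    print("external (background noise):", result["external_sources"])
    print("internal (check immediately):", result["internal_sources"])
    print("investigate in this order:", result["investigate"])
```

Feed it the sensor's alert export after adapting `ALERT_RE` to the real line format; the split between the two buckets is what matters, and any address in `investigate` is the one the reply says to look at first.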