Strange Slammer experience.

Pete Hickey pete at shadows.uottawa.ca
Wed Apr 23 21:50:41 GMT 2003


We had something interesting occur on campus today.

We have a lab that is working with an outside company.
The researchers use our lab, but VPN (IPSec) into the company's
internal net.  They just use us for a pipe.

Today, one of the machines became infected with the Slammer.
It seems that the slammer puts packets together that have
the *real* source address (not the VPN address), but they are
sent out through the VPN (no, I don't know which workstation
VPN software they are using.) The packets were then (somehow)
sent out from the company's net.

We only saw the replies, but not the traffic going out.
Although we monitor for port 1434 outbound, we never saw it
because it was encrypted.

Obviously the company (a pretty big one at that) does not
monitor, and more importantly, they allow traffic out with
a source IP address which is not part of their net.

Anyway, I found this to be a somewhat interesting variation on
the Slammer.
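Two defender-side checks that correspond to the two blind spots in the post above: the company edge that let packets leave with a source address outside its own prefixes (no egress anti-spoofing filter), and the campus edge that saw only the UDP/1434 replies because the requests travelled inside the encrypted tunnel. This is an added example, not code from the original post or the unisog list; the flow records, prefixes and addresses are constructed (RFC 5737 documentation ranges), and the flow-record layout is an assumed simplification of what a NetFlow or firewall log would export.

```python
"""Flow-record checks for spoofed-source egress and unsolicited UDP/1434 replies.

Added example; not from the original post. All flow records below are
constructed, and the six-field Flow layout is an assumed simplification.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "direction proto src_ip src_port dst_ip dst_port")

SLAMMER_PORT = 1434  # MS SQL Server Resolution Service, the port Slammer targets

# Constructed address plans (RFC 5737 documentation networks, not real sites).
COMPANY_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
CAMPUS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flows as the company's edge would export them. The second and
# third carry a campus source address: they left the VPN concentrator with the
# workstation's real address and were forwarded out unfiltered.
COMPANY_EDGE_FLOWS = [
    Flow("out", "udp", "198.51.100.7", 3456, "192.0.2.10", 1434),
    Flow("out", "udp", "203.0.113.55", 1180, "192.0.2.11", 1434),
    Flow("out", "udp", "203.0.113.55", 1180, "192.0.2.12", 1434),
    Flow("out", "tcp", "198.51.100.9", 50000, "192.0.2.20", 443),
]

# Constructed flows as the campus edge would export them. The outbound 1434
# requests from .55 are invisible (inside the IKE/IPsec tunnel); only the
# replies appear. Host .60 sends a request in the clear for comparison.
CAMPUS_EDGE_FLOWS = [
    Flow("out", "udp", "203.0.113.55", 500, "198.51.100.1", 500),
    Flow("in", "udp", "192.0.2.11", 1434, "203.0.113.55", 1180),
    Flow("in", "udp", "192.0.2.12", 1434, "203.0.113.55", 1180),
    Flow("out", "udp", "203.0.113.60", 2000, "192.0.2.30", 1434),
    Flow("in", "udp", "192.0.2.30", 1434, "203.0.113.60", 2000),
]


def in_prefixes(ip: str, prefixes) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def spoofed_egress(flows, local_prefixes):
    """Outbound flows whose source address is not one of our own prefixes.

    This is the egress anti-spoofing check (BCP 38 style) the company's edge
    was evidently not applying.
    """
    return [
        f for f in flows
        if f.direction == "out" and not in_prefixes(f.src_ip, local_prefixes)
    ]


def unsolicited_replies(flows, port=SLAMMER_PORT):
    """Inbound flows from `port` with no matching outbound request on record.

    A reply whose request was never seen on this edge is the signature of
    traffic that went out through some other path, such as an encrypted tunnel.
    """
    seen_requests = {
        (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        for f in flows
        if f.direction == "out" and f.dst_port == port
    }
    return [
        f for f in flows
        if f.direction == "in"
        and f.src_port == port
        and (f.dst_ip, f.dst_port, f.src_ip, f.src_port) not in seen_requests
    ]


if __name__ == "__main__":
    for f in spoofed_egress(COMPANY_EDGE_FLOWS, COMPANY_PREFIXES):
        print("company edge: non-local source leaving the net:", f)
    for f in unsolicited_replies(CAMPUS_EDGE_FLOWS):
        print("campus edge: UDP/1434 reply with no visible request:", f)
```

On the constructed data the first check flags the two flows sourced from 203.0.113.55 at the company edge, and the second flags the two replies to that host at the campus edge, while the reply to .60 is ignored because its request was seen in the clear. The same two checks work on any flow export that records direction, addresses and ports; the prefixes are the only site-specific input.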
