I don't think anyone could have missed the Slammer worm that recently dealt a devastating blow to the Internet.
It attacked Microsoft SQL Server installations, and apparently the embedded DBE in other office apps like Visio if you listen to some people. A patch for the vulnerability was released a good 6 months ago, which means the vulnerability was even older. ZDNet has some good coverage with more details.
But I have a burning question...
How on earth did it really happen?
We know that the worm propagated itself by sending UDP packets as fast as it could to random IP addresses.
Does anyone else think it is strange that there are thousands and thousands of database servers that are open and exposed to the outside internet???
Pick any decent network security book and it will describe how public-facing servers should be in a DMZ, while db servers and other important boxen should be behind an internal firewall.
If these servers were really firewalled off properly, they wouldn't be listening on a real public IP address. The firewalls wouldn't be allowing outgoing traffic on ports that should only be permitted internally.
This should never have happened!
Of course, that is terribly easy to say... but honestly, everyone has been yelling about keeping up with patches. What about security in depth? If we rely solely on keeping patches up to date, there will always be a window of vulnerability where Murphy can strike. If people followed some basic security guidelines (such as the principle of least privilege) then this outbreak would have been contained.
If people had firewalled incoming traffic, it should not have been able to propagate into someone's network - after all, it was a UDP packet on an unusual port. And if egress filtering was in place, it should not have propagated out. The damage should have been limited to within a network, and been much easier to contain.
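To make the ingress/egress point concrete, here is an added example (not code from the original post) that models a default-deny zone firewall and sprays UDP/1434, the SQL Server Resolution Service port Slammer used, at random addresses from an infected host. The address plan and allow rules are assumptions; the model shows that the worm can still reach hosts in its own zone, but neither gets in from the Internet nor out of the internal segment.

```python
from ipaddress import ip_address, ip_network
from random import Random

# Constructed address plan following the post's layout: public-facing hosts in a
# DMZ, database servers on an internal segment, everything else is the Internet.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}

# Explicit allow rules (src_zone, dst_zone, proto, dst_port). Anything not listed
# is dropped, which gives ingress and egress filtering from the same policy.
ALLOW = {
    ("internet", "dmz", "tcp", 80),    # public web traffic into the DMZ
    ("internet", "dmz", "tcp", 443),
    ("dmz", "internal", "tcp", 1433),  # app tier talking to SQL Server, DMZ only
}

SQL_RESOLUTION_PORT = 1434  # UDP port Slammer targeted (SQL Server Resolution Service)


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def filter_packet(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide what the perimeter firewalls do with one packet."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "ACCEPT"  # never crosses a firewall: containment, not prevention
    return "ACCEPT" if (src_zone, dst_zone, proto, dport) in ALLOW else "DROP"


def simulate_worm(infected: str, attempts: int, seed: int = 1) -> dict:
    """Spray UDP/1434 at random 32-bit addresses from an infected host, as the
    worm did, and count per zone where packets could actually land."""
    rng = Random(seed)
    reached = {"internet": 0, "dmz": 0, "internal": 0}
    for _ in range(attempts):
        target = str(ip_address(rng.getrandbits(32)))
        if filter_packet(infected, target, "udp", SQL_RESOLUTION_PORT) == "ACCEPT":
            reached[zone_of(target)] += 1
    return reached
```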
So why were there so many MS SQL servers sitting, listening on public IP addresses? Some people never learn...