Well, I didn’t get slammed— I run SQL 2000 on my laptop (for my RDF Triples Database), but Ihad already installedSP3 (and I run a recent build of SQL 2003 on my server).
Many geeks like to point out “sysadmins who haven’t updated their patches for six months” as the cause of worm outbreaks like this. If everyone had updated their patches within the last six months, this worm would not have spread; but I think that misses the point. Sysadmins don’t keep up with patches; just as the sun rises in the east. Blaming sysadmins does nothing to solve the problem.
Pleasantly, the industry this time seems to be responding much less neurotically than in the past. Within hours, most of the large network carriers had begun to block infected packets from crossing their routers. This actionlocalized the infection to broad segments of network, and then response teams at various sites started sniffing out infected subnets and quarantining them. The response didn’t succeed in preventing some serious outages, but things could have been much worse. And it’s the first time I have ever seen such a pragmatic and broad-based response to a network attack like this. The cooperation between different disciplines inspires hope in me.
Blocking traffic at routers was largely a manual job this time, but there is no doubt that NSPs will be working to improve their ability to coordinate and automate such “immune system” responses in the future. And site teams who went through the drill this time of hunting and quarantining infected segments will now have the experience and the incentive to put in place well-oiled response plans, training, and tools.
Incidents such as this have, in the past, involved a lot of finger-pointing and “not my problem” attitudes. It seems with this attackthat the industry is finally growing up a bit and working together to solve the problems. I hope thatthis translates into more work on proactive cooperation between software vendors, network vendors, and service providers.