Student Publications
University of Houston
151C Communications Bldg
Houston, TX 77204-4015
713.743.5350

Volume 68, Issue 83, Tuesday, January 28, 2003

News

Worm tangled UH networks, IT says

By Matt Dulin
The Daily Cougar

A pseudo-virus that struck Internet data pipelines over the weekend managed to take control of 20 systems within the University network and disrupt Internet connectivity, cutting traffic by 94 percent Friday night, Information Technology department officials said.

Full network services had been restored by Monday evening.

"Now that doesn't seem like a whole lot. We have roughly 1,000 systems on campus," said Charles Chambers, manager of network planning and development.

The breach was totally preventable, systems analyst Gary Shlett said.

"So many people leave their computers running and logged in and everything -- it's like driving home in your car and getting out, but leaving the keys inside with the motor running," Shlett said.

"Plain and simple, this could've been prevented if people were conscientious about their computers and took the time to upgrade and patch Windows," he said, mentioning the Microsoft patch released in July that corrected the software vulnerability the worm took advantage of.

"There's no one person at fault for not getting the upgrades to all the systems," Chambers said. He also said the critical elements to these situations are having the right tools to both prevent and react to new problems.

Despite the relatively small number of systems actually affected, the worm was extremely effective -- it was able to use the various redundant connections to those systems to bring campus-wide network communications to a near standstill, Chambers said.

"The network was completely saturated with traffic," he said. "There was so much, we couldn't get to our traffic flow monitors to isolate the problem."

Once isolated -- sometime in the wee hours of Saturday, Chambers said -- the worm, named "W32/SQL Slammer," was much easier to handle.

"By about 5 or 6 a.m. (Saturday) we had brought back some stability to the network. We worked all night, and a second shift, so to speak, came on Saturday morning to start the clean-up," Chambers said. Clean-up involved rebooting many systems and installing patches.

The isolation process in the University's network core was beleaguered by what Chambers likened to sandbagging a house surrounded by floodwaters.

"Once we covered one problem spot, the worm just found another way in. It really slowed us down," Chambers said.

The core was especially vulnerable because of dozens of redundant connections that are meant to increase network reliability and performance. In this case, "it worked against us," he said.

"As of (Monday evening) it is very stable. I'm very happy with it," Chambers said.

Shlett said they were able to isolate the local source of the worm -- that is, where the worm entered the UH network. Cutting off that system helped isolate the worm, he said.

"That computer wouldn't have introduced the worm to the UH network if it had been patched," Shlett said.

To Shlett, this is just one more example of why network users should be careful and should take measures to prevent future strikes, such as keeping software up-to-date and installing anti-virus software.

"In the long term, there are even more vulnerabilities that need to be addressed, such as incoming SPAM to UH e-mail accounts and peer-to-peer file sharing programs, like Kazaa, that open up new venues for attack," Shlett said.

In all, IT officials generally agree UH missed the worst of the worm, in part because it happened over the weekend when UH was less dependent on network reliability.

 Send comments to dcnews@mail.uh.edu
