The company hosts servers for about 30 customers, but is not always responsible for applying software patches, a key factor in the spread of this code.
"The team had noticed that routers were not as responsive as they should be and started checking with upstream ISPs and bulletin boards for news of a problem. Then the news media publicised Slammer as the culprit after the FBI identified the worm, so we first blocked access at port 1434 and set about isolating the SQL network.
"Then we identified the worm and set about getting the patch, installing it and bringing the servers back on one by one when we were certain they were secure. We were back up in a few hours.
"Those most affected will have been those not in at weekends, which means the knock-on slowing of the internet is prolonged."
- Ensure patching is up to date, though you must also ensure the patch itself does not contain harmful bugs
- When news breaks, block access at the firewall
- Split your team: one team isolates affected machines, the other researches the virus and how it works
- Apply remedial action to affected machines
- Once you are entirely happy they are safe, bring them back on