Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Symantec detected Slammer worm "hours" before

  • From: Mike Lloyd
  • Date: Thu Feb 13 12:50:52 2003


Sean,

I agree that this claim is innately suspect - I've seen a few opportunistic press releases on this, at least some of which are clearly false.

Now at the Security BOF in Phoenix, Avi and I both showed some data with anomalies prior to the well-known onset time. Unfortunately, the anomalies don't match in "shape", but we were looking at different things (he looked at DNS servers; I looked at averages of many end to end traces); they did very roughly match in time.

Neither Avi nor I claimed that we had detected the worm early; what we appear to have are just suspicious anomalies. I can tell you that a measurement box of mine reacted several hours before the well-known onset time, and due to that reaction, was remarkably well positioned when the attack actually occurred. I'm ready to believe that I just got lucky on this one - that I reacted to some other serious signal which by good fortune got me out of the way. What I don't know yet is what exactly my device reacted to.

You added comment on a fiber cut in that time period - can you offer more detail? Barry mentioned another roughly simultaneous attack in Korea. One other theory, of course, would be trial runs of the worm, perhaps with restricted PRNG to localize attack. I've seen no direct evidence that this happened, though.

Anyone got data points to share on, say, the 6-hour period before we got Slammed?

Mike

Sean Donelan wrote:
Wow, Symantec is making an amazing claim.  They were able to detect
the slammer worm "hours" before.  Did anyone receive early alerts from
Symantec about the SQL slammer worm hours earlier?  Academics have
estimated the worm spread world-wide, and reached its maximum scanning
rate in less than 10 minutes.

I assume Symantec has some data to back up their claim.

http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
  "For example, the DeepSight Threat Management System discovered the
  Slammer worm hours before it began rapidly propagating. Symantec's
  DeepSight Threat Management System then delivered timely alerts and
  procedures, enabling administrators to protect against the attack
  before their environment was compromised."




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.