Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


[dmoore@caida.org: Re: Symantec detected Slammer worm "hours" before]

  • From: k claffy
  • Date: Thu Feb 13 15:35:51 2003



[david not on nanog list so am forwarding for him]



----- Forwarded message from David Moore <dmoore@caida.org> -----

  Date: Thu, 13 Feb 2003 10:42:18 -0800
  From: David Moore <dmoore@caida.org>
  Subject: Re: Symantec detected Slammer worm "hours" before
  To: k claffy <kc@caida.org>
  Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu,
     David Moore <dmoore@caida.org>
  
  > On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
  >   Wow, Symantec is making an amazing claim.  They were able to detect
  >   the slammer worm "hours" before.  Did anyone receive early alerts from
  >   Symantec about the SQL slammer worm hours earlier?  Academics have
  >   estimated the worm spread world-wide, and reached its maximum scanning
  >   rate in less than 10 minutes.
  
  So actually thinking about this a bit more, our numbers count from
  when a single well-connected host or a set of less well-connected hosts
  are infected.  If a single infected machine (or a small number of them)
  were on slow links (dsl/cable modem/etc) it might take them up to
  about an hour to find the next vulnerable host (also depending on
  luck and which cycle of the RNG they are in).  So there might be
  a longer startup period than we suggested if the worm was launched
  in a poor environment.
  
  However, at those rates, the scanning by the worm (small number of
  hosts with tiny total bandwidth) would be well below the noise of
  even "normal" port scanning activity.  I find it difficult to
  believe that _at the time_ it would have been flagged as
  suspicious.  Perhaps going back through their logs after the growth
  was over would have yielded something.
  
  If it was running at a rate which on average took it an hour to
  find the next vulnerable host, then if they had effective monitoring
  of a /8, then they would have only seen 100-300 packets in that hour
  (fewer the more vulnerable hosts that were out there; slower scanning
  to not find one in an hour).
  
  It's a little hard for me to believe that Symantec would have noticed
  this level of traffic, figured out that it was bad (although perhaps
  some simple x86 code detector might have helped) and have told people
  about it at this rate.  In any case, if they did, then it's because
  the worm was launched from a poor bandwidth environment, presumably
  something that Symantec can't control in the future.
  
  -- david

----- End forwarded message -----
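The two estimates in David's post (about an hour for a seed on a slow link to find the next vulnerable host, and 100-300 probes per hour at a /8 monitor) both follow from the same model of a uniformly random scanner. The script below, an added example and not code from the post or from CAIDA, works that model through so a monitoring team can see how vulnerable-population size and seed bandwidth move those numbers. The vulnerable population of roughly 75,000 hosts and the 404-byte on-the-wire packet size are assumptions made here, not figures from the post; all outputs are expectations, not observed data.

```python
"""
Back-of-the-envelope model of a uniformly random-scanning worm: how long a
few slow seeds take to find the next vulnerable host, and how many of their
probes a passive /8 monitor would see in that time.

Assumptions (labelled, not from the post): the scanner draws targets
uniformly from the 2**32 IPv4 addresses; a vulnerable population V of
about 75,000 hosts; 404-byte packets on the wire.
"""

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a uniform random scanner draws from
PACKET_BYTES = 404        # assumed on-the-wire size of one scan packet


def scans_per_vulnerable_hit(vulnerable_hosts: int) -> float:
    """Expected probes a uniform random scanner sends before hitting one
    vulnerable host: the address space divided by the vulnerable population."""
    if vulnerable_hosts <= 0:
        raise ValueError("need at least one vulnerable host")
    return ADDRESS_SPACE / vulnerable_hosts


def scan_rate_pps(uplink_bits_per_second: float) -> float:
    """Packets per second one seed can push if it saturates its uplink."""
    return uplink_bits_per_second / (PACKET_BYTES * 8)


def seconds_to_first_hit(vulnerable_hosts: int, pps: float, seeds: int = 1) -> float:
    """Expected seconds for `seeds` hosts, each scanning at `pps`, to find
    the first vulnerable host between them (combined rate seeds * pps)."""
    return scans_per_vulnerable_hit(vulnerable_hosts) / (pps * seeds)


def monitor_hits_per_hour(vulnerable_hosts: int, prefix_len: int = 8,
                          hours_per_hit: float = 1.0) -> float:
    """Probes per hour a passive monitor covering one /prefix_len sees from a
    worm population that on average finds one new victim every
    `hours_per_hit` hours.  The monitor receives 1/2**prefix_len of all
    probes, so a larger vulnerable population means fewer probes seen."""
    probes_per_hour = scans_per_vulnerable_hit(vulnerable_hosts) / hours_per_hit
    return probes_per_hour / (2 ** prefix_len)


def main() -> None:
    V = 75_000  # assumed vulnerable population (not a figure from the post)
    for label, bps in (("56k modem", 56_000), ("DSL 128k up", 128_000),
                       ("T1", 1_544_000)):
        pps = scan_rate_pps(bps)
        t = seconds_to_first_hit(V, pps)
        print(f"{label:12s} {pps:8.1f} pps  first hit in ~{t / 60:6.1f} min")
    for v in (60_000, 75_000, 150_000):
        print(f"V={v:7d}: a /8 monitor sees ~{monitor_hits_per_hour(v):6.1f} probes/hour")


if __name__ == "__main__":
    main()
```

With these assumptions a single seed on a 56 kbit/s link needs close to an hour to find its first victim, and a fully monitored /8 sees only a couple of hundred probes over that hour, which is the scale David compares against ordinary background port-scan noise.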