nanog mailing list archives

Re: Symantec detected Slammer worm "hours" before

From: Mike Lloyd <drmike () routescience com>
Date: Thu, 13 Feb 2003 09:46:10 -0800


Sean,

I agree that this claim is innately suspect - I've seen a fewopportunistic press releases on this, at least some of which are clearlyfalse.

Now at the Security BOF in Phoenix, Avi and I both showed some data withanomalies prior to the well-known onset time. Unfortunately, theanomalies don't match in "shape", but we were looking at differentthings (he looked at DNS servers; I looked at averages of many end toend traces); they did very roughly match in time.

Neither Avi nor I claimed that we had detected the worm early; what weappear to have are just suspicious anomalies. I can tell you that ameasurement box of mine reacted several hours before the well-knownonset time, and due to that reaction, was remarkably well positionedwhen the attack actually occurred. I'm ready to believe that I just gotlucky on this one - that I reacted to some other serious signal which bygood fortune got me out of the way. What I don't know yet is whatexactly my device reacted to.

You added comment on a fiber cut in that time period - can you offermore detail? Barry mentioned another roughly simultaneous attack inKorea. One other theory, of course, would be trial runs of the worm,perhaps with restricted PRNG to localize attack. I've seen no directevidence that this happened, though.

Anyone got data points to share on, say, the 6-hour period before we gotSlammed?


Mike

Sean Donelan wrote:


Wow, Symantec is making an amazing claim.  They were able to detect
the slammer worm "hours" before.  Did anyone receive early alerts from
Symantec about the SQL slammer worm hours earlier?  Academics have
estimated the worm spread world-wide, and reached its maximum scanning
rate in less than 10 minutes.

I assume Symantec has some data to back up their claim.

http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
  "For example, the DeepSight Threat Management System discovered the
  Slammer worm hours before it began rapidly propagating. Symantec's
  DeepSight Threat Management System then delivered timely alerts and
  procedures, enabling administrators to protect against the attack
  before their environment was compromised."

Current thread:

Symantec detected Slammer worm "hours" before Sean Donelan (Feb 13)
- Re: Symantec detected Slammer worm "hours" before Stephen J. Wilcox (Feb 13)
  - Re: Symantec detected Slammer worm "hours" before William Warren (Feb 13)
    - RE: Symantec detected Slammer worm "hours" before Al Rowland (Feb 13)
  - Re: Symantec detected Slammer worm "hours" before Peter Salus (Feb 13)
- Re: Symantec detected Slammer worm "hours" before k claffy (Feb 13)
  - Re: Symantec detected Slammer worm "hours" before David Lesher (Feb 13)
- Re: Symantec detected Slammer worm "hours" before Mike Lloyd (Feb 13)
  - Re: Symantec detected Slammer worm "hours" before Jack Bates (Feb 13)
  - Bumps on the Net (was Re: Symantec detected Slammer worm "hours") Sean Donelan (Feb 13)
- Re: Symantec detected Slammer worm "hours" before Martin Hannigan (Feb 13)
  - Re: Symantec detected Slammer worm "hours" before Krzysztof Adamski (Feb 13)
- Re: Symantec detected Slammer worm "hours" before Etaoin Shrdlu (Feb 13)
  - The minutes seem like hours (was Re: Symantec detected Slammer worm "hours" before) Sean Donelan (Feb 14)
    - Re: The minutes seem like hours (was Re: Symantec detected Slammer worm "hours" before) Mike Lewinski (Feb 15)
    - Re: The minutes seem like hours (was Re: Symantec detected Slammer worm "hours" before) Peter Salus (Feb 15)
    - Re: The minutes seem like hours (was Re: Symantec detected Slammer worm "hours" before) William Warren (Feb 15)
- RE: Symantec detected Slammer worm "hours" before Terry Baranski (Feb 23)

(Thread continues...)