Symantec detected Slammer worm "hours" before

• Previous message (by thread): Symantec detected Slammer worm "hours" before
• Next message (by thread): Symantec detected Slammer worm "hours" before
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sean,

I agree that this claim is innately suspect - I've seen a few 
opportunistic press releases on this, at least some of which are clearly 
false.

Now at the Security BOF in Phoenix, Avi and I both showed some data with 
anomalies prior to the well-known onset time.  Unfortunately, the 
anomalies don't match in "shape", but we were looking at different 
things (he looked at DNS servers; I looked at averages of many end to 
end traces); they did very roughly match in time.

Neither Avi nor I claimed that we had detected the worm early; what we 
appear to have are just suspicious anomalies.  I can tell you that a 
measurement box of mine reacted several hours before the well-known 
onset time, and due to that reaction, was remarkably well positioned 
when the attack actually occurred.  I'm ready to believe that I just got 
lucky on this one - that I reacted to some other serious signal which by 
good fortune got me out of the way.  What I don't know yet is what 
exactly my device reacted to.

You added comment on a fiber cut in that time period - can you offer 
more detail?  Barry mentioned another roughly simultaneous attack in 
Korea.  One other theory, of course, would be trial runs of the worm, 
perhaps with restricted PRNG to localize attack.  I've seen no direct 
evidence that this happened, though.

Anyone got data points to share on, say, the 6-hour period before we got 
Slammed?

Mike

Sean Donelan wrote:
> 
> Wow, Symantec is making an amazing claim.  They were able to detect
> the slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
> 
> I assume Symantec has some data to back up their claim.
> 
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."

• Previous message (by thread): Symantec detected Slammer worm "hours" before
• Next message (by thread): Symantec detected Slammer worm "hours" before
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]