[55858] in North American Network Operators' Group
Re: Symantec detected Slammer worm "hours" before
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Thu Feb 13 12:13:53 2003
Date: Thu, 13 Feb 2003 17:12:54 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0302131150230.17518-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
I saw this mentioned in an article a day or two after the attack.
Clearly they are wrong about this (lying or mistaken), for as you say the speed
of propogation means that a single infected host would have infected the whole
internet in minutes which means we all see the first packets at almost exactly
the same time.
From the context it is written below, this seems a cheap stunt to promote their
service.
Steve
On Thu, 13 Feb 2003, Sean Donelan wrote:
>
>
> Wow, Symantec is making an amazing claim. They were able to detect
> the slammer worm "hours" before. Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier? Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
>
> I assume Symantec has some data to back up their claim.
>
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> "For example, the DeepSight Threat Management System discovered the
> Slammer worm hours before it began rapidly propagating. Symantec's
> DeepSight Threat Management System then delivered timely alerts and
> procedures, enabling administrators to protect against the attack
> before their environment was compromised."
>
>
