[55871] in North American Network Operators' Group


Re: Symantec detected Slammer worm "hours" before

daemon@ATHENA.MIT.EDU (Krzysztof Adamski)
Thu Feb 13 23:21:37 2003

Date: Thu, 13 Feb 2003 23:21:01 -0500 (EST)
From: Krzysztof Adamski <k@adamski.org>
To: nanog@merit.edu
In-Reply-To: <20030213203418.GA16228@fugawi.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 13 Feb 2003, Martin Hannigan wrote:

> 
> On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> > 
> > 
> > Wow, Symantec is making an amazing claim.  They were able to detect
> > the slammer worm "hours" before.  Did anyone receive early alerts from
> > Symantec about the SQL slammer worm hours earlier?  Academics have
> > estimated the worm spread world-wide, and reached its maximum scanning
> > rate in less than 10 minutes.
> > 
> > I assume Symantec has some data to back up their claim.
> > 
> > http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> >   "For example, the DeepSight Threat Management System discovered the
> >   Slammer worm hours before it began rapidly propagating. Symantec's
> >   DeepSight Threat Management System then delivered timely alerts and
> >   procedures, enabling administrators to protect against the attack
> >   before their environment was compromised."
> > 
> 
> 
> One way they could have known about it is that some of their
> customers got nailed _and called them_.
> 
> The other is IDS signature. I'm not sure if there was one already
> out there that would have caught this, but if the customers were
> calling they would have been able to create one quickly, as
> people did.
> 
> If there's no alarm, no event tripped, there is no correlation
> data.

Another possibility is that they wrote the Slammer themselves so they had
early knowledge of it :-)

K

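Martin's remark about an IDS signature, illustrated with an added example that is not part of this thread or of any vendor's product: a small Python matcher that parses raw IPv4/UDP frames, flags datagrams to the SQL Server Resolution Service (UDP 1434) whose 0x04 request is either oversized or carries byte sequences that published Slammer signatures matched on, and separately flags a source fanning out to many destinations. The 100-byte cut-off, the constructed addresses and all packet bytes are assumptions made for the example; no real worm payload is reproduced.

```python
"""Added example (not from the NANOG thread): a minimal IDS-style matcher for
SQL Slammer traffic.  All packets below are constructed; the 100-byte cut-off
and the sample addresses are assumptions for the example."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

SSRS_PORT = 1434        # Microsoft SQL Server Resolution Service, UDP
CLNT_UCAST_INST = 0x04  # SSRS opcode whose handler had the MS02-039 overflow
# A legitimate instance-name request is tens of bytes; the worm datagram was
# 376 bytes.  The cut-off is an assumption chosen for this example.
OVERFLOW_LEN = 100
# Byte sequences present in the public worm payload that published
# Snort-style signatures matched on.
WORM_MARKERS = (b"dllhel32hkern", b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01")


@dataclass
class Udp:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed test traffic: IPv4 header (no options) + UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(raw):
    """Return a Udp record, or None if the frame is not IPv4/UDP."""
    if len(raw) < 28:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return Udp(socket.inet_ntoa(src), socket.inet_ntoa(dst),
               sport, dport, raw[ihl + 8:ihl + ulen])


def classify(pkt):
    """Signature check for one datagram, most specific verdict first."""
    if pkt.dport != SSRS_PORT:
        return "ignore"
    if not pkt.payload or pkt.payload[0] != CLNT_UCAST_INST:
        return "ssrs-other"
    if any(m in pkt.payload for m in WORM_MARKERS):
        return "slammer"            # content match on the known payload
    if len(pkt.payload) >= OVERFLOW_LEN:
        return "ssrs-overflow"      # oversized 0x04 request: overflow attempt
    return "ssrs-normal"


def spraying_sources(frames, min_targets=3):
    """Sources sending suspicious SSRS traffic to many distinct hosts.

    The worm picked random destinations, so one infected host fans out to
    many addresses; this catches that behaviour even before a content
    signature exists."""
    targets = defaultdict(set)
    for raw in frames:
        pkt = parse_ipv4_udp(raw)
        if pkt and classify(pkt) in ("slammer", "ssrs-overflow"):
            targets[pkt.src].add(pkt.dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


# Constructed sample traffic (no real worm bytes; addresses are documentation
# ranges).  The worm-like payload is padded to the real datagram size, 376.
NORMAL = build_ipv4_udp("10.0.0.5", "10.0.0.9", 40000, SSRS_PORT,
                        bytes([CLNT_UCAST_INST]) + b"MSSQLSERVER\x00")
OVERSIZED = build_ipv4_udp("10.0.0.7", "10.0.0.9", 40001, SSRS_PORT,
                           bytes([CLNT_UCAST_INST]) + b"A" * 200)
WORMLIKE = [build_ipv4_udp("192.0.2.44", d, 40002, SSRS_PORT,
                           bytes([CLNT_UCAST_INST]) + b"\x90" * 150
                           + b"dllhel32hkern" + b"\x90" * 212)
            for d in ("198.51.100.1", "198.51.100.2", "203.0.113.3")]
SAMPLE = [NORMAL, OVERSIZED] + WORMLIKE

if __name__ == "__main__":
    for raw in SAMPLE:
        p = parse_ipv4_udp(raw)
        print(p.src, "->", p.dst, classify(p))
    print("spraying:", spraying_sources(SAMPLE))
```

The content match is what a signature written after the first customer calls would look like; the length check and the fan-out check are the kind of generic rule that could fire on an unknown 1434 overflow, which is the only way an alert could precede a signature. Neither gives "hours" of warning on a worm that saturated its scanning rate in minutes; they give an alert once traffic is already on the wire.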
