Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes. I assume Symantec has some data to back up their claim. http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
I saw this mentioned in an article a day or two after the attack. Clearly they are wrong about this (lying or mistaken), for as you say the speed of propagation means that a single infected host would have infected the whole internet in minutes which means we all see the first packets at almost exactly the same time.
From the context it is written below, this seems a cheap stunt to promote their service.
Steve On Thu, 13 Feb 2003, Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
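As an added illustration of the propagation argument in the post above (example code written for this page, not anything from the thread, the list members or Symantec): a logistic model of a uniform random-scanning worm, with a closed-form solution and a simple simulation of the same model. The vulnerable-population size (75,000), the per-host scan rate (4,000/s) and the 1/100 rate for a hypothetical throttled trial run are assumed parameters, not figures stated in the thread; the throttled case goes beyond the post to show how long the "slow worm" trial-run theory raised later in the thread would take to saturate.

```python
# Added example, not code from the thread: logistic model of a random-scanning
# worm, used to put numbers on the "spread in minutes" argument made above.
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner picks from


def growth_rate(vulnerable, scans_per_sec):
    """Per-second exponential growth rate r in the early phase.

    A probe from one infected host reaches an uninfected vulnerable host with
    probability (N - i) / 2^32, so di/dt = s * i * (N - i) / 2^32 and, while
    i << N, the infected population grows like exp(s * N / 2^32 * t)."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def doubling_time(vulnerable, scans_per_sec):
    """Seconds for the infected population to double in the early phase."""
    return math.log(2) / growth_rate(vulnerable, scans_per_sec)


def analytic_time_to_fraction(vulnerable, scans_per_sec, fraction=0.9, seed_hosts=1):
    """Closed-form logistic solution: seconds until `fraction` of N is infected.

    i(t) = N / (1 + (N/i0 - 1) * exp(-r t)); solve i(t) = fraction * N for t."""
    r = growth_rate(vulnerable, scans_per_sec)
    return math.log((vulnerable / seed_hosts - 1) * fraction / (1 - fraction)) / r


def simulate_time_to_fraction(vulnerable, scans_per_sec, fraction=0.9,
                              seed_hosts=1, step=0.1, max_seconds=48 * 3600):
    """Forward-Euler integration of the same model; returns seconds to reach
    `fraction` of N, or None if the target is not reached within max_seconds."""
    infected = float(seed_hosts)
    t = 0.0
    while infected < fraction * vulnerable:
        new_per_sec = scans_per_sec * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_per_sec * step)
        t += step
        if t > max_seconds:
            return None
    return t


def scenario_table():
    """Constructed parameters (assumptions, not figures from the thread):
    75,000 vulnerable hosts and 4,000 scans/s per host for the full-speed worm,
    plus a hypothetical throttled trial run at 1/100 of that scan rate."""
    rows = {}
    for label, scans in (("full-speed worm", 4000), ("throttled trial run", 40)):
        rows[label] = {
            "doubling_s": doubling_time(75_000, scans),
            "to_90pct_s": analytic_time_to_fraction(75_000, scans),
        }
    return rows


if __name__ == "__main__":
    for label, row in scenario_table().items():
        print(f"{label:>20}: doubling every {row['doubling_s']:.1f}s, "
              f"90% of hosts infected after {row['to_90pct_s'] / 60:.1f} min")
```

With the assumed parameters the full-speed case reaches 90% of the vulnerable hosts in roughly three minutes, while the throttled case takes about five hours, so a multi-hour head start is only consistent with something that scans a hundred times slower than the worm that was actually observed.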
really? wow then according to their press release none of their Deepsight customers were compromised because of this early warning? I bet that can be debunked fairly quickly. Let's see what falls out of the bush once it is shaken a bit. Stephen J. Wilcox wrote:
I saw this mentioned in an article a day or two after the attack.
Clearly they are wrong about this (lying or mistaken), for as you say the speed of propagation means that a single infected host would have infected the whole internet in minutes which means we all see the first packets at almost exactly the same time.
From the context it is written below, this seems a cheap stunt to promote their service.
Steve
On Thu, 13 Feb 2003, Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
-- May God Bless you and everything you touch. My "foundation" verse: Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
Not to mention that most firewalls and IDSs that DeepSight relies on didn't flag on 1434 before Slammer. Best regards, ______________________________ Al Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of William Warren Sent: Thursday, February 13, 2003 9:17 AM To: nanog@merit.edu Subject: Re: Symantec detected Slammer worm "hours" before
really? wow then according to their press release none of their Deepsight customers were compromised because of this early warning? I bet that can be debunked fairly quickly. Let's see what falls out of the bush once it is shaken a bit.
Stephen J. Wilcox wrote:
I saw this mentioned in an article a day or two after the attack.
Clearly they are wrong about this (lying or mistaken), for as you say the speed of propagation means that a single infected host would have infected the whole internet in minutes which means we all see the first packets at almost exactly the same time.
From the context it is written below, this seems a cheap stunt to promote their service.
Steve
On Thu, 13 Feb 2003, Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
I attribute this to over-zealous marketing. As I mentioned at the NANOG BoF, there is, indeed, a decrease in latency about 6 hours prior to the actual mass attack. Mike Lloyd (RouteScience) saw this, too. There's also a decrease about 16 hours out. Sean suggested that they might be attributed to cable cuts, but I don't have the data to attempt correlation. If Symantec's ouija board brought them news "hours" earlier, they are behaving reprehensibly not to have alerted the community. Peter
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
davidmoore certainly thought it was cute when he saw it last nite: david is impressed that deepsight was tracking the worm "hours before it began propagating". david says, "What, did the worm author call them up and tell them, "hey, I'm letting it go in an hour!""
host -N, cool trick about time someone overcame that inconvenient speed of light thing. tap tap k
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes. I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
If the author had any sense of irony at all; I bet we'd find Patient Zero was in Redmond. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
Sean, I agree that this claim is innately suspect - I've seen a few opportunistic press releases on this, at least some of which are clearly false. Now at the Security BOF in Phoenix, Avi and I both showed some data with anomalies prior to the well-known onset time. Unfortunately, the anomalies don't match in "shape", but we were looking at different things (he looked at DNS servers; I looked at averages of many end to end traces); they did very roughly match in time. Neither Avi nor I claimed that we had detected the worm early; what we appear to have are just suspicious anomalies. I can tell you that a measurement box of mine reacted several hours before the well-known onset time, and due to that reaction, was remarkably well positioned when the attack actually occurred. I'm ready to believe that I just got lucky on this one - that I reacted to some other serious signal which by good fortune got me out of the way. What I don't know yet is what exactly my device reacted to. You added comment on a fiber cut in that time period - can you offer more detail? Barry mentioned another roughly simultaneous attack in Korea. One other theory, of course, would be trial runs of the worm, perhaps with restricted PRNG to localize attack. I've seen no direct evidence that this happened, though. Anyone got data points to share on, say, the 6-hour period before we got Slammed? Mike Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
From: "Mike Lloyd"
You added comment on a fiber cut in that time period - can you offer more detail? Barry mentioned another roughly simultaneous attack in Korea. One other theory, of course, would be trial runs of the worm, perhaps with restricted PRNG to localize attack. I've seen no direct evidence that this happened, though.
It wouldn't be the first time that someone kicked off some code, found that it was running too slowly, removed the sleep timers and tried again. However, if this were the case, trying to find and localize the initial "slow worm" compared to the later release would be difficult to say the least. Jack Bates BrightNet Oklahoma
On Thu, 13 Feb 2003, Mike Lloyd wrote:
You added comment on a fiber cut in that time period - can you offer more detail? Barry mentioned another roughly simultaneous attack in Korea. One other theory, of course, would be trial runs of the worm, perhaps with restricted PRNG to localize attack. I've seen no direct evidence that this happened, though.
There are bumps all the time on the net. Most of the time they are ignored. Tracking down their cause or their effect is an inexact science. For example, on July 19 2001 we had both the Code Red worm and the Baltimore train tunnel fire. The Internet had problems, but which caused what problems? Eventually, after staring at a lot of data sources and squinting really, really hard, the tunnel fire was probably responsible for most of the slowdown on July 19. On January 24 2003, Friday afternoon there was a cable cut affecting several providers. Friday night/Saturday morning, the slammer worm was spreading across the Net around 12:30am EST. This time I think the worm was probably responsible for most of the slowdowns. Several folks with data sets saw a bump around 6-6:30pm EST Friday night. Was it a worm test/slow worm propagation, manual patching around the earlier fiber cut, or something completely different? I don't know. Any network engineers willing to admit futzing with the Net earlier that night?
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
One way they could have known about it is that some of their customers got nailed _and called them_. The other is IDS signature. I'm not sure if there was one already out there that would have caught this, but if the customers were calling they would have been able to create one quickly, as people did. If there's no alarm, no event tripped, there is no correlation data. YMMV.
On Thu, 13 Feb 2003, Martin Hannigan wrote:
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
One way they could have known about it is that some of their customers got nailed _and called them_.
The other is IDS signature. I'm not sure if there was one already out there that would have caught this, but if the customers were calling they would have been able to create one quickly, as people did.
If there's no alarm, no event tripped, there is no correlation data.
Another possibility is that they wrote the slammer themselves so they had early knowledge of it :-) K
Sean Donelan wrote:
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I am still of the belief that it was released in direct reaction to the worldwide message from Bill Gates <BillGates@chairman.microsoft.com>, entitled "Security in a Connected World," and sent to all sorts of people who NEVER asked to be on his silly list (me, for example). My timestamp for the email says: Fri, 24 Jan 2003 11:06:50 (PST, give or take a few). Hmmmm, how close in time to the appearance of the worm that is... I can just picture the annoyance of the worm author, who then said to himself "I'll show him security all righty." Perhaps it was something he'd been working on the night before. It wasn't that complex, after all, and really not destructive, if you don't count the annoyance factor. Just the same, I've had my excitement for the year, I don't really want to see another. Bill? If you're out there, don't send out any more unsolicited newsletters, ok? -- Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall
According to Wired, Symantec is now saying they sent out an alert to their paying customers about 30 minutes (9pm PST) before the SQL slammer worm was detected by anyone else around 9:30pm PST. I have not seen a copy of the Symantec message. The first problem report on Nanog was 13 minutes after the worm was widely detected at 12:43am EST (9:43pm PST) concerning Level 3 issues. The first Nanog report about port 1434 was 1:28am EST. There was some discussion on some private mail lists earlier, but I have not seen any reports prior to 9:25pm PST (12:25am EST or 05:25 UTC). I suspect some of the early firewall logs were clock skew issues, so 05:30 UTC plus or minus 5 minutes.
Sean Donelan wrote:
According to Wired, Symantec is now saying they sent out an alert to their paying customers about 30 minutes (9pm PST) before the SQL slammer worm was detected by anyone else around 9:30pm PST.
I have not seen a copy of the Symantec message.
OK, if there really was a private alert... one would expect that after news hit NANOG, BUGTRAQ et al, a public advisory would have been released by Symantec as well. There was no information about Slammer available on Symantec's public web site for more than four hours after it reached criticality (3AM MST). I kept a close eye on Symantec, McAfee, dshield.org, incidents.org and other usual suspects, none of them had information available until the next morning. Mike
It's quite interesting, Mike and Sean, to note that on Symantec's "Expanded Security Response List" //securityresponse.symantec.com/avcenter/security/Advisories.html there is nothing (that's right, nothing) at all between January 21 and January 27, 2003. As I said the other day, this is an instance of an over-zealous marketeer going way out on a limb. Think of Coyote out-tricking himself. This has been supplied by the Acme Novelty Co. Peter
Give it time..i bet Symantec will get some serious egg on its face...either they are really stretching the truth or the are outright lying. Sean Donelan wrote:
According to Wired, Symantec is now saying they sent out an alert to their paying customers about 30 minutes (9pm PST) before the SQL slammer worm was detected by anyone else around 9:30pm PST.
I have not seen a copy of the Symantec message.
The first problem report on Nanog was 13 minutes after the worm was widely detected at 12:43am EST (9:43pm PST) concerning Level 3 issues. The first Nanog report about port 1434 was 1:28am EST. There was some discussion on some private mail lists earlier, but I have not seen any reports prior to 9:25pm PST (12:25am EST or 05:25 UTC). I suspect some of the early firewall logs were clock skew issues, so 05:30 UTC plus or minus 5 minutes.
Apologies if this is old news. It's from Thursday, but I didn't see it until today.
Symantec comes clean.... Somewhat:
http://www.theregister.co.uk/content/56/29406.html
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan Sent: Thursday, February 13, 2003 12:00 PM To: nanog@merit.edu Subject: Symantec detected Slammer worm "hours" before
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes. I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
Another anomaly detection product and its proactive/reactive response to the Slammer Worm. http://www.q1labs.com/qvision_slammer_white_paper.pdf Glen
----- Original Message ----- From: "Terry Baranski" <terry@eurocompton.net> To: <nanog@merit.edu> Sent: Sunday, February 23, 2003 4:37 PM Subject: RE: Symantec detected Slammer worm "hours" before
Apologies if this is old news. It's from Thursday, but I didn't see it until today.
Symantec comes clean.... Somewhat:
http://www.theregister.co.uk/content/56/29406.html
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan Sent: Thursday, February 13, 2003 12:00 PM To: nanog@merit.edu Subject: Symantec detected Slammer worm "hours" before
Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
I assume Symantec has some data to back up their claim.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0 "For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised."
http://www.theregister.co.uk/content/56/29406.html Interesting. So they meant they got IDS "hits" hours before anyone posted a full description of the attacks to bugtraq when they said they had detected the worm hours before it spread? That's a novel use of english :)
On Mon, Feb 24, 2003 at 05:07:33PM -0000, DaveHowe@gmx.co.uk said: [snip]
So they meant they got IDS "hits" hours before anyone posted a full description of the attacks to bugtraq when they said they had detected the worm hours before it spread? That's a novel use of english :)
One typically finds little else in marketing. :) -- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui
participants (17): Al Rowland, David Howe, David Lesher, Etaoin Shrdlu, Glen Fillmore, Jack Bates, k claffy, Krzysztof Adamski, Martin Hannigan, Mike Lewinski, Mike Lloyd, Peter Salus, Scott Francis, Sean Donelan, Stephen J. Wilcox, Terry Baranski, William Warren