[dmoore@caida.org: Re: Symantec detected Slammer worm "hours" before]
[david not on nanog list so am forwarding for him] ----- Forwarded message from David Moore <dmoore@caida.org> ----- Date: Thu, 13 Feb 2003 10:42:18 -0800 From: David Moore <dmoore@caida.org> Subject: Re: Symantec detected Slammer worm "hours" before To: k claffy <kc@caida.org> Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu, David Moore <dmoore@caida.org>
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote: Wow, Symantec is making an amazing claim. They were able to detect the slammer worm "hours" before. Did anyone receive early alerts from Symantec about the SQL slammer worm hours earlier? Academics have estimated the worm spread world-wide, and reached its maximum scanning rate in less than 10 minutes.
So actually thinking about this a bit more, our numbers count from when single well connected or a set of less well connected hosts are infected. If a single (or small number) of infected machines were on slow links (dsl/cable modem/etc) it might take them up to about an hour to find the next vulnerable host (also depending on luck and which cycle of the RNG they are in). So there might be a longer startup period than we suggested if the worm was launched in a poor environment. However, at those rates, the scanning by the worm (small number of hosts with tiny total bandwidth) would be well below the noise of even "normal" port scanning activity. I find it difficult to believe that that _at the time_ it would have been flagged as suspicious. Perhaps going back through their logs after the growth was over would have yielded something. If it was running at a rate which on average took it an hour to find the next vulnerable host, then if they had effective monitoring of a /8, then they would have only seen 100-300 packets in that hour (fewer the more vulnerable hosts that were out there; slower scanning to not find one in an hour). It's a little hard for me to believe that symantec would have noticed this level of traffic, figured out that it was bad (although perhaps some simple x86 code detector might have helped) and have told people about it at this rate. In any case, if they did, then it's because the worm was launched from a poor bandwidth environment, presumably something that symantec can't control in the future. -- david ----- End forwarded message -----
David Moore <dmoore@caida.org> wrote:
So actually thinking about this a bit more, our numbers count from when single well connected or a set of less well connected hosts are infected. If a single (or small number) of infected machines were on slow links (dsl/cable modem/etc) it might take them up to about an hour to find the next vulnerable host (also depending on luck and which cycle of the RNG they are in). So there might be a longer startup period than we suggested if the worm was launched in a poor environment.
However, at those rates, the scanning by the worm (small number of hosts with tiny total bandwidth) would be well below the noise of even "normal" port scanning activity. I find it difficult to believe that that _at the time_ it would have been flagged as suspicious. Perhaps going back through their logs after the growth was over would have yielded something.
Signs of Slammer which could have been noticed early: * increased router load / NetFlow blow-out (if you monitor the rate of disk usage growth on your NetFlow server you will notice Slammer had a *massive* impact on the number of distinct flows -- even if you have half a dozen modem customers infected, the increase in NetFlow data volumes above normal is massive, while the network impact is not even a bump on a graph) * modem customers with congested links (although Slammer congested links for 100Mbps+ colo's, so all customers would have detected congested links equally) * colocation customers hitting service-policy "anti-DoS" limits (some colo SP's place limits on colo switches, and then monitor to see if these limits are hit, in which case the NOC can investigate and either increase the limit -- if traffic is legit -- or note an attack in progress and completely block the port[s] on which the attack is occurring) That said, IMO it's rather unlikely Symantec noticed Slammer early. If they did, of course, they should have posted to their mailing lists such as INCIDENTS and BUGTRAQ when they detected it. I don't remember seeing an early posting. David.
participants (2)
-
David Luyer
-
k claffy