Re: Symantec detected Slammer worm "hours" before

2003-02-25 Thread Scott Francis
On Mon, Feb 24, 2003 at 05:07:33PM -, [EMAIL PROTECTED] said:
[snip]
> So they meant they got IDS "hits" hours before anyone posted a full
> description of the attacks to bugtraq when they said they had detected
> the worm hours before it spread?
> That's a novel use of english :)

One typically finds little else in marketing. :)
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




Re: Symantec detected Slammer worm "hours" before

2003-02-24 Thread David Howe

> http://www.theregister.co.uk/content/56/29406.html
Interesting.
So they meant they got IDS "hits" hours before anyone posted a full
description of the attacks to bugtraq when they said they had detected
the worm hours before it spread?
That's a novel use of english :)




Re: Symantec detected Slammer worm "hours" before

2003-02-24 Thread Glen Fillmore

Another anomaly detection product and its proactive/reactive response to the
Slammer Worm.

http://www.q1labs.com/qvision_slammer_white_paper.pdf



Glen

- Original Message -
From: "Terry Baranski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, February 23, 2003 4:37 PM
Subject: RE: Symantec detected Slammer worm "hours" before


>
> Apologies if this is old news.  It's from Thursday, but I didn't see it
> until today.
>
> Symantec comes clean Somewhat:
>
> http://www.theregister.co.uk/content/56/29406.html
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Sean Donelan
> Sent: Thursday, February 13, 2003 12:00 PM
> To: [EMAIL PROTECTED]
> Subject: Symantec detected Slammer worm "hours" before
>
>
>
>
> Wow, Symantec is making an amazing claim.  They were able to detect the
> slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
>
> I assume Symantec has some data to back up their claim.
>
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."
>



RE: Symantec detected Slammer worm "hours" before

2003-02-23 Thread Terry Baranski

Apologies if this is old news.  It's from Thursday, but I didn't see it
until today.

Symantec comes clean Somewhat:

http://www.theregister.co.uk/content/56/29406.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sean Donelan
Sent: Thursday, February 13, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: Symantec detected Slammer worm "hours" before




Wow, Symantec is making an amazing claim.  They were able to detect the
slammer worm "hours" before.  Did anyone receive early alerts from
Symantec about the SQL slammer worm hours earlier?  Academics have
estimated the worm spread world-wide, and reached its maximum scanning
rate in less than 10 minutes.

I assume Symantec has some data to back up their claim.

http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
  "For example, the DeepSight Threat Management System discovered the
  Slammer worm hours before it began rapidly propagating. Symantec's
  DeepSight Threat Management System then delivered timely alerts and
  procedures, enabling administrators to protect against the attack
  before their environment was compromised."



Re: The minutes seem like hours (was Re: Symantec detected Slammer worm "hours" before)

2003-02-15 Thread Peter Salus


It's quite interesting, Mike and Sean, to note that on 
Symantec's "Expanded Security Response List"
//securityresponse.symantec.com/avcenter/security/Advisories.html
there is nothing (that's right, nothing) at all between 
January 21 and January 27, 2003.

As I said the other day, this is an instance of an 
over-zealous marketeer going way out on a limb.  Think
of Coyote out-tricking himself.

This has been supplied by the Acme Novelty Co.

Peter



The minutes seem like hours (was Re: Symantec detected Slammer worm"hours" before)

2003-02-14 Thread Sean Donelan


According to Wired, Symantec is now saying they sent out an alert to their
paying customers about 30 minutes (9pm PST) before the SQL slammer worm
was detected by anyone else around 9:30pm PST.

I have not seen a copy of the Symantec message.

The first problem report on Nanog was 13 minutes after the worm was widely
detected at 12:43am EST (9:43pm PST) concerning Level 3 issues.  The first
Nanog report about port 1434 was 1:28am EST.  There was some discussion on
some private mail lists earlier, but I have not seen any reports prior to
9:25pm PST (12:25am EST or 05:25 UTC).  I suspect some of the early
firewall logs were clock skew issues, so 05:30 UTC plus or minus 5
minutes.





Re: [dmoore@caida.org: Re: Symantec detected Slammer worm "hours" before]

2003-02-14 Thread David Luyer

David Moore <[EMAIL PROTECTED]> wrote:

>   So actually thinking about this a bit more, our numbers count from
>   when single well connected or a set of less well connected hosts
>   are infected.  If a single (or small number) of infected machines
>   were on slow links (dsl/cable modem/etc) it might take them up to
>   about an hour to find the next vulnerable host (also depending on
>   luck and which cycle of the RNG they are in).  So there might be
>   a longer startup period than we suggested if the worm was launched
>   in a poor environment.
>   
>   However, at those rates, the scanning by the worm (small number of
>   hosts with tiny total bandwidth) would be well below the noise of
>   even "normal" port scanning activity.  I find it difficult to
>   believe that that _at the time_ it would have been flagged as
>   suspicious.  Perhaps going back through their logs after the growth
>   was over would have yielded something.

Signs of Slammer which could have been noticed early:

  * increased router load / NetFlow blow-out

(if you monitor the rate of disk usage growth on your NetFlow
 server you will notice Slammer had a *massive* impact on the
 number of distinct flows -- even if you have half a dozen
 modem customers infected, the increase in NetFlow data volumes
 above normal is massive, while the network impact is not
 even a bump on a graph)

  * modem customers with congested links

(although Slammer congested links for 100Mbps+ colo's, so
 all customers would have detected congested links equally)

  * colocation customers hitting service-policy "anti-DoS" limits

(some colo SP's place limits on colo switches, and then monitor
 to see if these limits are hit, in which case the NOC can
 investigate and either increase the limit -- if traffic is
 legit -- or note an attack in progress and completely block
 the port[s] on which the attack is occurring)

That said, IMO it's rather unlikely Symantec noticed Slammer early.
If they did, of course, they should have posted to their mailing
lists such as INCIDENTS and BUGTRAQ when they detected it.  I don't
remember seeing an early posting.

David.
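
As an added example (not from David's mail, and not any real NetFlow tool), the first sign above turned into a check over constructed flow records: distinct-flow count per export interval compared with bytes, plus a per-source fan-out count on 1434/udp so the NOC knows which port to look at. The prefixes, the 404-byte probe size and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One NetFlow-style record: who talked to whom, and how much."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    byte_count: int


def window_stats(flows: List[Flow]) -> Tuple[int, int]:
    """(distinct 5-tuple flows, total bytes) for one export interval."""
    keys = {(f.src, f.dst, f.proto, f.sport, f.dport) for f in flows}
    return len(keys), sum(f.byte_count for f in flows)


def flow_blowout_windows(windows: List[List[Flow]], baseline: int = 3,
                         flow_factor: float = 5.0, byte_factor: float = 2.0) -> List[int]:
    """Indexes of windows where the distinct-flow count is at least flow_factor x
    the baseline median while bytes stay under byte_factor x: many tiny new flows
    but little extra traffic, which is what a handful of infected modem customers
    look like on a flow collector.  A window whose bytes jump as well (a big
    legitimate transfer) is deliberately not flagged by this rule."""
    stats = [window_stats(w) for w in windows]
    base_flows = median(s[0] for s in stats[:baseline])
    base_bytes = median(s[1] for s in stats[:baseline])
    return [idx for idx, (n_flows, n_bytes) in enumerate(stats)
            if n_flows >= flow_factor * base_flows and n_bytes < byte_factor * base_bytes]


def scanner_fanout(flows: List[Flow], proto: str = "udp", dport: int = 1434,
                   min_targets: int = 50) -> Dict[str, int]:
    """Sources that reached at least min_targets distinct destinations on one
    proto/port: the per-customer view of the same anomaly."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto == proto and f.dport == dport:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# --- Constructed sample data (not real traffic) ---------------------------

def normal_window() -> List[Flow]:
    """60 ordinary long-lived TCP flows (web and mail) of tens of KB each."""
    return [Flow(f"192.0.2.{i % 50 + 1}", f"198.51.100.{(i * 7) % 200 + 1}", "tcp",
                 40_000 + i, 80 if i % 3 else 25, 50_000 + 1_000 * i) for i in range(60)]


def infected_window(n_probes: int = 400) -> List[Flow]:
    """Normal traffic plus one customer spraying single 404-byte UDP datagrams
    (assumed probe size) at distinct hosts on port 1434."""
    probes = [Flow("192.0.2.77", f"10.{i // 250}.{i % 250 + 1}.9", "udp", 1434, 1434, 404)
              for i in range(n_probes)]
    return normal_window() + probes


def big_transfer_window() -> List[Flow]:
    """Normal traffic plus one 500 MB legitimate transfer: bytes jump, flows do not."""
    return normal_window() + [Flow("192.0.2.5", "198.51.100.250", "tcp", 45_000, 443, 500_000_000)]


if __name__ == "__main__":
    windows = [normal_window(), normal_window(), normal_window(),
               infected_window(), big_transfer_window()]
    for i, w in enumerate(windows):
        print(i, window_stats(w))
    print("flow blow-out in windows:", flow_blowout_windows(windows))   # [3]
    print("scanners in window 3:", scanner_fanout(windows[3]))           # {'192.0.2.77': 400}
```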



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Etaoin Shrdlu

Sean Donelan wrote:
> 
> Wow, Symantec is making an amazing claim.  They were able to detect
> the slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.

I am still of the belief that it was released in direct reaction to the
worldwide message from Bill Gates <[EMAIL PROTECTED]>,
entitled "Security in a Connected World," and sent to all sorts of people
who NEVER asked to be on his silly list (me, for example). My timestamp for
the email says: Fri, 24 Jan 2003 11:06:50 (PST, give or take a few). H,
how close in time to the appearance of the worm that is...

I can just picture the annoyance of the worm author, who then said to
himself "I'll show him security all righty." Perhaps it was something he'd
been working on the night before. It wasn't that complex, after all, and
really not destructive, if you don't count the annoyance factor. Just the
same, I've had my excitement for the year, I don't really want to see
another.

Bill? If you're out there, don't send out any more unsolicited newsletters,
ok?

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking. -- Larry Wall



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Krzysztof Adamski

On Thu, 13 Feb 2003, Martin Hannigan wrote:

> 
> On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> > 
> > 
> > Wow, Symantec is making an amazing claim.  They were able to detect
> > the slammer worm "hours" before.  Did anyone receive early alerts from
> > Symantec about the SQL slammer worm hours earlier?  Academics have
> > estimated the worm spread world-wide, and reached its maximum scanning
> > rate in less than 10 minutes.
> > 
> > I assume Symantec has some data to back up their claim.
> > 
> > http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> >   "For example, the DeepSight Threat Management System discovered the
> >   Slammer worm hours before it began rapidly propagating. Symantec's
> >   DeepSight Threat Management System then delivered timely alerts and
> >   procedures, enabling administrators to protect against the attack
> >   before their environment was compromised."
> > 
> 
> 
> One way they could have known about it is that some of their
> customers got nailed _and called them_.
> 
> The other is IDS signature. I'm not sure if there was one already
> out there that would have caught this, but if the customers were
> calling they would have been able to create one quickly, as
> people did.
> 
> If there's no alarm, no event tripped, there is no correlation
> data.

Another possibility is that they wrote the slammer themselves so they had
early knowledge of it :-)

K




Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Martin Hannigan

On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> 
> 
> Wow, Symantec is making an amazing claim.  They were able to detect
> the slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
> 
> I assume Symantec has some data to back up their claim.
> 
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."
> 


One way they could have known about it is that some of their
customers got nailed _and called them_.

The other is IDS signature. I'm not sure if there was one already
out there that would have caught this, but if the customers were
calling they would have been able to create one quickly, as
people did.

If there's no alarm, no event tripped, there is no correlation
data.

YMMV.




[dmoore@caida.org: Re: Symantec detected Slammer worm "hours" before]

2003-02-13 Thread k claffy



[david not on nanog list so am forwarding for him]



- Forwarded message from David Moore <[EMAIL PROTECTED]> -

  Date: Thu, 13 Feb 2003 10:42:18 -0800
  From: David Moore <[EMAIL PROTECTED]>
  Subject: Re: Symantec detected Slammer worm "hours" before
  To: k claffy <[EMAIL PROTECTED]>
  Cc: Sean Donelan <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
 David Moore <[EMAIL PROTECTED]>
  
  > On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
  >   Wow, Symantec is making an amazing claim.  They were able to detect
  >   the slammer worm "hours" before.  Did anyone receive early alerts from
  >   Symantec about the SQL slammer worm hours earlier?  Academics have
  >   estimated the worm spread world-wide, and reached its maximum scanning
  >   rate in less than 10 minutes.
  
  So actually thinking about this a bit more, our numbers count from
  when single well connected or a set of less well connected hosts
  are infected.  If a single (or small number) of infected machines
  were on slow links (dsl/cable modem/etc) it might take them up to
  about an hour to find the next vulnerable host (also depending on
  luck and which cycle of the RNG they are in).  So there might be
  a longer startup period than we suggested if the worm was launched
  in a poor environment.
  
  However, at those rates, the scanning by the worm (small number of
  hosts with tiny total bandwidth) would be well below the noise of
  even "normal" port scanning activity.  I find it difficult to
  believe that that _at the time_ it would have been flagged as
  suspicious.  Perhaps going back through their logs after the growth
  was over would have yielded something.
  
  If it was running at a rate which on average took it an hour to
  find the next vulnerable host, then if they had effective monitoring
  of a /8, then they would have only seen 100-300 packets in that hour
  (fewer the more vulnerable hosts that were out there; slower scanning
  to not find one in an hour).
  
  It's a little hard for me to believe that symantec would have noticed
  this level of traffic, figured out that it was bad (although perhaps
  some simple x86 code detector might have helped) and have told people
  about it at this rate.  In any case, if they did, then it's because
  the worm was launched from a poor bandwidth environment, presumably
  something that symantec can't control in the future.
  
  -- david

- End forwarded message -
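
As an added illustration (not part of David's message), the arithmetic behind the "100-300 packets in that hour" estimate: with uniformly random targets over the IPv4 space, the expected number of probes before one lands on a vulnerable host is 2^32 / N, and a monitored /8 receives 1/256 of them. The vulnerable-population sizes and the 404-byte packet size are assumptions chosen for the example.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a uniformly random scanner can choose from


def expected_probes_per_victim(vulnerable_hosts: int) -> float:
    """Mean number of uniformly random probes sent before one lands on any of
    `vulnerable_hosts` addresses (mean of a geometric distribution)."""
    if vulnerable_hosts <= 0:
        raise ValueError("need at least one vulnerable host")
    return ADDRESS_SPACE / vulnerable_hosts


def probes_seen_by_prefix(total_probes: float, prefix_len: int = 8) -> float:
    """Share of `total_probes` that fall inside one monitored /prefix_len:
    a /8 covers 1/256 of the address space, a /16 covers 1/65536."""
    return total_probes / (2 ** prefix_len)


def telescope_count_per_victim(vulnerable_hosts: int, prefix_len: int = 8) -> float:
    """Expected probes a /prefix_len monitor sees during the time the worm takes
    to find its next victim (one 'generation' of the slow start-up phase)."""
    return probes_seen_by_prefix(expected_probes_per_victim(vulnerable_hosts), prefix_len)


def scan_bandwidth_bps(probes_per_hour: float, packet_bytes: int = 404) -> float:
    """Wire rate of a host emitting `probes_per_hour` packets of `packet_bytes`.
    404 bytes is an assumption for this example (one Slammer datagram including
    IP/UDP headers); the figure shows why such a host barely registers on a link."""
    return probes_per_hour * packet_bytes * 8 / 3600


def poisson_at_least(k: int, mean: float) -> float:
    """P[X >= k] for X ~ Poisson(mean), computed in log space so large means do
    not overflow: how often a monitor would see at least k probes in an hour
    if the true hourly mean were `mean`."""
    if k <= 0:
        return 1.0
    if mean <= 0:
        return 0.0
    below = sum(math.exp(-mean + i * math.log(mean) - math.lgamma(i + 1)) for i in range(k))
    return max(0.0, 1.0 - below)


if __name__ == "__main__":
    for n in (50_000, 75_000, 150_000):          # assumed vulnerable-population sizes
        per_victim = expected_probes_per_victim(n)
        print(f"{n:>7} vulnerable hosts: ~{per_victim:,.0f} probes per victim, "
              f"a /8 sees ~{telescope_count_per_victim(n):.0f} of them; "
              f"at one victim/hour that is {scan_bandwidth_bps(per_victim) / 1000:.0f} kbit/s")
    # The same 100 probes/hour threshold against a worm averaging 224/hour and
    # a quiet hour averaging 20/hour (background rate is an assumption)
    print(f"P(>=100 | mean 224) = {poisson_at_least(100, 224):.3f}")
    print(f"P(>=100 | mean 20)  = {poisson_at_least(100, 20):.1e}")
```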



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Jack Bates

From: "Mike Lloyd"

> You added comment on a fiber cut in that time period - can you offer
> more detail?  Barry mentioned another roughly simultaneous attack in
> Korea.  One other theory, of course, would be trial runs of the worm,
> perhaps with restricted PRNG to localize attack.  I've seen no direct
> evidence that this happened, though.
>

It wouldn't be the first time that someone kicked off some code, found that
it was running too slowly, removed the sleep timers and tried again.
However, if this were the case, trying to find and localize the initial
"slow worm" compared to the later release would be difficult to say the
least.

Jack Bates
BrightNet Oklahoma




Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread hostmaster


DeepSight is SecurityFocus. Their claim may have some truth in it. But, so 
do the 19000+ partners. They mean customers... but not necessarily 
customers/subscribers to DeepSight (they may have 'accidentally' included 
all their SecurityFocus lists' subscribers in that number as well 
:).   Though I do appreciate the SF team, I hasten to add that this 
revelation smells seriously commercially tainted. All of the major networks 
would see such an anomaly pretty fast, and at virtually the same time.  This 
is however the right moment to underscore 'corporate fears', and bring 
attention to their relatively new service/product.

cheers
Bert
director research
nso/ft. myers



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Mike Lloyd

Sean,

I agree that this claim is innately suspect - I've seen a few 
opportunistic press releases on this, at least some of which are clearly 
false.

Now at the Security BOF in Phoenix, Avi and I both showed some data with 
anomalies prior to the well-known onset time.  Unfortunately, the 
anomalies don't match in "shape", but we were looking at different 
things (he looked at DNS servers; I looked at averages of many end to 
end traces); they did very roughly match in time.

Neither Avi nor I claimed that we had detected the worm early; what we 
appear to have are just suspicious anomalies.  I can tell you that a 
measurement box of mine reacted several hours before the well-known 
onset time, and due to that reaction, was remarkably well positioned 
when the attack actually occurred.  I'm ready to believe that I just got 
lucky on this one - that I reacted to some other serious signal which by 
good fortune got me out of the way.  What I don't know yet is what 
exactly my device reacted to.

You added comment on a fiber cut in that time period - can you offer 
more detail?  Barry mentioned another roughly simultaneous attack in 
Korea.  One other theory, of course, would be trial runs of the worm, 
perhaps with restricted PRNG to localize attack.  I've seen no direct 
evidence that this happened, though.

Anyone got data points to share on, say, the 6-hour period before we got 
Slammed?

Mike

Sean Donelan wrote:

> Wow, Symantec is making an amazing claim.  They were able to detect
> the slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
>
> I assume Symantec has some data to back up their claim.
>
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."





Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread David Lesher


If the author had any sense of irony at all; I bet we'd
find Patient Zero was in Redmond.


-- 
A host is a host from coast to coast               [EMAIL PROTECTED]
& no one will talk to a host that's close[v]       (301) 56-LINUX
Unless the host (that isn't close)                 pob 1433
is busy, hung or dead                              20915-1433



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread k claffy

On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
>

davidmoore certainly thought it was cute when he saw it last nite:

david is impressed that deepsight was tracking the worm "hours before
it began propagating".
david says, "What, did the worm author call them up and tell them,
"hey, I'm letting it go in an hour!""

host -N, cool trick
about time someone overcame that 
inconvenient speed of light thing. tap tap
k

>
>   Wow, Symantec is making an amazing claim.  They were able to detect
>   the slammer worm "hours" before.  Did anyone receive early alerts from
>   Symantec about the SQL slammer worm hours earlier?  Academics have
>   estimated the worm spread world-wide, and reached its maximum scanning
>   rate in less than 10 minutes.
>
>   I assume Symantec has some data to back up their claim.
>
>   http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>     "For example, the DeepSight Threat Management System discovered the
>     Slammer worm hours before it began rapidly propagating. Symantec's
>     DeepSight Threat Management System then delivered timely alerts and
>     procedures, enabling administrators to protect against the attack
>     before their environment was compromised."



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Peter Salus


I attribute this to over-zealous marketing.  As I 
mentioned at the NANOG BoF, there is, indeed, a
decrease in latency about 6 hours prior to the 
actual mass attack.  Mike Lloyd (RouteScience)
saw this, too.  There's also a decrease about 
16 hours out.  Sean suggested that they might be 
attributed to cable cuts, but I don't have the 
data to attempt correlation.

If Semantec's ouija board brought them news "hours"
earlier, they are behaving reprehensibly not to 
have alerted the community.

Peter



RE: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Al Rowland

Not to mention that most firewalls and IDSs that DeepSight relies on
didn't flag on 1434 before Slammer.

Best regards,
__
Al Rowland

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
> Behalf Of William Warren
> Sent: Thursday, February 13, 2003 9:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Symantec detected Slammer worm "hours" before
> 
> 
> really? wow then according to their press release none of their 
> Deepsight customers were compromised because of this early 
> warning?  I bet that can be debunked fairly quickly.  Let's see what 
> falls out of the bush once it is shaken a bit.
> 
> 
> Stephen J. Wilcox wrote:
> > 
> > I saw this mentioned in an article a day or two after the attack.
> > 
> > Clearly they are wrong about this (lying or mistaken), for as you say 
> > the speed of propagation means that a single infected host would have 
> > infected the whole internet in minutes which means we all see the 
> > first packets at almost exactly the same time.
> > 
> > From the context it is written below, this seems a cheap stunt to 
> > promote their service.
> > 
> > Steve
> > 
> > On Thu, 13 Feb 2003, Sean Donelan wrote:
> > 
> >> Wow, Symantec is making an amazing claim.  They were able to detect 
> >> the slammer worm "hours" before.  Did anyone receive early alerts from 
> >> Symantec about the SQL slammer worm hours earlier?  Academics have 
> >> estimated the worm spread world-wide, and reached its maximum scanning 
> >> rate in less than 10 minutes.
> >>
> >> I assume Symantec has some data to back up their claim.
> >>
> >> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> >>   "For example, the DeepSight Threat Management System discovered the
> >>   Slammer worm hours before it began rapidly propagating. Symantec's
> >>   DeepSight Threat Management System then delivered timely alerts and
> >>   procedures, enabling administrators to protect against the attack
> >>   before their environment was compromised."
> >>
> 
> -- 
> May God Bless you and everything you touch.
> 
> My "foundation" verse:
> Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
> every tongue that shall rise against thee in judgment thou shalt 
> condemn. This is the heritage of the servants of the LORD, and their 
> righteousness is of me, saith the LORD.





Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread William Warren

really? wow then according to their press release none of their 
Deepsight customers were compromised because of this early warning?  I 
bet that can be debunked fairly quickly.  Let's see what falls out of the 
bush once it is shaken a bit.


Stephen J. Wilcox wrote:

> I saw this mentioned in an article a day or two after the attack.
>
> Clearly they are wrong about this (lying or mistaken), for as you say the speed
> of propagation means that a single infected host would have infected the whole
> internet in minutes which means we all see the first packets at almost exactly
> the same time.
>
> From the context it is written below, this seems a cheap stunt to promote their 
> service.
>
> Steve
>
> On Thu, 13 Feb 2003, Sean Donelan wrote:
>
> > Wow, Symantec is making an amazing claim.  They were able to detect
> > the slammer worm "hours" before.  Did anyone receive early alerts from
> > Symantec about the SQL slammer worm hours earlier?  Academics have
> > estimated the worm spread world-wide, and reached its maximum scanning
> > rate in less than 10 minutes.
> >
> > I assume Symantec has some data to back up their claim.
> >
> > http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
> >   "For example, the DeepSight Threat Management System discovered the
> >   Slammer worm hours before it began rapidly propagating. Symantec's
> >   DeepSight Threat Management System then delivered timely alerts and
> >   procedures, enabling administrators to protect against the attack
> >   before their environment was compromised."

--
May God Bless you and everything you touch.

My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.



Re: Symantec detected Slammer worm "hours" before

2003-02-13 Thread Stephen J. Wilcox


I saw this mentioned in an article a day or two after the attack.


Clearly they are wrong about this (lying or mistaken), for as you say the speed
of propagation means that a single infected host would have infected the whole
internet in minutes which means we all see the first packets at almost exactly
the same time.

From the context it is written below, this seems a cheap stunt to promote their 
service.

Steve

On Thu, 13 Feb 2003, Sean Donelan wrote:

> 
> 
> Wow, Symantec is making an amazing claim.  They were able to detect
> the slammer worm "hours" before.  Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier?  Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
> 
> I assume Symantec has some data to back up their claim.
> 
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."
> 
> 




Symantec detected Slammer worm "hours" before

2003-02-13 Thread Sean Donelan


Wow, Symantec is making an amazing claim.  They were able to detect
the slammer worm "hours" before.  Did anyone receive early alerts from
Symantec about the SQL slammer worm hours earlier?  Academics have
estimated the worm spread world-wide, and reached its maximum scanning
rate in less than 10 minutes.

I assume Symantec has some data to back up their claim.

http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
  "For example, the DeepSight Threat Management System discovered the
  Slammer worm hours before it began rapidly propagating. Symantec's
  DeepSight Threat Management System then delivered timely alerts and
  procedures, enabling administrators to protect against the attack
  before their environment was compromised."