On Mon, Feb 24, 2003 at 05:07:33PM -, [EMAIL PROTECTED] said:
[snip]
> So they meant they got IDS "hits" hours before anyone posted a full
> description of the attacks to bugtraq when they said they had detected
> the worm hours before it spread?
> That's a novel use of English :)
One typicall
> http://www.theregister.co.uk/content/56/29406.html
Interesting.
So they meant they got IDS "hits" hours before anyone posted a full
description of the attacks to bugtraq when they said they had detected
the worm hours before it spread?
That's a novel use of English :)
ruary 23, 2003 4:37 PM
Subject: RE: Symantec detected Slammer worm "hours" before
>
> Apologies if this is old news. It's from Thursday, but I didn't see it
> until today.
>
> Symantec comes clean Somewhat:
>
> http://www.theregister.co.uk/content/56/294
Apologies if this is old news. It's from Thursday, but I didn't see it
until today.
Symantec comes clean Somewhat:
http://www.theregister.co.uk/content/56/29406.html
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sean Donelan
Sent: Thursday, Febru
It's quite interesting, Mike and Sean, to note that on
Symantec's "Expanded Security Response List"
//securityresponse.symantec.com/avcenter/security/Advisories.html
there is nothing (that's right, nothing) at all between
January 21 and January 27, 2003.
As I said the other day, this is an ins
According to Wired, Symantec is now saying they sent out an alert to their
paying customers about 30 minutes (9pm PST) before the SQL slammer worm
was detected by anyone else around 9:30pm PST.
I have not seen a copy of the Symantec message.
The first problem report on Nanog was 13 minutes afte
David Moore <[EMAIL PROTECTED]> wrote:
> So actually thinking about this a bit more, our numbers count from
> when single well connected or a set of less well connected hosts
> are infected. If a single (or small number) of infected machines
> were on slow links (dsl/cable modem/etc) it
Sean Donelan wrote:
>
> Wow, Symantec is making an amazing claim. They were able to detect
> the slammer worm "hours" before. Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier? Academics have
> estimated the worm spread world-wide, and reached its maximum
On Thu, 13 Feb 2003, Martin Hannigan wrote:
>
> On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
> >
> >
> > Wow, Symantec is making an amazing claim. They were able to detect
> > the slammer worm "hours" before. Did anyone receive early alerts from
> > Symantec about the SQL sl
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
>
>
> Wow, Symantec is making an amazing claim. They were able to detect
> the slammer worm "hours" before. Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier? Academics have
> estimated the wo
[david not on nanog list so am forwarding for him]
- Forwarded message from David Moore <[EMAIL PROTECTED]> -
Date: Thu, 13 Feb 2003 10:42:18 -0800
From: David Moore <[EMAIL PROTECTED]>
Subject: Re: Symantec detected Slammer worm "hours" before
To: k cl
From: "Mike Lloyd"
> You added comment on a fiber cut in that time period - can you offer
> more detail? Barry mentioned another roughly simultaneous attack in
> Korea. One other theory, of course, would be trial runs of the worm,
> perhaps with restricted PRNG to localize attack. I've seen no
DeepSight is SecurityFocus. Their claim may have some truth in it. But, so
does the 19000+ partners. They mean customers but not necessarily
customers/ subscribers to DeepSight. (they may have 'accidentally' included
all their SecurityFocus lists' subscribers in that number as well
:). T
Sean,
I agree that this claim is innately suspect - I've seen a few
opportunistic press releases on this, at least some of which are clearly
false.
Now at the Security BOF in Phoenix, Avi and I both showed some data with
anomalies prior to the well-known onset time. Unfortunately, the
anoma
If the author had any sense of irony at all; I bet we'd
find Patient Zero was in Redmond.
--
A host is a host from coast to [EMAIL PROTECTED]
& no one will talk to a host that's close[v].(301) 56-LINUX
Unless the host (that isn't close).pob 1433
is busy, hung or
On Thu, Feb 13, 2003 at 11:59:48AM -0500, Sean Donelan wrote:
davidmoore certainly thought it was cute when he saw it last nite:
david is impressed that deepsight was tracking the worm "hours before
it began propagating".
david says, "What, did the worm author call them up and tell them,
I attribute this to over-zealous marketing. As I
mentioned at the NANOG BoF, there is, indeed, a
decrease in latency about 6 hours prior to the
actual mass attack. Mike Lloyd (RouteScience)
saw this, too. There's also a decrease about
16 hours out. Sean suggested that they might be
attrib
> Sent: Thursday, February 13, 2003 9:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Symantec detected Slammer worm "hours" before
>
>
>
> really? wow then according to their press release none of their
> Deepsight customers were compromised because of this early
really? wow then according to their press release none of their
Deepsight customers were compromised because of this early warning? I
bet that can be debunked fairly quickly. Let's see what falls out of the
busy once it is shaken a bit.
Stephen J. Wilcox wrote:
I saw this mentioned in an ar
I saw this mentioned in an article a day or two after the attack.
Clearly they are wrong about this (lying or mistaken), for as you say the speed
of propagation means that a single infected host would have infected the whole
internet in minutes which means we all see the first packets at almost