Symantec detected Slammer worm "hours" before

Wow, Symantec is making an amazing claim. They were able to detect
the slammer worm "hours" before. Did anyone receive early alerts from
Symantec about the SQL slammer worm hours earlier? Academics have
estimated the worm spread world-wide, and reached its maximum scanning
rate in less than 10 minutes.

I assume Symantec has some data to back up their claim.

http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
  "For example, the DeepSight Threat Management System discovered the
  Slammer worm hours before it began rapidly propagating. Symantec's
  DeepSight Threat Management System then delivered timely alerts and
  procedures, enabling administrators to protect against the attack
  before their environment was compromised."

I saw this mentioned in an article a day or two after the attack.

Clearly they are wrong about this (lying or mistaken), for as you say the speed
of propagation means that a single infected host would have infected the whole
internet in minutes, which means we all see the first packets at almost exactly
the same time.

From the context in which it is written below, this seems a cheap stunt to promote their
service.

Steve
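
The speed argument above can be made quantitative with the classic logistic model of a random-scanning worm. This is an added example, not code from the thread; the vulnerable-host count and per-host scan rate in it are assumed illustrative values, not measurements.

```python
"""Logistic model of a random-scanning worm (added example, not from the thread).

Each infected host scans S random IPv4 addresses per second; N of the 2**32
addresses are vulnerable. With a(t) the infected fraction of those N hosts,
da/dt = K * a * (1 - a) with K = S * N / 2**32, whose closed form is
a(t) = 1 / (1 + ((1 - a0) / a0) * exp(-K * t)).
"""
import math

ADDRESS_SPACE = 2 ** 32


def contact_rate(scans_per_sec: float, vulnerable_hosts: int) -> float:
    """K: new infections per infected host per second while a(t) is small."""
    return scans_per_sec * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(t: float, k: float, a0: float) -> float:
    """Infected fraction after t seconds, starting from fraction a0 at t=0."""
    return 1.0 / (1.0 + ((1.0 - a0) / a0) * math.exp(-k * t))


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Seconds until the infected fraction first reaches `target` (0 < target < 1)."""
    return math.log(((1.0 - a0) / a0) * target / (1.0 - target)) / k


def doubling_time(k: float) -> float:
    """Doubling time of the early, near-exponential phase."""
    return math.log(2) / k


if __name__ == "__main__":
    # Assumed illustrative values, not measurements: 75,000 vulnerable hosts,
    # 4,000 scans/s per infected host, a single initially infected host.
    N, S = 75_000, 4_000.0
    k = contact_rate(S, N)
    a0 = 1.0 / N
    print(f"K = {k:.4f}/s; early doubling time about {doubling_time(k):.1f} s")
    for frac in (0.5, 0.9, 0.99):
        minutes = time_to_fraction(frac, k, a0) / 60
        print(f"{frac:.0%} of vulnerable hosts infected after {minutes:.1f} min")
```

The model ignores bandwidth saturation by the scan traffic itself, which slows growth after the first minutes, so the curve is an upper bound on spread speed; with the assumed values it still saturates in minutes, leaving no room for an hours-long warning window.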

Really? Wow, then according to their press release none of their Deepsight customers were compromised because of this early warning? I bet that can be debunked fairly quickly. Let's see what falls out of the bush once it is shaken a bit.

Stephen J. Wilcox wrote:

Not to mention that most firewalls and IDSs that DeepSight relies on
didn't flag on 1434 before Slammer.

Best regards,

davidmoore certainly thought it was cute when he saw it last nite:

david is impressed that deepsight was tracking the worm "hours before
    it began propagating".
david says, "What, did the worm author call them up and tell them,
    'hey, I'm letting it go in an hour!'"

host -N, cool trick
about time someone overcame that
inconvenient speed of light thing. tap tap
k

> Wow, Symantec is making an amazing claim. They were able to detect
> the slammer worm "hours" before. Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier? Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.
>
> I assume Symantec has some data to back up their claim.
>
> http://enterprisesecurity.symantec.com/content.cfm?articleid=1985&EID=0
>   "For example, the DeepSight Threat Management System discovered the
>   Slammer worm hours before it began rapidly propagating. Symantec's
>   DeepSight Threat Management System then delivered timely alerts and
>   procedures, enabling administrators to protect against the attack
>   before their environment was compromised."

Sean,

I agree that this claim is innately suspect - I've seen a few opportunistic press releases on this, at least some of which are clearly false.

Now at the Security BOF in Phoenix, Avi and I both showed some data with anomalies prior to the well-known onset time. Unfortunately, the anomalies don't match in "shape", but we were looking at different things (he looked at DNS servers; I looked at averages of many end to end traces); they did very roughly match in time.

Neither Avi nor I claimed that we had detected the worm early; what we appear to have are just suspicious anomalies. I can tell you that a measurement box of mine reacted several hours before the well-known onset time, and due to that reaction, was remarkably well positioned when the attack actually occurred. I'm ready to believe that I just got lucky on this one - that I reacted to some other serious signal which by good fortune got me out of the way. What I don't know yet is what exactly my device reacted to.

You added comment on a fiber cut in that time period - can you offer more detail? Barry mentioned another roughly simultaneous attack in Korea. One other theory, of course, would be trial runs of the worm, perhaps with restricted PRNG to localize attack. I've seen no direct evidence that this happened, though.

Anyone got data points to share on, say, the 6-hour period before we got Slammed?

Mike

Sean Donelan wrote:

> You added comment on a fiber cut in that time period - can you offer
> more detail? Barry mentioned another roughly simultaneous attack in
> Korea. One other theory, of course, would be trial runs of the worm,
> perhaps with restricted PRNG to localize attack. I've seen no direct
> evidence that this happened, though.

It wouldn't be the first time that someone kicked off some code, found that
it was running too slowly, removed the sleep timers and tried again.
However, if this were the case, trying to find and localize the initial
"slow worm" compared to the later release would be difficult to say the
least.

Jack Bates
BrightNet Oklahoma

One way they could have known about it is that some of their
customers got nailed _and called them_.

The other is IDS signature. I'm not sure if there was one already
out there that would have caught this, but if the customers were
calling they would have been able to create one quickly, as
people did.

If there's no alarm, no event tripped, there is no correlation
data.

YMMV.

Another possibility is that they wrote the slammer themselves so they had
early knowledge of it :)

K

Sean Donelan wrote:

> Wow, Symantec is making an amazing claim. They were able to detect
> the slammer worm "hours" before. Did anyone receive early alerts from
> Symantec about the SQL slammer worm hours earlier? Academics have
> estimated the worm spread world-wide, and reached its maximum scanning
> rate in less than 10 minutes.

I am still of the belief that it was released in direct reaction to the
worldwide message from Bill Gates <BillGates@chairman.microsoft.com>,
entitled "Security in a Connected World," and sent to all sorts of people
who NEVER asked to be on his silly list (me, for example). My timestamp for
the email says: Fri, 24 Jan 2003 11:06:50 (PST, give or take a few). Hmmmm,
how close in time to the appearance of the worm that is...

I can just picture the annoyance of the worm author, who then said to
himself "I'll show him security all righty." Perhaps it was something he'd
been working on the night before. It wasn't that complex, after all, and
really not destructive, if you don't count the annoyance factor. Just the
same, I've had my excitement for the year, I don't really want to see
another.

Bill? If you're out there, don't send out any more unsolicited newsletters,
ok?

There are bumps all the time on the net. Most of the time they are
ignored. Tracking down their cause or their effect is an inexact
science. For example, on July 19 2001 we had both the Code Red worm and
the Baltimore train tunnel fire. The Internet had problems, but which
caused what problems? Eventually, after staring at a lot of data sources
and squinting really, really hard, the tunnel fire was probably
responsible for most of the slowdown on July 19.

On January 24 2003, Friday afternoon there was a cable cut affecting
several providers. Friday night/Saturday morning, the slammer worm was
spreading across the Net around 12:30am EST. This time I think the worm
was probably responsible for most of the slowdowns.

Several folks with data sets saw a bump around 6-6:30pm EST Friday
night. Was it a worm test/slow worm propagation, manual patching around
the earlier fiber cut, or something completely different? I don't know.

Any network engineers willing to admit futzing with the Net earlier that
night?

According to Wired, Symantec is now saying they sent out an alert to their
paying customers about 30 minutes (9pm PST) before the SQL slammer worm
was detected by anyone else around 9:30pm PST.

I have not seen a copy of the Symantec message.

The first problem report on Nanog was 13 minutes after the worm was widely
detected at 12:43am EST (9:43pm PST) concerning Level 3 issues. The first
Nanog report about port 1434 was 1:28am EST. There was some discussion on
some private mail lists earlier, but I have not seen any reports prior to
9:25pm PST (12:25am EST or 05:25 UTC). I suspect some of the early
firewall logs were clock skew issues, so 05:30 UTC plus or minus 5
minutes.
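
One way to do the timeline reconciliation described in the post above: normalize each report's local timestamp to UTC and treat sightings that fall well before the consensus window as likely clock skew rather than early detection. This is an added example, not code from the post; the report timestamps are constructed, while the zones (PST, EST, UTC) and the plus or minus 5 minute tolerance follow the figures quoted in the thread.

```python
"""Normalize first-sighting times to UTC and flag clock skew (added example).
Report times are constructed samples in the zones the thread uses (PST, EST,
UTC); the +/-5 minute tolerance is the figure from the post above."""
from datetime import datetime, timedelta, timezone

# Fixed offsets valid for January 2003 (no daylight saving): PST=UTC-8, EST=UTC-5.
ZONES = {"PST": timezone(timedelta(hours=-8)),
         "EST": timezone(timedelta(hours=-5)),
         "UTC": timezone.utc}

def to_utc(stamp: str, zone: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' expressed in `zone`, return the UTC instant."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=ZONES[zone]).astimezone(timezone.utc)

def consensus_onset(reports) -> datetime:
    """Median report time in UTC: a few badly skewed clocks cannot move it far."""
    times = sorted(to_utc(s, z) for _, s, z in reports)
    mid = len(times) // 2
    if len(times) % 2:
        return times[mid]
    return times[mid - 1] + (times[mid] - times[mid - 1]) / 2

def classify(reports, tolerance=timedelta(minutes=5)):
    """Label each report relative to the consensus onset.
    A sighting more than `tolerance` before the consensus is treated as a
    probable clock-skew artifact, not as evidence of early detection."""
    onset = consensus_onset(reports)
    labelled = []
    for source, stamp, zone in reports:
        t = to_utc(stamp, zone)
        if t < onset - tolerance:
            label = "probable clock skew"
        elif t > onset + tolerance:
            label = "late report"
        else:
            label = "consistent with onset"
        labelled.append((source, t, label))
    return labelled

# Constructed sample reports (source, local time, zone); not real log data.
SAMPLE_REPORTS = [
    ("firewall-a", "2003-01-24 21:25", "PST"),  # 05:25 UTC
    ("firewall-b", "2003-01-25 00:30", "EST"),  # 05:30 UTC
    ("ids-c",      "2003-01-25 05:33", "UTC"),
    ("firewall-d", "2003-01-24 19:10", "PST"),  # 03:10 UTC, clock far off
    ("nanog-post", "2003-01-25 00:43", "EST"),  # 05:43 UTC
]

if __name__ == "__main__":
    for source, t, label in classify(SAMPLE_REPORTS):
        print(f"{source:<11} {t:%H:%M} UTC  {label}")
```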

Sean Donelan wrote:

> According to Wired, Symantec is now saying they sent out an alert to
> their paying customers about 30 minutes (9pm PST) before the SQL
> slammer worm was detected by anyone else around 9:30pm PST.
>
> I have not seen a copy of the Symantec message.

OK, if there really was a private alert... one would expect that after news hit NANOG, BUGTRAQ et al, a public advisory would have been released by Symantec as well.

There was no information about Slammer available on Symantec's public web site for more than four hours after it reached criticality (3AM MST). I kept a close eye on Symantec, McAfee, dshield.org, incidents.org and other usual suspects; none of them had information available until the next morning.

Mike

Give it time... I bet Symantec will get some serious egg on its face... either they are really stretching the truth or they are outright lying.

Sean Donelan wrote:

> Apologies if this is old news. It's from Thursday, but I didn't see it
> until today.
>
> Symantec comes clean.... Somewhat:
>
> http://www.theregister.co.uk/content/56/29406.html

Another anomaly detection product and its proactive/reactive response to the
Slammer Worm.

http://www.q1labs.com/qvision_slammer_white_paper.pdf

Glen

Symantec explains its ‘we spotted Slammer’ claim • The Register

Interesting.
So they meant they got IDS "hits" hours before anyone posted a full
description of the attacks to bugtraq when they said they had detected
the worm hours before it spread?
That's a novel use of English :)

[snip]

> So they meant they got IDS "hits" hours before anyone posted a full
> description of the attacks to bugtraq when they said they had detected
> the worm hours before it spread?
> That's a novel use of English :)

One typically finds little else in marketing. :)