Home page logo

nanog logo nanog mailing list archives

Re: [dmoore () caida org: Re: Symantec detected Slammer worm "hours" before]
From: "David Luyer" <david () luyer net>
Date: Fri, 14 Feb 2003 20:37:35 +1100

David Moore <dmoore () caida org> wrote:

  So actually thinking about this a bit more, our numbers count from
  when single well connected or a set of less well connected hosts
  are infected.  If a single (or small number) of infected machines
  were on slow links (dsl/cable modem/etc) it might take them up to
  about an hour to find the next vulnerable host (also depending on
  luck and which cycle of the RNG they are in).  So there might be
  a longer startup period than we suggested if the worm was launched
  in a poor environment.
  However, at those rates, the scanning by the worm (small number of
  hosts with tiny total bandwidth) would be well below the noise of
  even "normal" port scanning activity.  I find it difficult to
  believe that that _at the time_ it would have been flagged as
  suspicious.  Perhaps going back through their logs after the growth
  was over would have yielded something.

Signs of Slammer which could have been noticed early:

  * increased router load / NetFlow blow-out

    (if you monitor the rate of disk usage growth on your NetFlow
     server you will notice Slammer had a *massive* impact on the
     number of distinct flows -- even if you have half a dozen
     modem customers infected, the increase in NetFlow data volumes
     above normal is massive, while the network impact is not
     even a bump on a graph)

  * modem customers with congested links

    (although Slammer congested links for 100Mbps+ colo's, so
     all customers would have detected congested links equally)

  * colocation customers hitting service-policy "anti-DoS" limits

    (some colo SP's place limits on colo switches, and then monitor
     to see if these limits are hit, in which case the NOC can
     investigate and either increase the limit -- if traffic is
     legit -- or note an attack in progress and completely block
     the port[s] on which the attack is occurring)

That said, IMO it's rather unlikely Symantec noticed Slammer early.
If they did, of course, they should have posted to their mailing
lists such as INCIDENTS and BUGTRAQ when they detected it.  I don't
remember seeing an early posting.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]