[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Jay Sulzberger jays@panix.com
Fri Jan 31 20:24:39 PST 2003

On Sat, 1 Feb 2003, Karsten M. Self wrote:

> > The tiny worm was content free.  A proper watcher system would have stopped
> > the worm not because the watcher analyzed the content and deduced that it
> > was a bad worm, but because the behavior of the node on the Net changed,
> > specifically some Microsoft program began spewing near duplicate UDP
> > packets at a high rate.
>
> Jay:  you've referenced such watch programs now twice -- here and as a
> "changepoint analysis" tool earlier.
> I'm curious to know if you actually have such a tool in mind and/or use
> one, and what it might be.

I do not have such.  But I would be willing to actually copy the
statistical engine out of the textbook and lay out some of the design of a
watcher system, if a decent offer were made me.  I just looked briefly at
Robert Graham's analysis.  Here is half of what I am sure is a quite
effective discriminator:

  I ran the worm on a (slow) machine with a gigabit Interface. It produced
  over 100,000 packet/second and 300-mbps. It randomly chooses target IP

What is the other half of the discriminator?  Well, how many UDP packets
are sent to where when the node is operating normally?

This particular style of Net annoyance is an old, well-known and well-solved
problem.  What remains to be done is simply a small matter of programming.
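
Added example, not part of the original message or of Graham's analysis: a sketch of the behavioral watcher discussed above, comparing a host's outbound UDP packets per second against its own normal baseline. It uses a one-sided CUSUM test, one textbook changepoint method chosen here (the message does not name one); the function names, the k and h parameters and all sample counts are constructed assumptions, except the 100,000 packets/second rate, which is the figure quoted from Graham.

```python
"""One-sided CUSUM changepoint detector over per-second outbound UDP counts."""
from statistics import mean, stdev


def fit_baseline(counts):
    """Estimate mean and standard deviation from a window of normal traffic."""
    mu = mean(counts)
    sigma = max(stdev(counts), 1.0)  # floor avoids divide-by-zero on flat baselines
    return mu, sigma


def cusum_alarm(counts, mu, sigma, k=0.5, h=5.0):
    """Return the index of the first sample where the CUSUM statistic exceeds h.

    S_t = max(0, S_{t-1} + (x_t - mu) / sigma - k)
    k is the slack (in standard deviations) tolerated without accumulating;
    h is the decision threshold. Returns None if no upward change is detected.
    """
    s = 0.0
    for i, x in enumerate(counts):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            return i
    return None


# Constructed sample data (not measurements): outbound UDP packets per second.
# "How many UDP packets are sent when the node is operating normally?"
BASELINE = [18, 22, 20, 25, 17, 21, 19, 23, 20, 24, 18, 22]
# Normal traffic with one small harmless burst, then the rate quoted above.
OBSERVED = [21, 19, 28, 20, 22, 18, 100_000, 100_000, 100_000]
# Same normal traffic with no worm: the burst alone must not raise an alarm.
QUIET = [21, 19, 28, 20, 22, 18, 23, 20, 19]

if __name__ == "__main__":
    mu, sigma = fit_baseline(BASELINE)
    print("baseline mean=%.2f sd=%.2f" % (mu, sigma))
    print("alarm index (worm-like):", cusum_alarm(OBSERVED, mu, sigma))
    print("alarm index (quiet):", cusum_alarm(QUIET, mu, sigma))
```

The detector never inspects payloads; it fires on the first second of the rate change and stays silent on the small burst because the statistic decays back to zero under normal traffic.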


