[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)
Fri Jan 31 20:50:08 PST 2003
On Sat, 1 Feb 2003, Karsten M. Self wrote:
> on Fri, Jan 31, 2003 at 10:35:40PM -0500, Jay Sulzberger (email@example.com) wrote:
< ... />
> > The tiny worm was content free. A proper watcher system would have stopped
> > the worm not because the watcher analyzed the content and deduced that it
> > was a bad worm, but because the behavior of the node on the Net changed,
> > specifically some Microsoft program began spewing near duplicate UDP
> > packets at a high rate.
> Jay: you've referenced such watch programs now twice -- here and as a
> "changepoint analysis" tool earlier.
> I'm curious to know if you actually have such a tool in mind and/or use
> one, and what it might be.
> Karsten M. Self <firstname.lastname@example.org> http://kmself.home.netcom.com/
In the next couple of days, I shall try to write a hundred words on the
general design of such watcher systems.
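
An added example, not written by any participant in this thread: one way to flag the behaviour change described in the quoted text, using a one-sided CUSUM changepoint test on each host's outbound packets per second. The traffic records, host addresses, function names and the `warmup`, `k` and `h` values are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def per_host_counts(packets, n_intervals):
    """Bin (second, src_host) records into a packets-per-second series per host."""
    series = defaultdict(lambda: [0] * n_intervals)
    for second, src in packets:
        series[src][second] += 1
    return dict(series)

def cusum_changepoint(counts, warmup=10, k=0.5, h=5.0):
    """Return the first interval index where an upward rate shift is flagged, else None.

    warmup: intervals used to learn the host's own baseline (assumed clean).
    k: slack in standard deviations; smaller excursions are absorbed.
    h: decision threshold in standard deviations.
    """
    base = counts[:warmup]
    mu = mean(base)
    sigma = max(pstdev(base), 1.0)  # floor so a near-constant baseline is not over-sensitive
    s = 0.0
    for i in range(warmup, len(counts)):
        z = (counts[i] - mu) / sigma
        s = max(0.0, s + z - k)     # accumulate only evidence of an increase
        if s > h:
            return i
    return None

def flag_hosts(packets, n_intervals, **params):
    """Map each host whose send rate changed to the interval where it was flagged."""
    flagged = {}
    for host, counts in per_host_counts(packets, n_intervals).items():
        idx = cusum_changepoint(counts, **params)
        if idx is not None:
            flagged[host] = idx
    return flagged

# Constructed sample: two hosts with the same quiet baseline; one starts
# sending 900 packets per second at second 14. No packet content is inspected.
QUIET = [3, 5, 4, 6, 5, 4, 5, 3, 6, 4, 5, 4, 6, 5, 4, 5, 6, 3, 4, 5]
NOISY = QUIET[:14] + [900] * 6

def build_sample():
    packets = []
    for host, counts in (("10.0.0.5", QUIET), ("10.0.0.9", NOISY)):
        for sec, n in enumerate(counts):
            packets += [(sec, host)] * n
    return packets, len(QUIET)

if __name__ == "__main__":
    print(flag_hosts(*build_sample()))
```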