[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Jay Sulzberger jays@panix.com
Fri Jan 31 20:50:08 PST 2003


On Sat, 1 Feb 2003, Karsten M. Self wrote:


> on Fri, Jan 31, 2003 at 10:35:40PM -0500, Jay Sulzberger (jays@panix.com) wrote:

< ... />

> > The tiny worm was content free.  A proper watcher system would have stopped
> > the worm not because the watcher analyzed the content and deduced that it
> > was a bad worm, but because the behavior of the node on the Net changed,
> > specifically some Microsoft program began spewing near duplicate UDP
> > packets at a high rate.
>
> Jay:  you've referenced such watch programs now twice -- here and as a
> "changepoint analysis" tool earlier.
>
> I'm curious to know if you actually have such a tool in mind and/or use
> one, and what it might be.
>
> Peace.
>
> --
> Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/

In the next couple of days, I shall try to write a hundred words on the
general design of such watcher systems.

oo--JS.
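
A sketch of the behavior-based watcher idea quoted above, as an added example that is not from either poster and is not the tool asked about: a one-sided CUSUM changepoint test on one host's per-interval outbound UDP packet count, which alarms only when the packets in that interval are also near duplicates. The function names, thresholds, packet tuples and sample traffic are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

def duplicate_ratio(packets):
    """Share of one interval's packets that have the most common (dst_port, length)."""
    if not packets:
        return 0.0
    return Counter(packets).most_common(1)[0][1] / len(packets)

def watch(intervals, warmup=5, slack=0.5, threshold=5.0, dup_min=0.9):
    """Return the index of the first interval that looks like a flood, else None.

    intervals: one list per time interval of (dst_port, length) tuples for a
    single host's outbound UDP packets. The first `warmup` intervals define
    the baseline; slack and threshold are in baseline standard deviations.
    No payload inspection is done: only rate and sameness are considered.
    """
    counts = [len(iv) for iv in intervals]
    if len(counts) <= warmup:
        return None
    mu = mean(counts[:warmup])
    sigma = max(pstdev(counts[:warmup]), 1.0)  # floor avoids a zero divisor
    s = 0.0  # upper CUSUM statistic: accumulated excess over the baseline
    for i in range(warmup, len(counts)):
        s = max(0.0, s + (counts[i] - mu) / sigma - slack)
        if s > threshold and duplicate_ratio(intervals[i]) >= dup_min:
            return i
    return None

def background(n):
    """Constructed background traffic: n packets to ports 53/123, all lengths distinct."""
    return [((53, 123)[i % 2], 60 + 7 * i) for i in range(n)]

# Constructed sample: eight quiet intervals, then three intervals of 500
# identical packets to UDP port 1434 (the length 376 is a sample value).
SAMPLE = [background(n) for n in (4, 6, 5, 5, 4, 6, 5, 5)] + [[(1434, 376)] * 500] * 3

if __name__ == "__main__":
    print("first flood interval:", watch(SAMPLE))
```

A high-rate interval of varied packets raises the CUSUM statistic but does not alarm, because the duplicate gate is not met.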


