[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Steve Beattie steve@wirex.net
Fri Jan 31 21:51:03 PST 2003


On Sat, Feb 01, 2003 at 12:30:48AM -0500, Jay Sulzberger wrote:
> Oddly enough, if you put
> 
> changepoint
> 
> to Google, you mainly get back nonsense about a company named
> "Changepoint".  Of course, that it has this name is a sign that one of the
> founders knows something.
> 
> changepoint analysis
> 
> gets you better stuff, but still no decent introduction is pointed to in
> the first ten pages of Google results.
> 
> Here is a paradigm case of changepoint analysis:
> 
> Consider that every tenth of a second we produce a summary of all traffic
> to/from a node on the net, this summary being done in tenth second blocks.
> Let us form the time series of such summaries.  Now we want to know when
> something of interest to us changes by looking at the time series.  An
> analysis that gives us an answer is a changepoint analysis.

There is a somewhat vaguely related vein of research in the computer
security field, called anomaly detection. Mostly, it's been applied to
host based intrusion prevention and detection (in general, unsuccessfully,
IMHO), but there are people doing it at the network level, I'm sure.

I also seem to recall reading a paper in the last six months that did
pretty much what you're proposing, restricting the number of outgoing
connections of a client machine to a tunable limit (n/sec, n ~= 5--10),
so that even if the machine was 0wned, the amount of bandwidth it could
effectively use was throttled.  Unfortunately, I can't seem to track
down where I saw it...

-- 
Steve Beattie                               Don't trust programmers?
<steve@wirex.net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
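As an added illustration (not code from this thread), here is a small Python sketch of both ideas above: a CUSUM changepoint detector run over a constructed series of per-tenth-second connection counts, and a per-host limiter that holds back new outgoing connections above a tunable n per second. The sample series, the CUSUM parameters k and h, and the limit of 5/sec are assumptions chosen for the example.

```python
"""Changepoint detection on a traffic time series, plus outgoing-connection throttling."""
from collections import deque
from statistics import mean, pstdev

# Constructed series: one count of new outgoing connections per 0.1 s block.
# Thirty quiet blocks (about 2 per block), then a flood of 40 per block.
SERIES = [2, 1, 3, 2, 2, 1, 3, 2, 2, 2] * 3 + [40] * 10


def cusum_changepoint(series, baseline_len=20, k=0.5, h=5.0):
    """Return the index of the first detected upward shift, or None.

    The first `baseline_len` samples define "normal" (mean and std dev).
    k is the per-sample allowance and h the alarm threshold, both in
    units of the baseline standard deviation (assumed values here).
    """
    base = series[:baseline_len]
    mu = mean(base)
    sigma = pstdev(base) or 1.0          # avoid division by zero on a flat baseline
    s = 0.0                              # one-sided CUSUM statistic
    for i in range(baseline_len, len(series)):
        z = (series[i] - mu) / sigma
        s = max(0.0, s + z - k)          # accumulate only excess over the allowance
        if s > h:
            return i
    return None


def throttle_new_connections(attempt_times, limit=5, window=1.0):
    """Allow at most `limit` new outgoing connections per `window` seconds.

    attempt_times: sorted timestamps (seconds) of new-connection attempts.
    Returns (allowed, held): how many attempts passed and how many were held back.
    """
    recent = deque()                     # timestamps of attempts allowed in the window
    allowed = held = 0
    for t in attempt_times:
        while recent and t - recent[0] >= window:
            recent.popleft()             # drop attempts that aged out of the window
        if len(recent) < limit:
            recent.append(t)
            allowed += 1
        else:
            held += 1
    return allowed, held


if __name__ == "__main__":
    print("changepoint at block", cusum_changepoint(SERIES))        # 30
    flood = [i * 0.01 for i in range(100)]   # constructed: 100 attempts in one second
    print("flood allowed/held:", throttle_new_connections(flood))   # (5, 95)
```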

