[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Jay Sulzberger jays@panix.com
Fri Jan 31 22:03:37 PST 2003

On Fri, 31 Jan 2003, Steve Beattie wrote:

> On Sat, Feb 01, 2003 at 12:30:48AM -0500, Jay Sulzberger wrote:
> > Oddly enough, if you put
> >
> > changepoint
> >
> > to Google, you mainly get back nonsense about a company named
> > "Changepoint".  Of course, that it has this name is a sign that one of the
> > founders knows something.
> >
> > changepoint analysis
> >
> > gets you better stuff, but still no decent introduction is pointed to in
> > the first ten pages of Google results.
> >
> > Here is a paradigm case of changepoint analysis:
> >
> > Consider that every tenth of a second we produce a summary of all traffic
> > to/from a node on the net, this summary being done in tenth second blocks.
> > Let us form the time series of such summaries.  Now we want to know when
> > something of interest to us changes by looking at the time series.  An
> > analysis that gives us an answer is a changepoint analysis.
> There is a somewhat vaguely related vein of research in the computer
> security field, called anomaly detection. Mostly, it's been applied to
> host based intrusion prevention and detection (in general, unsuccessfully,
> IMHO), but there's people doing it at the network level, I'm sure.

Yes, "anomaly detection" is very close to "changepoint analysis", many
would say a part of changepoint analysis.  Both are much used today in the
analysis of genomic, seismographic, medical, and business data.

> I also seem to recall reading a paper in the last six months that did
> pretty much what you're proposing, restricting the number of outgoing
> connections of a client machine to a tunable limit (n/sec, n ~= 5--10),
> so that even if the machine was 0wned, the amount of bandwidth it could
> effectively use was throttled.  Unfortunately, I can't seem to track
> down where I saw it...
> --
> Steve Beattie                               Don't trust programmers?

Yes, throttling is an important part of a standard minimal system.  Indeed
there should be almost no nodes on the net without the throttle set very
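The two techniques discussed in this thread, a changepoint analysis over tenth-second traffic summaries and an n-per-second throttle on a host's outgoing connections, as an added example that is not part of either poster's message. It assumes constructed traffic (a quiet client that begins emitting Slammer-style UDP/1434 datagrams at bin 60, and a second run with a much slower scan), a one-sided CUSUM test as the changepoint method (the thread names no particular method), and a token bucket as the throttle; the function names, parameters and thresholds are this example's own choices.

```python
"""Added example, not from the thread: build tenth-second summaries from a
constructed outbound-event log, run a CUSUM changepoint test over the
resulting time series, and apply an n-per-second new-connection throttle
to the same series.  All traffic below is constructed for illustration."""

import math

BIN_MS = 100  # one summary per tenth of a second, as in the thread's example

# Constructed per-bin counts of outbound connection attempts (hypothetical).
NORMAL = [0, 0, 1, 0, 0, 0, 1, 0, 0, 0] * 6   # quiet client, ~2 attempts/sec
SLAMMER = NORMAL + [400] * 40                  # from bin 60: worm at line rate
SLOW_SCAN = NORMAL + [1] * 40                  # from bin 60: 10 attempts/sec


def make_events(bin_counts, proto="udp", dst_port=1434):
    """Constructed outbound log: (timestamp_ms, proto, dst_port) per attempt,
    with bin_counts[i] attempts spread evenly inside bin i."""
    events = []
    for i, n in enumerate(bin_counts):
        for j in range(n):
            ts = i * BIN_MS + (j * BIN_MS) // n
            events.append((ts, proto, dst_port))
    return events


def summarize(events, n_bins):
    """The time series: number of outbound attempts per tenth-second bin."""
    counts = [0] * n_bins
    for ts, _proto, _port in events:
        b = ts // BIN_MS
        if b < n_bins:
            counts[b] += 1
    return counts


def cusum_changepoint(series, baseline_len=20, k=0.5, h=5.0):
    """One-sided CUSUM: standardize against the first baseline_len bins,
    accumulate drift above k, alarm once the sum exceeds h.
    Returns the index of the first alarmed bin, or None."""
    base = series[:baseline_len]
    mu = sum(base) / len(base)
    sigma = math.sqrt(sum((x - mu) ** 2 for x in base) / len(base)) or 1.0
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            return i
    return None


def first_bin_over(series, limit):
    """Naive per-bin threshold detector, for contrast with CUSUM."""
    for i, x in enumerate(series):
        if x > limit:
            return i
    return None


def throttle(series, rate_per_sec):
    """Token bucket on new outbound connections: rate_per_sec per second on
    average, with a burst of rate_per_sec.  Returns attempts passed per bin;
    the rest are dropped (a real implementation might queue them instead)."""
    refill = rate_per_sec * BIN_MS / 1000.0
    capacity = float(rate_per_sec)
    tokens = capacity
    passed = []
    for attempts in series:
        tokens = min(capacity, tokens + refill)
        ok = min(attempts, int(tokens))
        tokens -= ok
        passed.append(ok)
    return passed


if __name__ == "__main__":
    for name, series in (("slammer", SLAMMER), ("slow scan", SLOW_SCAN)):
        series = summarize(make_events(series), len(series))
        print(name, "cusum alarm bin:", cusum_changepoint(series),
              "per-bin threshold(10) alarm bin:", first_bin_over(series, 10))
    passed = throttle(SLAMMER, 5)
    print("worm attempts from bin 60:", sum(SLAMMER[60:]),
          "let through by a 5/sec throttle:", sum(passed[60:]))
```

The per-bin threshold catches the Slammer burst as fast as CUSUM does, but never fires on the slower scan, which CUSUM flags four bins after it starts because the small positive drift accumulates; the throttle, applied on the host itself, lets 24 of the worm's 16,000 attempts out in those four seconds without touching the quiet client's own traffic.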


