
June 10, 2005

Slammer Retrospective and Worm Mitigation

This Spectrum article on the Slammer worm and its consequences is a pretty good read on the history and current state of intrusion detection as a discipline. The authors say, in reference to their own IDS:

We designed Billy Goat to take advantage of the way worms propagate. The project began in 2001 as a "follow your nose" exercise in intrusion detection. We noticed that computers connected to the network often received automated requests from other computers—such as the service requests that were at the heart of the Sapphire episode—that did not correspond to their normal function. Investigating these requests, we found that worms caused a large fraction of them.

In other words, if you can build a system that tells you what normal traffic looks like, abnormal traffic is a pretty good indication that your systems are no longer completely under your control. The simplest way to do this is to assign to a monitoring system all addresses that shouldn't actually receive traffic (similar to spamtrapping catchall aliases in the mail realm) and then consider suspicious any system that tries to send to them.
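One way to implement that catchall idea, as an added example (not the blog's or the Billy Goat project's code): addresses in the monitored subnet that have no host assigned are treated as dark, and any source that sends to them gets flagged, with the count of distinct dark addresses touched as a rough scanning indicator. The subnet, the assigned-host list and the flow records below are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed example: the monitored subnet and the hosts that legitimately live in it.
# Every other address in the subnet is "dark": nothing should ever send to it.
SUBNET = ipaddress.ip_network("10.1.2.0/28")
ASSIGNED = {ipaddress.ip_address(a) for a in ("10.1.2.1", "10.1.2.5", "10.1.2.9")}

# Constructed sample flow records, one per line: "src dst dport proto".
FLOW_LOG = """\
10.1.2.5 10.1.2.1 80 tcp
10.1.2.5 10.1.2.9 22 tcp
10.1.2.9 10.1.2.3 1434 udp
10.1.2.9 10.1.2.4 1434 udp
10.1.2.9 10.1.2.6 1434 udp
10.1.2.9 10.1.2.7 1434 udp
10.1.2.1 10.1.2.5 443 tcp
192.0.2.7 10.1.2.11 445 tcp
"""


def is_dark(addr):
    """True if addr lies in the monitored subnet but has no host assigned to it."""
    return addr in SUBNET and addr not in ASSIGNED


def flag_senders(log_text, min_dark_targets=1):
    """Map each source that contacted at least min_dark_targets distinct dark
    addresses to the sorted list of dark addresses it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _dport, _proto = line.split()
        dst_ip = ipaddress.ip_address(dst)
        if is_dark(dst_ip):
            hits[src].add(str(dst_ip))
    return {src: sorted(t) for src, t in hits.items() if len(t) >= min_dark_targets}


if __name__ == "__main__":
    # Raising the threshold separates a single stray packet from a host sweeping the subnet.
    for src, targets in flag_senders(FLOW_LOG, min_dark_targets=2).items():
        print(f"{src} contacted {len(targets)} dark addresses: {', '.join(targets)}")
```

Traffic between assigned hosts never appears in the result, so the output is only the "abnormal" set the post describes, and the threshold lets you tune how many dark targets a source must touch before it is reported.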

Posted by schampeo at June 10, 2005 10:06 AM