[logs] SQL Slammer Learnings

From: Rainer Gerhards (rgerhardsat_private)
Date: Mon Jan 27 2003 - 09:36:18 PST


    Hi all,
    I have written a short analysis of why we think the SQL Slammer
    worm was that successful and what to learn from it. I am not looking at
    the actual worm code or explaining how it worked - enough of that
    material has already been published, and it is excellent. My paper focuses
    on the "breeding bed" of the worm. I do so in the hope that we can learn
    enough to prevent further attacks of this kind. In fact, I fear the next
    ones are just around the corner - and SQL Slammer has raised some
    questions that I find are tough to answer with the current state of
    technology AND user education.
    In posting this paper, I hope to gather more feedback and insight from
    the community. I also hope that others point out more learnings we can
    take from it. As such, please deem the paper incomplete and me eager
    to complete it with all the feedback I can receive...
    I would also like to add a section on forensics in this situation, but I
    do not have any useful samples as of now. I am looking for responses to
    tbird's and my questions in this regard ;-)
    The paper can be found at:
    With the hopes that traffic has come back to normal volume,
    Rainer Gerhards
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 10:10:53 PST