[Full-Disclosure] AT&T early warning system

Steve Wray steve.wray at paradise.net.nz
Mon Oct 20 05:32:41 BST 2003


And, contrary to one other post on the topic,
it shouldn't be too hard to perform a trial run;

If one made the worm's code modular enough
that one could plug in a variety of "victim finding" code 
stubs.

This way, one could plug in a fixed list of targets,
(which one owned oneself so that one could watch how
they responded). 

Once one had the field test working one would then replace 
the stub with real "victim finder" code and away it goes...

Advantage; better testing.
Disadvantage; what if people detect the trial runs?

Ummmm actually, as a sysadmin I think I might swap the
Advantage/Disadvantage there!
:)

> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com 
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of jkm
> Sent: Monday, 20 October 2003 2:02 p.m.
> To: full-disclosure at lists.netsys.com
> Subject: Re: [Full-Disclosure] AT&T early warning system
> 
> 
> 
> On 18 Oct 2003 12:27:23 -0400, "Hoho" <hoho at tacomeat.net> said:
> > On Fri, 2003-10-17 at 22:44, jkm wrote:
> > > Quote 2:
> > > "AT&T saw anomalies in its network three to four weeks 
> before that worm
> > > hit and was able to take certain precautions. "When the 
> worm actually
> > > happened, AT&T's network did not take a hit,'' Eslambolchi said."
> > 
> > 
> > Doesn't it seem like they're trying to violate causality? 
> If the worm
> > doesn't exist yet, then its associated traffic doesn't 
> exist yet, hence
> > there's nothing to detect. Wonder what those 'anomalies' 
> were. Seems no
> > more effective than just watching MS security patches and 
> reading FD.
> > -- 
> 
> Yeah, I agree unless as other threads are saying, the worm author
> releases a test worm. I wonder if it would in fact catch 
> script kiddies
> and other criminal traffic, thus actually acting as an intrusion
> detection system?
Full-Disclosure is hosted and sponsored by Secunia.