Q&A
Johannes Ullrich, SANS ISC: Taking the Internet by Storm
The sudden emergence in January of the Slammer worm called attention to the vital role played by Internet monitoring services such as the Internet Storm Center (ISC) at The SANS Institute.
April 01, 2003
CSO
As the worm spread across the Internet on Jan. 25, the ISC's website tracked the developing attack
The ISC's intrusion detection system is the brainchild of Johannes Ullrich, who, as the CTO for the Internet Storm Center, manages the system from his home in Quincy, Mass.
He recently spoke with CSO about the Slammer outbreak and the role of monitoring organizations in preventing or mitigating future outbreaks.
CSO: How do you operate the Internet Storm Center?
Johannes Ullrich: We collect firewall and intrusion detection system logs from everyone
Then, we gather reports from our members, which have been batched and sent to us via e-mail, typically once an hour. We dump all the data we receive into a database and run queries to spot new trends.
Why is the Internet Storm Center valuable to CSOs?
CSOs can get the global background [on Internet threats] and identify those particular threats that specifically target their networks.
But not all the information we provide is on attacks. The ISC gives CSOs a glimpse of how the world sees their networks. For example, it would be good to know if you had any rogue clients on your system. If you happen to have a large, diverse network, those are things you can't control that well. The Internet Storm Center is one way to keep track of what's going on. Our submitters get a daily summary of their reports that tell them what ports were attacked and what hosts were hit.
For each source of attack, we list how many other companies are targeted from the same source. That helps you determine whether your business is getting targeted.
How many organizations report to the ISC?
We have about 41,000 participants registered. About 2,000 of those submit regularly.
Sixty percent of our participants are outside the United States
The recent outbreak of Slammer was one of the fastest worms in the history of the Internet. What did it look like from where you were sitting?
Slammer hit instantly. Initially there wasn't too much we could do about it.
On the backbone level, ISPs were just filtering [Slammer] out. Our service was somewhat affected by other outages, so our alerts didn't go out until Saturday morning at 10.



