Johannes Ullrich, SANS ISC: Taking the Internet by Storm

The ISC’s intrusion detection system is the brainchild of Johannes Ullrich, who, as the CTO for the Internet Storm Center, manages the system from his home in Quincy, Mass.

He recently spoke with CSO about the Slammer outbreak and the role of monitoring organizations to prevent or mitigate future outbreaks.

CSO: How do you operate the Internet Storm Center?

Johannes Ullrich: We collect firewall and intrusion detection system logs from everyonefrom home users to universities and enterprises with midsize networks.

Then, we gather reports from our members, which have been batched and sent to us via e-mail, typically once an hour. We dump all the data we receive into a database and run queries to spot new trends.

Why is the Internet Storm Center valuable to CSOs?

CSOs can get the global background [on Internet threats] and identify those particular threats that specifically target their networks.

But not all the information we provide is on attacks. The ISC gives CSOs a glimpse of how the world sees their networks. For example, it would be good to know if you had any rogue clients on your system. If you happen to have a large, diverse network, those are things you can’t control that well. The Internet Storm Center is one way to keep track of what’s going on. Our submitters get a daily summary of their reports that tell them what ports were attacked and what hosts were hit.

For each source of attack, we list how many other companies are targeted from the same source. That helps you determine whether your business is getting targeted.

How many organizations report to the ISC?We have about 41,000 participants registered. About 2,000 of those submit regularly.

Sixty percent of our participants are outside the United Stateslocated mostly in Europe. We receive between 5 million to 10 million submissions every day.

The recent outbreak of Slammer was one of the fastest worms in the history of the Internet. What did it look like from where you were sitting?

Slammer hit instantly. Initially there wasn’t too much we could do about it.

On the backbone level, ISPs were just filtering [Slammer] out. Our service was somewhat affected by other outages, so our alerts didn’t go out until Saturday morning at 10.

In the meantime, I discussed with my colleagues what we should tell users. We sent out an e-mail that reiterated the need to block that port. Then we also did some research to pinpoint all the infected hosts on the network.

What was interesting or unusual about Slammer from your perspective?

That the bandwidth went up within the first 30 seconds, but that ultimately Slammer choked itself.

What is your nightmare outbreak?

It’s definitely a worm attacking a commonly used service [for example, a domain name system or Web HTTP]. In general, I’m not afraid of a flash worm. I’m more afraid of slowly spreading worms with more destructive payloads. These payloads are lines of malicious code that can erase hard drives, steal credit card programs and so on. They can live under the radar for a long time, and it can be hard to raise people’s awareness levels.