hjs@LINDY.STANFORD.EDU (Harry Saal) (11/09/88)
I would be very interested in receiving any network packet traces taken while the recent worm hopped about and (re)infected multiple machines connected by LAN connections/routers. We would like to see to what degree the externally visible network traffic stood out from the "normal" traffic. The goal would be to be able to provide earlier warnings of anomalous behaviour than having a system choke itself to death, and then try to take action. For example, I am interested in any observations as to whether average activity took a nose dive (as other processes clogged up) or increased (due to the aggressive attempts to spread itself). Any formats of actual traces are of interest (assuming they are described in some .h file - like fashion somewhere).
jon@ATHENA.MIT.EDU (Jon Rochlis) (11/15/88)
> I would be very interested in receiving any network packet traces taken while the recent worm hopped about and (re)infected multiple machines connected by LAN connections/routers.

The folks at the MIT Lab for Computer Science had at least an RA81 of packet headers from one subnet at MIT for Wednesday morning. We looked at one point on Friday morning (before we realized the ernie code wouldn't work) for packets to/from ernie, but found nothing (which is no longer surprising).

> We would like to see to what degree the externally visible network traffic stood out from the "normal" traffic. The goal would be to be able to provide earlier warnings of anomalous behaviour than having a system choke itself to death, and then try to take action. For example, I am interested in any observations as to whether average activity took a nose dive (as other processes clogged up) or increased (due to the aggressive attempts to spread itself).

I have to agree with Mike Muuss (among others) who noted at the NCSC meeting that you're not going to find anything. The network traffic generated by this virus was so small as to not be noticeable. Perhaps you'll find that infected machines were slow in responding to normal queries and that might have an effect on traffic levels, but so many machines were not touched that I doubt it. And then again, many of the numbers would be skewed by the numerous shutdowns that occurred.

-- Jon
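As an added illustration of the kind of trace analysis Harry asks for (this is not code from either poster; the packet-header records, addresses and ports are constructed), the script below learns each host's usual destination fan-out per minute from a packet-header trace and flags a later window where a host suddenly talks to many new peers, while also reporting how its byte volume changed. It shows the distinction Jon raises: the spreading host's raw volume may not stand out at all (here it actually drops), whereas the number of distinct destinations does.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per analysis window

# Constructed packet-header records: (timestamp_sec, src, dst, dst_port, length).
# Addresses and ports are hypothetical. The first 600 s are steady traffic between a
# few peers; in the last 60 s host 10.0.0.2 starts sending small packets to many new hosts.
def build_trace():
    trace = []
    for t in range(0, 600, 2):
        trace.append((t, "10.0.0.1", "10.0.0.9", 25, 1200))
        trace.append((t, "10.0.0.2", "10.0.0.9", 513, 800))
    for i in range(60):
        trace.append((600 + i, "10.0.0.2", "10.0.0.%d" % (20 + i % 30), 25, 80))
    return trace

def window_stats(trace, window=WINDOW):
    """Per (window index, src): total bytes sent and number of distinct destinations."""
    total = defaultdict(int)
    dsts = defaultdict(set)
    for t, src, dst, _port, length in trace:
        key = (t // window, src)
        total[key] += length
        dsts[key].add(dst)
    return total, {k: len(v) for k, v in dsts.items()}

def flag_anomalies(trace, baseline_windows=10, k=3.0):
    """Learn each host's usual destination fan-out from its first baseline_windows
    windows, then flag later windows whose fan-out exceeds mean + k*stddev (stddev
    floored at 1 so a perfectly steady baseline still needs a real jump). The byte
    ratio is reported alongside: volume alone may fall while the host is spreading."""
    total, fanout = window_stats(trace)
    by_src = defaultdict(list)
    for (w, src), n in fanout.items():
        by_src[src].append((w, n, total[(w, src)]))
    flags = []
    for src, rows in by_src.items():
        rows.sort()
        base = rows[:baseline_windows]
        base_fan = [n for _, n, _ in base]
        base_bytes = mean(b for _, _, b in base)
        limit = mean(base_fan) + k * max(pstdev(base_fan), 1.0)
        for w, n, b in rows[baseline_windows:]:
            if n > limit:
                flags.append({"window": w, "src": src, "fanout": n,
                              "fanout_limit": limit, "bytes_ratio": round(b / base_bytes, 2)})
    return flags

if __name__ == "__main__":
    for f in flag_anomalies(build_trace()):
        print(f)
```

On the constructed trace the only flagged window is minute 10 for 10.0.0.2, with fan-out 30 against a limit of 4 and a byte ratio of 0.2 relative to its baseline.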