Hi folks, Ed Amoroso. I want to tell you a little bit about some issues that came up on the public internet in 2003. Let me start with a story. In January 2003, a lot of us were woken up on a Saturday morning by a bunch of texts and calls and notices that the internet was going nuts, and in particular it was the packets on a UDP port that were building up like crazy. Just completely exploding, hitting gateways, taking out networks, taking out systems.

Now you recall in an earlier lesson, we talked about the way a worm program works. And this issue in 2003, which was called the Slammer Worm, was really one of the first instantiations of a worm that would affect the whole internet. And you remember there were three ways that a worm works: we find a system, copy the worm program to the system, then remotely execute, and it cascades. So what was happening in January 2003 is we were seeing the effects of this cascade across the internet on UDP.

So, a lot of questions emerge. Number one, what do you do about it? I mean, when there are UDP packets hitting a gateway, the first question that any security administrator would have is, what's attracting this in? Why are these UDP packets coming in? Are they good, are they errant, is this denial of service? It's that kind of chaos that typically characterizes what happens during defensive work when a worm is ongoing.

Second thing that people noticed is that a lot of the intrusion detection systems and defenses that you have for small scale problems don't work for a worm. I mean, think about it: on a small system, when you have intrusion detection, firewalls, the kinds of things that are probably very familiar to you, particularly if you have them on your PC, they just don't work when there's a barrage of UDP packets coming at you. So, it's one of the first times we all noticed, back in 2003, that we had to come up with ways of doing intrusion detection and intrusion mitigation on a larger scale, meaning across the entire internet.
And this worm of 2003, this Slammer Worm, really woke a lot of us up. I mean, it just went nuts. Now, a couple of interesting things about this worm. One is that when we went back and looked at the metadata associated with this worm, with UDP traffic on the internet, what we noticed is that the worm actually launched, you can see on the chart, at the end of January. The worm kind of spikes, this gigantic increase in UDP traffic. But there had been attempts earlier through the month of January, presumably on the part of whoever was writing this worm, to try to launch it sooner.

It was a very interesting observation because it gave us quite a bit of hope that perhaps by observing metadata in large scale on the internet, that might be the secret to intrusion detection, intrusion prevention in large scale. So, think about that. Instead of indicators on a system or an audit log on a PC or on a server, the question emerges: can you collect that kind of data on the internet? Can you collect metadata at internet gateways, peering points or places where service providers potentially are looking at public traffic, and use that as an indicator that maybe something is brewing?

It was way back in 2003. And I'm laughing because I'm guessing there may be some of you watching this who weren't even born then. But that was 14 years ago, when we had that issue with this thing just exploding. We learned a lot of lessons. And just to sort of summarize here: first, the Slammer Worm was one of the first times we saw a broad cascade of a worm affecting internet infrastructure. Second, it demonstrated that a lot of the techniques that we use in the small don't work in the large. It's just not going to be the same kind of effect. And third, that maybe there are some hints in early metadata collected across networks that something might be brewing.
So, this gave us a lot of hope in 2003 and led to a lot of companies and organizations and universities and researchers investing more time, effort and money into something that we would now call large scale intrusion detection and intrusion prevention. It's one of the ways that we stop other kinds of attacks to servers and so on. And we'll get to that in some later discussions.

But for now, I want you to understand that this SQL Slammer worm was kind of the beginning of the modern era in large scale internet service and internet infrastructure attacks. So, we'll get more into this in some additional videos. But for now, I think that's a key lesson that we take back from the SQL Slammer worm of 2003. We'll see you in the next video.