It's been 10 years
Last Updated: 2009-12-28 20:51:44 UTC
by Joel Esler (Version: 2)
The Internet Storm Center directly traces it's roots back to the year 1999. A SANS Project called the Consensus Internet Database was created as part of the infamous Y2K effort. On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53, the port that supports the Domain Name Service. Over a period of a few hours, more and more probes to port 53 were arriving - first from dozens and then from hundreds of attacking machines.
Within an hour of the first report, several analysts, all of whom were fully qualified as SANS GIAC certified intrusion detection experts back then called "Track 3", now named "503", agreed that a global security incident was underway. They immediately sent a notice to a global community of technically savvy security practitioners asking them to check their systems to see whether they had experienced an attack. Within three hours a system administrator in the Netherlands responded that some of his machines had been infected, and he sent the first copy of the worm code to the analysts.
The analysts determined what damage the worm did and how it did it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just fourteen hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack in progress, telling them where to get the program to check their machines, and advising what to do to avoid the worm.
The Li0n worm event demonstrated what the community acting together can do to respond to broad-based malicious attacks. Most importantly, it demonstrated the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious. The technology, people, and networks that found the Li0n worm were all part of the SANS Institute's Consensus Incident Database (CID) project that had been monitoring global Internet traffic. CID's contribution the night of March 22 was sufficient to earn it a new title: the SANS Internet Storm Center. Today the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. The Internet Storm Center is a free service to the Internet community.
The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. Volunteer incident handlers donate their valuable time to analyze detects and anomalies, and post a daily diary of their analysis and thoughts on the Storm Center web site.
What we would like to hear from you, the readers is, in the past 10 years. What are the memorable moments? What are the highs and lows of the past ten years (information security/ISC wise)? Rather a 'decade in review'. What we are going to is put these all together and on January 1st of 2010, we'll post a diary showing these. The past 10 years in review, submitted by you, the readers, whom without -- The Internet Storm Center, would not function.
Please give us feedback via the Contact link at the top of the page on http://isc.sans.org.
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Dec 28th 2009
1 decade ago
Dec 29th 2009
1 decade ago