aiSee: the Effect of Worms on the Internet

Visualization of 15 minutes of log data for a class B firewall, with and without background worm traffic. Courtesy of Ed Blanchfield.

“I’d like to nominate my brother Ed Blanchfield for Graph of the Month. You’re going to love what he did with some Firewall/Intrusion Detection System (IDS) log data using aiSee, to get “before” and “after” graphs showing the impact of an MS-SQL worm which hit the Internet around January 25th 2003.

When this particular worm hit a a large class B sized network, an IDS system Ed designed and implemented from scratch while working under contract to a large managed services provider, was one of the first sites in the world to detect and report the incident.

Ed posted his original findings and info to various security lists.

He then used aiSee to demonstrate the impact of the worm to his management and their client.

(I had previously recommended aiSee to Ed, as at the time I’d been using it to map the .AU name space and IP address space crawled by a search engine project of mine.)

Anyway, Ed, being the data junkie and Perl guru that he is, quickly wrote up a parser to create GDL files from Firewall and IDS logs, fed them into aiSee and visually mapped this worm’s effect on their customer’s network.

The graphs show just 15 minutes worth of traffic at midnight, but the impact of the worm is already clearly visible. You can imagine what 24 hours must have been like.

I love to see Ed’s work recognised, and this is just one example of what he does both for a living and for fun, on a day-to-day basis. He is indeed a great guy, a very bright, humble, quietly spoke fellow. And singularly the best and brightest security guru I know.

I ”am very grateful to AbsInt for the opportunity to have Ed’s work displayed as the aiSee Graph(s) of the Month. This will be a most unexpected early Christmas gift for him.

Dez Blanchfield, Cradle Technologies, Sydney, Australia.