The SANS Internet Storm Center

Maarten Van Horenbeeck
SANS Internet Storm Center
E-mail: handlers@sans.org

Abstract

This paper serves to introduce the SANS Internet Storm Center, and more specifically, its data collection and analysis processes pertaining to information security incidents. It reviews both the technical means of collection and those that rely on human input, and describes the various analysis and output processes. In addition, it provides some case studies on how incidents are handled using the tools available.

Keywords: SANS; Internet Storm Center; information security; incident data collection

The case for an Internet Storm Center

Information security inherently has an issue with predicting and forecasting the future. Especially during the turbulent 80's and 90's, when attacks on information systems were mainly aimed at enhancing someone's reputation in a community, predicting an attacker's next steps was quite a challenge. Recent attacks have been linked more to direct financial repercussions, which are in some ways easier to forecast because they are better understood; even so, protecting end users has always involved a large degree of studying ongoing events and identifying a response strategy.

On March 22, 2001, a major increase in port 53 (DNS) traffic could be observed across the internet. Scans were reported by various end users. Through the assistance of various contributors, this data was collected and assessed, at the time, by the SANS Institute's Consensus Incident Database (CID). This program had been collecting firewall data dating back to November 2000. Based on this increase, a call was opened to the global information security community to see whether anyone could provide further data. Merely a few hours later, an administrator in the Netherlands successfully identified his machine as one of the compromised hosts, extracted the malicious code, and submitted it to the CID analysts, a group of volunteers.
The code submitted later became known as the Li0n worm, which scanned the internet for Linux machines running a vulnerable version of the BIND DNS server. The CID analysts sent out a warning to over 200,000 people to alert them to the ongoing attack, ensuring everyone was aware of the vulnerability being exploited and how to prevent themselves from being affected (SANS ISC, 2001b). This specific incident clearly demonstrated the value of gathering security event logs on a wider scale, and how user contribution can help make "quantities" of information