Security Pro File: Spam-Inspired Journey From Physics To Security

SANS Internet Storm Center director Johannes Ullrich talks threat tracking, spam, physics -- and his pick for the World Cup.

Johannes Ullrich, director, SANS Internet Storm Center

Johannes Ullrich was a physicist in the late 1990s when he set up a new cable modem connection for his home Linux machine. Like most Linux servers back then, the machine could be used as an open email relay, forwarding mail for everyone, so it didn't take long before spammers started abusing Ullrich's machine and slowing his connection to a crawl.

"My super-fast -- at the time -- cable modem all of a sudden was pretty much as slow as my old dialup modem, which caused me to look at the network traffic in more detail… ultimately discovering the spam," says Ullrich, who is the director of the SANS Internet Storm Center (ISC) and a senior instructor for SANS.

It was Ullrich's first real brush with cybersecurity, after a career specializing in x-ray optics and doing application development. "It led me to getting interested in how to secure stuff," he says. "I got into security the way most people typically get in: You get breached at some point, and then you get interested in what happened" to you.

Ullrich, 45, built an experimental firewall configuration for his home network. "I realized with my experiment at home with firewalls... that everyone is sort of after you. If you look at firewall logs, you see China, Russia, [and others] scanning you. I was wondering, is it just me, or is everyone seeing this?"

That led him to build the first iteration of what is now the widely used open-source DShield tool, which collects firewall logs from contributors to correlate and get a handle on threats and trends in attacks. Ullrich, who studied physics at university in his native Germany and then earned his PhD in physics at the University of Albany in New York, made the switch to security.

DShield now runs the backend of the operation at SANS ISC, which is Ullrich's day job. "DShield was a hobby of mine. This is what got SANS interested in me. Today, a lot of firewall vendors have systems that collect logs from users. DShield was the first one."

SANS ISC serves as a sort of pulse of the security of the Internet, tracking new threats, attacks, and events. Ullrich heads a virtual team of 30 volunteer "handlers" who take turns manning the operation around the clock. "The fun part is there's no real location" for ISC, he says. "There are no big rooms with big screens or anything like that. I manage DShield from my home office in Jacksonville, Florida."

That's where a couple of servers, five database servers, and two application servers running the DShield system reside. "It's a fairly slim infrastructure." He spends about 60% of his time working and researching for the ISC and the rest of his time as a SANS instructor.

"What sets us [the ISC] apart is the community aspect. Our goal is to listen to people, observing and realizing and quickly turning around" threat and other information about Internet security, he says.

Ullrich says the Linksys home router worm infection this year was a big one for the ISC. Word got to ISC that some small ISPs were seeing strange behavior with certain models of Linksys routers. From there, the ISC coordinated a community response to the attack.

It's not always so simple getting the Internet community to share firewall logs via the ISC's DShield, Ullrich admits, even in times of potentially major events like the Linksys worm. "People tend to trust people, not organizations," so it often takes a personal connection to gather logs. "One problem we had was getting people's trust to send us these logs and how to deal with the privacy aspect of it all. That's one of the big lessons of information sharing."

Then came the Heartbleed flaw in April, and the timing was just lousy for the ISC. "Heartbleed... happened right during one of our largest SANS conferences. This gave me little time, other than during breaks, to work on Heartbleed. One of the great things is that there are always members of the larger community willing to work on issues like this, which makes it a lot easier, and in many cases even possible, to obtain and convey an accurate picture of a threat like Heartbleed."

Of course, Ullrich and his ISC team are targets, as well. One time a few years ago, one bot had Ullrich's phone number embedded in the malware. Attempted hacks go with the territory. "I call it a daily vulnerability scan running on us."


World Cup pick: Germany. I am hoping for a Germany-Brazil final repeat with the unlikely upset of Germany winning. US may have a chance to make it to the top eight this time.

Worst day ever at work: In the early days of the DShield database, I had it co-located with a small neighborhood ISP using a little server I built myself for a couple hundred dollars. The machine worked OK, and the site had just been discovered by others, so I saw real submissions, and the data came in at a brisk pace. That is when I got the call from the ISP that smoke came out of the server. No backups, no failover. Luckily, it was just smoke, and the server kept running despite some burned off insulation for a couple more weeks, giving me time to replace it.

Security must-haves: A good dose of "That's probably nothing to worry about." I tend to be very non-paranoid, which is a bit unusual in the industry. But it makes life and work more fun.

Pets: One "forever" dog and one foster dog, as well as a couple of cats (not sure how many of them consider themselves part of the family). The forever dog started out as a foster but turned into a foster failure. Even though she is the best dog -- with over 4,000 Facebook friends -- people who adopted her kept returning her.

Favorite team: Bavaria Munich soccer team. I'm sort of a fair-weather fan, but since they keep winning…

Business hours: There are non-business hours?

For fun: Walking the dogs and historic preservation. I am lucky to live in a very walkable neighborhood [with] plenty of awesome houses where there is always something new to discover.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights