Slashdot Mirror


Anti-DDOS Alliance In The Works?

Rackemup writes: "This article on ZDNET says McAfee and some anti-DDOS vendors are finally teaming up to address DDOS attacks and Code-Red-like network scanning. Seems like they're finally catching on that a purely reactive approach to Internet and virus attacks isn't going to cut it anymore, even after all the media coverage of these latest virus attacks there are still loads of zombie machines out there merrily scanning away, looking for others to infect."

145 comments

  1. Anti-DOS Alliance? by SpanishInquisition · · Score: 4, Funny

    It was called a Mac User group in the 80's, but now, I don't see how it could be relevant.

    --
    I love you, Stéphanie
    1. Re:Anti-DOS Alliance? by cirix · · Score: 1

      And so, for the 90s and the new millennium we have Linux as the Anti-DDoS People.

      Wow, we're getting modern!

      --
      oh look, it's a multiphasic chronoton particle generator, with optional dual airbags and a Heisenberg buffer modulator!
    2. Re:Anti-DOS Alliance? by unitron · · Score: 2
      That's what I thought I saw out of the corner of my eye as well.

      Anybody else notice that the word *Microsoft* was conspicuous by its absence from the entire article?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  2. fp? by imadoofus · · Score: 0, Offtopic

    fp!

    --
    "pr0n": An anagram of "porn," possibly indicating the use of pornography. - www.microsoft.com
  3. Hmm.. by PopeAlien · · Score: 3, Funny

    For the anti-DDoS vendors, the partnership with McAfee is a golden opportunity to show that their nascent solutions can detect and shut down these attacks before they cripple corporate networks.

    We did it.. Yep, we saved you from a huge attack that would have crippled your network.. No, honestly, we did.. Please see attached invoice.
    1. Re: Hmm.. by hodeleri · · Score: 2

      I can see the ads now:

      McAfee - THE MSTD Solution

      But can anyone plug up all the flaws in Holier than the Pope software (MS et al.)?

    2. Re: Hmm.. by Anonymous Coward · · Score: 0

      SIR,

      I regret to inform you that you have used the words 'But' and 'Plug' in the same sentence. Please report to a San Francisco Bath House at once.

      THANK YOU

    3. Re: Hmm.. by Zalgon+26+McGee · · Score: 2
      MSTD?

      Is that a Microsoft STD?

      --

      ---

      Book(n): Utensil used to pass time while waiting for the TV repairman

    4. Re: Hmm.. by jhantin · · Score: 1

      That usually seems to be expanded simply as "Microsoft-transmitted disease" [1] [2], though the derivation of the term is indeed as you suggest.

      --
      ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
  4. Question... by LinuxGeek · · Score: 1
    "...and also to discover and eliminate the "zombies" that attackers use to launch their assaults."

    How will they identify the zombies that happen to be WinXP boxes and have their IP addresses spoofed?

    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
  5. McAfee Presents... by smack_attack · · Score: 1

    The latest in protecting your networks: our skilled team of ninjas will stealthily infiltrate data centers where infected machines are running and slice off their network connection.

    McAfee: We have lots of ninjas(TM).

  6. Zombies? by Tregod · · Score: 3, Funny

    We all know that the only way to kill a zombie machine is to accidentally lose one's hand, therefore giving one the opportunity to replace it with a chainsaw and hack away (physically) at the undead machines.

    1. Re:Zombies? by Self+Bias+Resistor · · Score: 2

      Yes, I can certainly see it now:

      "Every dead machine that is not exterminated gets up and kills! The machines it kills get up and kill!"

      Or maybe it's just way too early in the morning...

      --

      ----------
      When the pin is pulled, Mr. Grenade is no longer our friend.

    2. Re:Zombies? by Pinchy · · Score: 1

      we all know that the only way to kill a zombie machine is to accidentally lose one's hand, therefore, giving one the opportunity to
      replace it with a chainsaw


      workshed

      and hack-away (physically) at the undead machines.

      groovy

    3. Re:Zombies? by Nanookanano · · Score: 1

      "More brains!"
      The Return of the Living Dead (1985)

      --
      "..don't you eat that yellow snow."
  7. warning: may require ISPs doing work by jeffy124 · · Score: 2

    Something like this may be dependent on the ISPs to fully implement. McAfee may release a tool that can sit on a Cisco router or a firewall or something that will watch for possible DDoS data, such as a flood of UDP packets to a port that's rarely accessed, in an effort to protect one of their customers from being DDoS'd. Given the number of ISPs out there that pay attention to security issues (see Steve Gibson's DDoS Post-Mortem), will ISPs actually expend the effort to help the situation with DDoS?

    I suspect not, given how quickly some email viruses spread despite both McAfee and Symantec providing virus scanning products for use on SMTP relay servers.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:warning: may require ISPs doing work by zyklone · · Score: 2, Insightful

      So the next time you begin playing q3 multiplayer your ISP cuts your connection.

      As for the grc.com stuff: he got countless offers of help; he just decided that it would be a better article if he ignored them.

      You really don't want the ISP monitoring everything going to/from your computer. Do you really trust them enough for that? A sudden increase of traffic can't be marked as a DDoS attack. It might just be that your site was linked from slashdot.

      If everyone would just patch their systems we would not have these problems. There are too many incompetent system administrators out there.

    2. Re:warning: may require ISPs doing work by jeffy124 · · Score: 2

      Most of the DDoS troubles could not be prevented by patching correctly, as some have exploited holes for which there is no patch, hence the ISPs can help by intelligently disallowing useless incoming traffic. Being the company grc is, I'm 100% sure they had all their patches up to date, yet what could they have done ahead of time to prevent being hit with a DDoS?

      I trust my ISP with my data. I pay them to transport it from my machine to another. Who knows what they can already do with it? Many blocked TCP port 80 because of Code Red. I'm on a cable modem; anyone on my cable segment with the right equipment can pick up on my traffic, hence I'm not concerned if someone sees my data; I encrypt the stuff I don't want others to see. Besides, the ISP would be watching the entire network, not just me, and they would be filtering for obvious junk traffic directed at a single IP in a possible DDoS attack.

      A site being slashdotted would be allowed because the traffic is from tens of thousands (maybe even millions) of IP addresses (as opposed to a few hundred from the typical DDoS attack) all going after TCP port 80 (which is a standard port, as opposed to UDP port 5785, which isn't a standard port for anything AFAIK).

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    3. Re:warning: may require ISPs doing work by rthardy · · Score: 1

      At least one admin at my ISP has stated (in a local newsgroup) that it is not their job to censor http traffic. This from an ISP that is very good at filtering spam for those who want it.

      Is there some kind of disconnect at work in their thinking? How would you compare the two situations?

      --
      Tom Hardy
    4. Re:warning: may require ISPs doing work by imipak · · Score: 2
      yet what could they have done ahead of time to prevent being hit with a DDoS?
      Bought themselves an AS and multi-homed with two separate ISPs (say, UUNet and Qwest)? Just a thought...
    5. Re:warning: may require ISPs doing work by jeffy124 · · Score: 2

      Filtering spam is one thing. A lot of people demand it of their ISP because it is a problem they are capable of seeing.

      Monitoring http traffic is only the tip of the iceberg, but is not the problem. By their nature, DDoS attacks are intentional sendings of junk traffic to a specific IP address in an attempt to prevent legitimate network traffic from getting through. In Steve Gibson's case (see my link above), a script kiddie assembled 500 compromised Windows 9x machines from broadband connections and had them all fire off a million packets each of 64K in size all at UDP port 666 (along with ICMP ping packets to further fill the pipe), effectively filling grc.com's bandwidth and denying legit connections to/from grc. In a span of several hours on one of the attacks, grc's ISP blocked a total of over 4.3 billion packets. But because the packets were 64K in size, the packets had to be broken apart and reassembled. After the packets were broken apart, this created over 500 billion packet "chunks."

      McAfee is building a firewall product that will be programmed to pick up on this type of activity and filter out that traffic, protecting the network behind that firewall without the human intervention that Steve Gibson required.

      But as someone else pointed out- what about a site being slashdotted? A site getting slashdotted will receive around 1000 hits per minute all at TCP port 80, a standard port, with request packets being less than 1k apiece and a different set of 1000 machines each minute. In grc's DoS attacks, all the attacks were directed at UDP port 666, the packets 64K in size, and all the attacking machines were the same and never changing. After some thought, you can see how this is certainly inordinate in even rare circumstances.

      Hence, while an ISP admin says monitoring http traffic is beyond the scope of their duties, protecting computers on their network is still one, particularly from known attacks like DoS. Many ISPs are blocking TCP port 80 (the standard http port) because of Code Red, meaning those ISPs show interest in protecting their customers' computers. Likewise for ISPs filtering spam. Unfortunately, these ISPs are few in number.

      The reason I bring up the warning in "ISPs may be required to do work" is that in Gibson's situation, he contacted the ISPs (@home, RoadRunner, Earthlink, etc.) of where the majority of the compromised computers were attacking him, and they refused to do anything or even listen to him. This was despite Gibson being an expert in firewall technology, meaning he knows what he's talking about. Gibson's own corporate ISP gave him the run-around during the first few attacks (eventually, the support engineers gave him their home contact info). Gibson basically demonstrated that even though ISPs are capable of preventing problems, they won't because it's not in the interest of their bottom line (profits). I make the comment "may require work" because in Gibson's story, we see several ISPs refusing to do anything even out of being good Samaritans. Therefore, how can we expect ISPs to install the McAfee anti-DDoS firewall (discussed by that ZDnet article above) on their network?

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
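The distinction jeffy124 draws above (one odd UDP port, 64K fragmented datagrams, the same few hundred senders every minute, versus TCP/80, sub-1K requests and a changing crowd of thousands) can be turned into a per-minute classifier. The following is an added example, not code from the thread or from McAfee; the packet records are constructed inline, the allowlisted ports and the thresholds are assumptions for illustration, and the sizes follow the numbers in the post.

```python
import random
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "src proto dport size")

ETHERNET_MTU = 1500   # anything larger has to be IP-fragmented, as the 64K UDP datagrams were
# Assumed allowlist of services where a heavy inbound burst is plausible (TCP 80 for a slashdotting)
WELL_KNOWN = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}

def window_features(pkts, prev_pkts=()):
    """Reduce one minute of packets to the handful of numbers the post reasons about."""
    srcs = {p.src for p in pkts}
    prev = {p.src for p in prev_pkts}
    (proto, dport), top = Counter((p.proto, p.dport) for p in pkts).most_common(1)[0]
    return {
        "sources": len(srcs),
        "top_service": (proto, dport),
        "concentration": top / len(pkts),                      # share of packets aimed at one port
        "mean_size": sum(p.size for p in pkts) / len(pkts),
        "oversize_frac": sum(p.size > ETHERNET_MTU for p in pkts) / len(pkts),
        # fraction of this minute's senders that were also sending last minute
        "returning_frac": len(srcs & prev) / len(srcs) if prev else 0.0,
    }

def classify(pkts, prev_pkts=()):
    """Label one window 'ddos-flood', 'flash-crowd' or 'normal'. Thresholds are assumptions."""
    if not pkts:
        return "normal"
    f = window_features(pkts, prev_pkts)
    focused = f["concentration"] > 0.9
    # Flood: a non-standard port, oversize (fragmented) packets, the same few hundred senders as last minute
    if (focused and f["top_service"] not in WELL_KNOWN
            and f["oversize_frac"] > 0.5 and f["returning_frac"] > 0.8):
        return "ddos-flood"
    # Flash crowd: a standard port, small requests, hundreds of sources that mostly change each minute
    if (focused and f["top_service"] in WELL_KNOWN
            and f["mean_size"] < 1000 and f["sources"] >= 500 and f["returning_frac"] < 0.2):
        return "flash-crowd"
    return "normal"

# ---- constructed traffic windows, sized after the numbers in the post ----
rng = random.Random(7)

def rand_ip():
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))

ZOMBIES = [rand_ip() for _ in range(500)]          # a fixed pool of 500 compromised hosts

def flood_window(n=20000):
    """500 zombies sending 64K datagrams at UDP/666, plus ICMP echo filler."""
    pkts = [Pkt(rng.choice(ZOMBIES), "udp", 666, 65000) for _ in range(n)]
    pkts += [Pkt(rng.choice(ZOMBIES), "icmp", 0, 64) for _ in range(n // 50)]
    return pkts

def slashdot_window(n=1000):
    """~1000 readers a minute, each from a different address, small GET requests on TCP/80."""
    return [Pkt(rand_ip(), "tcp", 80, rng.randrange(300, 900)) for _ in range(n)]

def quiet_window(n=300):
    """Background traffic: a few dozen hosts spread over several ordinary services."""
    hosts = [rand_ip() for _ in range(30)]
    services = sorted(WELL_KNOWN)
    return [Pkt(rng.choice(hosts), *rng.choice(services), rng.randrange(60, 1400)) for _ in range(n)]

if __name__ == "__main__":
    print("flood   :", classify(flood_window(), flood_window()))
    print("slashdot:", classify(slashdot_window(), slashdot_window()))
    print("quiet   :", classify(quiet_window(), quiet_window()))
```

The returning-sender ratio is what separates the two cases once both look "focused"; a filter keyed only on packet rate would block a slashdotting just as readily as the flood.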
    6. Re:warning: may require ISPs doing work by rthardy · · Score: 1

      Thanks. I'll read the article and think about it.

      BTW, that URL gave me real trouble, but I was able to find and then follow the link to .

      I just now have it in front of me.

      --
      Tom Hardy
    7. Re:warning: may require ISPs doing work by rthardy · · Score: 1

      Argh! How about:
      http://slashdot.org/articles/01/05/31/1330202_F.shtml
      and
      http://grc.com/dos/grcdos.htm

      --
      Tom Hardy
    8. Re:warning: may require ISPs doing work by jeffy124 · · Score: 2

      Yeah, my apologies on that bad link in the post at the top of this thread. I hit reply and gave a more correct link.

      At grc's site, you'll find some interesting stuff about MS and their understandings of computer security. I tried submitting that to /., which got rejected. Maybe if others also see those stories Steve wrote and also submit them to /., we can have yet another chance to mock MS.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  8. The hardware companies need to be involved too by Ryu2 · · Score: 3, Interesting
    Stopping these DDOS attacks in software is a step, but still, you're using bandwidth and CPU cycles you otherwise wouldn't have. Network infrastructure companies like Cisco etc. could probably play a good role.


    Imagine if routers could be dynamically updated to intelligently scan traffic for DDOS attack patterns and block these before any host in the internal network even sees it.


    MIT has done a lot of work in this area of "Active Networking".

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
    1. Re:The hardware companies need to be involved too by Anonymous Coward · · Score: 1, Informative

      Intrusion detection boxes already do this. The problem is most networks hosting the devices scanning (ex: @home and dsl providers) are not monitoring for it.

    2. Re:The hardware companies need to be involved too by Moosifer · · Score: 2, Insightful

      Not a chance that we're going to see routers doing this anytime soon, especially not the Big Ass (tm) Cisco or Juniper routers. It's simply too computationally expensive for them to do this (today, at least) and having this feature would put them at a competitive disadvantage in terms of the # of billions of packets they can push in 23 nanoseconds.

      After all, it's marketing data that drives the industry - not the product's actual worth.

    3. Re:The hardware companies need to be involved too by Murphy(c) · · Score: 1

      Very true. But to a lesser extent, you can already have a somewhat similar effect by using a box running snort [snort.org], which is an excellent IDS, and a couple of third-party tools that dynamically update an IPTable on the server, effectively dropping all traffic from a host that has been marked as 'hostile' by snort.

      I honestly don't see the big difference from what McAfee is trying to do that snort doesn't already do (as in monitor network traffic and raise warnings on suspect connections).

      Murphy(c).

    4. Re:The hardware companies need to be involved too by HongPong · · Score: 2
      Imagine if routers could be dynamically updated to intelligently scan traffic for DDOS attack patterns and block these...

      Slashdot would have to quit it with the whole A HREF business, the "/. effect" would be kinda squelched and all...

    5. Re:The hardware companies need to be involved too by Zero__Kelvin · · Score: 1


      "MIT has done a lot of work in this area of "Active Networking"."

      And a lot of them wound up at Mazu Networks.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:The hardware companies need to be involved too by Asmodai · · Score: 1

      Simply apply ingress routing on your border routers and see a lot of lame DDoS traffic diminish.

      --
      Jeroen Ruigrok/Asmodai
  9. woohoo by meggito · · Score: 1

    Recent threats such as the Code Red and Leave worms are proof that virus writers and hackers are pooling resources to produce hybrid weapons that can cause tremendous damage.

    Yes, more anti-hacker media hype caused by a couple of retards who just fucked up everyone's day.

  10. Finally by Reality+Master+101 · · Score: 5, Funny

    Apparently they read my post on this subject. :)

    There is no doubt in my mind that ISPs need to take better action. I should be able to report probing and infection to the ISP, and they should investigate the other party. If it's a rogue hacker, they report them to the authorities. If it's a virus, the other party should be notified and their connection pulled until the system is disinfected.

    Having had my Linux box infected/hacked via the WU-FTPd bug, I know that this is not limited to Windows machines.

    In fact, I might even be open to public financing of ISP's investigation departments under a law-enforcement arm. This is a public nuisance issue. Just as you don't want a fire at your neighbor's house setting fire to your house*, we should have "fire fighters" putting out viruses as well.

    *Incidentally, to all the Libertarian wackos who think that fire departments should be privately hired by each homeowner, this is why it needs to be under the "promote the general welfare" part of the Constitution.

    --
    Sometimes it's best to just let stupid people be stupid.
    1. Re:Finally by CptnKirk · · Score: 1
      I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.

      To them this is an annoyance (cuz it smears the access log) at worst and a conversation piece at best. But what actions should be taken to eliminate this? Because most of these people are Windows 2k or XP users and have a web server turned on by default (thanks again MS), they spew out these requests whenever they're online. These users have no idea they're infected and may not even know they were at risk in the first place. It seems pretty harsh to kill their connection just for running a buggy OS. But they should be notified by someone.

      If the ISPs can't or won't notify these users, is there some legal and moral middle ground others could take? We've kicked around the idea of sending winpopups to these users with instructions on how to clean their systems. Someone could write a nice virus that would close this hole for them and reboot their systems.

      Any other suggestions? Have people really been successful at getting support from ISPs regarding this issue?

    2. Re:Finally by Rick+the+Red · · Score: 2
      I should be able to report probing and infection to the ISP, and they should investigate the other party.

      Don't you read? It works like this: You report the probing and infection to the ISP, they contact the FBI, and you're arrested.

      --
      If all this should have a reason, we would be the last to know.
    3. Re:Finally by M.+Silver · · Score: 2
      I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.

      Yea, verily. While I was waiting for this article to load, I popped out to the shell to grep my Apache logs, and sho nuf I'm still seeing Code Red requests. Last one was, um, about twenty minutes ago. It's quieted down to about one an hour, but still.

      --

      Slashdot's token middle-aged housewife
    4. Re:Finally by ncc74656 · · Score: 2
      I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.
      http://salfter.dyndns.org/codered.shtml

      5877 attempts logged from 2140 hosts as of now. 129 of them are from today. It's tapered off, and a greater proportion is from other service providers, but it's still coming in. My server auto-responds to each attack attempt with a popup on the remote console.

      --
      20 January 2017: the End of an Error.
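The tallies in the two posts above (attempts, distinct hosts, attempts from today) are what a grep over an Apache access log produces. The script below is an added example, not ncc74656's or M. Silver's own code: it parses combined-format log lines and recognises Code Red probes by their known signature, a GET for /default.ida padded with a long run of N (original worm) or X (Code Red II) characters. The log lines are constructed samples with documentation-range addresses; the date passed in as "today" is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Code Red probes target the Index Server ISAPI filter through /default.ida and pad the
# request with a long run of N (Code Red I) or X (Code Red II) characters.
CODERED_RE = re.compile(r'^GET /default\.ida\?(?:N{20,}|X{20,})')

def parse_line(line):
    """Return (host, timestamp, request) or None for a line that is not in log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("req")

def is_codered(request):
    return bool(CODERED_RE.match(request))

def tally(lines, today):
    """Count Code Red probes: total attempts, distinct hosts, attempts dated `today`
    (an ISO date string such as "2001-08-06"), and a per-host breakdown."""
    per_host = Counter()
    attempts = today_attempts = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:           # malformed or truncated line: skip, do not crash
            continue
        host, ts, req = parsed
        if not is_codered(req):
            continue
        attempts += 1
        per_host[host] += 1
        if ts.date().isoformat() == today:
            today_attempts += 1
    return {"attempts": attempts, "hosts": len(per_host),
            "today": today_attempts, "by_host": dict(per_host)}

# Constructed sample log: three probing hosts, one ordinary visitor, one garbage line.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Aug/2001:09:12:31 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [05/Aug/2001:22:01:07 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [06/Aug/2001:03:44:59 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
203.0.113.9 - - [06/Aug/2001:11:20:15 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
203.0.113.200 - - [06/Aug/2001:17:05:42 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
this line is not in Apache log format
"""

def report(today="2001-08-06"):
    """Tally the constructed sample for the assumed date."""
    return tally(SAMPLE_LOG.splitlines(), today)

if __name__ == "__main__":
    r = report()
    print(f"{r['attempts']} attempts logged from {r['hosts']} hosts; {r['today']} of them today")
    for host, n in sorted(r["by_host"].items(), key=lambda kv: -kv[1]):
        print(f"  {host:16} {n}")
```

Because the worm only ever asks for /default.ida, the same match is a safe basis for a firewall drop list; it never fires on normal browsing of a site that does not serve that path.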
  11. I don't really see how this could work by ferratus · · Score: 1

    How is this going to work? They are going to "exchange research, and researchers". Big deal! A DDOS attack cannot be predicted, so how are they going to help stupid sys admins who feel applying patches is "time-consuming"?

    Any OS can be targeted by a DDOS and a DDOS attack will always exist. You can't force a stupid kid to write a small program that will "only ping random servers, like 1 billion times. That's it..."

    You can "help" by teaching sys admins to apply patches when they come out and possibly by running a safer OS. (What's the name again? Pretty sure it ends with "ux".)

    Anyway, I'm not sure this "alliance" is anything more than marketing. On the plus side, those other small companies (with McAfee) are going to see if they can resist a Distributed /.-attack.

    --
    IP Therefore I am.
    1. Re:I don't really see how this could work by Anonymous Coward · · Score: 0

      Don't you mean an OS that ends in "SD"?

    2. Re:I don't really see how this could work by Anonymous Coward · · Score: 0

      you mean the one that had a remotely exploitable buffer overrun in telnetd for over 20 YEARS, just fixed this month?

      wonder how long certain people have known about *THAT* one. they only made it public now that no one uses telnetd anymore.

    3. Re:I don't really see how this could work by ferratus · · Score: 1

      DAMN...you do have a point. Well, OSes that end with "ux" are at least better than some other OSes that start with W :)

      Obviously, we're not going to name anything here.

      --
      IP Therefore I am.
  12. lets all scan ports by tandr · · Score: 1

    Basically -- "Let us scan your network in order to prevent other scanning activities".

    How many firewalls will be triggered by this?

    Oh, and usual "Sed Quis Custodiet Ipsos Custodes?"

  13. Lots of advance warning... by RollingThunder · · Score: 1

    Well, not for the basic DDOS network scanning, but the later item in the story is slated to come out in May. That coupled with a moderately clear description of what the technology does ought to pretty much guarantee that the virus writers will have something developed to evade it by then.

  14. It's not DDoS but... by Gordonjcp · · Score: 3, Funny

    ... I wish there was an ethernet "magic packet" I could send to the wee shit that's been trying every NT4 and Win2K exploit against my machine, which would connect his ethernet cable between phase and neutral. A big relay and some logic ought to do it, 240v up his Cat 5 would stop him pissing me off.

    They've been at it all weekend now.

    1. Re:It's not DDoS but... by zothorn · · Score: 1

      If those bastards burn on the lights on my cable modem, my friends and I are going after them with pitch forks and torches!

    2. Re:It's not DDoS but... by Jebediah21 · · Score: 1

      I'd like to nail the moron at 64.32.58.190 (dsl-64-32-58-190.dsl.theworks.com) who has been hitting port 2222 every minute since 10:00 AM this morning. Talk about a waste of bandwidth.

      --

      Everytime you look at porn a devil gets their horns.
  15. stinger? by BroadbandBradley · · Score: 2

    I think it'll go like this:
    DDoS detectors send reports to a central data pool, ISPs pay for access to said pool (the bandwidth saved may be your own!!), ISPs terminate connections and ask questions later.
    This way MC Crappy can charge for access to the DDoS Zombie list. Any bets on if they'll provide this information for free?

  16. Corrected Link by jeffy124 · · Score: 2
    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  17. We must fight this! by PopeAlien · · Score: 5, Funny

    ..All this talk of 'hackers' and 'zombies' shutting down websites.. Don't you understand? They're going to shut down Slashdot!! Where else do thousands of hackers gather together to load a single webpage all at one time, blocking 'legitimate' access? Oh! whats to be done! Won't somebody please think of the children!

    1. Re:We must fight this! by cpeterso · · Score: 1

      Where else do thousands of hackers and zombies gather together to load a single webpage all at one time, blocking 'legitimate' access?

  18. nothing new by Papa+Legba · · Score: 1

    Unfortunately the idea of being re-active instead of pro-active permeates the whole IT industry currently. This is why we see software being shipped with little or no beta testing resulting in massive patches after release.
    Part of the problem stems from the fact that too often it is A.) Dangerous to report the problem to someone.
    Example B.) Against the law to report it Example or C.) So common that it would take too much time to sift through it and report it to the appropriate people to have them take no action (I'd make an example of my firewall logs from just today but I suspect I would find out quickly what exactly the maximum size on a post could be as I overload it).
    I don't think we should wait for the manufacturers to solve this problem for us, I think we should handle this problem ourselves. If you get a badly tested product return it, no matter how much it may hurt. Maybe we can have something like Earth Day where, instead of cleaning the beaches, all the system admins can spend a day collectively informing each other, without fear of prosecution, about their problems.

    Then again I may be just dreaming this all; at my job we cannot even get around to replacing the horribly flaky mail server yet because it has not gone tits up, let alone arrange a day for the internet community to pick up the litter on the side of the information superhighway.

    A final thought, aren't they advocating a DDOS circumvention tool? Isn't that against the DMCA? Maybe the president of McAfee needs a couple days in jail to think this one over next to Dmitry Sklyarov.

    --
    Papa Legba come and open the gate
  19. Baby steps in the right direction. by Rimbo · · Score: 2

    Right now, the wolves (black-hats) have two real advantages over the shepherds (white-hats). The first is that there are just too many damned sheep in the fold for the shepherds to keep track of, and the second is that the sheep farmers are too busy competing with each other to collaborate the way the wolves do.

    This is a baby step towards eliminating two of those. The most important one is that although most folks don't have their ports locked down or update, they do have anti-virus software installed. So by teaming with McAfee to make an anti-trojan solution, a lot more computers are going to be able to be protected, and it'll really take the teeth out of a DDOS attack.

    The second baby step is that by collaborating, the shepherds can now do a better job of keeping tabs on the wolves. It's only a baby step; this looks like it's just an ordinary corporate alliance, not a sign of genuine teamwork. But it's a start, and really cuts into the black-hats' current advantages.

  20. Shutting Down Slashdot? by Ratbert42 · · Score: 2, Funny

    Does that mean McAfee is going to try to shut down Slashdot?

  21. There might be a reason for this... by tulare · · Score: 2
    From the article:
    ... said Vincent Gullatto, senior researcher at McAfee, in Santa Clara, Calif. "We anticipate this problem will only get worse, especially since people seem to be resistant to updating their systems for some reason."
    Considering the fact that the majority of internet users are using Windows, which has the tendency to crash horribly whenever something new, particularly security-related, is installed, is it really any wonder? Not to mention the fact that that operating system caters to a mentality where, apparently, security "doesn't really matter." A little user education would go a long way in preventing zombies, but somehow Redmond won't take the initiative, and the rest of the net suffers. This isn't to say that there aren't vulnerabilities on every operating system, just that the total number of unsecured Windows machines increases the risk to the population as a whole.
    --
    political_news.c: warning: comparison is always true due to limited range of data type
    1. Re:There might be a reason for this... by TheAwfulTruth · · Score: 1

      You mean like updating to the latest linux kernel and wiping out your file system?

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    2. Re:There might be a reason for this... by zothorn · · Score: 1

      If Windows was secure, there would be a lot of jobless IT people. I've plenty of times had to "crack" NT boxes where I worked, when the user did something stupid and locked themselves out of their own machine, deleted a necessary file, or just a general file system error that set permission on an entire volume to "Everyone - No access".. If Windows was secure, I'd have been fired years ago when some BIG WIG exec finds out I can't break in and get his precious pron.

  22. stinger by kz45 · · Score: 1

    Wasn't this the name of BE's integrated OS?

  23. Re:Stephen King, author, dead at 54 by 72beetle · · Score: 0, Offtopic

    You wish.

    The guy that hit him, however, was found dead.

    Read it here.

    -72

    --
    -Those who dance are considered insane by those who can't hear the music.
  24. This has been in the works for years by fobbman · · Score: 3, Funny

    Here's a list of groups actively working on Anti-DOS projects:

    RedHat

    Slackware

    Debian

    One of the first

    Honestly, while I agree that we must stop DOS at all costs, I fail to see why this is news. Hell, it could be argued that even McRosoft themselves do a good job at getting people to quit using the product.

    1. Re:This has been in the works for years by fobbman · · Score: 2

      Most interesting! I ironically linked to Linux Mandrake in my link on McRosoft and it puts the TRUE name of the link in brackets! Must be the new Goatse.cx feature.

    2. Re:This has been in the works for years by fobbman · · Score: 1

      Oh wait, it did it to all my links. Guess it's not THAT smart.

  25. another anti cracker outfit by RestiffBard · · Score: 2

    I heard recently (likely on NPR) about another anti-cracker outfit that was setting up servers with the intent of letting them get cracked so they could watch the invaders in real time to learn their techniques and so forth. Apparently they are learning quite a bit. If I find a link to the site or group I'll reply to myself.

    --
    - /* dead coders leave no comments */
    1. Re:another anti cracker outfit by RollingThunder · · Score: 2

      The keyword you're looking for there is a "honeypot", or when multiple systems/nodes are involved, a "honeynet". A google search on those terms should turn up some good stuff.

      I had some good bookmarks on the subject, but I forgot to bring 'em with me from the last job, I'm afraid.

    2. Re:another anti cracker outfit by zulux · · Score: 1
      I have my own honeypot on a firewall - it's an OpenBSD system with a Samba share that looks like drive C: on a Windows box:

      There's a file there called LotsOfPorn.Zip.Exe, that when downloaded (it's padded to be large) - scans the hard-drive for unlocked files and renames them. After the Samba share has been probed, Samba causes a script to run that waits fifteen minutes (enough time for the file to be downloaded) then pulls down the ethernet connection on the Cisco router and brings it back up - the firewall's IP address changes due to our ISP's DHCP server. It took about a day for me to get everything working right (I was a bit over my head as far as the script was concerned), but the two or three downloads a month that I see in the logs makes it all worthwhile.

      I know I'm evil, but it's fun.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  26. Isn't this risky? by banky · · Score: 3

    I can just see it now:

    McAfee StrikeBack(tm) contains an [ActiveX|DLL] vulnerability, causing [malicious email|specially formatted string on port XXX] to [crash the box|get root|return false results to unintended targets]. Users are advised to [upgrade|disable until upgrade posted|other].

    Not that I'm against it, as such, but we're talking about the Keystone Kops of security, here.

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
    1. Re:Isn't this risky? by Anonymous Coward · · Score: 0

      Don't laugh, there was a remotely exploitable buffer overrun in ISS's IDS system.

      That'd be fun to explain: "First the cracker compromised our IDS box, and used that as a springboard to take over the entire network. He then sold all of our data to our major competitors and forwarded our REAL accounting data to the IRS."

  27. On the subject of zombie machines... by acoustix · · Score: 2, Insightful

    "...there are still loads of zombie machines out there merrily scanning away, looking for others to infect."

    I think there should be a law against this sort of thing. Think about it. You should get 10 days to patch your equipment and after 10 days the owner of the equipment should pay fines for wasting bandwidth and trying to infect other hosts.

    I use a dial-up connection on a class C address and I'm still getting scanned for port 80 about 70 times in one day. I never got traffic like that before.

    It seems to me that people are just running their boxes and not checking up on them or patching them and it irritates me. Oh well....

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
    1. Re:On the subject of zombie machines... by zothorn · · Score: 1

      Yep. I think that if more than X people have logs pointing to your machine infecting theirs, they should be able to class action sue for damages.

  28. Why NOT write white-hat virii? by Booker · · Score: 2

    Generally, when something like Code Red shows up, someone asks about exploiting the same flaws to patch up the systems, rather than proliferate the virus. That's when people chime in about how that would be immoral.

    But if virii are opportunistic, and your average internet/Windows user is a babe in the woods, why not do what we do with our real children - inoculate them before they can be harmed?

    Ok, so maybe that's an elitist approach, but the other stance - "don't do anything to their system without their permission" - has brought us Code Red et al.

    If MS won't plug the holes, why shouldn't the internet at large look after its own?

    1. Re:Why NOT write white-hat virii? by Judas96' · · Score: 1

      This is probably part of what they will do with whatever they put out. The user will get a notice saying "you have an unpatched Microsoft IIS web server running. Press (OK) to patch it..."
      But they are a company and they are charging for it. Funny how that makes people trust them more.

  29. Accepting responsibility might help! by ParserONE · · Score: 2, Interesting

    This is not gonna help by far.

    The problem is rooted much deeper than you might think. People are simply not going to upgrade software out of security reasons. They don't care about anything as long as the software keeps working.

    People should be held accountable for bad security, this is the only way to get them to friggin secure their internet connected boxes and thereby dramatically reducing the chance that a worm will ever reach proportions like Code Red II again..

    The first thing people tell me when I try to convince them they need to keep up with security patches is that they "don't have anything interesting for a cracker to find"(TM). But they forget that if their servers get cracked into, the first thing the cracker is going to do is crack other boxes from there. So by not securing your internet connected boxes you are actually helping crackers (or worms) crack more and more boxes without anyone being able to trace them.

    Worms like code red are just the beginning, I have already made a worm concept that will be far worse than Code Red II. Just add some P2P like networking between the compromised systems and you can actually make the worm aware of itself, by making it react if large numbers of hosts are being disconnected by starting to spread again. Even anonymous communication with the worm is possible through means of something like Freenet, and by communicating with the worm someone could feed new ip-ranges to scan or even upgrade the worm to use new exploits. Someone could have (close) to realtime control of hundreds of thousands of internet connected boxes. This is just a simple example of what a well written worm can do, and it will be practically unstoppable.

    So instead of being one step behind all the time maybe it's time for some regulation here. If your box gets cracked using an exploit that has been patched over say... six months ago (whether it be done by a worm *or* a cracker), then you *should* be held accountable for the damage your system causes. It's just plain irresponsible to keep an insecure box connected to the internet, and if people won't use their common sense and thereby causing problems for other innocent people they deserve getting in trouble.

    phew... end rant here...

    --
    Heisenberg could have been here...

  30. Would you like to know more? by Anonymous Coward · · Score: 0

    Here is the technology: Hummer

    Here is the company implementing the research: TriGeo

  31. there's no money in the correct fix by bmidgley · · Score: 1

    There is money in antivirus software. The bigger the media coverage, the more money it will generate. But it's the wrong end of the equation. Antivirus outfits will never get enough people to buy in to stop the problem of DDOSs.

    The right place to fix this is by holding ISPs responsible for traffic from their networks with invalid addresses and making them investigate zombie reports and notify people when they've been compromised. (Spoofed addresses make the latter impossible so we need to make sure we can find the zombies.) There's no money in this though. Could ISPs charge users when they become infected? No, but no ISP will commit resources when their competition isn't doing it. Usually the market will right itself but this is a situation that needs oversight before it will get better.

  32. Tired of spoofed packets by darf · · Score: 2, Informative

    I think a big help to everyone would be if ISPs made sure that packets leaving their networks had a source address that belonged within their network.

    I'm not sure why *I* have to deny all RFC1918 traffic and other garbage on my border router. In my shop, a packet doesn't leave unless its source address is from my network.

    It could be easily done at the ISPs' lowest branch routers so it wouldn't be too hard to configure or cost too much in performance.

    Seems to me this would be the responsible thing to do for the entire community. I've never heard a reasonable argument for letting packets out onto the Internet that don't have a source address in your network.

    1. Re:Tired of spoofed packets by Anonymous Coward · · Score: 0

      Asymmetric satellite links from other satellite providers using you as a landline for outbound traffic.

      I worked for an ISP and we did block all outbound traffic as you suggested. It was just a pain in the arse when users would ring in and bitch at you about your service not working with their new satellite provider.

      It only took 10 minutes to find out what they were sending addresses sourced as but still some people mightn't be willing to do so.

      Mind you it didn't happen that often. And a proper implementation of a tunnel back to a nat server by the satellite provider would have been a better (and potentially more secure) solution, but you can expect people to do things properly :(

      DaveN

    2. Re:Tired of spoofed packets by Kenyaman · · Score: 1

      Given that most ISPs already block source routed packets, I suspect this would be pretty easy to do. Tell the router: On this interface is w.x.y.0 network; only traffic to and from w.x.y.0 network goes through this interface. Worst case, I fake my address with another on the network, but that should be reasonably easy to track down.

      What problems would it cause, though? I know that blocking source routed packets makes it impossible to ping test a round trip (since there's no reason to assume a packet will come back from, say, Yahoo, the same way it went to, say, Yahoo). That's irritating, but not the end of the world.

    3. Re:Tired of spoofed packets by Anonymous Coward · · Score: 0

      I think any filtering should be done at the access servers, controlled by RADIUS - that would give you per-account settings so you don't have to run quite so open, and of course also security between two users on the same box.

      Really is the satellite provider's problem here - but you try explaining why to a customer :(

    4. Re:Tired of spoofed packets by rm3friskerFTN · · Score: 1
      Likewise, it would seem to be quite easy for Microsoft to ensure that WinXP consumer edition doesn't make it too easy to spoof said packets.

      We are all part of a team, the team can work together to ensure:

      spoofed packets don't leave a team-member's network

      OS's that allow easy IP spoofing are changed to make it difficult to spoof by implementing access controls a la WinNT/Unix/Linux. Evidently WinXP consumer edition has ZERO-DESIRE to be a team-player like its Win95/98/NT cousins.

      FYI, Steve Gibson has posted his latest explanation of the WinXP Raw Sockets Vulnerability here from whence the concern of "WinXP boxes and ... their [spoofed] IP addresses" evidently first originated.

      Steve & Co. also provide two "quick 'n dirty" FREE programs to download to:

      test your access to "raw sockets" (all Win OS)

      secure NON-SYSTEM "raw sockets" access (Win2K & WinXP) to see that Win2K & WinXP continue to function just fine

      The funny part is that Steve Gibson now uses Microsoft's own MSDN Technical Documentation against Microsoft. Steve provides quotes from the Microsoft MSDN websites and links to the original Microsoft Technical Documentation

      As of 8/13/01 @ 0801 PST, all the links to the Microsoft Technical Documentation PROVING (?) Steve Gibson's points were fully functional.

      BTW, for a "nail biting" (grin - soon to be a motion picture - grin) tale of one man's experience with a Distributed Denial of Service attack read both here and SlashDot commentary to learn where Steve's fear of WinXP Raw Sockets originates (i.e. WinXP zombies doing DDOS with the easy to spoof WinXP box IP addresses due to desktop Joe/Jane-consumer user always being "root")

      Evidently, Steve Gibson can now quote chapter and verse back to Microsoft and ask Microsoft "Why are you [microsoft] now contradicting yourself."

      BTW, there is now an "astroturf" (?) website devoted to debunking Steve Gibson here although all the DNS details seem bogus ("How convenient for the astroturf PR agency!!!" says the Church lady)

      --

      I believe Juanita

  33. here's a strategic alliance for you by bmidgley · · Score: 1

    How about if ISPs and antivirus outfits make an alliance? If ISPs got a cut whenever one of their users bought antivirus software, they'd be reporting the breakins to their users like nobody's business... then maybe we'd see some progress on the problem.

  34. stung by stinger? by dzero · · Score: 1

    ...and then the bad guys start spoofing ddos detectors and use the anti-ddos infrastructure itself to deny services.

    even better than a traditional ddos attack!

    1. Re:stung by stinger? by BroadbandBradley · · Score: 2

      it's like that Michael Jackson song from the 80's:

      I'm starting with the man in the middle

      ddos'n ddos detection system, so cool, now I gotta go learn how to program.

  35. Re:whatever MOD PARENT UP!! by Anonymous Coward · · Score: 0

    Makes sense to me.

  36. Shouldn't routing protocols address this... by acq3 · · Score: 1

    Seems to me like the best way to do this would be to have the next-gen routing protocols be able to propagate 'blocks' in addition to routes.

    Yes, I know this would be massively memory intensive on the routing tables, but how cool would it be if you could set a block on an ip on your border/edge/first router and that block would propagate to the border/edge/first router in front of the offending ip.

    Again, yes, I know there are all sorts of security problems with this, but shouldn't this be the direction of the majority of effort in this regard?

    Oh yeah, they just want to make money, not actually fix things... Sorry.

  37. Already done by SCHecklerX · · Score: 2

    TruSecure corporation started a similar initiative last year during the DDOS scare that was happening then.

    See http://www.trusecure.com/html/partners/alliance.shtml

  38. Plain and simple: McAfee Sucks! by Mustang+Matt · · Score: 2

    Never again will I trust them or buy a product from them. They don't understand the meaning of tech support and they want to charge $2.95/minute for some no talent arse clown to sit on the other end of the phone and throw people for a loop.

    It takes quite a bit of research to even find customer service to complain to about the crappy tech support.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  39. scanning away by Anonymous Coward · · Score: 0

    Today since 8 am EST I got ( hey 3 new ones )
    72 tries on port 80 ! : )
    That's everyday since Code Red has been out.
    Are Windows users THAT clueless ?

  40. DDoS cannot be stopped by Amoeba · · Score: 2
    From the article: The long-term goal of the partnership is to develop and deploy a solution that will enable Internet service providers and data centers to identify when their networks are under a DDoS attack and also to discover and eliminate the "zombies" that attackers use to launch their assaults.

    Okay, so they will eventually have a way to slow and possibly even stop the spread of the garden variety DDoS attack like the packet floods or viral-zombie Code Red types they mention as the detection mechanisms improve. However, the sad truth folks is that it just isn't possible to stop a DDoS attack.

    Don't believe me? Before you warm up your flamethrowers just follow along here for a sec.

    Think for a bit about how the net works. You got your SYN, the SYN_RECV's, the SYN_ACK's. You got packets that have a frame, header and route info, a data payload etc. You got stuff that has to be there in order for this neat internet doohickey to function. In other words there is a framework that makes pattern matching algorithms and heuristics (and other stuff involving math :) possible so you can try to separate good packets from the bad packets.

    Problem is that there's one thing that can't be predicted/recognized/prevented/controlled: where that first SYN is coming from. And that's the reason that DDoS works so well. All the Black Hats have to do is keep coming up with stuff that is harder and harder to crack pattern-wise while having that randomized Ace up their sleeve.

    The perfect DDoS attack tool would be a method that infects thousands of machines and each machine has a unique source or random strain of the tool in such a manner that the only thing they share is the trigger to set it in motion at a target... and the trigger isn't where anti-virus or other client checking stuff could detect it. When you pull the trigger thousands of infected machines attack the target and there's no way the target can tell it's not legit traffic. Basically a code version of the Slashdot Effect. CmdrTaco pulls the trigger with an article link and we "zombies" blast the crap out of the site. :)

    Amoeba

    --
    Do not taunt Happy-Fun Ball
    1. Re:DDoS cannot be stopped by Tor · · Score: 1

      As such, any Slashdot article pointing to an external site is a DDOS attack.

      :)

    2. Re:DDoS cannot be stopped by Animats · · Score: 2
      Technical measures have been devised to detect and throttle most of the forged-source-address attacks. Those fixes haven't been deployed everywhere, but it's coming, slowly.
      That was the problem back in 1999.

      More recent attacks involve takeovers of large numbers of zombie machines, each of which does something seemingly legitimate. But these have identified source addresses, and can be dealt with by fair queuing and similar traffic shaping. Unless the number of attacking clients is large relative to the number of legitimate clients, that should limit the damage. This is independent of how big a pipe the zombies have.

    3. Re:DDoS cannot be stopped by Amoeba · · Score: 3
      Unless the number of attacking clients is large relative to the number of legitimate clients, that should limit the damage.

      Until incoming packets can be torn down, analyzed and determination made to allow/deny at a rate equal or greater than the wire speed at the router device then DDoS will always be possible. Yeah you can throttle forged-source-address attacks just dandy but your site is still screwed if the sheer amount of inbound packets pegs the CPU/memory on your router(s) to where it falls behind in processing the queue.... There are some methods you can put into hardware (ASICs etc) but unlike SSL accelerator cards (like in the F5 or Foundry) and similar approaches, the complexity at that front-end would make the cost of the solution prohibitive or result in still more dedicated devices (load balancers etc) at the network level... and there's always going to be a bottleneck to cause things to jam.

      Amoeba

      --
      Do not taunt Happy-Fun Ball
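The exchange above (Animats' fair-queuing point and Amoeba's reply) can be made concrete with a small simulation. This is an added example, not code from the article or from any vendor it names: a toy discrete-time model in which every client emits packets each tick, the server forwards at most `capacity` packets per tick, and we measure the fraction of legitimate packets actually delivered under a shared FIFO buffer versus per-source round-robin queues. All sources are assumed to be identified (no spoofing), which is the case Animats describes; the client counts, rates, buffer sizes and the `simulate` name are constructed for this example.

```python
"""Shared FIFO versus per-source fair queuing under a zombie flood.

Added example for the DDoS exchange above; not code from the article or from
any vendor it names.  Each tick every client emits packets, the server forwards
at most `capacity` packets, and we measure what fraction of legitimate packets
is delivered.  Sources are identified (no spoofing).  Counts, rates and buffer
sizes are constructed.
"""
import random
from collections import deque


def simulate(n_legit, n_zombie, ticks, capacity=40, zombie_rate=50,
             shared_cap=200, per_source_cap=10, seed=1):
    """Return {"fifo": f, "fair": f}: fraction of legitimate packets delivered."""
    rng = random.Random(seed)
    sources = ([f"legit{i}" for i in range(n_legit)] +
               [f"zombie{i}" for i in range(n_zombie)])
    # Legitimate clients send one packet per tick, zombies send zombie_rate.
    rate = {s: (zombie_rate if s.startswith("zombie") else 1) for s in sources}

    fifo = deque()                            # one shared buffer, tail drop
    per_src = {s: deque() for s in sources}   # one bounded queue per source
    fifo_delivered = fair_delivered = 0
    ptr = 0                                   # round-robin position, kept across ticks

    for _tick in range(ticks):
        arrivals = [s for s in sources for _ in range(rate[s])]
        rng.shuffle(arrivals)                 # order within a tick is arbitrary

        for s in arrivals:
            if len(fifo) < shared_cap:        # a flood fills the shared buffer for everyone
                fifo.append(s)
            if len(per_src[s]) < per_source_cap:   # a flooder only overflows its own queue
                per_src[s].append(s)

        # Shared FIFO: forward whatever reached the head of the line.
        for _ in range(min(capacity, len(fifo))):
            if fifo.popleft().startswith("legit"):
                fifo_delivered += 1

        # Fair queuing: one packet per non-empty source per pass, round-robin.
        served = idle = 0
        while served < capacity and idle < len(sources):
            s = sources[ptr]
            ptr = (ptr + 1) % len(sources)
            if per_src[s]:
                per_src[s].popleft()
                served += 1
                idle = 0
                if s.startswith("legit"):
                    fair_delivered += 1
            else:
                idle += 1

    sent = n_legit * ticks
    return {"fifo": fifo_delivered / sent, "fair": fair_delivered / sent}


if __name__ == "__main__":
    # 20 real clients against 5 zombies: fair queuing delivers every legitimate packet.
    print(simulate(20, 5, 50))
    # 20 real clients against 100 zombies: the zombies are now most of the sources,
    # so even a fair share is only a third of the legitimate traffic.
    print(simulate(20, 100, 60))
```

With 20 clients and 5 zombies the round-robin scheduler delivers all legitimate traffic while the shared FIFO delivers only a small fraction; with 100 zombies the fair share itself drops to one third, which is Animats' caveat about attackers outnumbering clients. Amoeba's objection is outside the model: it assumes the box doing the queuing keeps up with the wire.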
  41. Web Content Filtering by ajkunen · · Score: 1

    I don't think that many of the ISPs will actually dump the money on some kind of DDOS filtering...

    .. but if they do, how do you know exactly what is a DDOS? how do you know they are not going to filter legit traffic? All I see is another tragedy like the web content filters where tons of 'good' traffic gets dropped because the algorithms suck.

  42. Been there, done that by ELBnet · · Score: 2
    For example, Stinger will be able to filter Internet... will also be able to configure TCP/IP ports manually and receive alerts about anomalous network activity.

    Uhh.. isn't that built into the Linux kernel and called IP Tables?

    --
    -- I thought I was wrong once, but I was mistaken
  43. Let's Start with something simple by Elias+Israel · · Score: 1

    If cable operators would stop filtering out silly things like port 80, and start filtering out forged packets, we might actually be able to stop some of these attacks before they start.

    If you see a packet transmitted from a cable modem in your network and it claims to be from outside your network, drop it on the floor, it's not a valid packet.

    If the packet is going into a cable modem, but its origination claims it came from that cable modem, drop it on the floor, it's not a valid packet.

    If the packet has address 0.0.0.0 as its origin or destination, drop it on the floor, it's not a valid packet.

    Don't think this happens? Get a firewall and you can watch these packets go by all day long.

    1. Re:Let's Start with something simple by jmauro · · Score: 3

      Err.... Won't really stop code red. None of the packets sent to other computers were forged at all. Kind of sucks that way.
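The three drop rules in Elias Israel's post, together with darf's "a packet doesn't leave unless its source address is from my network" and Kenyaman's "only w.x.y.0 goes through this interface", are the practice RFC 2827 (BCP 38) calls ingress filtering. The following is an added example, not code from the article or from any ISP's configuration: a per-interface filter that applies those rules in both directions and also refuses RFC 1918 and 0.0.0.0 sources. The `Packet` and `EdgeFilter` names, the 203.0.113.0/24 customer prefix and the sample packets are all constructed for this example.

```python
"""Source-address sanity filter for a provider's access router.

Added example; not from the article or any ISP's configuration.  Encodes the
drop rules from the thread above for one customer-facing interface.  The
prefix, packet samples and class names are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Source addresses that have no business crossing a provider edge in either
# direction: 0.0.0.0/8 ("this" network, which covers 0.0.0.0 itself),
# RFC 1918 private space and loopback.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "egress" = cable modem -> Internet, "ingress" = Internet -> cable modem


class EdgeFilter:
    """Filter for one access interface; `customer_prefix` is what it serves."""

    def __init__(self, customer_prefix):
        self.prefix = ipaddress.ip_network(customer_prefix)

    def decide(self, pkt):
        """Return (verdict, reason) for one packet."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if any(src in net for net in BOGON_SOURCES):
            return ("drop", "bogon or null source")
        if dst == ipaddress.ip_address("0.0.0.0"):
            return ("drop", "null destination")
        if pkt.direction == "egress":
            # Rule 1: a packet from the customer must carry a source we assigned.
            if src not in self.prefix:
                return ("drop", "source not in customer prefix")
            return ("accept", "egress source verified")
        if pkt.direction == "ingress":
            # Rule 2: nothing arriving from the Internet may claim to be inside.
            if src in self.prefix:
                return ("drop", "outside packet claims inside source")
            return ("accept", "ingress source plausible")
        raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed traffic using RFC 5737 documentation ranges: the customer segment
# is 203.0.113.0/24, "the Internet" is 198.51.100.0/24.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "198.51.100.9", "egress"),     # normal outbound
    Packet("198.51.100.200", "198.51.100.9", "egress"),  # spoofed outbound source
    Packet("10.1.2.3", "198.51.100.9", "egress"),        # RFC 1918 leak
    Packet("198.51.100.9", "203.0.113.7", "ingress"),    # normal inbound
    Packet("203.0.113.9", "203.0.113.7", "ingress"),     # inside source arriving from outside
    Packet("203.0.113.7", "0.0.0.0", "egress"),          # null destination
    Packet("0.0.0.0", "203.0.113.7", "ingress"),         # null source
]


def run_samples(customer_prefix="203.0.113.0/24"):
    """Apply the filter to every sample packet; verdicts come back in order."""
    f = EdgeFilter(customer_prefix)
    return [f.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt.direction:7} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {reason}")
```

As jmauro notes in the reply above, this does nothing against Code Red itself, whose probes carry real source addresses; what it removes is the ability of a zombie on that segment to flood with forged ones, which is what makes the zombie traceable in the first place.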

  44. IP/admin phone # database by supabeast! · · Score: 2

    You know what I want? I want a third party database that will allow sysadmins to list their 24/7 telephone number along with blocks of IPs. That way, if someone is being scanned/flooded by my ip, and has paid for access to the database (Keeps idiot h4x0rz from looking up my number.) he can then call me immediately instead of trying to track me down through whois, and I can pull the machine off-line and deal with it.

    This would be much better than having the box messing with people for a few days because tracking down someone who can shut it off is so damned troublesome. I mean, face it, no matter how good a sysadmin is, at times there will be a box that for whatever reason is online and insecure. We could all benefit from such a service, and most of our companies would probably pay for it.

    Anyone else agree (I know people will happily disagree and flame me for posting this at all...)?

    1. Re:IP/admin phone # database by Flavius+Stilicho · · Score: 1

      "You know what I want? I want a third party database that will allow sysadmins to list their 24/7 telephone number along with blocks of IPs."

      Good God man! Have you considered what that database would be worth in the eyes of a telemarketer/spammer!? Temptation like that (the temptation to sell the list) would be almost too much to bear for any capitalist organization. *shudder*

  45. WinXP IP Address Spoof Details [Re:Question...] by rm3friskerFTN · · Score: 1
    "How will they identify the zombies that happen to be WinXP boxes and have their IP addresses spoofed?"

    FYI, Steve Gibson has posted his latest explanation of the WinXP Raw Sockets Vulnerability here from whence the concern of "WinXP boxes and ... their [spoofed] IP addresses" evidently first originated.

    Steve & Co. also provide two "quick 'n dirty" FREE programs to download to:

    test your access to "raw sockets" (all Win OS)

    secure NON-SYSTEM "raw sockets" access (Win2K & WinXP) to see that Win2K & WinXP continue to function just fine

    The funny part is that Steve Gibson now uses Microsoft's own MSDN Technical Documentation against Microsoft. Steve provides quotes from the Microsoft MSDN websites and links to the original Microsoft Technical Documentation

    As of 8/13/01 @ 0801 PST, all the links to the Microsoft Technical Documentation PROVING (?) Steve Gibson's points were fully functional.

    BTW, for a "nail biting" (grin - soon to be a motion picture - grin) tale of one man's experience with a Distributed Denial of Service attack read both here and SlashDot commentary to learn where Steve's fear of WinXP Raw Sockets originates (i.e. WinXP zombies doing DDOS with the easy to spoof WinXP box IP addresses due to desktop Joe/Jane-consumer user always being "root")

    Funny thing now is that Steve Gibson can now quote chapter and verse back to Microsoft and ask Microsoft "Why are you [microsoft] now contradicting yourself."

    BTW, there is now an "astroturf" (?) website devoted to debunking Steve Gibson here although all the DNS details seem bogus ("How convenient for the astroturf PR agency!!!" says the Church lady)

    --

    I believe Juanita

  46. Service Pack != Security Patch by rm3friskerFTN · · Score: 1
    When you say a "security-patch" do you really mean a "security-patch" all by itself or do you mean a SERVICE PACK that might have several "security-patches" in it plus a whole bunch of stuff you don't want, don't need, and know from years of clueful experience will cause harm to your particular system?

    PAUSE ... PAUSE ... PAUSE

    security-patch == security-patch
    If you mean a "security-patch" all by itself that is just and only a "security-patch" then I am with you brother ... 133%!!!!!

    service-pack != security-patch
    If you mean a "security-patch" that is bundled with a slew of other upgrades, modifications, bug fixes, and such that historically lead to headaches, more holes, and expensive hardware upgrades that didn't need to be done but I had to do anyway due to this poorly designed SERVICE PACK then I am going to quite willfully turn around and BLAME THE VENDOR OF THE OS for creating an environment where it is safer not to implement the "NON security-patch" because they never offered a "security-patch" in the first place

    --

    I believe Juanita

  47. To quote Full Metal Jacket... by bjtuna · · Score: 2

    Some people blame Microsoft for the world's computer security problems. After all, if Microsoft cared a whit about security, the virus outbreaks wouldn't be so damn nasty. Others say Microsoft isn't the problem; networks are inherently insecure (see the EROS Project for a solution in development). I'm not one to say Microsoft is totally to blame, but I would like to quote Stanley Kubrick's Full Metal Jacket on the issue:

    HARTMAN:
    If it wasn't for dickheads like you, there
    wouldn't be any thievery in this world, would there?

  48. Homebrew anti-codered by gad_zuki! · · Score: 2

    Do we really expect business to suddenly save the internet? Codered vigilante is a java based server that listens on 80 then sends back a message to CR infected computers telling them to get a patch.

  49. So what? by blarhfinger · · Score: 2

    As usual, NAI is two years behind the times.

    I don't know what all the fuss is about- there's a little company called Captus that already has a box that deals with DDoS for you. Been available for a while, i think....I don't know why it's been so slow to catch on, though. It's a screamin' demon....

  50. This is interesting, but I don't understand... by quintessent · · Score: 2

    What does everyone have against an old program like Dr. Dos?

    1. Re:This is interesting, but I don't understand... by Anonymous Coward · · Score: 0

      Directed Denial Of Service DDOS

  51. Reality, Responsibility and Liability by Totally_Lost · · Score: 1

    Assuming responsibility for this problem, also implies that the entity also assume legal liability for the problems created as well should the efforts fail in the future. While it all sounds good to claim that the ISP's are responsible for filtering for certain classes of evil packets, should they accept the responsibility they also must accept the liabilities should their efforts fail sometime in the future.

    Most, if not all, ISP's have strict legal liability disclaimers about their customers activities - used to defend themselves against all 3rd parties that might litigate against their customers actions, or inactions. The legal/business side of any ISP would be wary to set the stage claiming to take responsibility for the actions of packets originating from customer owned/managed facilities. Once they start down that road, then all sorts of claims can be made that they are responsible for filtering all kinds of evil packets, including as some might suggest - porn, pirate copyrighted material, all types of virus and trojan outbreaks, ... and a long list down a controversial slope.

    Cable/DSL modems owned/leased/managed/operated by end users should contain any network required mandated filtering to facilitate the mandate that every customer is responsible for packets originating from their facility - intended or not.

    If all these devices were proper NAT devices, and filtered/firewalled well known ports which are generally associated with server functions typically not allowed under many of the service plans un-skilled customers subscribe to, then we could see the total number of exposed machines drop by 95% in a few months. The remaining machines would not number enough to realistically mount DDOS attacks of the magnitude we have seen this last month.

    The ISP doesn't need to filter - it just needs to mandate that its customers do - or risk disconnection. In this case, making firmware patches available for the cable/dsl modems, and setting a deadline for deployment.

  52. New self-defense law by Secret+Coward · · Score: 1
    If the ISPs can't or won't notify these users, is there some legal and moral middle ground others could take?

    I would like to see a law specifically permitting a response to virus and worm attacks. We could have an agency which identifies legitimate attacks and grants the world an authorized response to the attack.

    For example, the agency (let's call it the Internet Defense Agency) would identify the Code Red worm as a legitimate problem. The IDA would define an HTTP request of "GET default.ida..." as an attack event. Any time someone detects the attack event, they would have permission to respond in a certain way (like plugging the hole or notifying the machine's owner). The response would depend on the situation.

    Obviously, this agency would have to follow guidelines (they could not permit someone to erase the attacker's hard drive).

    I would much rather see the IDA than have congress do something totally stupid and ineffective, like requiring all web servers to have a license.
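Whatever one thinks of the legal side, the "attack event" Secret Coward defines is easy to recognise, and it is what acoustix and the anonymous poster above are counting by hand when they report 70-odd port 80 hits a day. The following is an added example, not code from the article or any product it names: it parses Apache common-log-format lines, flags requests for /default.ida, and tallies them per day and per source address so an administrator can see which hosts keep probing. The log lines are constructed (RFC 5737 documentation addresses); real Code Red hits carry a long run of filler characters and an encoded payload in the query string, which the matcher does not need. The function and constant names are mine.

```python
"""Flag Code Red style probes in a web server access log.

Added example; not from the article or from any vendor's product.  The log
lines are constructed in Apache common log format with documentation
addresses.  The only signature used is the one the thread names: an HTTP
request for /default.ida.
"""
import re
from collections import Counter, defaultdict

# Apache common log format: ip ident user [day/Mon/year:time zone] "req" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The "attack event" from the post above.  Case-insensitive because IIS paths
# are not case sensitive and probes vary the case.
CODE_RED_PATH = re.compile(r'^/default\.ida(\?|$)', re.IGNORECASE)

# Constructed sample log: three probes on the 13th, one on the 14th, two
# ordinary requests and one line that is not in CLF at all.
SAMPLE_LOG = """\
198.51.100.23 - - [13/Aug/2001:08:01:15 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.8 - - [13/Aug/2001:08:02:40 -0700] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [13/Aug/2001:09:11:02 -0700] "GET /Default.IDA?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.77 - - [13/Aug/2001:22:45:09 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.77 - - [14/Aug/2001:00:03:19 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.8 - - [14/Aug/2001:07:30:00 -0700] "POST /cgi-bin/form HTTP/1.1" 200 12
this line is not in common log format
"""


def parse(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(entry):
    """True when the request target is the default.ida ISAPI path."""
    return CODE_RED_PATH.match(entry["target"]) is not None


def summarize(log_text):
    """Tally probes per day and per source; count lines that failed to parse."""
    per_day = Counter()
    per_source = defaultdict(Counter)        # day -> Counter(ip -> hits)
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:                    # never silently skip malformed input
            unparsed += 1
            continue
        if is_code_red_probe(entry):
            per_day[entry["day"]] += 1
            per_source[entry["day"]][entry["ip"]] += 1
    return {"per_day": dict(per_day),
            "per_source": {d: dict(c) for d, c in per_source.items()},
            "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, n in sorted(report["per_day"].items()):
        srcs = report["per_source"][day]
        print(f"{day}: {n} probes from {len(srcs)} source(s): {srcs}")
    print(f"unparsed lines: {report['unparsed']}")
```

The per-source tally is the useful part for the notification schemes discussed in this thread: a host that shows up repeatedly across days is the one whose owner (or ISP) needs the call, and the unparsed count tells you when the log format, not the network, has changed.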

  53. Call the Citizen Militia. by BigBlockMopar · · Score: 2

    Don't you read [slashdot.org]? It works like this: You report the probing and infection to the ISP, they contact the FBI, and you're arrested.

    Ugh. That's insane.

    To me, that's akin to being arrested for reporting a drunk driver.

    It's *my* highway, too... (I'd argue more so, since I'm not a luser running AOL on Windows 2000 with IIS running by default; *hell*, I used to have a UUCP e-mail address back in 1988, but I've ranted about that enough already). Don't *my* needs for safety on the Information Superhighway count for anything?

    Prior to this, I'd always attributed intelligence to the FBI. And, I'd still like to hope that there are some Fox Mulders in the department. Unfortunately, it sounds like this guy has become the victim of an overzealous donut-eater of a prosecutor whose computer illiteracy is eclipsed only by the FBI's Keystone Kops.

    Before a brush with the Peel Regional Gestapo where my truck was taken off the road for an alleged safety violation, I had held law enforcement in high regard. I'd always found cops to be friendly, helpful, diplomatic and logical.

    <rant>(The truck was really ugly but the steering, brakes, body and lights were all solid and working perfectly, so they decided that they didn't like the way my battery was held down and yanked my license plates. Interestingly enough, the battery was held down exactly the same way as Chrysler held down the battery on all 149,999 other Dodge Rams they made in 1983. I had two mechanics (one of whom works at a restoration shop where they fix $500,000 Bugattis day in and day out) and a mechanical engineer testify for me that the vehicle was absolutely, perfectly safe; even so, the judge upheld the Peel Regional Gestapo's cop (not a licensed mechanic) was capable of making the decision better than two mechanics and an engineer. I considered sneaking into the USA and claiming refugee status as a publicity stunt in retaliation. I took the cop aside afterwards, asked him if he had children, and then told him that I would attend church that Sunday and pray that his wife and children would both be stricken with inoperable bowel cancer. A man like him has no business procreating.)</rant>

    With news like that, I start to think that it's time for me to overthrow the government of some small South Pacific island and make LawrenceLand, appointing myself head of state and chief of police. Any cop with more donuts in his squad car than measurable IQ points would be executed, by his victims, in front of the teeming masses.

    --
    Fire and Meat. Yummy.
  54. Article has poor content real-DDOS mitigation is.. by Zeio · · Score: 2
    This ZD article (Eweek) failed to really get technical with the issue.

    I happened to find an interesting company at reactivenetwork.com.

    It isn't just another dot-bomb or hot-dot. There is a real method behind mitigating DDOS attacks. This methodology certainly isn't suggested by this article, and therefore is fairly senseless chatter about nothing in particular. The companies, Arbor, Asta and Mazu and McAfee talk a lot about Zombie detection, and use an array of industry buzzwords and marketing hype surrounded by code-red to carve a niche in the market for themselves. They want to offer their services and fail to come up with a distributed scheme and proper good traffic bad traffic differentiation.

    I saw a demonstration of the product that Reactive Networks had. It is certainly a meritorious endeavor that deserves a closer look. It is also interesting because this is far beyond theory and academia; this is laden with applicative value. It is a Linux-based distributed detector/actuator scheme. It is interesting because it does a few things that could really, really make NSPs' lives much better. The first step is to recognize the good traffic from the bad. It tends to learn what network traffic is normal. It knows when a DDOS attack is coming in and mitigates the attack while letting the good traffic come through. What is amazing is that I have seen this work on a LAN at GigE speeds! I can mitigate a randomly spoofed source address attack while letting "normal" web traffic through. And this product isn't beta, prerelease, etc.; it's at version 1.0.

    The next time ZD's editors start babbling about something that got into the news or on CNN that had to do with technology, they should look for the real gems of technology, not sift through a pile of marketing hype and whitepapers without seeing some action. You can talk about doing something, or you can do it. AFAIK, Reactive is the only company to prove to me, whitepaper or not, that AT&T, UUNet, Sprint/MCI/WorldCom, Verizon, Savvio and others should pick up software like Reactive Networks' and not worry about finding and punishing script kiddies and killing zombies. There are too many zombies to count; there are too many IPs to worry about. You have to let the good traffic through and block the evil traffic. The best way of doing this is to have a distributed triggering scheme, to identify good traffic, and to make holes for the typical good traffic and let the customers of a web site through. It's not about launching a holy crusade against script kiddies; it's fruitless.

    Always look for a company that addresses a problem, HAS a product that fixes it, and isn't about marketing buzz but about engineering a new solution that the big players would be able to use to nullify the ill effects of script kiddies.

    Just my two cents

    --
    Legalize the constitution. Think for yourself; question authority.
  55. 99% secure Windows by M_T_Toaster · · Score: 1
    My Windows is at least 99% secure...

    I never upgrade it and never will, until the perceived risk of not upgrading it is greater than the risk of upgrading it... A) If I don't upgrade, it might go pear-shaped in future and need the hassle of reinstalling; B) if I do, the upgrade will be a hassle (possibly not much), will probably go pear-shaped as I do it, and is probably just as likely to go wrong in future.
    This is how I, and I expect most people, regard Windows, and so adopt the policy of "if it ain't *too* broke, don't fix it."

    So I still have win-95 (but spend most of my time using Gnu/Intel/Bsd/Perl/RMS/GOD/Anyone-else-want-credit -here/Linux)

    I deem my windows 99% secure 'cos I use it less than 1 hr every 4 days.

  56. Speed by rootmonkey · · Score: 1

    Their products work by scanning incoming network traffic and searching for signs of packet floods.

    Won't sniffing all those packets slow your connection to a crawl?

    --

    Yes but every time I try to see it your way, I get a headache.
  57. Use the virus by Anonymous Coward · · Score: 0

    The CodeRed viruses leave security holes in the machines that allow for the running of arbitrary code. Use that mechanism to install/run the patch on the server then restart the machine. You basically have command line access to do anything that you want.

  58. Simple Solution through TOS by Martin+S. · · Score: 2

    The simplest and most effective solution is a clause in the ISP's terms of service reserving the right to disconnect infected machines.

  59. No...you have it backward by lamour · · Score: 1

    being the company grc is, I'm 100% sure they had all their patches up to date

    It's not grc that needs to patch their systems. The people whose boxes were owned and used to attack grc need to patch their systems. zyklone's 100% right. DDoS can happen because so many machines on the Internet are trivial to own. Without all those boxes being fixed, the ISPs and everyone else are at the mercy of the hackers.

    Remember, Code Red only uses an IIS 5 vulnerability. What percentage of Windows boxes on the Internet is that? I'd guess small. What if the next worm uses a general Windows bug instead of just IIS? What if they ALL started flooding? This is the point I think zyklone was trying to make. Until everyone takes responsibility for the security of their own boxes, everyone else is at risk.

    A site being slashdotted would be allowed because the traffic is from tens of thousands (maybe even millions) of IP addresses (as opposed to a few hundred from the typical ddos attack) all going after tcp port 80 (which is a standard port, as opposed to UDP port 5785, which isn't a standard port for anything afaik)

    Heard of Code Red? Read your comment again with that in mind. Doesn't seem so cut and dried now, does it?

    IMHO,
    Michael
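Two of the comments above describe, in prose, how a DDoS mitigator ought to behave: comment 54 says it should learn what normal traffic looks like, recognise a flood (including one with randomly spoofed sources) and keep letting the real customers through, and comment 59 argues that the "lots of IPs all hitting TCP/80 is just a slashdotting" rule breaks down once a worm like Code Red drives tens of thousands of zombies at port 80. The block below is an added example written for this page; it is not code from the thread, from Reactive Networks, or from any vendor named in the article. It works on constructed per-window flow records, assumes a `handshake` flag that a real sensor would derive from the observed SYN/SYN-ACK/ACK exchange, and uses made-up thresholds (`factor`, `floor`) chosen only to make the four scenarios legible.

```python
"""Added example (not from the Slashdot thread or any vendor it names).

Toy detector/actuator: learn a per-service baseline from quiet windows,
flag a window by deviation from that baseline instead of by the quoted
'many sources on TCP/80 == legit' rule, and during mitigation admit only
sources that completed a handshake at a customer-like rate.
All flow records are constructed; the `handshake` flag is an assumption
standing in for connection state a real sensor would track.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source address (constructed, not real traffic)
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    pkts: int         # packets from src to (proto, dport) in this window
    handshake: bool   # True only for TCP sources that completed the 3-way handshake


def summarize(window):
    """Per (proto, dport): (total packets, distinct sources) for one window."""
    pkts, srcs = Counter(), defaultdict(set)
    for f in window:
        key = (f.proto, f.dport)
        pkts[key] += f.pkts
        srcs[key].add(f.src)
    return {k: (pkts[k], len(srcs[k])) for k in pkts}


def learn_baseline(quiet_windows):
    """(mean packets per window, mean packets per source) for each service seen.
    A service never seen while learning gets no entry; detect() treats that as 0."""
    totals = defaultdict(lambda: [0, 0])
    for w in quiet_windows:
        for key, (p, s) in summarize(w).items():
            totals[key][0] += p
            totals[key][1] += s
    n = len(quiet_windows)
    return {key: (p / n, p / s) for key, (p, s) in totals.items()}


def flash_crowd_rule(window):
    """The heuristic quoted in comment 59: many sources, all on TCP/80 -> 'legit'."""
    summ = summarize(window)
    return set(summ) == {("tcp", 80)} and summ[("tcp", 80)][1] >= 1000


def detect(window, base, factor=10.0, floor=500):
    """Flag services whose packet count is far above the learned baseline
    (or above an absolute floor when the service has no baseline at all)."""
    flagged = {}
    for key, (p, _) in summarize(window).items():
        expected = base.get(key, (0.0, 0.0))[0]
        if p > max(factor * expected, floor):
            flagged[key] = p
    return flagged


def mitigate(window, base, flagged, factor=4.0):
    """For flagged services keep sources that completed a handshake and send no
    more than `factor` times the learned per-source rate; shed everything else.
    Unflagged services pass untouched."""
    admitted, shed = [], []
    for f in window:
        key = (f.proto, f.dport)
        if key not in flagged:
            admitted.append(f)
            continue
        per_src = base.get(key, (0.0, 0.0))[1]
        ok = f.handshake and f.pkts <= max(factor * per_src, 1)
        (admitted if ok else shed).append(f)
    return admitted, shed


# --- constructed traffic: ~50 customers at ~10 packets each is "normal" ------
def quiet_window(i):
    return [Flow(f"10.0.{i}.{n}", "tcp", 80, 10, True) for n in range(50)]

BASE = learn_baseline([quiet_window(i) for i in range(5)])   # {("tcp", 80): (500.0, 10.0)}
CUSTOMERS = [Flow(f"10.9.0.{n}", "tcp", 80, 10, True) for n in range(50)]

FLASH_CROWD = CUSTOMERS + [Flow(f"172.16.{n // 250}.{n % 250}", "tcp", 80, 3, True) for n in range(5000)]
SPOOFED_SYN = CUSTOMERS + [Flow(f"198.51.{n // 250}.{n % 250}", "tcp", 80, 5, False) for n in range(5000)]
CODE_RED_STYLE = CUSTOMERS + [Flow(f"192.168.{n // 250}.{n % 250}", "tcp", 80, 200, True) for n in range(5000)]
SPOOFED_UDP = CUSTOMERS + [Flow(f"203.0.{n // 250}.{n % 250}", "udp", 5785, 100, False) for n in range(300)]


def run(window, base=BASE):
    """Apply the quoted heuristic, the baseline detector and the actuator to one window."""
    flagged = detect(window, base)
    admitted, shed = mitigate(window, base, flagged)
    admitted_srcs = {f.src for f in admitted}
    return {
        "flash_rule_says_legit": flash_crowd_rule(window),
        "flagged": sorted(flagged),
        "admitted": len(admitted),
        "shed": len(shed),
        "customers_admitted": all(c.src in admitted_srcs for c in CUSTOMERS),
    }


if __name__ == "__main__":
    for name in ("FLASH_CROWD", "SPOOFED_SYN", "CODE_RED_STYLE", "SPOOFED_UDP"):
        print(name, run(globals()[name]))
```

The flash crowd and the Code Red style flood look identical to the quoted heuristic (thousands of sources, all TCP/80, handshakes completed), which is exactly the objection in comment 59. The baseline detector flags both, and the actuator then separates them by per-source behaviour: flash-crowd visitors send a few packets each and are admitted, zombies hammering at twenty times the learned rate are shed, and the 50 regular customers get through in every scenario. Spoofed SYN and UDP floods never complete a handshake and are shed outright, which is the "let the good traffic through, block the evil traffic" behaviour comment 54 describes. Real deployments would replace the fixed `factor`/`floor` with per-service statistics and would need the distributed triggering the comment mentions; none of that is modelled here.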