Anti-DDOS Alliance In The Works?
Rackemup writes: "This article on ZDNET says McAfee and some anti-DDOS vendors are finally teaming up to address DDOS attacks and Code-Red-like network scanning. Seems like they're finally catching on that a purely reactive approach to Internet and virus attacks isn't going to cut it anymore; even after all the media coverage of these latest virus attacks, there are still loads of zombie machines out there merrily scanning away, looking for others to infect."
It was called a Mac User group in the 80's, but now, I don't see how it could be relevant.
Je t'aime Stéphanie
We did it.. Yep, we saved you from a huge attack that would have crippled your network.. No, honestly, we did.. Please see attached invoice.
air and light and time and space
we all know that the only way to kill a zombie machine is to accidentally lose one's hand, therefore giving one the opportunity to replace it with a chainsaw and hack away (physically) at the undead machines.
Something like this may be dependent on the ISPs to fully implement. McAfee may release a tool that can sit on a Cisco router or a firewall or something that will watch for possible DDoS data, such as a flood of UDP packets to a port that's rarely accessed, in an effort to protect one of their customers from being DDoS'd. Given the number of ISPs out there that pay attention to security issues (see Steve Gibson's DDoS Post-Mortem), will ISPs actually expend the effort to help the situation with DDoS?
I suspect not, given how quickly some email viruses spread despite both McAfee and Symantec providing virus scanning products for use on SMTP relay servers.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
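The kind of detector the comment above describes (a UDP flood aimed at a port the network rarely sees), as an added example that is not McAfee's product and not code from the original thread. It learns a per-destination-port baseline of UDP packet counts from a few quiet windows and flags any port whose count in a later window jumps far above that baseline; a port never seen in the baseline is flagged as soon as it exceeds a small floor. The flow records, the window size and the thresholds (`floor`, `ratio`) are constructed assumptions.

```python
from collections import Counter

# Constructed sample "flow records": (window_id, proto, dst_port, src_ip).
# Windows 0-2 are quiet baseline traffic (DNS and a little NTP); window 3
# carries a UDP flood aimed at port 1434, which the baseline never sees.
SAMPLE_RECORDS = [
    *[(w, "udp", 53, f"10.0.0.{i}") for w in range(3) for i in range(1, 21)],   # 20/window
    *[(w, "udp", 123, f"10.0.0.{i}") for w in range(3) for i in range(1, 4)],   # 3/window
    *[(3, "udp", 53, f"10.0.0.{i}") for i in range(1, 21)],                     # normal DNS
    *[(3, "udp", 1434, f"198.51.100.{i % 250 + 1}") for i in range(500)],       # the flood
    *[(3, "tcp", 80, f"10.0.0.{i}") for i in range(1, 50)],                     # TCP is ignored
]


def udp_rate_by_port(records, window):
    """UDP packets per destination port within one window."""
    counts = Counter()
    for w, proto, port, _src in records:
        if w == window and proto == "udp":
            counts[port] += 1
    return counts


def build_baseline(records, windows):
    """Average UDP packets per window for each port over the learning windows."""
    total = Counter()
    for w in windows:
        total.update(udp_rate_by_port(records, w))
    return {port: n / len(windows) for port, n in total.items()}


def detect_udp_floods(records, baseline, window, *, floor=5.0, ratio=10.0):
    """Return {port: (observed, expected)} for every port whose UDP count in
    `window` exceeds max(floor, ratio * baseline). A port absent from the
    baseline has expected == 0, so any burst above `floor` is reported."""
    alerts = {}
    for port, observed in udp_rate_by_port(records, window).items():
        expected = baseline.get(port, 0.0)
        if observed > max(floor, ratio * expected):
            alerts[port] = (observed, expected)
    return alerts


def run_demo():
    """Learn from windows 0-2, then inspect window 3. Returns {1434: (500, 0.0)}."""
    baseline = build_baseline(SAMPLE_RECORDS, windows=range(3))
    return detect_udp_floods(SAMPLE_RECORDS, baseline, window=3)


if __name__ == "__main__":
    for port, (obs, exp) in run_demo().items():
        print(f"port {port}: {obs} UDP packets this window, baseline {exp:.1f}")
```

The `ratio` guard matters as much as the floor: port 53 also carries plenty of packets in the attack window, but it sits at its learned rate and is not reported, which is the difference between a flood detector and a simple top-talkers list. In a real deployment the baseline would be rebuilt continuously from flow exports (NetFlow/sFlow) rather than from a fixed list.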
Imagine if routers could be dynamically updated to intelligently scan traffic for DDOS attack patterns and block these before any host in the internal network even sees it.
MIT has done a lot of work in this area of "Active Networking".
There's 10 types of people in this world, those who understand binary and those who don't.
Apparently they read my post on this subject. :)
There is no doubt in my mind that ISPs need to take better action. I should be able to report probing and infection to the ISP, and they should investigate the other party. If it's a rogue hacker, they report them to the authorities. If it's a virus, the other party should be notified and their connection pulled until the system is disinfected.
Having had my Linux box infected/hacked via the WU-FTPd bug, I know that this is not limited to Windows machines.
In fact, I might even be open to public financing of ISPs' investigation departments under a law-enforcement arm. This is a public nuisance issue. Just as you don't want a fire at your neighbor's house setting fire to your house*, we should have "fire fighters" putting out viruses as well.
*Incidentally, to all the Libertarian wackos who think that fire departments should be privately hired by each homeowner, this is why it needs to be under the "promote the general welfare" part of the constitution.
Sometimes it's best to just let stupid people be stupid.
... I wish there was an ethernet "magic packet" I could send to the wee shit that's been trying every NT4 and Win2K exploit against my machine, which would connect his ethernet cable between phase and neutral. A big relay and some logic ought to do it, 240v up his Cat 5 would stop him pissing me off.
They've been at it all weekend now.
I think it'll go like this:
DDoS detectors send reports to a central data pool, ISPs pay for access to said pool (the bandwidth saved may be your own!!), ISPs terminate connections and ask questions later.
This way MC Crappy can charge for access to the DDoS Zombie list. Any bets on if they'll provide this information for free?
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Sorry, try this link instead
..All this talk of 'hackers' and 'zombies' shutting down websites.. Don't you understand? They're going to shut down Slashdot!! Where else do thousands of hackers gather together to load a single webpage all at one time, blocking 'legitimate' access? Oh! What's to be done! Won't somebody please think of the children!
Right now, the wolves (black-hats) have two real advantages over the shepherds (white-hats). The first is that there are just too many damned sheep in the fold for the shepherds to keep track of, and the second is that the sheep farmers are too busy competing with each other to collaborate the way the wolves do.
This is a baby step towards eliminating those two. The most important one is that although most folks don't have their ports locked down or updated, they do have anti-virus software installed. So by teaming with McAfee to make an anti-trojan solution, a lot more computers are going to be able to be protected, and it'll really take the teeth out of a DDOS attack.
The second baby step is that by collaborating, the shepherds can now do a better job of keeping tabs on the wolves. It's only a baby step; this looks like it's just an ordinary corporate alliance, not a sign of genuine teamwork. But it's a start, and really cuts into the black-hats' current advantages.
Does that mean McAfee is going to try to shut down Slashdot?
political_news.c: warning: comparison is always true due to limited range of data type
Here's a list of groups actively working on Anti-DOS projects:
RedHat
Slackware
Debian
One of the first
Honestly, while I agree that we must stop DOS at all costs, I fail to see why this is news. Hell, it could be argued that even McRosoft themselves do a good job at getting people to quit using the product.
I heard recently (likely on NPR) about another anti-cracker outfit that was setting up servers with the intent of letting them get cracked so they could watch the invaders in real time to learn their techniques and so forth. Apparently they are learning quite a bit. If I find a link to the site or group I'll reply to myself.
I can just see it now:
McAfee StrikeBack(tm) contains an [ActiveX|DLL] vulnerability, causing [malicious email|specially formatted string on port XXX] to [crash the box|get root|return false results to unintended targets]. Users are advised to [upgrade|disable until upgrade posted|other].
Not that I'm against it, as such, but we're talking about the Keystone Kops of security, here.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
"...there are still loads of zombie machines out there merrily scanning away, looking for others to infect."
I think there should be a law against this sort of thing. Think about it. You should get 10 days to patch your equipment and after 10 days the owner of the equipment should pay fines for wasting bandwidth and trying to infect other hosts.
I use a dial-up connection on a class C address and I'm still getting scanned for port 80 about 70 times in one day. I never got traffic like that before.
It seems to me that people are just running their boxes and not checking up on them or patching them and it irritates me. Oh well....
"A plan fiendishly clever in its intricacies"- Homer Simpson
Generally, when something like Code Red shows up, someone asks about exploiting the same flaws to patch up the systems, rather than proliferate the virus. That's when people chime in about how that would be immoral.
But if virii are opportunistic, and your average internet/Windows user is a babe in the woods, why not do what we do with our real children - inoculate them before they can be harmed?
Ok, so maybe that's an elitist approach, but the other stance - "don't do anything to their system without their permission" - has brought us Code Red et al.
If MS won't plug the holes, why shouldn't the internet at large look after its own?
This is not gonna help by far.
The problem is rooted much deeper than you might think. People are simply not going to upgrade software out of security reasons. They don't care about anything as long as the software keeps working.
People should be held accountable for bad security, this is the only way to get them to friggin secure their internet connected boxes and thereby dramatically reducing the chance that a worm will ever reach proportions like Code Red II again..
The first thing people tell me when I try to convince them they need to keep up with security patches is that they "don't have anything interesting for a cracker to find"(TM). But they forget that if their servers get cracked into, the first thing the cracker is going to do is crack other boxes from there. So by not securing your internet connected boxes you are actually helping crackers (or worms) crack more and more boxes without anyone being able to trace them.
Worms like Code Red are just the beginning, I have already made a worm concept that will be far worse than Code Red II. Just add some P2P like networking between the compromised systems and you can actually make the worm aware of itself, by making it react if large numbers of hosts are being disconnected by starting to spread again. Even anonymous communication with the worm is possible through means of something like Freenet, and by communicating with the worm someone could feed new ip-ranges to scan or even upgrade the worm to use new exploits. Someone could have (close to) real-time control of hundreds of thousands of internet connected boxes. This is just a simple example of what a well written worm can do, and it will be practically unstoppable.
So instead of being one step behind all the time maybe it's time for some regulation here. If your box gets cracked using an exploit that has been patched over say... six months ago (whether it be done by a worm *or* a cracker), then you *should* be held accountable for the damage your system causes. It's just plain irresponsible to keep an insecure box connected to the internet, and if people won't use their common sense and thereby cause problems for other innocent people they deserve getting in trouble.
pfew... end rant here...
--
Heisenberg could have been here...
I think a big help to everyone would be if ISPs made sure that packets leaving their networks had a source address that belonged within their network.
I'm not sure why *I* have to deny all RFC1918 traffic and other garbage on my border router. In my shop, a packet doesn't leave unless its source address is from my network.
It could be easily done at the ISPs lowest branch routers so it wouldn't be too hard to configure or cost too much in performance.
Seems to me this would be the responsible thing to do for the entire community. I've never heard a reasonable argument for letting packets out onto the Internet that don't have a source address in your network.
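The egress rule the post argues for (a packet leaves only if its source address belongs to your own prefixes, and never with an RFC 1918 source), as an added example that is not code from the thread or from any ISP. It is the decision logic behind the access list such a border router would carry, written in Python so it can be exercised against constructed packets; the prefixes, the packet list and the verdict labels are assumptions, using RFC 5737 documentation addresses as stand-ins.

```python
import ipaddress

# Constructed example: the prefixes this site announces. These are the only
# source addresses a packet may carry when it leaves through the border router.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private space must never appear as a source on the public Internet.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_verdict(src_ip, our_prefixes=OUR_PREFIXES):
    """Decide whether a packet with source `src_ip` may leave the network.
    Returns ('permit', reason) or ('deny', reason). Order matters: private and
    bogus sources are rejected before the own-prefix check, and anything not
    from our own prefixes is treated as spoofed."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in RFC1918):
        return ("deny", "rfc1918-source")
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return ("deny", "bogus-source")
    if any(addr in net for net in our_prefixes):
        return ("permit", "own-prefix")
    return ("deny", "spoofed-source")


def filter_outbound(packets, our_prefixes=OUR_PREFIXES):
    """Apply egress_verdict to (src, dst) pairs; return (permitted, dropped),
    each a list of (src, dst, reason) so the drops can be logged."""
    permitted, dropped = [], []
    for src, dst in packets:
        verdict, reason = egress_verdict(src, our_prefixes)
        (permitted if verdict == "permit" else dropped).append((src, dst, reason))
    return permitted, dropped


# Constructed outbound packets: two legitimate, three that must be dropped.
SAMPLE_OUTBOUND = [
    ("203.0.113.10", "198.51.100.5"),
    ("203.0.113.77", "198.51.100.5"),
    ("192.168.1.20", "198.51.100.5"),   # leaked private address
    ("198.51.100.9", "198.51.100.5"),   # spoofed: not one of our prefixes
    ("127.0.0.1", "198.51.100.5"),      # loopback as source is never valid
]

if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_OUTBOUND)
    print("permitted:", ok)
    print("dropped:", bad)
```

This is the behaviour BCP 38 (RFC 2827) asks of every network edge; it costs one ACL per customer-facing interface. It does not help against attacks that use real source addresses, which is the point the later reply about Code Red makes, but it removes the randomly spoofed variety that the thread worries about most.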
TruSecure corporation started a similar initiative last year during the DDOS scare that was happening then.
See http://www.trusecure.com/html/partners/alliance.shtml
Never again will I trust them or buy a product from them. They don't understand the meaning of tech support and they want to charge $2.95/minute for some no talent arse clown to sit on the other end of the phone and throw people for a loop.
It takes quite a bit of research to even find customer service to complain to about the crappy tech support.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Okay, so they will eventually have a way to slow and possibly even stop the spread of the garden variety DDoS attack like the packet floods or viral-zombie Code Red types they mention, as the detection mechanisms improve. However, the sad truth, folks, is that it just isn't possible to stop a DDoS attack.
Don't believe me? Before you warm up your flamethrowers just follow along here for a sec.
Think for a bit about how the net works. You got your SYN, the SYN_RECV's, the SYN_ACK's. You got packets that have a frame, header and route info, a data payload etc. You got stuff that has to be there in order for this neat internet doohickey to function. In other words there is a framework that makes pattern matching algorithms and heuristics (and other stuff involving math :) possible so you can try to separate good packets from the bad packets.
Problem is that there's one thing that can't be predicted/recognized/prevented/controlled: where that first SYN is coming from. And that's the reason that DDoS works so well. All the Black Hats have to do is keep coming up with stuff that is harder and harder to crack pattern-wise while having that randomized Ace up their sleeve.
The perfect DDoS attack tool would be a method that infects thousands of machines and each machine has a unique source or random strain of the tool in such a manner that the only thing they share is the trigger to set it in motion at a target... and the trigger isn't where anti-virus or other client checking stuff could detect it. When you pull the trigger thousands of infected machines attack the target and there's no way the target can tell it's not legit traffic. Basically a code version of the Slashdot Effect. CmdrTaco pulls the trigger with an article link and we "zombies" blast the crap out of the site. :)
Amoeba
Do not taunt Happy-Fun Ball
Uhh.. isn't that built into the Linux kernel and called IP Tables?
-- I thought I was wrong once, but I was mistaken
You know what I want? I want a third party database that will allow sysadmins to list their 24/7 telephone number along with blocks of IPs. That way, if someone is being scanned/flooded by my ip, and has paid for access to the database (keeps idiot h4x0rz from looking up my number), he can then call me immediately instead of trying to track me down through whois, and I can pull the machine off-line and deal with it.
This would be much better than having the box messing with people for a few days because tracking down someone who can shut it off is so damned troublesome. I mean, face it, no matter how good a sysadmin is, at time there will be a box that for whatever reason is online and insecure. We could all benefit from such a service, and most of our companies would probably pay for it.
Anyone else agree (I know people will happily disagree and flame me for posting this at all...)?
Err.... Won't really stop code red. None of the packets sent to other computers were forged at all. Kind of sucks that way.
Some people blame Microsoft for the world's computer security problems. After all, if Microsoft cared a whit about security, the virus outbreaks wouldn't be so damn nasty. Others say Microsoft isn't the problem; networks are inherently insecure (see the EROS Project for a solution in development). I'm not one to say Microsoft is totally to blame, but I would like to quote Stanley Kubrick's Full Metal Jacket on the issue:
HARTMAN:
If it wasn't for dickheads like you, there
wouldn't be any thievery in this world, would there?
Intercarve Networks, LLC
Do we really expect business to suddenly save the internet? Codered vigilante is a java based server that listens on 80 then sends back a message to CR infected computers telling them to get a patch.
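A listener of the sort the comment describes, as an added example rather than the Codered vigilante code itself: it recognises the worm's probe on the HTTP request line and answers with a plain-text notice instead of a page. Code Red's probe was a GET for /default.ida with a long run of 'N' (Code Red I) or 'X' (Code Red II) followed by %u-encoded bytes, exploiting the IIS Index Server ISAPI (.ida) buffer overflow; the minimum run length, the response wording and the sample requests below are constructed assumptions, and the samples do not carry the worm's real payload.

```python
import re

# Match only the request line; the payload is never decoded or forwarded.
# A run of 50 fill characters is an assumed lower bound (the real probe is longer).
CODE_RED_LINE = re.compile(rb"^GET /default\.ida\?(?P<fill>N{50,}|X{50,})", re.IGNORECASE)

PATCH_NOTICE = (
    b"This host appears to be infected with the Code Red worm.\n"
    b"Apply the vendor patch for the IIS Index Server (.ida) buffer overflow\n"
    b"and reboot; until then it will keep scanning other networks.\n"
)


def classify_request(raw):
    """Return 'code-red-1', 'code-red-2' or None for one raw HTTP request."""
    first_line = raw.split(b"\r\n", 1)[0]
    m = CODE_RED_LINE.match(first_line)
    if not m:
        return None
    return "code-red-1" if m.group("fill")[:1].upper() == b"N" else "code-red-2"


def build_response(variant):
    """HTTP/1.0 reply: the notice for an infected client, a plain 404 for anyone else."""
    if variant is None:
        status, body = b"404 Not Found", b"not found\n"
    else:
        status, body = b"200 OK", PATCH_NOTICE
    return (b"HTTP/1.0 " + status + b"\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n\r\n" + body)


def handle(raw, peer, log):
    """Classify one request, record (peer, variant) for abuse reporting, return the reply."""
    variant = classify_request(raw)
    if variant:
        log.append((peer, variant))
    return build_response(variant)


def serve(port=80):
    """Blocking listener; binding port 80 needs root. Not exercised by the tests."""
    import socket
    log = []
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", port))
        s.listen(16)
        while True:
            conn, addr = s.accept()
            with conn:
                conn.settimeout(5)
                try:
                    raw = conn.recv(4096)
                except OSError:
                    continue
                before = len(log)
                conn.sendall(handle(raw, addr[0], log))
                if len(log) > before:
                    print("infected client:", log[-1])


# Constructed requests: fill lengths chosen to pass the matcher, payload omitted.
SAMPLE_CR1 = b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\nHost: x\r\n\r\n"
SAMPLE_CR2 = b"GET /default.ida?" + b"X" * 224 + b"%u9090%u6858 HTTP/1.0\r\nHost: x\r\n\r\n"
SAMPLE_OK = b"GET /index.html HTTP/1.0\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_CR1, SAMPLE_CR2, SAMPLE_OK):
        print(classify_request(sample))
```

One caveat the comment glosses over: the reply is read by the worm's own socket, not by a person, so nobody on the infected host ever sees the notice. The useful output of such a listener is the `log` of infected source addresses, which is what you hand to the owning ISP's abuse desk; the response itself is at best harmless.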
As usual, NAI is two years behind the times.
I don't know what all the fuss is about- there's a little company called Captus that already has a box that deals with DDoS for you. Been available for a while, i think....I don't know why it's been so slow to catch on, though. It's a screamin' demon....
What does everyone have against an old program like Dr. Dos?
Donate background CPU time to fight cancer.
Don't you read [slashdot.org]? It works like this: You report the probing and infection to the ISP, they contact the FBI, and you're arrested.
Ugh. That's insane.
To me, that's akin to being arrested for reporting a drunk driver.
It's *my* highway, too... (I'd argue more so, since I'm not a luser running AOL on Windows 2000 with IIS running by default; *hell*, I used to have a UUCP e-mail address back in 1988, but I've ranted about that enough already). Don't *my* needs for safety on the Information Superhighway count for anything?
Prior to this, I'd always attributed intelligence to the FBI. And, I'd still like to hope that there are some Fox Mulders in the department. Unfortunately, it sounds like this guy has become the victim of an overzealous donut-eater of a prosecutor whose computer illiteracy is eclipsed only by the FBI's Keystone Kops.
Before a brush with the Peel Regional Gestapo where my truck was taken off the road for an alleged safety violation, I had held law enforcement in high regard. I'd always found cops to be friendly, helpful, diplomatic and logical.
<rant>(The truck was really ugly but the steering, brakes, body and lights were all solid and working perfectly, so they decided that they didn't like the way my battery was held down and yanked my license plates. Interestingly enough, the battery was held down exactly the same way as Chrysler held down the battery on all 149,999 other Dodge Rams they made in 1983. I had two mechanics (one of whom works at a restoration shop where they fix $500,000 Bugattis day in and day out) and a mechanical engineer testify for me that the vehicle was absolutely, perfectly safe; even so, the judge held that the Peel Regional Gestapo's cop (not a licensed mechanic) was capable of making the decision better than two mechanics and an engineer. I considered sneaking into the USA and claiming refugee status as a publicity stunt in retaliation. I took the cop aside afterwards, asked him if he had children, and then told him that I would attend church that Sunday and pray that his wife and children would both be stricken with inoperable bowel cancer. A man like him has no business procreating.)</rant>
With news like that, I start to think that it's time for me to overthrow the government of some small South Pacific island and make LawrenceLand, appointing myself head of state and chief of police. Any cop with more donuts in his squad car than measurable IQ points would be executed, by his victims, in front of the teeming masses.
Fire and Meat. Yummy.
I happened to find an interesting company at reactivenetwork.com.
It isn't just another dot-bomb or hot-dot. There is a real method behind mitigating DDOS attacks. This methodology certainly isn't suggested by this article, and therefore it is fairly senseless chatter about nothing in particular. The companies, Arbor, Asta and Mazu and McAfee, talk a lot about Zombie detection, and use an array of industry buzzwords and marketing hype surrounding Code Red to carve a niche in the market for themselves. They want to offer their services and fail to come up with a distributed scheme and proper good-traffic/bad-traffic differentiation.
I saw a demonstration of the product that Reactive Networks had. It is certainly a meritorious endeavor that deserves a closer look. It is also interesting because this is far beyond theory and academia; this is laden with applicative value. It is a Linux based detector/actuator distributed schema. It is interesting because it does a few things that could really, really make NSPs' lives much better. The first step is to recognize the good traffic from the bad. It tends to learn what network traffic is normal. It knows when a DDOS attack is coming in and mitigates the attack while letting the good traffic come through. What is amazing is that I have seen this work in a LAN at GigE speeds! I can mitigate a randomly spoofed source address attack while letting "normal" web traffic through. And this product isn't beta, prerelease, etc; it's at version 1.0.
The next time ZD's editors start babbling about something that got into the news or on CNN that had to do with technology, they should look for the real gems of technology, not sift through a pile of marketing hype and whitepapers without seeing some action. You can talk about doing something, or you can do it. AFAIK, Reactive is the only company to prove to me, whitepaper or not, that AT&T, UUNet, Sprint/MCI/WorldCom, Verizon, Savvio and others should pick up software like Reactive Network's and not worry about finding and punishing script kiddies and killing zombies. There are too many zombies to count, there are too many IPs to worry about. You have to let the good traffic through and block the evil traffic. The best way of doing this is to have a distributed triggering scheme and to identify good traffic, and to make holes for the typical good traffic and let the customers of a web site through; it's not about launching a holy crusade against script kiddies, it's fruitless.
Always look at a problem that addresses a problem. HAS a product that fixes it. And find a company that isn't about marketing buzz but about engineering a new solution that big players would be able to use to nullify the ill effects of script-kiddies.
Just my two cents
Legalize the constitution. Think for yourself question authority.
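The "learn what is normal, then make holes for the good traffic" idea the post above describes, as an added example that is not Reactive Networks' product or any code from the thread. During quiet periods it learns which source addresses are repeat clients (a source must show up in at least two learning windows, so a single burst cannot poison the list); when a window's volume crosses an attack threshold, learned sources are admitted unconditionally while all never-seen sources share a small fixed budget. Randomly spoofed sources are, by construction, never-seen, so they consume the budget and are dropped, while a genuinely new customer still gets through at reduced rate. The traffic, the thresholds and the budget are constructed assumptions; the spoofed addresses are arbitrary pseudo-random values.

```python
import ipaddress
import random


def learn_known_sources(training_windows, min_windows=2):
    """Sources that appeared in at least `min_windows` quiet windows."""
    seen_in = {}
    for packets in training_windows:
        for src in {src for src, _port in packets}:
            seen_in[src] = seen_in.get(src, 0) + 1
    return {src for src, n in seen_in.items() if n >= min_windows}


class Mitigator:
    """Admit learned sources unconditionally. While a window exceeds
    attack_threshold packets, admit at most unknown_budget packets from
    sources outside the baseline and drop the rest; in a quiet window
    everything is admitted, so the filter is invisible until needed."""

    def __init__(self, known_sources, attack_threshold, unknown_budget):
        self.known = set(known_sources)
        self.attack_threshold = attack_threshold
        self.unknown_budget = unknown_budget

    def process_window(self, packets):
        under_attack = len(packets) > self.attack_threshold
        admitted = dropped = known_admitted = unknown_admitted = 0
        for src, _port in packets:
            if src in self.known:
                admitted += 1
                known_admitted += 1
            elif not under_attack or unknown_admitted < self.unknown_budget:
                admitted += 1
                unknown_admitted += 1
            else:
                dropped += 1
        return {"under_attack": under_attack, "admitted": admitted, "dropped": dropped,
                "known_admitted": known_admitted, "unknown_admitted": unknown_admitted}


# Constructed traffic: 30 repeat web clients, an occasional stray visitor,
# and a flood from 2000 distinct pseudo-random source addresses.
KNOWN_CLIENTS = [f"203.0.113.{i}" for i in range(1, 31)]


def quiet_window(extra=()):
    return [(src, 80) for src in KNOWN_CLIENTS] + [(src, 80) for src in extra]


def spoofed_flood(n, seed=7):
    rng = random.Random(seed)
    sources = set()
    while len(sources) < n:
        addr = str(ipaddress.ip_address(rng.getrandbits(32)))
        if addr not in KNOWN_CLIENTS:
            sources.add(addr)
    return [(src, 80) for src in sorted(sources)]


def run_demo():
    """Train on three quiet windows, then process one quiet and one attack window."""
    training = [quiet_window(), quiet_window(extra=["198.51.100.200"]), quiet_window()]
    known = learn_known_sources(training)
    m = Mitigator(known, attack_threshold=200, unknown_budget=50)
    quiet = m.process_window(quiet_window(extra=["198.51.100.201", "198.51.100.202"]))
    attack = m.process_window(quiet_window() + spoofed_flood(2000))
    return {"known_count": len(known), "quiet": quiet, "attack": attack}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The design choice worth noticing is that nothing here tries to recognise an attacker: the filter only has to recognise its own customers, which is a much smaller and more stable set, and that is what makes it workable against source addresses that change on every packet. The obvious weakness is an attacker who sends from real, unspoofed hosts that were already in the baseline; the learned set then has to be pruned by per-source rate as well, which this example does not do.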
it's like that Michael Jackson song from the 80's:
I'm starting with the man in the middle
ddos'n ddos detection system, so cool, now I gotta go learn how to program.
The simplest and most effective solution is a clause in the ISP's terms of service reserving the right to disconnect infected machines.