Anti-DDOS Alliance In The Works?
Rackemup writes: "This article on ZDNET says McAfee and some anti-DDOS vendors are finally teaming up to address DDOS attacks and Code-Red-like network scanning. Seems like they're finally catching on that a purely reactive approach to Internet and virus attacks isn't going to cut it anymore, even after all the media coverage of these latest virus attacks there are still loads of zombie machines out there merrily scanning away, looking for others to infect."
It was called a Mac User group in the 80's, but now, I don't see how it could be relevant.
I love you Stéphanie
We did it.. Yep, we saved you from a huge attack that would have crippled your network.. No, honestly, we did.. Please see attached invoice.
air and light and time and space
we all know that the only way to kill a zombie machine is to accidentally lose one's hand, therefore, giving one the opportunity to replace it with a chainsaw and hack away (physically) at the undead machines.
Imagine if routers could be dynamically updated to intelligently scan traffic for DDOS attack patterns and block these before any host in the internal network even sees it.
MIT has done a lot of work in this area of "Active Networking".
There's 10 types of people in this world, those who understand binary and those who don't.
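The comment above imagines routers that recognise DDoS and Code-Red-style scanning patterns in transit. As an added illustration (not code from the article, from McAfee, or from the MIT active-networking work), here is one simple detector for the scanning half of that idea: a host that opens SYNs to many distinct destinations on the same port within a short window is flagged. The flow-record format, the `find_scanners` and `parse_flow` names, the thresholds and the sample records are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not real traffic), one per line:
# "<epoch_seconds> <src> -> <dst>:<port> <tcp_flags>"
# 203.0.113.7 sweeps six web servers in one second; 192.0.2.40 touches five
# servers but only one every 30 seconds; the rest are ordinary clients.
SAMPLE_FLOWS = """\
1000.0 203.0.113.7 -> 198.51.100.10:80 S
1000.2 203.0.113.7 -> 198.51.100.11:80 S
1000.4 203.0.113.7 -> 198.51.100.12:80 S
1000.6 203.0.113.7 -> 198.51.100.13:80 S
1000.8 203.0.113.7 -> 198.51.100.14:80 S
1001.0 203.0.113.7 -> 198.51.100.15:80 S
1000.1 192.0.2.20 -> 198.51.100.10:80 S
1000.3 192.0.2.20 -> 198.51.100.10:80 A
1003.0 192.0.2.20 -> 198.51.100.10:443 S
1000.5 192.0.2.30 -> 198.51.100.10:80 S
1001.5 192.0.2.30 -> 198.51.100.20:80 S
1002.5 192.0.2.30 -> 198.51.100.30:80 S
1000.0 192.0.2.40 -> 198.51.100.40:80 S
1030.0 192.0.2.40 -> 198.51.100.41:80 S
1060.0 192.0.2.40 -> 198.51.100.42:80 S
1090.0 192.0.2.40 -> 198.51.100.43:80 S
1120.0 192.0.2.40 -> 198.51.100.44:80 S
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<flags>\S+)$"
)


def parse_flow(line):
    """Parse one record into (timestamp, src, dst, port, flags); None if malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return (float(m["ts"]), m["src"], m["dst"], int(m["port"]), m["flags"])


def find_scanners(lines, port=80, window_s=10.0, threshold=5):
    """Return {src: peak_distinct_destinations} for every source whose SYNs to
    `port` reach at least `threshold` distinct destinations inside some
    window_s-second window. Non-SYN packets and other ports are ignored, so a
    busy client talking to one server does not trip the rule."""
    events = defaultdict(list)          # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                    # skip garbage rather than crash
        ts, src, dst, p, flags = rec
        if p == port and "S" in flags:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order
        peak = 0
        for i, (t0, _) in enumerate(evs):
            seen = {d for t, d in evs[i:] if t - t0 <= window_s}
            peak = max(peak, len(seen))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS.splitlines()))   # fast sweeper only
    print(find_scanners(SAMPLE_FLOWS.splitlines(), window_s=200.0))  # slow one too
```

The window size is the tunable that matters: with a 10-second window only the fast sweep is reported, while widening it to 200 seconds also catches the host that probes one server every half minute, at the cost of more state per source. A real in-router implementation would keep a bounded per-source structure rather than the full event list used here.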
Apparently they read my post on this subject. :)
There is no doubt in my mind that ISPs need to take better action. I should be able to report probing and infection to the ISP, and they should investigate the other party. If it's a rogue hacker, they report them to the authorities. If it's a virus, the other party should be notified and their connection pulled until the system is disinfected.
Having had my Linux box infected/hacked via the WU-FTPd bug, I know that this is not limited to Windows machines.
In fact, I might even be open to public financing of ISPs' investigation departments under a law-enforcement arm. This is a public nuisance issue. Just as you don't want a fire at your neighbor's house setting fire to your house*, we should have "fire fighters" putting out viruses as well.
*Incidentally, to all the Libertarian wackos who think that fire departments should be privately hired by each homeowner, this is why it needs to be under the "promote the general welfare" part of the constitution.
Sometimes it's best to just let stupid people be stupid.
... I wish there was an ethernet "magic packet" I could send to the wee shit that's been trying every NT4 and Win2K exploit against my machine, which would connect his ethernet cable between phase and neutral. A big relay and some logic ought to do it, 240v up his Cat 5 would stop him pissing me off.
They've been at it all weekend now.
..All this talk of 'hackers' and 'zombies' shutting down websites.. Don't you understand? They're going to shut down Slashdot!! Where else do thousands of hackers gather together to load a single webpage all at one time, blocking 'legitimate' access? Oh! What's to be done! Won't somebody please think of the children!
Here's a list of groups actively working on Anti-DOS projects:
RedHat
Slackware
Debian
One of the first
Honestly, while I agree that we must stop DOS at all costs, I fail to see why this is news. Hell, it could be argued that even McRosoft themselves do a good job at getting people to quit using the product.
I can just see it now:
McAfee StrikeBack(tm) contains an [ActiveX|DLL] vulnerability, causing [malicious email|specially formatted string on port XXX] to [crash the box|get root|return false results to unintended targets]. Users are advised to [upgrade|disable until upgrade posted|other].
Not that I'm against it, as such, but we're talking about the Keystone Kops of security, here.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Err.... Won't really stop code red. None of the packets sent to other computers were forged at all. Kind of sucks that way.
Until incoming packets can be torn down, analyzed, and a determination made to allow/deny at a rate equal to or greater than the wire speed at the router device, DDoS will always be possible. Yeah, you can throttle forged-source-address attacks just dandy, but your site is still screwed if the sheer amount of inbound packets pegs the CPU/memory on your router(s) to where it falls behind in processing the queue.... There are some methods you can put into hardware (ASICs etc.), but unlike SSL accelerator cards (like in the F5 or Foundry) and similar approaches, the complexity at that front end would make the cost of the solution prohibitive or result in still more dedicated devices (load balancers etc.) at the network level... and there's always going to be a bottleneck to cause things to jam.
Amoeba
Do not taunt Happy-Fun Ball