Slashdot Mirror

← Back to Stories (view on slashdot.org)

Distributed Computing for Tracking Net Problems?

Posted by Cliff on from the how-effective-would-it-be dept.

Osrin asks: "A software firewall package that came with a recent computer purchase is using a site called MyNetWatchman to track, catalog and escalate firewall incidents back to ISPs. I was wondering what Slashdot readers think of this type of solution and which other Internet problems it would lend itself to helping resolve?"

15 comments

  1. Dshield too by isn't+my+name · · Score: 4, Interesting

    Dshield also performs a similar service. Between it and mynetwatchman, they do seem to perform a valid service. With the fast-acting worms, they may not be able to do anything on new worms before it is too late, but they are in an excellent position to track trends and they are going to see some of the preliminary scans that go on as someone is testing an early exploit.

    I'm waiting for the time that data from those two sources is actually used to track down someone who releases an exploit. I really think it is only a matter of time.

    1. Re:Dshield too by Bad+Boy+Marty · · Score: 2, Interesting

      Note that Dshield has a number of prepackaged clients to submit data, including both ipchains & iptables (Linux) log analyzers, as well as a host of others.

      Even with the spoofing of IP addresses available easily via nmap, it still seems like contributing to the database is a Good Thing[TM]....

      --
      RHCE; are you certified? Karma: ambiguous.
    2. Re:Dshield too by phorm · · Score: 2, Insightful

      track down someone who releases an exploit.

      Really, this is more the case of "track somebody who releases a virus using an exploit." The problem with this is that crackers can and often will seed the virus through more conventional methods (kazaa, hijacked email, etc), and allow others to infect themselves and thus continue on with the trend.

    3. Re:Dshield too by isn't+my+name · · Score: 1

      The problem with this is that crackers can and often will seed the virus through more conventional methods (kazaa, hijacked email, etc), and allow others to infect themselves and thus continue on with the trend.

      Oh, I completely agree. Howver, before they have the virus totally debugged, if you are talking a new exploit, there have to be some small probes and packets sent out into the wild to test things. Of course, these are probably going to go through zombie computers, but I still think that one day in the forensics after the fact that mynetwatchman or dshield will have data on the early tests that will be used to track someone down.

  2. Umm this isn't the first by jelevy01 · · Score: 2, Informative

    This has been going on for a while and you may not have known it. Earthlink and many other ISP's have been using Visual Network's IP Insight in your branded dialers for many years to track QOS and connection statictics under your nose...

  3. Too much greed... by wal · · Score: 4, Insightful

    The internet is too saturated with greed to allow any kind of distibuted application viable on the internet.

    As soon as any type of app becomes widely used enough to make it worth while it is either bought up and ruined by any number of corporations or sued and shutdown for some kind of obscure copyright violation in order to allow for a bigger and better solution from the copyright holder which will inturn be so ridden with spyware that it will never get used.

    Not that I am a pessimist or anything...

    1. Re:Too much greed... by ldspartan · · Score: 1, Funny

      Yeah! Like... WinAmp! AOL really ruined that!

      Oh, wait, no, thats wrong... Winamp 3 may have been stupid, but that wasn't AOL's fault.

      Anyway, thats the only counterexample I could come up with, so take that as you will.

      --
      lds

  4. Spoofed addresses by Anonymous Coward · · Score: 5, Informative
    When blocking a TCP connection most firewalls will just drop the SYN packet and log it. Since the 3-way handshake has not been completed, it is impossible to verify the source address and silly to notify the "sending" ISP. If you actually ran a service on that port which accepted, logged, and closed the connection, then it would be OK (but there's no trick like this to detect spoofed UDP packets).

    nmap has an option ("-S") to spoof the source address. Here's the documentation from the man page:
    Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! This is not a supported usage (or the main purpose) of this flag. I just think it raises an interesting possibility that people should be aware of before they go accusing others of port scanning them. -e would generally be required for this sort of usage.
    You could also combine this with the -D (decoy) option, which accepts a list of addresses to spoof. More text from the same man page:
    The real moral of the story is that detectors of spoofable port scans should not take action against the machine that seems like it is port scanning them. It could just be a decoy!
  5. Yes, but. . . by isn't+my+name · · Score: 3, Insightful

    All valid points, but the bulk of the worm infestations out there aren't spoofing becuase then they can't spread the infection. Given the number of ip addresses that mynetwatchman.com or dshield.org has reporting to them and the fact that they both require independent reports from multiple sources on ports with known exploits before making any type of report, the overwhelming majority of those reports are going to be for infected machines.

    1. Re:Yes, but. . . by Anonymous Coward · · Score: 3, Informative

      All valid points, but the bulk of the worm infestations out there aren't spoofing becuase then they can't spread the infection.

      Worms that spread over UDP (like Blaster) could spread using spoofed packets since they don't require two-way communication. That would probably force a lot of ISPs to install egress filters.

      Even worms that spread using TCP could send some spoofed packets occasionally, just to screw with these distributed tracking systems.

      Given the number of ip addresses that mynetwatchman.com or dshield.org has reporting to them and the fact that they both require independent reports from multiple sources on ports with known exploits before making any type of report, the overwhelming majority of those reports are going to be for infected machines.

      A spoofed scan could still trigger that - I could scan thousands of machines while spoofing your IP address as the source, using a port with a known exploit. Somebody would probably report this to your ISP - and depending on how clueless your ISP is, they might think you're infected.

      Or if a worm is spoofing, it could find IP addresses of non-vulnerable machines and use those as the source addresses for spoofed packets. If it sent 3 spoofed packets for every real packet, any packet you received would have a 75% chance of being fake.

    2. Re:Yes, but. . . by bobbozzo · · Score: 1
      Worms that spread over UDP (like Blaster) could spread using spoofed packets since they don't require two-way communication. That would probably force a lot of ISPs to install egress filters.

      IIRC, Slammer DID spoof. Fortunately, it was easy for the backbone carriers to drop the port it used, as it wasn't port 80 or any other critical port.

      With a port 80 worm, you can't block it easily.

      --
      Nothing to see here; Move along.
  6. Tracking VS Reacting by mstovenour · · Score: 1

    Could the feedback loop be closed so that the "service" would corelate an attack and then update the firewall filters on each host? Clearly there are trust issues to overcome, but for the sake of this discussion, let's assume the trust issue can be solved.

    1. Re:Tracking VS Reacting by AMystery · · Score: 1

      I think that is a way of the future, and probably will be right before the internet becomes self aware. everything that happens causes changes, those changes propogate out, it becomes an environment where each node is intelligent and responsive, not merely passive.

      A worm appears, it affects the first few boxes and they report out what is happening and then the network adapts. Isn't that how the Borg developed? MmM, Borg vs SkyNet. This could get interesting.