Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Providers Band Together to Fight Evil

Posted by timothy on from the hola-arborites dept.

toadlife writes "A group of prominent Internet providers are teaming up with a security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of Arbor Networks Peakflow SP internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?"

3 of 116 comments (clear)

  1. Barracuda Networks by p0 · · Score: 5, Informative

    The best example for collaborative evil fighting is www.barracudanetworks.com

    --
    This is my sig. There are thousands more, but this one is mine.
  2. How it works by hal9000(jr) · · Score: 5, Informative

    Ok, Peakflow SP tracks and reports on network flows and the associated data gleaned from a flow such as src/dst IP addresses and ports, bytes transferred, duration of flow, etc. It does't capture packet data (though you can do that on a limited basis). A flow is a unique network transaction that starts with the first packet from a source to a destination and ends with either a time-out(no packet sent) or in the case of TCP, a close sequence (RST, FIN).

    What is interesting about this is that traffic like DoS/DDoS attacks port scans have unique network fingerprints. For example, a DDoS attack is a large amount of traffic to a single source, often without any return traffic. That is unusual. Sure, the /. effect might trigger a DoS alert, but someone has to go investigate the cause. Besides, how many sites get /.ed on a daily basis? But in general, flash traffic would be seen.

    What this means for service providers, hopefully, is that they can more quickly respond to attacks and improve the general health of the networks they manage by locating the source of the malicious traffic more quickly.

  3. Re:"Evil"? by hal9000(jr) · · Score: 5, Informative

    If I read this correctly, if you take part in a DDOS attack also known as "Slashdotting",

    No, a denial of service against a web server such as a syn flood or a resource attack doesn't look like /.ing. When a /. event occurs, the clients actually try to complete the TCP connections and HTTP transactions. The flow of data is two way. Think about what HTTP looks like from a packet perspective. From client to server, the initiation of the HTTP session, small packets to the server signifying GETs and POSTs or TCP ACK, and more data from server to client returning pages, images, etc. It's a pretty well known behavior.

    In a denial of service like a syn flood, there are a bunch of incomplete TCP handshakes, often from the reserved address space. In a resource starvation attack, the TCP may complete, but the client doesn't actually send any traffic to the host, in the case of an HTTP transation, would be a GET or a POST--so you get a TCP set-up and then nothing else.

    In a /. event, what Peakflow will is a a spike in traffic but it will also see that clients are attempting transactions and they are coming from valid addresses (non reserved). That looks different.

    See?