Slashdot Mirror
Internet Providers Band Together to Fight Evil
toadlife writes "A group of prominent Internet providers are teaming up with a security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of Arbor Networks Peakflow SP internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?"
How about: "It sounds a bit like SkyNet, doesn't it?"
DDOS attacks? BitTorrent traffic? Spam email? Slashdotting? Seems a bit too vague to be good.
If the cat can't experience its own death, nothing will ever kill you. (No, really!)
From TFA: Arbor Networks added the Fingerprint sharing capability to Peakflow SP to allow companies to share attack fingerprints automatically without revealing any competitive information.
The notion of "Fingerprints" is interesting, I wonder if this will really stop the spammers and other cyber-criminals.
As for the revealing competitive information I dont care revealing anything these bastards could have, you know, they keep pissing people so, why have any consideration ??
Ubuntu is an African word meaning 'I can't configure Debian'
This all seems to vague to work, a box that could be exploitable reporting "evil" acts to others, there's something missing here
I can't see this working unless they make it more secure, and define what "evil" is
Business Voyeur
Will they all be wearing spandex bodysuits and flowing capes to work?
Ok when i first read this , i had images of a bunch of guys in orange suits bursting into peoples houses and Instaling firefox and anti spyware software on windows machines, then just before diving out the window shouting "All in a days work Ma'am"
. ,which has been around for a good while i have been amazed how many ISPs are actualy doing very little about it , I have my theorys why some do so little (pay per bandwidth is becoming rather popular these days) though most are not like this.
After reading the story though , i must say "About fragleing time "
As the submitter mention razor
The sooner ISPs take a proactive(shudder jargon word) stand against offenders and start to disalow the traffic or manage problems (im aware many people are victums , but this gives them an alert that they have an infected PC ), the sooner we can start to enjoy our times online without fear of Spam or fear that our servers will be DDoS'ed into the ground.,
The only things certain in war are Propaganda and Death. You can never be sure which is which though
The best example for collaborative evil fighting is www.barracudanetworks.com
This is my sig. There are thousands more, but this one is mine.
Powerful is he who overpowers his temptations.
A group of prominent Internet providers :\
Not after we slashdotted them
Shouldn't these so called "Internet providers" cope with a small increase in traffic?
This could be the greatest comic book. Ever.
Last I looked, Google was not an Internet provider. Even more damning to your case, none of the three companies you mentioned seem to be included in the alliance.
Initiatives such as this one are part of a move toward an internet immune system -- active systems that watch for and halt undesirable activities. But like the mammalian immune system, it will doubtless be subject to false positives. This raises the potential for auto-immune diseases such as when someone's IP is inappropriately blacklisted.
The core of the problem will be a disconnect between the fast response time required for properly halting fast-spreading malware (e.g., a compact worm that attacks even just 1% of hosts will probably double its infected base every second and saturate the entire net within a minute) and the slower response times of human-mediated due-process procedures. The need to quickly halt infections will lead to a hair-trigger system that may shutdown innocent hosts or kill legitimate activity.
Internet auto-immune diseases are potentially quite serious as that actually create a serious new vulnerability. Criminals could try to trigger an immune response on a target and trigger an immunity-DOS response on the target by using the system against itself.
Two wrongs don't make a right, but three lefts do.
Ok, Peakflow SP tracks and reports on network flows and the associated data gleaned from a flow such as src/dst IP addresses and ports, bytes transferred, duration of flow, etc. It does't capture packet data (though you can do that on a limited basis). A flow is a unique network transaction that starts with the first packet from a source to a destination and ends with either a time-out(no packet sent) or in the case of TCP, a close sequence (RST, FIN).
/. effect might trigger a DoS alert, but someone has to go investigate the cause. Besides, how many sites get /.ed on a daily basis? But in general, flash traffic would be seen.
What is interesting about this is that traffic like DoS/DDoS attacks port scans have unique network fingerprints. For example, a DDoS attack is a large amount of traffic to a single source, often without any return traffic. That is unusual. Sure, the
What this means for service providers, hopefully, is that they can more quickly respond to attacks and improve the general health of the networks they manage by locating the source of the malicious traffic more quickly.
Subject says it all, and it's pretty much all I want, a automated system where by if I say I don't want to recieve ICMP messages for the next hour, my ISP firewalls them off.
A similar system could be employed by the ISP to inform the backbone to stop sending them specific types of packet for a while, and mabie evolved so that backbones can tell large ISPs to filter some of there customers from sending packets at a specific target.
First of all, some more details about this project can be found here.
There is nothing new about the idea, in fact, it's long overdue. There is however something new in the idea having a practical implementation. The problem so far was that various network operators use very different hardware and software to monitor their networks (if at all..), thus, the idea of a 'fingerprint' may vary. Sharing becomes difficult.
By standarlizing on one platform (Arbor Networks PeakFlow SP), this becomes possible. All operators have the same device, which, coupled with this functionality, can finally bring this idea to life.
PeakFlow SP are Intel/OpenBSD boxes with additional Arbor software. They do however retail for 120,000$ per collector unit, and a collector unit can only proccess data from up to 5 devices (usually routers which export NetFlow formatted data). This is quite a steep entrance fee to pay for the pleasure; and many of the smaller players will never be able to afford this.
In fact, it's all not much more than clever marketing for overpriced Arbor devices; without the initiative, you can easily look toward other products (Cisco GuardXT, ex-Riverhead, many others). With the initiative, you now have a bit more of a reason to send $120,000 to Arbour.
Expect every security vendor to have a similar central fingerprinting repository soon. Non-compatible with one another, ofcoure.
http://netsquid.tamu.edu/
When I read "Internet Providers Band Together to Fight Evil" for some reason I had the mental image of a bunch of kids with the names of major ISPs written on their T-shirts running around with rings containing the power of broadband, low latency etc.
Whenever the evil Doctor Congestion and Señor Spam try to take over the 'Net they come together to summon Captain Internet who saves the day and educates us about how to use up less bandwidth.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
If they would but do it this coalition could expand their concern to the detection and prevention of zombie spam (that is, abuse of systems within each provider's IP space as zombies) they could begin the process of eliminating spam. Not dealing with spam, eliminating spam. It's long past time for that.
The great unexploited opportunity for eliminting spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.
The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intemediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.
All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philospohy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is bieng intercepted. It's always good to make life harder for the spammers, to add to their burden.)
(goofy tech looking at LAN Monitor) What's that on the LAN ?
Is it a torrent packet ?
Is it a ping ?
No... it's ISP man !!!!
I just hope they wear good tights. Superheros need good tights.
Sky subscribers are morons. They pay to be advertised at !
Will they all be wearing spandex bodysuits and flowing capes to work?
Oh god, please... NO. I have this delicate image of a 300 pound sysadmin with greasy hair and beard wearing what you described. For some reason, I have now completely lost my appetite...
"These people have lives outside of slashdot, you know."
Would that I could mod this +10 Insightful and put it up in 40-point flashing type.
Ignorance is curable, stupid is forever.