Slashdot Mirror


Internet Providers Band Together to Fight Evil

toadlife writes "A group of prominent Internet providers are teaming up with the security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of the Arbor Networks Peakflow SP internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?"

12 of 116 comments

  1. "It sounds a bit like Razor, doesn't it?" by Moskie · · Score: 5, Funny

    How about: "It sounds a bit like SkyNet, doesn't it?"

  2. "Evil"? by Markus+Persson · · Score: 5, Insightful

    DDOS attacks? BitTorrent traffic? Spam email? Slashdotting? Seems a bit too vague to be good.

    --
    If the cat can't experience its own death, nothing will ever kill you. (No, really!)
    1. Re:"Evil"? by KiloByte · · Score: 4, Insightful

      Uh oh.
      If I read this correctly, if you take part in a DDOS attack also known as "Slashdotting", it takes just a single trigger-happy sysadmin somewhere on the way to knock you and the rest of us from the participating networks.

      The article is pretty vague, and if I read correctly, there _is_ a human factor involved. Of course, humans are better than machines at telling apart a bone-fide Slashdotting (beh, a "bona-fide" DDOS attack :p ) from something that's meant just to destroy.

      However, our bona-fide attack just took their server down. We're entering a gray area here: is it still a legitimate flash crowd? It's often hard to tell. The problem is, until today, the one who used to lose was the affected server. If enough backbone ISPs will join this alliance, it will be us getting hurt by the collateral damage.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:"Evil"? by hal9000(jr) · · Score: 5, Informative

      If I read this correctly, if you take part in a DDOS attack also known as "Slashdotting",

      No, a denial of service against a web server such as a syn flood or a resource attack doesn't look like /.ing. When a /. event occurs, the clients actually try to complete the TCP connections and HTTP transactions. The flow of data is two way. Think about what HTTP looks like from a packet perspective. From client to server, the initiation of the HTTP session, small packets to the server signifying GETs and POSTs or TCP ACK, and more data from server to client returning pages, images, etc. It's a pretty well known behavior.

      In a denial of service like a syn flood, there are a bunch of incomplete TCP handshakes, often from the reserved address space. In a resource starvation attack, the TCP may complete, but the client doesn't actually send any traffic to the host, which in the case of an HTTP transaction would be a GET or a POST--so you get a TCP set-up and then nothing else.

      In a /. event, what Peakflow will see is a spike in traffic, but it will also see that clients are attempting transactions and they are coming from valid addresses (non-reserved). That looks different.

      See?

  3. hmm by Sv-Manowar · · Score: 4, Interesting

    This all seems too vague to work, a box that could be exploitable reporting "evil" acts to others, there's something missing here

    I can't see this working unless they make it more secure, and define what "evil" is

  4. MSIE Deletion squad by FidelCatsro · · Score: 4, Interesting

    Ok, when I first read this, I had images of a bunch of guys in orange suits bursting into people's houses and installing Firefox and anti-spyware software on Windows machines, then just before diving out the window shouting "All in a day's work, Ma'am"

    After reading the story though, I must say "About fragleing time".
    As the submitter mentions Razor, which has been around for a good while, I have been amazed how many ISPs are actually doing very little about it. I have my theories why some do so little (pay per bandwidth is becoming rather popular these days) though most are not like this.
    The sooner ISPs take a proactive (shudder, jargon word) stand against offenders and start to disallow the traffic or manage problems (I'm aware many people are victims, but this gives them an alert that they have an infected PC), the sooner we can start to enjoy our time online without fear of spam or fear that our servers will be DDoS'ed into the ground.

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  5. Barracuda Networks by p0 · · Score: 5, Informative

    The best example for collaborative evil fighting is www.barracudanetworks.com

    --
    This is my sig. There are thousands more, but this one is mine.
  6. prominent...... by mwdmeyer · · Score: 4, Funny

    A group of prominent Internet providers
    Not after we slashdotted them :\

    Shouldn't these so called "Internet providers" cope with a small increase in traffic?

  7. "Internet Providers Band Together to Fight Evil" by TheSpeedoBeast · · Score: 4, Funny

    This could be the greatest comic book. Ever.

  8. Internet autoimmune diseases by G4from128k · · Score: 4, Informative

    Initiatives such as this one are part of a move toward an internet immune system -- active systems that watch for and halt undesirable activities. But like the mammalian immune system, it will doubtless be subject to false positives. This raises the potential for auto-immune diseases such as when someone's IP is inappropriately blacklisted.

    The core of the problem will be a disconnect between the fast response time required for properly halting fast-spreading malware (e.g., a compact worm that attacks even just 1% of hosts will probably double its infected base every second and saturate the entire net within a minute) and the slower response times of human-mediated due-process procedures. The need to quickly halt infections will lead to a hair-trigger system that may shutdown innocent hosts or kill legitimate activity.

    Internet auto-immune diseases are potentially quite serious, as they actually create a serious new vulnerability. Criminals could try to trigger an immune response on a target and trigger an immunity-DOS response on the target by using the system against itself.

    --
    Two wrongs don't make a right, but three lefts do.
  9. How it works by hal9000(jr) · · Score: 5, Informative

    Ok, Peakflow SP tracks and reports on network flows and the associated data gleaned from a flow such as src/dst IP addresses and ports, bytes transferred, duration of flow, etc. It doesn't capture packet data (though you can do that on a limited basis). A flow is a unique network transaction that starts with the first packet from a source to a destination and ends with either a time-out (no packet sent) or, in the case of TCP, a close sequence (RST, FIN).

    What is interesting about this is that traffic like DoS/DDoS attacks and port scans have unique network fingerprints. For example, a DDoS attack is a large amount of traffic to a single source, often without any return traffic. That is unusual. Sure, the /. effect might trigger a DoS alert, but someone has to go investigate the cause. Besides, how many sites get /.ed on a daily basis? But in general, flash traffic would be seen.

    What this means for service providers, hopefully, is that they can more quickly respond to attacks and improve the general health of the networks they manage by locating the source of the malicious traffic more quickly.
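The two hal9000(jr) comments above (distinguishing a Slashdotting from a SYN flood or a resource-starvation attack, and describing the flow attributes Peakflow SP records) can be turned into a small, self-contained classifier. This is an added example, not code from the thread or from Arbor Networks: the flow records, the bogon list and the thresholds are all constructed assumptions, chosen so the three shapes of a traffic spike come apart on flow-level data alone.

```python
# Added example (not from the thread or from Arbor Networks): a toy flow
# classifier that applies the distinctions drawn in the thread between a
# Slashdotting (flash crowd), a SYN flood and a resource-starvation attack,
# using only flow-level attributes. Records and thresholds are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str                  # source (client) address
    dst: str                  # destination (server) address
    dport: int                # destination port
    handshake_complete: bool  # three-way handshake finished (SYN/SYN-ACK/ACK)
    bytes_to_server: int      # payload bytes client -> server (the GET/POST)
    bytes_to_client: int      # payload bytes server -> client (pages, images)
    ended_by: str             # "FIN", "RST" or "timeout"


# Address space that should not appear as a source on the public Internet.
# Deliberately incomplete: a real bogon list is longer and changes over time.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def classify_spike(flows: Iterable[Flow]) -> dict:
    """Summarise a burst of flows to one destination and name its shape.

    The thresholds are assumptions chosen for the constructed samples below;
    a real deployment would derive them from a measured baseline."""
    flows = list(flows)
    n = len(flows)
    if n == 0:
        return {"verdict": "no-traffic", "flows": 0}
    completed = sum(1 for f in flows if f.handshake_complete)
    requested = sum(1 for f in flows if f.handshake_complete and f.bytes_to_server > 0)
    two_way = sum(1 for f in flows if f.bytes_to_server > 0 and f.bytes_to_client > 0)
    bogon = sum(1 for f in flows if is_bogon(f.src))
    summary = {
        "flows": n,
        "unique_sources": len({f.src for f in flows}),
        "handshake_rate": completed / n,
        "request_rate": requested / completed if completed else 0.0,
        "two_way_rate": two_way / n,
        "bogon_rate": bogon / n,
    }
    if summary["handshake_rate"] < 0.5 or summary["bogon_rate"] > 0.3:
        # Mostly half-open connections and/or sources from reserved space.
        summary["verdict"] = "syn-flood"
    elif summary["request_rate"] < 0.5:
        # Handshakes complete, then the client goes silent: no GET/POST arrives.
        summary["verdict"] = "resource-starvation"
    elif summary["two_way_rate"] >= 0.8:
        # Real clients from routable space completing HTTP transactions.
        summary["verdict"] = "flash-crowd"
    else:
        summary["verdict"] = "indeterminate"
    return summary


SERVER = "198.51.100.10"  # constructed server address (documentation range)


def sample_flash_crowd() -> List[Flow]:
    # 200 distinct routable clients, each completing a normal HTTP exchange.
    return [Flow(f"203.0.113.{i + 1}", SERVER, 80, True, 300, 15000, "FIN")
            for i in range(200)]


def sample_syn_flood() -> List[Flow]:
    # 200 half-open connections; 40% carry spoofed sources from 10.0.0.0/8.
    srcs = [f"10.0.{i // 256}.{i % 256}" if i % 5 < 2 else f"203.0.113.{i + 1}"
            for i in range(200)]
    return [Flow(s, SERVER, 80, False, 0, 0, "timeout") for s in srcs]


def sample_resource_starvation() -> List[Flow]:
    # Handshakes complete from a handful of routable hosts, then silence.
    return [Flow(f"203.0.113.{i % 5 + 1}", SERVER, 80, True, 0, 0, "timeout")
            for i in range(200)]


if __name__ == "__main__":
    for name, sample in (("flash crowd", sample_flash_crowd()),
                         ("syn flood", sample_syn_flood()),
                         ("resource starvation", sample_resource_starvation())):
        print(name, "->", classify_spike(sample)["verdict"])
```

The ordering of the checks matters: the SYN-flood test runs first because a half-open flood also has a request rate of zero, and the bogon-source test is an independent signal so that a flood with completed-looking handshakes from reserved space is still caught. As the "How it works" comment notes, an alert like this is a prompt for a human to investigate, not an automatic block.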

  10. This could be perfect for fighting zombie spam by minas-beede · · Score: 4, Insightful

    If they would but do it, this coalition could expand their concern to the detection and prevention of zombie spam (that is, abuse of systems within each provider's IP space as zombies) and they could begin the process of eliminating spam. Not dealing with spam, eliminating spam. It's long past time for that.

    The great unexploited opportunity for eliminating spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.

    The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intermediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.

    All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philosophy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is being intercepted. It's always good to make life harder for the spammers, to add to their burden.)