Visual DDoS Representation and Its Ramifications

winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."

Visual DDoS?

Is the a new programming language from Microsoft?

Re:Visual DDoS?

[Mister+Transistor]

Nope, but it IS Windows based...

Neat!

[failure-man]

Can it build a map for a /.ing?

Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.

Re:Neat!

[geomon]

Not exactly a map, but a nice graph of a site getting slashdotted.

Re:Neat!

[notAyank]

Thanks to you we can all watch it happen all over again!

Re:Neat!

[geomon]

Thanks to you we can all watch it happen all over again!

True, but I suspect that due to the time of day it will probably not reach the hits per second that it did in the *two* other occasions that the server was stressed.

And this one wasn't associated with a post that emanated from their department. That ought to keep the admin busy for a few minutes.

Re:Neat!

[DigiShaman]

WTF? No "funny" mod yet? It sure deserves one :P

Re:Neat!

[RemovableBait]

Nice... now they can have history repeat itself.

:)

Re:Neat!

[william.gunn]

I can't believe the graph doesn't show how long it takes for the increased activity to fall off! It would show the "attention span" of /.

In the future will we have net traffic reports?

[rokzy]

I hope not!

isn't the whole point that there's redundancy and stuff to make things reliable and invisible to the end user?

time spent visualising problems is a total waste unless you use it to stop the problem happening again. and prevention is better than cure.

Re:In the future will we have net traffic reports?

[miaDWZ]

In the future will we have net traffic reports

hah, too late.

http://www.internettrafficreport.com/

Better

This site has a much better visualisation of zombie infections.

Re:Better

[kiddailey]

Funny... but don't ever link to a website that resizes your browser window again, or we'll be forced to kill you ;)

Europe has most zombie infested networks..

[guyfromindia]

From TFA, Overall, Europe has the most zombie infested networks ranking over the United States.
Considering the PC usage in United States, versus Europe, it is really surprising that most zombie infested networks are in Europe... Is it because people in US are better at defending their PC, than Europe... ? (comparitively speaking)

Re:Europe has most zombie infested networks..

Clearly, their PCs must be liberated.

Re:Europe has most zombie infested networks..

[Tyler+Eaves]

Errm, the total population of Europe alone is easily twice the US, at least.

Re:Europe has most zombie infested networks..

[martin-boundary]

Unfortunately, the statistics are meaningless, and therefore so is your conclusion.

TFA reports number of networks (but not how big the compared networks are, so if Europe has two networks with 10 connected PCs each that's what compared to the US with one network with 100 connected PCs, say?) and infections per capita (which is also meaningless because capita measures population size, not number of internet connected PCs. They should at least give the number of households connected to the internet in each country).

Re:Europe has most zombie infested networks..

[HermanAB]

Almost 2/3: USA = 295M EU = 457M

Re:Europe has most zombie infested networks..

[meestaplu]

Another issue is the proliferation of broadband connections. Europe has a lot more of these than the US, and they are generally faster. A 10 mbps connection in the US is pretty much unheard of -- my Comcast 4.5 mbps connection is considered excellent -- while 10 mbps is commonplace in Sweden and other European countries.

Re:Europe has most zombie infested networks..

[xenocide2]

The rankings are per capita, which means they're adjusted for population.

Re:Europe has most zombie infested networks..

[Stauf]

The rankings are per capita, which means they're adjusted for population.

From the article: "Overall, Europe has the most zombie infested networks ranking over the United States. Hong Kong is the most infested network per capita."

So the 'Europe has more' figure is explicitly not adjusted for population.

Re:Europe has most zombie infested networks..

[ravloony]

Yup. I'm on a 20Mbps one in France :-)

Re:Europe has most zombie infested networks..

Psst... they don't have any oil.

Re:Europe has most zombie infested networks..

err.. Europe != EU.

Re:Europe has most zombie infested networks..

[xenocide2]

Most of the European states beat out the US in the per capita ranking, given by the table in the article.

Re:Europe has most zombie infested networks..

[Stauf]

But that doesn't prove anything. If 10% of 100 people puts LittleCountryA at the top of the list, but BiggerCountryB has 1% of 1000 and is at the bottom of the list - then out of the total population, 20 machines of 1100 people or not even 2% are infected.

So, the argument that most european countries beat out the US in the per capita ranking does not support the argument that those same european countries, taken as part of a whole will beat the US per capita. That's not to say that it proves it won't, but your data isn't relevant to your conclusion.

Re:Europe has most zombie infested networks..

[mad_goldfish]

Well, I didn't see the figure take into account the penetration of PC and Broadband in various countries. Hong Kong is very connected, so you'd expect it's per capita infection rate to be higher as there are more machines on more of the time with more bandwidth. I'd expect BB to have spread wider in Europe than US looking at the comments about rural areas in the US, whereas well over 90% of the UK has BroadBand capability. I'm sure someone has the figures... I think what the figures show are that Europe is more connected (and has more bandwidth overall) than the US, and so there are more vulnerable people online here, and each person is more vulnerable thanks to thicker pipes and even thicker sysdamins at the ISP :-)

Grammar Cop

[Doc+Ruby]

"Prolexic has a report on Zombie infections that bring a visual representation"

That would be a report, which brings a visual representation. These kinds of grammar errors come from the speaker/writer paying more attention to the last word they spoke/wrote ("infections") than to the subject of the sentence ("report") with which their next words must agree. The choice of "that/which" is a subtle style point in which few are skilled these days. But getting the plural of the subject and adjective to agree should be natural. Spoken English requires quick thinking, but written English allows a chance to reread the sentence before publishing it. The publishing effort is going to pay off a lot more when the statements are intelligible consistently by most readers.

Relevant info missing

[Stormwatch]

They forgot to list zombies per operating system.

Oh, wait...

Re:Relevant info missing

[trelanexiph]

I've seen dosnets on IRIX, Linux, SCO Unix/Openserver, and Solaris. Windows users are not the only ones running infections. Ooh yeah, the guys hitting unix are usually far more skilled than those using cookie cutter exploits to mass-infect windows machines, meaning that though they don't hit harder, they may hit smarter.

Re:Relevant info missing

[someone1234]

Wowie, you saw ENTIRE dosnets on IRIX? You might come up with a 'proof of concept' thingie which 'might' work on a completely defenseless machine, but i doubt you'll find so many of them on the net to build a net. How many IRIX is still on the net? One would believe dosnets are viable only on an OS (aside from OS vulnerabilities) with a large and ignorant user base. Maybe in the future you'll see linux dosnets but i guess they are only in your fantasy.

Re:Relevant info missing

[Frogbert]

And lets face it any Unix/Irix/Non-Windows operating system is going to have access to a much fatter pipe then your average windows system.

Re:Relevant info missing

[dbIII]

the guys hitting unix are usually far more skilled than those using cookie cutter exploits

I've been called in after a couple of *nix machines were rooted, and in both cases it was simple rootkits run by people who didn't appear to have the slightest ability to cover their tracks, who left dos commands like "dir" in the history. Whoever put together the rootkits did appear to have a clue, so the only answer is to reformat, re-install and be sure the data files restored from backup are what they are supposed to be.

Of course, other people deal with this sort of stuff daily and may have other ideas.

What's the surprise?

[FireballX301]

For all intents and purposes, that could just be a list of largest ISP networks. Large ISPs generally don't have the time to perform broad sweeps against zombie computers.

What is surprising is the European zombie count is higher than that of the United States. I wonder why.

Re:What's the surprise?

[HermanAB]

Why?

EU population is 460 million, US population is only 300 million.

No surprises there - more people, more PCs.

Re:What's the surprise?

[Jesus_666]

Also, consider that some European countries are quite Internet-crazy. IIRC, German is the second most frequent language spoken on the Internet, even before Franch, Spanish and Mandarin. Note that outside of Europe, German is not quite as common as the other three languages.
As of 2004, 47% of all German households had Internet access, versus 43% in 2003 - and the number is still growing (source: German Federal Statistical Office (destatis.de)).

Re:What's the surprise?

[scupper]

what's important is per capita. US isn't the worst offender, but the krauts could improve.

Re:What's the surprise?

[gorbachev]

"What is surprising is the European zombie count is higher than that of the United States. I wonder why."

If I may hazard a guess...and that's all these are.

I think three reasons.

1. There are a couple of very big and completely clueless ISPs in Europe (blueyonder, tiscali, wanadoo). You think Comcast is bad? You have no idea...

2. Some of the national ISPs in a lot of the European countries have a much larger percentage of users within their countries than any US ISP. If that ISP happens to be one of the completely clueless ones, you have a REALLY big problem.

3. In US, the biggest ISP, AOL, has cleaned house so well that there's very little network infestation coming from them.

Re:What's the surprise?

Franch?!

Re:What's the surprise?

No surprises there - more people, more PCs.

and still they refuse to use soap!

Details

[FrozedSolid]

The site is short on details. I'm kind of curious how their DoS filtering systems work. How can you detect the difference between a valid client and one that that's just part of an attack?

And what is being done about this?

[khasim]

From TFA:

The primary attack of choice in the first half of 2005 was an advanced full connection based flood. This particular attack exposes the real IP address of the attacking bot/zombie, however, the sheer number of IP addresses that must be blacklisted places overwhelming load on mitigation hardware, ACLs, and web services farms.

Okay, so you hve the IP address of a cracked machine ...

From that, you can find the ISP ...

From that, you can find the machine ...

From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

Re:And what is being done about this?

[rel4x]

From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.
Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?
Several reasons.
First off, a lot of the zombies are in countries different from the person controlling them, making it tricky to pass information, and get search warrants(for the sniffer). A lot of people use proxies, which also complicates things.

Re:And what is being done about this?

It's not quite that easy. There is no such thing as a 'sniffer' you can put on an internet connection.

Odds are these bots will all be logged on to an IRC channel somewhere. You can track it back to that by simply monitoring the network activity of the machine. After that, you can monitor that channel and find the user who is directing the botnet. Unfortunately, the best you are going to get - unless the botnet operator is an idiot - is the last proxy in a chain of four to eight, each of which is located in a foreign country. Being able to get obtain the logs from such a single such proxy is very unlikely. Four to eight simply isn't going to happen.

Re:And what is being done about this?

[plover]

Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.

I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.

Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.

Re:And what is being done about this?

The advantage with this peer-based method is that the cop, once they get control of one zombie, can find all of the other zonbies on the network, by looking at one zombie's peers, looking at the peers' peers, until the entire botnet is traversed.

Re:And what is being done about this?

[DrSkwid]

I don't think that the person controlling the botnet sends out a "do ddos now" command to all of his owned hosts from home.

You will trace it from the zombie to the controller then it's off back to court, possibly in another country, to get another warrant to monitor the controller. Then you trace that back to another controller ad nauseum.

Re:And what is being done about this?

[Isomer]

I help out on the Undernet IRC Network. We have automated tools that detect botnets, but what can we do after we've detected them? Email their ISP's? They in general don't care. Talk to the FBI? They don't care either. Ban (Gline) them from the network? We get DDoS'd for the trouble, either directly by the kiddie taking revenge, or even indirectly by just having to live with the constant synflood of thousands of DDoS drones still trying constantly to reconnect to our servers.

Finding out who these people are isn't hard, we often know who they are, and even where they live, but nobody cares. These kiddies start by playing around DDoSing a few IRC servers here or there, but then they move on to bigger things like extortion rackets etc. Almost all of the people being put away for various High profile Cybercrimes have at one stage or another been well known by IRC administrators, but nobody cares until they've turned their sights on bigger fish than IRC networks.

Re:And what is being done about this?

[Kent+Recal]

what can we do after we've detected them?
we often know who they are, and even where they live

Easy. Make a public list.
Put up a description of all incidents and all related information (IP-Address -> ISP -> personal info) that you have gathered.

The kids don't like to read their real name on a website.

Re:And what is being done about this?

[Darkman,+Walkin+Dude]

Argh, do I even need to talk about the futility of publicly posting the authors of DDOS attacks on a website? This calls for good ol' vigilante justice. When the law doesn't suffice to cover your needs, or hasn't gotten that far in terms of enforcement, you need to take it into your own hands. Yes yes, I know all the arguments against that, but they all fall flat; the law is unwilling or unable to help where you have a legitimate greivance, therefore you become the law.

There should be an agency or group to mess these people up, not cause actual physical harm, but play with their tiny minds. Hire a private detective to ferret out their most personal details and bring them to the attention of local law enforcement and media. Hire a male escort to get their girlfriends drunk and give them syphillis. Disconnect their phones, steal their identities and use them to open bank accounts, then post these up on warez sites. Get creative, people, think like Sherriff Lucas Buck in American Gothic. When the law fails, you may not have the right to take it upon yourself to take revenge, but that doesn't mean you shouldn't.

Re:And what is being done about this?

[Kent+Recal]

Well, while your approach sounds sensible ;-), I want to make clear that I don't encourage that way of dealing with it.

I really think just posting these names will be enough. Not so that people can go and beat the kids up (I doubt anyone would bother anyways!) but more as a blunt message to the DDoS kids saying "We are paying attention and we know who you are".

Once your name shows up on such a list you'll probably re-think whether your hobby is really worth the potential backlash.

Re:And what is being done about this?

[plover]

But only if they can actually find to the next zombie. If one bot infected and recruited 100 other windows boxes, which of those lead to others? Can you get to the next box? Is it in the same country? Can you get logs from the ISPs involved to identify it? When they're not under direct use, they're kept busy portscanning for other victims, so it's never a static "snapshot", either. How do you know when you've got 'em all?

Remember, there are over 10,000 bots in a typical professional extortionist or spammer's botnet. Are you capable of rolling them all up and identify the single one which received the spammer's actual input? That's a helluva feat.

There are tools, such as the "internet telescope", which might reveal the "first source" of a spam or of an attack. But when the bots are syncrhonized, as when an extortionist commands "Begin a DDoS attack on www.foo.com at 0800 GMT", timing on the telescope reveals nothing other than "which of these idiots with infected PCs also don't have their clocks set properly."

Re:And what is being done about this?

[Pyrrus]

They certianly won't when future employers grep these lists for the name of any potential employee.

the gibson

[mnemonic_]

But have they hacked the Gibson yet?

Re:the gibson

pool on the roof must have a leak

Re:the gibson

[Jomac]

Gibsons story (http://www.grc.com/dos/grcdos.htm) makes for a great read - and he did put up a list - and it worked pretty well.

Watch the grandsons infections

[bigtreeman]

On our home network I watch the infections eminating from the grandsons Windoze gaming boxen with etherape - http://etherape.sourceforge.net/ it's not a desktop background, but it's cool (the grandson reckons its sick)

Where is the Spinning Cube of Potential Doom?

[qualico]

This story reminds me of the Spinning Cube of Potential Doom.
http://developers.slashdot.org/developers/04/06/01 /1747223.shtml

It seems the source for this is still unavailable.
Does anyone know where to get binaries or a similar program?

The concept is fantastic and would certainly help in security.
Although, I'd prefer to have a text version similar to how Nethack displays in text mode.

Call me old school, can't shake my affinity for text only Linux. :P

Re:Where is the Spinning Cube of Potential Doom?

Try this http://research.wand.net.nz/software/visualisation .php

Re:Where is the Spinning Cube of Potential Doom?

[Isomer]

The WAND visualisation (lovingly called BSOD by the people who use it) is very interesting to watch. We use it on the Universities /16, and we see all kinds of neat patterns ranging from background scans from viruses, to highly sophisticated scans obviously looking for infectable machines.

The visualisation supports a "darknet" mode where it can show all traffic that isn't being responded to by internal machines, showing scans on other useless traffic (on our capture point it shows up heaps of NTP traffic going to an old NTP server that has been decommissioned).

The visualisation is fully customisable by a series of plugins for things such as layouts (for the left (internal) and right (external) networks), and colours (letting you colour traffic based on the type of traffic).

You can see infected machines on it as a cone of traffic, port scans as a sparkling of different colours to one machine. You can see that different parts of the Internets address space have different protocol mixes (P2P and HTTP interestingly don't have the same patterns). You very quickly get a feel for what "normal" traffic looks like, and can see at a glance if something on the network isn't working right. It's fascinating to watch, and even a layperson can easily see what's going on and understand what's happening. It makes great eyecandy for investors and managers too :)

We're almost ready for a new release supporting a lot more really cool features, including the ability to choose colours based on BPF expressions, tonnes of performance improvements, new plugins such as a geoip layout module.

Download it and it a go (the URL is in the parent post), and let us know if you have any suggestions, we're really keen on new ideas to extend it with.

Re:Where is the Spinning Cube of Potential Doom?

[qualico]

sweet!

Thanks for my new project.
Looks like the client will run on Windows so I don't have to setup a graphical X machine.

Let you know how it goes.

Re:Where is the Spinning Cube of Potential Doom?

[qualico]

Road block.
Need to install another Hard Drive.
My 3Gb of 9 year old SCSI technology is full.

Not to the fault of a 190k BSOD, but because I need g++ version > 2.95.
And to install that version of g++ I need more space.

From the INSTALL file:

The bsod server requires:

* libtrace (http://research.wand.net.nz/software/)
* g++-3.0 or greater (known to work with 3.0, fails with 2.95)

In the famous words of Arnold: "I'll be back"

DDoS protection

[StreetFire.net]

With more and more ISP's offering DDoS protection in the cloud I have to wonder how much longer DDoS in it's current form will remain relevant. Most of the Tier I backbone providers are shutting down these things in the cloud keeping the traffic from ever reaching the customer Gateway (for customers that subscribe to this service), however these systems are looking for uncompleted TCP connections and scripted browsing sequences. So in the next round of DDoS arms escalation, any thoughts on what the next evolution of the zombie net attacks will be?

Re:DDoS protection

[mrchaotica]

any thoughts on what the next evolution of the zombie net attacks will be?

Ones that parse webpages and follow random links (staying on the same server, of course) so that they look as much as possible like legitimate traffic? Maybe have it emulate a Slashdotting by forging the referer headers? ; )

brings a whole new meaning to the phrase

[wolftone]

"Where do you want to go today?"

I still wonder...

[game+kid]

...which exact people/bots do the most requests.

Servers should get the IPs that do the most of said refreshing, and create a public Most Likely IPs To Slashdot Your Server(TM) list, so other web servers can restrict traffic a bit to them (maybe serve their pages after casual readers get them?). It's either that or sticking with no one seeing the page for a while as usual, after every hot topic...or something like that. (Of course, IPs can and often are dynamic, in which case I have no clue for a plan-B.)

Re:I still wonder...

[DrSkwid]

please, no more IP based filtering

it is bad enough that I get regularly banned from posting because my ISP (ntl:) uses an inline cache that reports itself as the remote address and slashcode can't differentiate between different ntl: customers. And, yes, it has been reported many times, the /. attitude is : if you're such a geek, sort yourself another proxy (which I do but it is still a pain).

Re:I still wonder...

[moonbender]

Inline cache? Forget getting another proxy, get another ISP!

Re:I still wonder...

Personally, I'd refuse to deal with an isp that thinks it's a good thing to have a colon in their name. But it's probably your only choice--and I know what that's like.

But seriously...

Re:I still wonder...

[DrSkwid]

It was called Diamond Cable when I signed the contract.

Our illustrious former leader carved the country up into regions and then auctioned off the areas to act as cable TV stations to give new start up telecoms companies a boost while generating revenue for vote winning tax breaks.

Anyhoo, these days they are amalgamated into just about two big cable providers Telewest and ntl: who went on a buying spree once the statutory period of buyout protection expired.

I'm lazy. I got my 512k the day it came out and haven't changed a thing since. And yay, it's 1mb now! I use my own proxy with 4mb upstream elsewhere so 100k a sec is fine for the last hop.

Re:I still wonder...

[bedessen]

The actual term is a 'transparent web cache'. What happens is the ISP proxys all traffic on port 80 outbound through a machine on their network running squid. To the end user, the effect is the same as if they were connecting directly to the destination web server, but they're really connecting to this squid proxy. That way if two of their customers request the same page, the squid machine only has to fetch it once (assuming it's cacheable) and it can then send it to both customers. It's a bandwidth-saving measure, because to the ISP the 'external' traffic is more costly than internal traffic that doesn't have to leave their core network.

The effect of this is that web traffic on the destination server appears to come from the proxy machine, not the end user's actual machine/IP address. Usually there is a HTTP header (such as 'X-Forwarded-For:') that contains the real IP address of the actual end user. The problem for the site though is that you cannot trust this header, because anyone can add any HTTP header they want. If slashdot were to consider the header as genuine, then any old crapflooder could claim to be any IP address they desire, and evade bans. There is no way to differentiate the case of a real squid proxy that is actually inserting a legitimate header, and an end-user that is doing the same for nefarious purposes. You really can't blame slashdot for not considering the X-Forwarded-For header, because it's just completely unreliable.

Many other web applications have similar problems. For example, some forum software such as IPB (Invision Power Board) *does* consider the IP address contained in the X-Forwarded-For header, because it does make for better logging for users with ISPs that use transparent proxies. However, it makes banning forum users by IP address completely worthless, because the malicious user can just stick anything there they desire.

This also crops up with BitTorrent trackers, because when the BT client contacts the tracker, the tracker must note the IP address of the client so that it can give it out to other clients. (Clients are introduced via the common middleman of the tracker.) If the tracker is on port 80 and the user has an ISP that has one of these transparent proxies, the tracker will get the IP of the proxy and not the end-user. This means it will give out the wrong address to other clients, and that user will never get any incoming connections. The solution to this is to either tell the client to explicitly inform the tracker of its IP address, or to have the tracker on a port other than 80. The former is fraught with difficulties when you consider dynamically changing IP addresses and NAT, because it requires that the end user's software be configured correctly to send the proper IP address. The latter is the preferred way of handling it, because transparent proxies really only care about stuff on port 80.

Yeah

[kernelpanicked]

I've only been monitoring this sort of thing with EtherApe for about 4 years now.
http://etherape.sourceforge.net/

Cool Picture

[vga_init]

This picture is a little bit different, but this concept reminds me of the depiction of large scale computer networks given in William Gibson's Neuromancer.

From what I remembered, he depicted computer networks as having visual representation, describing how colors changed based on the level and types of network activity.

What is given in the novel is more of a virtual reality type thing, though. I thought that was nifty. Now, if only we could get some diagrams like the one in the article done in 3D and rendered in real time as variables changed.

LOL...

[d474]

FTFA:

"Interesting Notes:
AOL is the most infested network on the Internet."

Gee. I wonder why.

Re:LOL...

[qualico]

too funny, I'll venture a guess... ...is it cause people on AOL are the same people who click punch the monkey ads, install comet cursor and New.net along with Gator and WebShots?

Re:LOL...

[t0ny747]

...is it cause people on AOL are the same people who click punch the monkey ads, install comet cursor and New.net along with Gator and WebShots?

I thought aol came with all that by default?

Re:LOL...

[xenocide2]

"So easy to abuse no wonder its number one!"

Re:LOL...

[l3v1]

Maybe it's not the AOL who has the fault, but the people. Hell, I've heard people finding it nice that they have that buddy thing installed :) - oh, that's not funny

Re:LOL...

[qualico]

LOL!

Dell out of the box has Norton and AOL by default.
A winning combination. :->

Re:LOL...

[t0ny747]

Dell out of the box has Norton and AOL by default.

All the Dells I've seen like my Insporon 8600 and the ones at work came with a 30 day demo of Mcafee. Before I uninstalled it my on laptop took 10-20mins to boot.

Amazing photos...

[d474]

...they almost look like a "web" of some sort...

Re:Amazing photos...

and it's world wide!

You're looking for something like Carnivore

[jgaynor]

I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see.

Try Carnivore. It's a simple sniffer that acts as a backend to any visualizer you can write (in a number of supported languages). There's a nice online library of those frontends on their site as well. The only downside is that currently there's no linux version :(.

Digital Pictures

Digital Information Graphics

"The information age has brought inconceivable amounts of data to every area of life-at home and in the office, for leisure and travel, for shopping and banking. While the Internet provides instant freedom and instantaneous access to hundreds of valuable resources, navigating through the streams of cyber-information can be maddening. Today's web designers are beginning to understand that it's not just how good the home page looks, but how quickly and easily information can be displayed, accessed, and delivered. Digital Information Graphics confronts the issues that directly affect our interaction with the screen, whether for the World Wide Web, multimedia programs, or even small-screen devices like mobile phones or PDAs. Filled with tested principles, surefire strategies, and scores of examples and case studies, here are the effective, proven ways to present deep arrays of data for the information age. Readers will discover how to display complex environment and infrastructure in simple, innovative ways; analyze and present data gathered from demographics and news sources; convey complex events and situations in a clear, straightforward manner; and push today's technology to its limits, resulting in brand-new ways for navigating a website or interacting with the computer. Filled with 500 stunning examples from top information designers from around the world, Digital Information Graphics makes a vital part of design available to everyone living and working in the digital age."

Re:Details (the devil always lurks there)

[eUdudx]

it's not the single challange/response that's identifiable but the fact that seldom is an attack a single transaction, by monitoring the stream of activity both signature and learning filters can do a good job. Config-free IPS's are not impossible.

Do the numbers...

[Flabasha]

It's funny just to think what percentage of these boxes are Windows machines. Has anyone ever even heard of botnet boxes being run on Linux/*BSD/non-Windows machines? I guess there's one thing Microsoft should be thanked for... Inadvertently starting a new technology market.

John

Re:Do the numbers...

[sosume]

doh, i think its safe to assume that

windows users vs non-windows users ~= windows bots vs non-windows bots.

Re:Do the numbers...

[DrSkwid]

Botnets used to be found mostly on infected redhat and solaris boxes infected by trinoo

DDoS?

[sunwolf]

Which one is the picture of the site being Slashdotted?

Radioactive-DDoS?

"Which one is the picture of the site being Slashdotted?"

The one with the mushroom cloud above it."

---
"Slow Down Cowboy!

Slashdot requires you to wait till hell freezes over between each successful posting of a comment to allow everyone a fair chance at posting a comment about Taco's weight.

It's been 1,000 BC since you last successfully posted a comment that didn't poke fun at CowboyNeal."

Visual DDoS Representation and Its Ramifications

This is Slashdot. You should have used "it's" in the story title, then the grammar Nazis could have had fun shooting you down.

Homer

[rhizome]

Okay, so you hve the IP address of a cracked machine ...

From that, you can find the ISP ...

From that, you can find the machine ...

From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

"In America, first you get the sugar, then you get the power, then you get the women."

Missing Color in key?

[ThePolkapunk]

Am I going blind, or is there a color missing in the key? Or perhaps it's a firefox rendering error? At any rate, I can't find out what light blue is supposed to represent.

Along that same line of thought...

[lullabud]

If somebody takes the time to 0wn a server, it's likely because that server is on a fat pipe. If the purpetrator throttles his network usage it could go undetected and have much more serious reprecussions than a dozen infected desktop PC's on DSL. Then again, not all computers on fat pipe's are non-windows boxes... I had to clean up a Serv-U hack on our T1. =/

Religious Botnets

[lullabud]

So, what you're saying is that current botnets function like the prayer chain of Satan, the Lord of Spam?

Etherape/Cube of Impending Doom

[miquong]

Etherape is a good real-time program for visualizing connects to you and their relative traffic. While it only runs on *nixes, you can set up box for monitoring your uplink. Also check this post from last year: http://developers.slashdot.org/article.pl?sid=04/0 6/17/135220&tid=172&tid=141&tid=8

yeah, nice

[lampajoo]

but it's goddamn pointless. who gives a fuck if you have a picture of it or not?

LGL is used, but does anybody have it working?

[MavEtJu]

OPTE is using LGL to make their graphs. Their website is at http://bioinformatics.icmb.utexas.edu/lgl/.

I have tried to get it running on Linux and FreeBSD, but it doesn't want to compile due to mismatches in their C++ classes. This is with gcc 2.95, 3.3 and 3.4. (See http://www.mavetju.org/~edwin/lgl.fail.txt for the full log)

Has anybody gotten LGL to compile on their machines? Or does know patches to get it working?

Thanks in advance, Edwin

provocative, tasty little parent

[Dioscorea]

I've seen dosnets on IRIX, Linux, SCO Unix/Openserver, and Solaris. Windows users are not the only ones running infections. Ooh yeah, the guys hitting unix are usually far more skilled than those using cookie cutter exploits to mass-infect windows machines, meaning that though they don't hit harder, they may hit smarter.

go on then trelanexiph u cheeky little chappie, tell us about one of these linux dosnets you've seen.... how did you learn of it? exactly

lots of ramifications

[cahiha]

Thousands of ramifications. (quite literally).

What it is lacking in however, is utility. Other than noticing that denial of service attacks use thousands of zombies all over the world, this doesn't really help you.

peep!

[Archeopteryx]

There is an audio network status tool called peep.

http://sourceforge.net/projects/peep/

Give it a try!

Back in "the day" we used to put an AM radio on top of the IBM 1130 and listen to the resulting noise to determine if the programs were working properly. Every program had a different sound and every phase of operation of each program was usually discernible from the sound.

As an operator in one of your largest channels...

[Animaether]

that isn't warez, mp3, or sex-based, #chatzone, it would at least be nice if you could acknowledge the existance of certain botnets, their owners, etc. That and give -us- some level of information on what -we- can do against them.

This isn't directly referring to those botnets used for IP DDoS'ing - UnderNET users typically have very little notice of them, I'm sorry that the UnderNET servers obviously do by sheer connection/disconnection power - but more to those used to DDoS channels and users by crapflooding/messaging/ctcp'ing/etc.

I'm talking about botnets like those under control by AlkkatraZ (username Almighty1 - connects using a plethora of vhosts). Some of which can be dealt with by a simple ban due to their structure, others could be dealt with if there was such a thing as a regex ban and banning capabilities on the username part - but alas.
But all in all, they could most easily be dealt with by crippling them. For example: flagging all of these bots as not being able to receive messages.

At best, the botnet operator will wonder why the frick his bots are no longer responding.
At semi-worst, there's somebody real behind one of those infected machines as well and they'll wonder why their friends are no longer messaging them.
At worst, the botnet operator figures it out and goes on a revenge-tour and DDoS's UnderNET servers.

Oh, and for what it's worth, yes we do contact the ISPs behind the infected machines, and although response rate isn't 100%, it's not zero either. We think it's worth the try - why wouldn't you ?

Please note that 'you' here isn't directed at you personally, but at IRCopers and Admins of UnderNET. I just think it's lame that obviously you have automated tools to detect them, but then you (apparently, from your own post) do diddly-squat about them.

Just my 2 cents. For what it's worth, UnderNET still kicks EF/DAL/IRCnet ass :P

Has anyone here used Prolexic?

[Tancred]

I met with them a while back and I think outsourcing the sinking and scrubbing of DOS traffic is a great idea. I'd like to hear from anyone using their service though.

Malaysia, so small yet so vulnerable

[timyang]

A big thank you to the admins at TMNet. You have finally made Malaysia one of the best at something.