Slashdot Mirror

← Back to Stories (view on slashdot.org)

Visual DDoS Representation and Its Ramifications

Posted by Zonk on from the seeing-things-helps-to-understand-them dept.

winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."

3 of 104 comments (clear)

  1. Neat! by failure-man · · Score: 5, Interesting

    Can it build a map for a /.ing?

    Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.

  2. And what is being done about this? by khasim · · Score: 4, Interesting
    From TFA:
    The primary attack of choice in the first half of 2005 was an advanced full connection based flood. This particular attack exposes the real IP address of the attacking bot/zombie, however, the sheer number of IP addresses that must be blacklisted places overwhelming load on mitigation hardware, ACLs, and web services farms.
    Okay, so you hve the IP address of a cracked machine ...

    From that, you can find the ISP ...

    From that, you can find the machine ...

    From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

    Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

    1. Re:And what is being done about this? by plover · · Score: 4, Interesting
      Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.

      I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.

      Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.

      --
      John