Slashdot Mirror


Visual DDoS Representation and Its Ramifications

winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."

34 of 104 comments

  1. Visual DDoS? by Anonymous Coward · · Score: 5, Funny

    Is this a new programming language from Microsoft?

    1. Re:Visual DDoS? by Mister+Transistor · · Score: 2, Funny

      Nope, but it IS Windows based...

      --
      -- You are in a maze of little, twisty passages, all different... --
  2. Neat! by failure-man · · Score: 5, Interesting

    Can it build a map for a /.ing?

    Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.

    1. Re:Neat! by geomon · · Score: 4, Informative

      Not exactly a map, but a nice graph of a site getting slashdotted.

      --
      "Rocky Rococo, at your cervix!"
  3. In the future will we have net traffic reports? by rokzy · · Score: 4, Insightful

    I hope not!

    isn't the whole point that there's redundancy and stuff to make things reliable and invisible to the end user?

    time spent visualising problems is a total waste unless you use it to stop the problem happening again. and prevention is better than cure.

    1. Re:In the future will we have net traffic reports? by miaDWZ · · Score: 3, Informative

      In the future will we have net traffic reports

      hah, too late.

      http://www.internettrafficreport.com/

  4. Europe has most zombie infested networks.. by guyfromindia · · Score: 3, Interesting

    From TFA, Overall, Europe has the most zombie infested networks ranking over the United States.
    Considering the PC usage in the United States versus Europe, it is really surprising that most zombie infested networks are in Europe... Is it because people in the US are better at defending their PCs than Europe...? (comparatively speaking)

    1. Re:Europe has most zombie infested networks.. by Anonymous Coward · · Score: 4, Funny

      Clearly, their PCs must be liberated.

    2. Re:Europe has most zombie infested networks.. by xenocide2 · · Score: 2, Informative

      The rankings are per capita, which means they're adjusted for population.

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

  5. Relevant info missing by Stormwatch · · Score: 4, Funny

    They forgot to list zombies per operating system.

    Oh, wait...

    1. Re:Relevant info missing by trelanexiph · · Score: 3, Insightful

      I've seen dosnets on IRIX, Linux, SCO Unix/Openserver, and Solaris. Windows users are not the only ones running infections. Ooh yeah, the guys hitting unix are usually far more skilled than those using cookie cutter exploits to mass-infect windows machines, meaning that though they don't hit harder, they may hit smarter.

  6. What's the surprise? by FireballX301 · · Score: 2, Insightful

    For all intents and purposes, that could just be a list of largest ISP networks. Large ISPs generally don't have the time to perform broad sweeps against zombie computers.

    What is surprising is the European zombie count is higher than that of the United States. I wonder why.

    1. Re:What's the surprise? by HermanAB · · Score: 3, Informative

      Why?

      EU population is 460 million, US population is only 300 million.

      No surprises there - more people, more PCs.

      --
      Oh well, what the hell...
  7. And what is being done about this? by khasim · · Score: 4, Interesting
    From TFA:
    The primary attack of choice in the first half of 2005 was an advanced full connection based flood. This particular attack exposes the real IP address of the attacking bot/zombie, however, the sheer number of IP addresses that must be blacklisted places overwhelming load on mitigation hardware, ACLs, and web services farms.
    Okay, so you have the IP address of a cracked machine ...

    From that, you can find the ISP ...

    From that, you can find the machine ...

    From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

    Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

    1. Re:And what is being done about this? by rel4x · · Score: 2, Informative

      From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.
      Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

      Several reasons.
      First off, a lot of the zombies are in countries different from the person controlling them, making it tricky to pass information and get search warrants (for the sniffer). A lot of people use proxies, which also complicates things.

      --

      Before you mod me funny, think, perhaps I was insightfully funny?
    2. Re:And what is being done about this? by Anonymous Coward · · Score: 3, Informative

      It's not quite that easy. There is no such thing as a 'sniffer' you can put on an internet connection.

      Odds are these bots will all be logged on to an IRC channel somewhere. You can track it back to that by simply monitoring the network activity of the machine. After that, you can monitor that channel and find the user who is directing the botnet. Unfortunately, the best you are going to get - unless the botnet operator is an idiot - is the last proxy in a chain of four to eight, each of which is located in a foreign country. Being able to obtain the logs from a single such proxy is very unlikely. Four to eight simply isn't going to happen.

    3. Re:And what is being done about this? by plover · · Score: 4, Interesting
      Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.

      I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.

      Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.

      --
      John
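Added example (editor's, not from the thread or from Prolexic's report): the report khasim quotes says the first-half-2005 attack of choice was a full-connection flood, which exposes real bot addresses but produces more ACL entries than mitigation gear can hold, while plover points out that SYN floods with forged headers never expose anything. The script below runs a small classifier over constructed TCP flow records for a target at 192.0.2.10 (a placeholder address), tells the two cases apart by whether the client ever completed the handshake, and then shows what summarizing the resulting blacklist into /24 prefixes buys and costs. All thresholds and addresses are assumptions chosen for the demonstration.

```python
"""Telling a SYN flood (spoofed, half-open) from a full-connection flood
(real bot addresses, completed handshakes) and sizing the resulting ACL.
Added example over constructed flow records; nothing here is captured data."""
import ipaddress
import random
from collections import Counter
from typing import NamedTuple

SERVER = "192.0.2.10"  # constructed target address (TEST-NET-1)


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    client_flags: tuple  # TCP flag strings the client sent, in order


def handshake_completed(client_flags):
    """True once the client ACKs after its SYN, i.e. the server's SYN-ACK
    reached a host that really owns the source address."""
    seen_syn = False
    for flags in client_flags:
        if flags == "S":
            seen_syn = True
        elif seen_syn and "A" in flags:
            return True
    return False


def legit_traffic():
    """30 ordinary clients, one to three completed connections each (60 flows)."""
    flows = []
    for i in range(30):
        for _ in range(1 + i % 3):
            flows.append(Flow(f"203.0.113.{i + 1}", SERVER, 80, ("S", "A", "PA", "A")))
    return flows


def syn_flood_traffic(seed=7, count=500):
    """Raw SYNs from random (forged) source addresses; nothing ever ACKs."""
    rnd = random.Random(seed)
    spoofed = [Flow(str(ipaddress.IPv4Address(rnd.getrandbits(32))), SERVER, 80, ("S",))
               for _ in range(count)]
    return legit_traffic() + spoofed


def full_connection_traffic(bots_per_prefix=15, conns_per_bot=12):
    """60 real bots in four /24s, each completing a dozen handshakes and
    sending requests, so their addresses are genuine and blockable."""
    bots = []
    for p in range(4):
        for h in range(1, bots_per_prefix + 1):
            src = f"198.51.{100 + p}.{h}"
            bots += [Flow(src, SERVER, 80, ("S", "A", "PA", "A"))] * conns_per_bot
    return legit_traffic() + bots


def classify(flows, dst=SERVER, min_flows=100, half_open_ratio=0.8,
             per_source_limit=10, min_sources=20):
    fl = [f for f in flows if f.dst == dst]
    if len(fl) < min_flows:
        return {"verdict": "normal", "blacklist": set()}
    half_open = [f for f in fl if not handshake_completed(f.client_flags)]
    if len(half_open) / len(fl) >= half_open_ratio:
        # Half-open sources prove nothing about who sent them: an ACL built
        # from them blocks random third parties. Mitigate at the handshake
        # (SYN cookies, SYN proxy) rather than by address.
        return {"verdict": "syn_flood", "blacklist": set(),
                "half_open": len(half_open),
                "distinct_sources": len({f.src for f in half_open})}
    per_src = Counter(f.src for f in fl if handshake_completed(f.client_flags))
    heavy = {src for src, n in per_src.items() if n >= per_source_limit}
    if len(heavy) >= min_sources:
        # Completed handshakes mean these addresses are real, but a flash
        # crowd (a front-page link) also completes handshakes; the per-source
        # rate, not the source count, is what separates bots from readers.
        return {"verdict": "full_connection_flood", "blacklist": heavy,
                "completed": len(fl) - len(half_open)}
    return {"verdict": "normal", "blacklist": set()}


def summarize(blacklist, prefixlen=24):
    """Collapse per-host ACL entries into prefixes. Fewer entries, but every
    innocent host inside a summarized prefix is blocked along with the bots."""
    return Counter(str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
                   for ip in blacklist)


if __name__ == "__main__":
    for name, flows in (("syn flood", syn_flood_traffic()),
                        ("full-connection flood", full_connection_traffic())):
        r = classify(flows)
        print(name, "->", r["verdict"], "| ACL entries:", len(r["blacklist"]),
              "| summarized:", dict(summarize(r["blacklist"])))
```

On the constructed data the SYN flood yields 500 half-open flows with about as many distinct forged sources and no usable blacklist, while the full-connection flood yields 60 real addresses that summarize to four /24 entries; in practice the choice of prefix length is a trade between ACL capacity and collateral damage.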
    4. Re:And what is being done about this? by Isomer · · Score: 2, Insightful

      I help out on the Undernet IRC Network. We have automated tools that detect botnets, but what can we do after we've detected them? Email their ISPs? They in general don't care. Talk to the FBI? They don't care either. Ban (Gline) them from the network? We get DDoS'd for the trouble, either directly by the kiddie taking revenge, or even indirectly by just having to live with the constant synflood of thousands of DDoS drones still trying constantly to reconnect to our servers.

      Finding out who these people are isn't hard, we often know who they are, and even where they live, but nobody cares. These kiddies start by playing around DDoSing a few IRC servers here or there, but then they move on to bigger things like extortion rackets etc. Almost all of the people being put away for various High profile Cybercrimes have at one stage or another been well known by IRC administrators, but nobody cares until they've turned their sights on bigger fish than IRC networks.

    5. Re:And what is being done about this? by Kent+Recal · · Score: 3, Insightful

      what can we do after we've detected them?
      we often know who they are, and even where they live

      Easy. Make a public list.
      Put up a description of all incidents and all related information (IP-Address -> ISP -> personal info) that you have gathered.

      The kids don't like to read their real name on a website.

    6. Re:And what is being done about this? by Darkman,+Walkin+Dude · · Score: 2, Funny

      Argh, do I even need to talk about the futility of publicly posting the authors of DDOS attacks on a website? This calls for good ol' vigilante justice. When the law doesn't suffice to cover your needs, or hasn't gotten that far in terms of enforcement, you need to take it into your own hands. Yes yes, I know all the arguments against that, but they all fall flat; the law is unwilling or unable to help where you have a legitimate grievance, therefore you become the law.

      There should be an agency or group to mess these people up, not cause actual physical harm, but play with their tiny minds. Hire a private detective to ferret out their most personal details and bring them to the attention of local law enforcement and media. Hire a male escort to get their girlfriends drunk and give them syphilis. Disconnect their phones, steal their identities and use them to open bank accounts, then post these up on warez sites. Get creative, people, think like Sheriff Lucas Buck in American Gothic. When the law fails, you may not have the right to take it upon yourself to take revenge, but that doesn't mean you shouldn't.

  8. the gibson by mnemonic_ · · Score: 4, Funny

    But have they hacked the Gibson yet?

  9. Where is the Spinning Cube of Potential Doom? by qualico · · Score: 3, Interesting

    This story reminds me of the Spinning Cube of Potential Doom.
    http://developers.slashdot.org/developers/04/06/01/1747223.shtml

    It seems the source for this is still unavailable.
    Does anyone know where to get binaries or a similar program?

    The concept is fantastic and would certainly help in security.
    Although, I'd prefer to have a text version similar to how Nethack displays in text mode.

    Call me old school, can't shake my affinity for text only Linux. :P

    1. Re:Where is the Spinning Cube of Potential Doom? by Isomer · · Score: 2, Interesting

      The WAND visualisation (lovingly called BSOD by the people who use it) is very interesting to watch. We use it on the University's /16, and we see all kinds of neat patterns ranging from background scans from viruses, to highly sophisticated scans obviously looking for infectable machines.

      The visualisation supports a "darknet" mode where it can show all traffic that isn't being responded to by internal machines, showing scans and other useless traffic (on our capture point it shows up heaps of NTP traffic going to an old NTP server that has been decommissioned).

      The visualisation is fully customisable by a series of plugins for things such as layouts (for the left (internal) and right (external) networks), and colours (letting you colour traffic based on the type of traffic).

      You can see infected machines on it as a cone of traffic, port scans as a sparkling of different colours to one machine. You can see that different parts of the Internet's address space have different protocol mixes (P2P and HTTP interestingly don't have the same patterns). You very quickly get a feel for what "normal" traffic looks like, and can see at a glance if something on the network isn't working right. It's fascinating to watch, and even a layperson can easily see what's going on and understand what's happening. It makes great eyecandy for investors and managers too :)

      We're almost ready for a new release supporting a lot more really cool features, including the ability to choose colours based on BPF expressions, tonnes of performance improvements, new plugins such as a geoip layout module.

      Download it and give it a go (the URL is in the parent post), and let us know if you have any suggestions, we're really keen on new ideas to extend it with.
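Added example (editor's, not part of Isomer's post or of the WAND/BSOD tool): the "darknet" mode described above is a simple idea that is easy to reproduce outside the visualiser, so this script computes it over constructed packet records for a placeholder 10.0.0.0/16, keeping only inbound packets that no internal host ever answered, and then groups what is left into the three shapes the post describes: a cone (one source sweeping many hosts on one port), a sparkle (one source probing many ports on one host), and traffic still arriving for a decommissioned service. The addresses, ports and thresholds are assumptions chosen for the demonstration.

```python
"""'Darknet' view of a monitored /16: inbound packets no internal host ever
answered, and the shapes that stand out in them (sweeps, port scans, traffic
to a service that no longer exists). Added example over constructed packet
records standing in for a capture; 10.0.0.0/16 is a placeholder."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

INTERNAL = ipaddress.ip_network("10.0.0.0/16")  # constructed stand-in for the campus /16


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def unanswered(packets):
    """Inbound packets whose (internal host, internal port, external host,
    proto) never saw a packet going back out. Only replies present in the
    records count; RSTs and ICMP unreachables would have to be recorded too."""
    replied = {(p.src, p.sport, p.dst, p.proto) for p in packets
               if is_internal(p.src) and not is_internal(p.dst)}
    return [p for p in packets
            if not is_internal(p.src) and is_internal(p.dst)
            and (p.dst, p.dport, p.src, p.proto) not in replied]


def patterns(dark, min_targets=8, min_ports=8, min_sources=8):
    """Group the unanswered traffic three ways:
    sweeps: one source, many internal targets, one or two ports (the cone)
    scans:  one source, one target, many ports (the sparkle)
    stale:  many sources, one internal target/port, never answered (an old
            server still being polled after it was decommissioned)"""
    by_src = defaultdict(lambda: {"targets": set(), "ports": set()})
    by_service = defaultdict(set)
    for p in dark:
        by_src[p.src]["targets"].add(p.dst)
        by_src[p.src]["ports"].add((p.proto, p.dport))
        by_service[(p.dst, p.proto, p.dport)].add(p.src)
    out = {"sweeps": {}, "scans": {}, "stale": {}}
    for src, d in by_src.items():
        if len(d["targets"]) >= min_targets and len(d["ports"]) <= 2:
            out["sweeps"][src] = len(d["targets"])
        elif len(d["targets"]) == 1 and len(d["ports"]) >= min_ports:
            out["scans"][src] = len(d["ports"])
    for svc, srcs in by_service.items():
        if len(srcs) >= min_sources:
            out["stale"][svc] = len(srcs)
    return out


def sample_capture():
    """Constructed traffic: a served web request, an SMB sweep, a port scan
    of the web server, and NTP clients still polling a retired server."""
    pk = []
    # normal: an external client fetches a page and the web server answers
    pk.append(Packet("192.0.2.1", 40000, "10.0.1.10", 80, "tcp"))
    pk.append(Packet("10.0.1.10", 80, "192.0.2.1", 40000, "tcp"))
    # sweep: one host probes tcp/445 on twenty internal addresses, no replies
    for h in range(1, 21):
        pk.append(Packet("198.51.100.7", 51000 + h, f"10.0.2.{h}", 445, "tcp"))
    # vertical scan of the web server; only port 80 answers (a SYN-ACK)
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 3389):
        pk.append(Packet("198.51.100.9", 52000 + port, "10.0.1.10", port, "tcp"))
    pk.append(Packet("10.0.1.10", 80, "198.51.100.9", 52080, "tcp"))
    # twelve external NTP clients still pointed at a decommissioned server
    for i in range(1, 13):
        pk.append(Packet(f"203.0.113.{i}", 123, "10.0.5.5", 123, "udp"))
    return pk


if __name__ == "__main__":
    dark = unanswered(sample_capture())
    print(len(dark), "unanswered inbound packets")
    for kind, hits in patterns(dark).items():
        print(kind, hits)
```

On the constructed capture this reports one sweep of 20 hosts, one scan of 10 closed ports, and one stale service with 12 unanswered sources; the served request and the scanner's successful probe of port 80 drop out because a reply exists. The thresholds are where real deployments spend their tuning time: a sweep threshold too low flags every stray SMB probe, too high misses slow scanners.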

  10. DDoS protection by StreetFire.net · · Score: 2, Insightful

    With more and more ISPs offering DDoS protection in the cloud I have to wonder how much longer DDoS in its current form will remain relevant. Most of the Tier I backbone providers are shutting down these things in the cloud keeping the traffic from ever reaching the customer Gateway (for customers that subscribe to this service), however these systems are looking for uncompleted TCP connections and scripted browsing sequences. So in the next round of DDoS arms escalation, any thoughts on what the next evolution of the zombie net attacks will be?

  11. I still wonder... by game+kid · · Score: 2, Interesting

    ...which exact people/bots do the most requests.

    Servers should get the IPs that do the most of said refreshing, and create a public Most Likely IPs To Slashdot Your Server(TM) list, so other web servers can restrict traffic a bit to them (maybe serve their pages after casual readers get them?). It's either that or sticking with no one seeing the page for a while as usual, after every hot topic...or something like that. (Of course, IPs can and often are dynamic, in which case I have no clue for a plan-B.)

    --
    You can hold down the "B" button for continuous firing.
    1. Re:I still wonder... by DrSkwid · · Score: 2, Informative

      please, no more IP based filtering

      it is bad enough that I get regularly banned from posting because my ISP (ntl:) uses an inline cache that reports itself as the remote address and slashcode can't differentiate between different ntl: customers. And, yes, it has been reported many times, the /. attitude is : if you're such a geek, sort yourself another proxy (which I do but it is still a pain).

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  12. Cool Picture by vga_init · · Score: 2, Informative
    This picture is a little bit different, but this concept reminds me of the depiction of large scale computer networks given in William Gibson's Neuromancer.

    From what I remembered, he depicted computer networks as having visual representation, describing how colors changed based on the level and types of network activity.

    What is given in the novel is more of a virtual reality type thing, though. I thought that was nifty. Now, if only we could get some diagrams like the one in the article done in 3D and rendered in real time as variables changed.

  13. LOL... by d474 · · Score: 3, Funny

    FTFA:

    "Interesting Notes:
    AOL is the most infested network on the Internet."


    Gee. I wonder why.

    --
    Authority questions you. Return the favor.
    1. Re:LOL... by qualico · · Score: 2, Insightful

      too funny, I'll venture a guess... ...is it cause people on AOL are the same people who click punch the monkey ads, install comet cursor and New.net along with Gator and WebShots?

    2. Re:LOL... by xenocide2 · · Score: 2, Funny

      "So easy to abuse no wonder its number one!"

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

  14. Amazing photos... by d474 · · Score: 4, Funny

    ...they almost look like a "web" of some sort...

    --
    Authority questions you. Return the favor.
  15. Along that same line of thought... by lullabud · · Score: 2, Insightful

    If somebody takes the time to 0wn a server, it's likely because that server is on a fat pipe. If the perpetrator throttles his network usage it could go undetected and have much more serious repercussions than a dozen infected desktop PCs on DSL. Then again, not all computers on fat pipes are non-windows boxes... I had to clean up a Serv-U hack on our T1. =/

  16. Religious Botnets by lullabud · · Score: 2, Funny

    So, what you're saying is that current botnets function like the prayer chain of Satan, the Lord of Spam?

  17. Etherape/Cube of Impending Doom by miquong · · Score: 3, Informative

    Etherape is a good real-time program for visualizing connects to you and their relative traffic. While it only runs on *nixes, you can set up a box for monitoring your uplink. Also check this post from last year: http://developers.slashdot.org/article.pl?sid=04/06/17/135220&tid=172&tid=141&tid=8