Visual DDoS Representation and Its Ramifications

← Back to Stories (view on slashdot.org)

Visual DDoS Representation and Its Ramifications

Posted by Zonk on Saturday May 28, 2005 @04:24PM from the seeing-things-helps-to-understand-them dept.

winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."

19 of 104 comments (clear)

Min score:

Reason:

Sort:

Visual DDoS? by Anonymous Coward · 2005-05-28 16:29 · Score: 5, Funny

Is the a new programming language from Microsoft?
Neat! by failure-man · 2005-05-28 16:30 · Score: 5, Interesting

Can it build a map for a /.ing?

Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.
1. Re:Neat! by geomon · 2005-05-28 16:40 · Score: 4, Informative
  
  Not exactly a map, but a nice graph of a site getting slashdotted.
  
  --
  "Rocky Rococo, at your cervix!"
In the future will we have net traffic reports? by rokzy · 2005-05-28 16:32 · Score: 4, Insightful

I hope not!

isn't the whole point that there's redundancy and stuff to make things reliable and invisible to the end user?

time spent visualising problems is a total waste unless you use it to stop the problem happening again. and prevention is better than cure.
1. Re:In the future will we have net traffic reports? by miaDWZ · 2005-05-28 16:59 · Score: 3, Informative
  
  In the future will we have net traffic reports
  
  hah, too late.
  
  http://www.internettrafficreport.com/
Europe has most zombie infested networks.. by guyfromindia · 2005-05-28 16:38 · Score: 3, Interesting

From TFA, Overall, Europe has the most zombie infested networks ranking over the United States.
Considering the PC usage in United States, versus Europe, it is really surprising that most zombie infested networks are in Europe... Is it because people in US are better at defending their PC, than Europe... ? (comparitively speaking)
1. Re:Europe has most zombie infested networks.. by Anonymous Coward · 2005-05-28 16:42 · Score: 4, Funny
  
  Clearly, their PCs must be liberated.
Relevant info missing by Stormwatch · 2005-05-28 16:43 · Score: 4, Funny

They forgot to list zombies per operating system.

Oh, wait...

--
Circumcision is child abuse.
1. Re:Relevant info missing by trelanexiph · 2005-05-28 18:53 · Score: 3, Insightful
  
  I've seen dosnets on IRIX, Linux, SCO Unix/Openserver, and Solaris. Windows users are not the only ones running infections. Ooh yeah, the guys hitting unix are usually far more skilled than those using cookie cutter exploits to mass-infect windows machines, meaning that though they don't hit harder, they may hit smarter.
And what is being done about this? by khasim · 2005-05-28 16:51 · Score: 4, Interesting

From TFA:
The primary attack of choice in the first half of 2005 was an advanced full connection based flood. This particular attack exposes the real IP address of the attacking bot/zombie, however, the sheer number of IP addresses that must be blacklisted places overwhelming load on mitigation hardware, ACLs, and web services farms.
Okay, so you hve the IP address of a cracked machine ...

From that, you can find the ISP ...

From that, you can find the machine ...

From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?
1. Re:And what is being done about this? by Anonymous Coward · 2005-05-28 17:04 · Score: 3, Informative
  
  It's not quite that easy. There is no such thing as a 'sniffer' you can put on an internet connection.
  
  Odds are these bots will all be logged on to an IRC channel somewhere. You can track it back to that by simply monitoring the network activity of the machine. After that, you can monitor that channel and find the user who is directing the botnet. Unfortunately, the best you are going to get - unless the botnet operator is an idiot - is the last proxy in a chain of four to eight, each of which is located in a foreign country. Being able to get obtain the logs from such a single such proxy is very unlikely. Four to eight simply isn't going to happen.
2. Re:And what is being done about this? by plover · 2005-05-28 17:20 · Score: 4, Interesting
  
  Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.
  I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.
  
  Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.
  
  --
  John
3. Re:And what is being done about this? by Kent+Recal · 2005-05-28 22:58 · Score: 3, Insightful
  
  what can we do after we've detected them?
  we often know who they are, and even where they live
  
  Easy. Make a public list.
  Put up a description of all incidents and all related information (IP-Address -> ISP -> personal info) that you have gathered.
  
  The kids don't like to read their real name on a website.
the gibson by mnemonic_ · 2005-05-28 16:57 · Score: 4, Funny

But have they hacked the Gibson yet?
Where is the Spinning Cube of Potential Doom? by qualico · 2005-05-28 17:01 · Score: 3, Interesting

This story reminds me of the Spinning Cube of Potential Doom.
http://developers.slashdot.org/developers/04/06/01 /1747223.shtml

It seems the source for this is still unavailable.
Does anyone know where to get binaries or a similar program?

The concept is fantastic and would certainly help in security.
Although, I'd prefer to have a text version similar to how Nethack displays in text mode.

Call me old school, can't shake my affinity for text only Linux. :P
LOL... by d474 · 2005-05-28 17:31 · Score: 3, Funny

FTFA:

"Interesting Notes:
AOL is the most infested network on the Internet."

Gee. I wonder why.

--
Authority questions you. Return the favor.
Amazing photos... by d474 · 2005-05-28 17:38 · Score: 4, Funny

...they almost look like a "web" of some sort...

--
Authority questions you. Return the favor.
Re:What's the surprise? by HermanAB · 2005-05-28 17:44 · Score: 3, Informative

Why?

EU population is 460 million, US population is only 300 million.

No surprises there - more people, more PCs.

--
Oh well, what the hell...
Etherape/Cube of Impending Doom by miquong · 2005-05-28 20:11 · Score: 3, Informative

Etherape is a good real-time program for visualizing connects to you and their relative traffic. While it only runs on *nixes, you can set up box for monitoring your uplink. Also check this post from last year: http://developers.slashdot.org/article.pl?sid=04/0 6/17/135220&tid=172&tid=141&tid=8