Slashdot Mirror


Worms Could Dodge Net Traps

Danse writes "ZDNet reports that future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken. According to papers presented at the Usenix Security Symposium, just as surveillance cameras are sometimes hidden, the locations of the Internet sensors are kept secret. From the article: 'If the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.' A team of computer scientists from the University of Wisconsin wrote up the background in their award-winning paper titled 'Mapping Internet Sensors with Probe Response Attacks.'"

4 of 58 comments

  1. Passive scanning? by Anonymous Coward · Score: 1, Informative

    If these are used solely for detecting, rather than taking action and blocking traffic, why on earth aren't they located passively? By that I mean an ethertap, rather than having a device sat on the line that responds to traffic.
     
    That would essentially make the device invisible - all you'd then have to do is have your network of passive detectors inform you when odd traffic passes through.

    1. Re:Passive scanning? by Mnemia · Score: 2, Informative

      These are passive sensors.

      What the paper refers to is sites that publish information about network traffic they see. Some print tables with statistics and others generate graphs of network traffic levels. Their technique is basically a way to map where the passive listening points are based on the traffic reports these sites create. They strategically generate traffic which creates measurable spikes, and these show up in the reports. They use this information to determine where the listeners are.

  2. DShield Discussion by tjohns · Score: 3, Informative

    A similar article by zdnet.co.uk was brought up a few days ago on the DShield discussion list. One choice quote is from Johannes Ullrich, a member of the SANS Internet Storm Center and the developer of DShield:

    We do receive reports from about 500-700k IP addresses each day.
    Including the full list would be hard (or make for a very large worm).
    In addition, many of these IPs are dynamic, so you have to exclude
    networks rather than individual IPs.

    To put it down bluntly: If every IP is a sensor, there is nobody left to
    attack ;-)

    For those of you who don't know, DShield is precisely one of the 'early-warning sensor' networks the article is talking about.

  3. Re:Quick Summary by aussie_a · Score: 2, Informative

    "We found a way to eliminate the obscurity."

    Sorry, but I'm not seeing where the obscurity is eliminated. The entire article basically says "It's easy to make Internet Network Sensors not work by easily identifying them (can be done in a week) and then avoiding them." The only solution the article offers is:

    The threat could be diminished, both studies said, if the information in the networks' public reports was less detailed.

    Which to me is saying "If the network's public information was obscured a bit more, it'd work better." So they're saying obscurity through security would work better than the current system.
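The two threads above describe the same mechanism from opposite sides: Mnemia explains that the mapping works because deliberately generated traffic shows up as a measurable spike in a sensor network's public report, and the quoted mitigation is to make those reports less detailed. The following is an added example (not code from the article, the paper, DShield or any commenter) of what a sensor operator can do on the publishing side: coarsen the time resolution, round counts, and suppress low-volume entries before a report goes public, then check whether a given burst of extra packets still changes the published table. The report layout, the port numbers and the packet counts are all constructed for the example.

```python
"""Report sanitizer for a public sensor-network summary (added example).

Hypothetical design: the sensor network keeps exact per-port, per-hour
counts internally but publishes only coarsened figures, so that a small
burst of deliberately generated traffic does not produce a visible change
in the public table. Nothing here is taken from DShield or the paper.
"""
from collections import defaultdict

# Constructed sample input: (port, hour) -> packets seen across all sensors
# during one day. Port 31337 stands in for a normally quiet port, the kind
# whose counts a tiny burst would otherwise dominate.
RAW_COUNTS = {
    (80, 0): 48213, (80, 1): 47950, (80, 2): 49102,
    (445, 0): 120345, (445, 1): 118877, (445, 2): 121002,
    (31337, 0): 3, (31337, 1): 2, (31337, 2): 4,
}


def sanitize(counts, *, hours_per_bucket=24, round_to=1000, floor=1000):
    """Coarsen a raw report for publication.

    - merge hourly bins into buckets of `hours_per_bucket` hours
    - round every count to the nearest multiple of `round_to`
    - drop any (port, bucket) entry whose rounded count is below `floor`
    Returns a new dict keyed by (port, bucket_index).
    """
    merged = defaultdict(int)
    for (port, hour), n in counts.items():
        merged[(port, hour // hours_per_bucket)] += n
    published = {}
    for key, n in merged.items():
        rounded = round(n / round_to) * round_to
        if rounded >= floor:
            published[key] = rounded
    return published


def inject(counts, port, hour, extra):
    """Return a copy of the raw counts with `extra` packets added to one bin
    (a constructed stand-in for a burst of traffic reaching the sensors)."""
    bumped = dict(counts)
    bumped[(port, hour)] = bumped.get((port, hour), 0) + extra
    return bumped


def burst_changes_report(counts, port, hour, extra, **sanitize_kw):
    """True if adding `extra` packets to one bin alters the published report.

    This is the operator's own check: it compares what would be published
    with and without the burst, using the same sanitizer settings.
    """
    before = sanitize(counts, **sanitize_kw)
    after = sanitize(inject(counts, port, hour, extra), **sanitize_kw)
    return before != after


if __name__ == "__main__":
    # Publishing the raw hourly table: 200 extra packets on a quiet port
    # are an unmistakable spike.
    print(burst_changes_report(RAW_COUNTS, 31337, 1, 200,
                               hours_per_bucket=1, round_to=1, floor=0))
    # Publishing the coarsened table: the same burst changes nothing.
    print(burst_changes_report(RAW_COUNTS, 31337, 1, 200))
    # Caveat: coarsening raises the bar rather than removing it; a burst
    # large enough to clear the floor and the rounding step is still visible.
    print(burst_changes_report(RAW_COUNTS, 31337, 1, 5000))
    print(sanitize(RAW_COUNTS))
```

The three checks make the trade-off concrete: with the defaults, only ports 80 and 445 survive into the published table (as 145000 and 360000), the 200-packet burst on port 31337 is absorbed, but a 5000-packet burst still appears. Coarser buckets, larger rounding and a higher floor each push that visibility threshold up, at the cost of a less useful public report, which is exactly the tension the last comment is pointing at.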