Tools To Squash the Botnets

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Friday November 9, 2007 @01:12PM from the squish-squish-little-bugs dept.

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

13 of 135 comments (clear)

Min score:

Reason:

Sort:

I don't see that. by khasim · 2007-11-09 13:19 · Score: 5, Insightful

When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

The zombies can simply flood your pipeline. There are that many of them.
1. Re:I don't see that. by feepness · 2007-11-09 19:00 · Score: 4, Insightful
  
  hey chef, the tails of shrimp are not food, cut them off. No, they're not food. They're handles.
Translation: by rtechie · 2007-11-09 13:22 · Score: 4, Insightful

"Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.
So in other words... by Icarus1919 · 2007-11-09 13:23 · Score: 5, Insightful

People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?
1. Re:So in other words... by QuantumG · 2007-11-09 13:52 · Score: 4, Insightful
  
  Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.
  
  220 foo.bar.baz.MIL (Well hello there)
  EHLO so.i.say.mil
  250-foo.bar.baz.MIL offers THREE extensions:
  250-8BITMIME
  250-PIPELINING
  250 DSN
  RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
  # id
  uid=0(root) gid=0(root) groups=0(root)
  # cd /home
  # ls -l
  drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
  drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
  drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
  drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne
  
  pretty obvious that the server didn't reply to the RCPT request correctly isn't it?
  
  --
  How we know is more important than what we know.
2. Re:So in other words... by FooAtWFU · 2007-11-09 14:15 · Score: 3, Insightful
  
  Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.
  Snooping all your outbound SMTP (+etc) traffic to validate that it's conforming to a certain protocol is somewhat resource-intensive. The protocol validation would need to be very, very, very good, or it would be liable to catch all sorts of garbage: there's no shortage of slightly-wrong products out there. (It's not just Microsoft either). Not all communications that you expect to be a certain protocol actually are - and they may be some extended version of the protocol. (Watch WebDAV over HTTP.) Not all protocols are trivial to validate in this manner. Not all exploits require a breach of a certain protocol. (Watch for some of the PHP exploits that you can send in a perfectly valid HTTP POST). Not all exploits are synchronous like this one. And, finally, privacy can be an issue.
  It's not impossible, but it is hard, doubly so if you intend your product to be a good one... and the utility may be rather marginal.
  
  --
  The World Wide Web is dying. Soon, we shall have only the Internet.
See spot run. Run Spot! Run! by buss_error · 2007-11-09 13:56 · Score: 4, Insightful

Gee. Lookit this big bad threat.
Boo! Botnet! Boo!
Bad Botnet! Bad! Bad! Bad!

We can save you! We have Patented Technology!
All Hail our most Holy Precious Intellictual Property!
Hail IP! Hail! Botnet! Boo!

OK, can some one 'splain to me Lucy why this obvious and fact lacking
bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
excactly how technology that allows for 99.9 percent accuracy with zero false
positives actually works? Remember, we're talking millions of infected botnet
systems with ZERO false positives. Make millions of ANYTHING and you're going
to have a few errors here and there.

This is great if it's true, however, I'm highly skeptical without more hard
facts that this is anything other than vaporware and high hopes for an early
buyout. Gee! FOUR patents!

I'll bet I could get four patents on a process to pick my teeth with a toothpick.
Not that I think it honest, you understand...

--
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
I have an idea! by jhfry · 2007-11-09 14:05 · Score: 4, Insightful

Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user.

It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

Obviously, the user could disable all filtering if they so desired.

This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

In addition, why don't ISP's notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on thier customers machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.

--
Sometimes the best solution is to stop wasting time looking for an easy solution.
1. Re:I have an idea! by fireboy1919 · 2007-11-09 14:26 · Score: 4, Insightful
  
  Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).
  
  They could up the bandwidth and do it that way.
  
  The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.
  
  I wonder why they don't do that?
  
  --
  Mod me down and I will become more powerful than you can possibly imagine!
Let's look at this logically. by khasim · 2007-11-09 14:39 · Score: 3, Insightful

Someone who isn't going to patch his mail server is going to install this new IDS? Correctly? And keep it patched?

Now, what if the mail server is responding with a "user not found" error in a multi-line format? Does that trigger your IDS?

If not, why? Or are you going to set patterns for EVERY possible, legitimate, response so you'll be able to find the ones that don't match it?

Yeah, good luck with that. You should start working on it now. Maybe in 10 years of so you'll have caught all the possible legit patterns for everything available today.

That is why current IDS's depend so much upon the ADMINS training the IDS's to what is LEGIT traffic for their particular network.

Which yields a LOT of "false positives" in the early stages (and immediately after upgrades). But if I'm running Exim4, why should my IDS be looking for patterns of Exchange responses? Or Sendmail responses? Or anything else?

Despite what that guy claims, there is no easy way to identify the bad without having a person identify what is good.
false positives by 1u3hr · 2007-11-09 14:59 · Score: 3, Insightful

FTFAdvertisement:
Hackers have become so adept at disguising malicious traffic to look benign that security systems now generate literally thousands of false positives, which Nemean virtually eliminates. In a test comparing Nemean against a current technology on the market, both had a high detection rate of malicious signatures 99.9 percent for Nemean and 99.7 for the comparison technology. However, Nemean had zero false positives, compared to 88,000 generated by the other technology. Sure, but if his system went into use, the "hackers" would quickly adapt and it would not be any better than current systems. Lots of anti-spam ideas work fine for the originator, but when they become common enough to bother the spammers, they target them.
Unworthy article by flyingfsck · 2007-11-09 15:23 · Score: 4, Insightful

Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?

--
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Re:ISPs won't implement it anyway. by geminidomino · 2007-11-09 17:20 · Score: 3, Insightful

Why does this get posted in every story involving TCP/IP manipulation? ISPs do not and never have had common carrier status.