Tools To Squash the Botnets

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

I don't see that.

[khasim]

When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

The zombies can simply flood your pipeline. There are that many of them.

Re:I don't see that.

[feepness]

hey chef, the tails of shrimp are not food, cut them off. No, they're not food. They're handles.

Translation:

[rtechie]

"Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.

So in other words...

[Icarus1919]

People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?

Re:So in other words...

[QuantumG]

Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

          220 foo.bar.baz.MIL (Well hello there)
          EHLO so.i.say.mil
          250-foo.bar.baz.MIL offers THREE extensions:
          250-8BITMIME
          250-PIPELINING
          250 DSN
          RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
          # id
          uid=0(root) gid=0(root) groups=0(root)
          # cd /home
          # ls -l
          drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
          drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
          drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
          drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne

pretty obvious that the server didn't reply to the RCPT request correctly isn't it?

See spot run. Run Spot! Run!

[buss_error]

Gee. Lookit this big bad threat.
Boo! Botnet! Boo!
Bad Botnet! Bad! Bad! Bad!

We can save you! We have Patented Technology!
All Hail our most Holy Precious Intellictual Property!
Hail IP! Hail! Botnet! Boo!

OK, can some one 'splain to me Lucy why this obvious and fact lacking
bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
excactly how technology that allows for 99.9 percent accuracy with zero false
positives actually works? Remember, we're talking millions of infected botnet
systems with ZERO false positives. Make millions of ANYTHING and you're going
to have a few errors here and there.

This is great if it's true, however, I'm highly skeptical without more hard
facts that this is anything other than vaporware and high hopes for an early
buyout. Gee! FOUR patents!

I'll bet I could get four patents on a process to pick my teeth with a toothpick.
Not that I think it honest, you understand...

I have an idea!

[jhfry]

Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user.

It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

Obviously, the user could disable all filtering if they so desired.

This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

In addition, why don't ISP's notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on thier customers machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.

Re:I have an idea!

[fireboy1919]

Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).

They could up the bandwidth and do it that way.

The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

I wonder why they don't do that?

Unworthy article

[flyingfsck]

Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?