Slashdot Mirror


Tools To Squash the Botnets

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

5 of 135 comments

  1. commercially. by memnock · Score: 3, Interesting

    if the botnet thing is that serious, wouldn't it be a better solution if it was free?

    i'm not trying to say it HAS TO be free. hell, most of the people that have compromised machines won't know they need the software and where to get it, free or commercial or whatever. just kind of wondering out loud is all.

  2. Not only that, but there are NO details. by khasim · Score: 4, Interesting

    I can accept an ad that describes the advances. This article says NOTHING.

    And the claims he is making do NOT fit with how machines are infected or how the zombies are used.

    Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.

    They include patterns for known exploits ... but there are an almost infinite number of patterns for exploits.

    But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.

    Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.

    I'm thinking "snake oil" here.

  3. Ahoy! Press release! by martin-boundary · Score: 4, Interesting

    Where does Roland Piquepaille find all these contentless press releases? No facts, no explanations, pie-in-the-sky false positive claims, unnamed competitor systems...

    Does he think slashdot readers don't read the article or something?

  4. Re:I don't see that. by Sentry21 · Score: 4, Interesting

    A friend of mine is getting DoS'ed for some reason (http://whatsmyip.org/), and he couldn't figure out why, or what to do about it. I suggested scanning the apache logs and firewalling off any IPs that make too many requests, dropping the packets so the application never sees it. Looking through his logs, though, I saw something interesting - the vast majority of connections to his site were from a user-agent of 'Java 1.6' (or somesuch). Configuring Apache to ignore requests from that user-agent resulted in his site becoming responsive again - all of the 'bad' clients were Java clients. Go figure.

    I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
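The triage Sentry21 describes (read the Apache access log, count requests per client, notice that one user-agent dominates, then decide what to firewall) is easy to reproduce on a defender's own logs. The script below is an added example, not code from the poster or from the site mentioned in the thread. It parses Apache combined-log lines, counts requests per IP both in total and per minute, reports what share of traffic comes from a given user-agent prefix, and emits candidate `iptables` DROP rules for review rather than applying them. The log lines, IP addresses, the `Java/1.6` user-agent string and the threshold of 3 requests per minute are all constructed for the example; the `iptables` rule syntax is the standard one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format. The addresses are
# documentation ranges and the traffic pattern is invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2007:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.5 - - [10/Nov/2007:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.5 - - [10/Nov/2007:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.5 - - [10/Nov/2007:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.6 - - [10/Nov/2007:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.6 - - [10/Nov/2007:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.6 - - [10/Nov/2007:12:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
198.51.100.7 - - [10/Nov/2007:12:00:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20070914 Firefox/2.0.0.7"
198.51.100.7 - - [10/Nov/2007:12:01:30 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20070914 Firefox/2.0.0.7"
192.0.2.9 - - [10/Nov/2007:12:01:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_01"
"""

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per line that matches the combined log format; skip junk lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def requests_per_ip(entries):
    """Total request count per client address over the whole sample."""
    return Counter(e["ip"] for e in entries)


def user_agent_share(entries, prefix):
    """Fraction of all requests whose user-agent starts with `prefix` (e.g. 'Java')."""
    total = len(entries)
    hits = sum(1 for e in entries if e["ua"].startswith(prefix))
    return hits / total if total else 0.0


def noisy_ips(entries, per_minute_threshold):
    """Addresses that sent at least `per_minute_threshold` requests within any one minute.

    Rate, not raw total, is what 'too many requests' should mean: an address with
    many requests spread over a day is not the same as one hammering the site.
    The minute bucket is the timestamp up to the minute, e.g. '10/Nov/2007:12:00'.
    """
    per_minute = defaultdict(Counter)
    for e in entries:
        minute = e["ts"][:17]
        per_minute[e["ip"]][minute] += 1
    return sorted(ip for ip, buckets in per_minute.items()
                  if max(buckets.values()) >= per_minute_threshold)


def iptables_rules(ips, port=80):
    """Render DROP rules for an operator to review; this function never runs them."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("requests per IP:", dict(requests_per_ip(entries)))
    print("share of Java user-agents:", user_agent_share(entries, "Java"))
    flagged = noisy_ips(entries, per_minute_threshold=3)
    print("rate-limit candidates:", flagged)
    for rule in iptables_rules(flagged):
        print(rule)
```

On the constructed sample, 80% of requests carry a Java user-agent, which is the kind of skew the poster noticed, but only one address exceeds three requests in a single minute, so the rate-based rule flags less than a plain per-IP total would. Blocking on user-agent alone, as the comment describes, is a blunt instrument: the string is client-chosen, and legitimate Java-based clients are silenced along with the abusive ones, which is why the per-address rate is the better basis for a firewall rule.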

  5. Re:I don't see that. by sumdumass · Score: 3, Interesting

    It probably means that there is some Java app that, as part of its workings, checks against whatismyip to determine an actual IP addressable from the public. That is somewhat of an issue with a useful site like that. People tend to take it for granted and end up writing programs assuming they have the ability to access it and that the site could handle any of the traffic. D-Link and a few of the home router manufacturers were defaulting their NTP clients to one server and in effect DDoS'd that server when those routers started selling like hotcakes.

    It could be some request error that, instead of checking once a day, ends up checking once every five minutes or something of the sort. It is likely something along the lines of the gaming community that is supposed to help gamers connect to each other through firewalls. I have seen a Java app that does this but don't remember the name.