Slashdot Mirror


Tools To Squash the Botnets

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

18 of 135 comments

  1. I don't see that. by khasim · · Score: 5, Insightful

    When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

    The zombies can simply flood your pipeline. There are that many of them.

    1. Re:I don't see that. by Penguinshit · · Score: 4, Funny

      I thought the easiest way was to link them from a Slashdot article.

      Talk about a zombie army...

    2. Re:I don't see that. by Anonymous Coward · · Score: 5, Funny

      I couldn't RTFA. The Slashdot zombie army killed the site.

    3. Re:I don't see that. by Sentry21 · · Score: 4, Interesting

      A friend of mine is getting DoS'ed for some reason (http://whatsmyip.org/), and he couldn't figure out why, or what to do about it. I suggested scanning the apache logs and firewalling off any IPs that make too many requests, dropping the packets so the application never sees it. Looking through his logs, though, I saw something interesting - the vast majority of connections to his site were from a user-agent of 'Java 1.6' (or somesuch). Configuring Apache to ignore requests from that user-agent resulted in his site becoming responsive again - all of the 'bad' clients were Java clients. Go figure.

      I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
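    The log-scanning idea in the comment above, worked through as an added example (my code, not Sentry21's script or anything from whatsmyip.org): parse Apache combined-format lines, count requests per client IP in a sliding window, report the busiest window and the commonest User-Agent for each offender, and emit the iptables drop rules so the packets never reach Apache. The log lines, IPs, timestamps, the 60-second window and the 20-hit threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_abusers(lines, window=timedelta(seconds=60), max_hits=20):
    """Sliding-window rate check per client IP.

    Returns {ip: {"peak": hits in the busiest `window`, "top_ua": commonest User-Agent}}
    for every IP whose peak exceeds `max_hits`. Unparseable lines are skipped."""
    stamps = defaultdict(list)
    agents = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stamps[rec["ip"]].append(rec["ts"])
        agents[rec["ip"]][rec["ua"]] += 1
    abusers = {}
    for ip, ts in stamps.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:      # slide the left edge of the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            abusers[ip] = {"peak": peak, "top_ua": agents[ip].most_common(1)[0][0]}
    return abusers

def iptables_rules(abusers, port=80):
    """Drop rules for the offenders, inserted at the top of INPUT so Apache never sees the packets."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(abusers)]

def _sample_log():
    """Constructed log: a Java client hitting 40 times in 40 s, a normal browser, one corrupt line."""
    t0 = datetime(2007, 10, 25, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, ua="Java/1.6.0_02"))
    for i in range(5):
        ts = (t0 + timedelta(seconds=30 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="192.0.2.7", ts=ts, ua="Mozilla/5.0 (X11; Linux) Firefox/2.0"))
    lines.append("this line is corrupt and must be skipped")
    return lines

SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, info in find_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} hits/min, UA {info['top_ua']!r}")
    for rule in iptables_rules(find_abusers(SAMPLE_LOG)):
        print(rule)
```

    The User-Agent block the comment describes can be done in Apache 2.x with `SetEnvIf User-Agent "^Java/" badbot` followed by `Deny from env=badbot` in the relevant `<Directory>` or `<Location>`, but the User-Agent header is set by the client and trivially changed, so the rate-based rule above is the more durable of the two.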

    4. Re:I don't see that. by feepness · · Score: 4, Insightful

      hey chef, the tails of shrimp are not food, cut them off. No, they're not food. They're handles.
  2. Translation: by rtechie · · Score: 4, Insightful

    "Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

    What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.

  3. So in other words... by Icarus1919 · · Score: 5, Insightful

    People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?

    1. Re:So in other words... by QuantumG · · Score: 4, Insightful

      Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

                220 foo.bar.baz.MIL (Well hello there)
                EHLO so.i.say.mil
                250-foo.bar.baz.MIL offers THREE extensions:
                250-8BITMIME
                250-PIPELINING
                250 DSN
                RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
                # id
                uid=0(root) gid=0(root) groups=0(root)
                # cd /home
                # ls -l
                drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
                drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
                drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
                drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne

      pretty obvious that the server didn't reply to the RCPT request correctly isn't it?

      --
      How we know is more important than what we know.
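      The protocol-aware check QuantumG sketches above, as an added example (my code, not the poster's and not Nemean): a small SMTP session model that flags a client command sent out of sequence, a MAIL/RCPT argument that is not a `<path>`, and any "reply" from the server that does not fit the three-digit reply grammar. The attack transcript is a constructed reconstruction of the one in the comment, the benign transcript, host names and addresses are likewise constructed, and the state table is a deliberate simplification of the RFC 5321 ordering rules.

```python
import re

# Reply grammar (RFC 5321 section 4.2): three-digit code, then ' ' on the final line or '-' when more follow.
REPLY_RE = re.compile(r'^(?P<code>[2-5]\d\d)(?P<sep>[ -])(?P<text>.*)$')
COMMAND_RE = re.compile(r'^(?P<verb>[A-Za-z]{4})(?:\s+(?P<arg>.*))?$')
# Simplified reverse-path / forward-path argument: FROM:<...> or TO:<...>, no whitespace or brackets inside.
PATH_RE = re.compile(r'^(?:FROM|TO):\s*<[^<>\s]{0,256}>\s*$', re.I)

# Commands legal in each session state; a simplification of the ordering rules in RFC 5321 section 4.1.4.
ALLOWED = {
    "banner":       set(),                                            # server must greet first
    "init":         {"EHLO", "HELO", "NOOP", "QUIT"},
    "greeted":      {"EHLO", "HELO", "MAIL", "RSET", "NOOP", "QUIT", "VRFY"},
    "mail":         {"RCPT", "RSET", "NOOP", "QUIT"},
    "rcpt":         {"RCPT", "DATA", "RSET", "NOOP", "QUIT"},
    "data_pending": set(),                                            # waiting for the 354 reply
    "quit":         set(),
}

def inspect(transcript):
    """Walk a list of (side, line) pairs, side 'S' for server and 'C' for client.

    Returns a list of (index, reason) alerts; an empty list means the dialog conformed.
    Strict client/server alternation is deliberately NOT enforced: PIPELINING (RFC 2920)
    lets a client batch MAIL/RCPT/DATA before reading replies, and alerting on that
    would be a false positive against perfectly legitimate senders."""
    alerts = []
    state = "banner"
    for i, (side, line) in enumerate(transcript):
        if side == "S":
            m = REPLY_RE.match(line)
            if not m:
                alerts.append((i, f"server line is not an SMTP reply: {line!r}"))
                continue
            if state == "banner":
                if m["code"] != "220":
                    alerts.append((i, f"greeting code {m['code']}, expected 220"))
                state = "init"
            elif state == "data_pending":
                state = "data" if m["code"] == "354" else "greeted"
            continue
        if state == "data":                       # message body: anything goes until the lone dot
            if line == ".":
                state = "greeted"
            continue
        m = COMMAND_RE.match(line)
        verb = m["verb"].upper() if m else None
        arg = (m["arg"] or "") if m else ""
        if verb not in ALLOWED[state]:
            alerts.append((i, f"{line[:4]!r} not allowed in state {state!r}"))
            continue                              # an illegal command does not advance the state
        if verb in ("MAIL", "RCPT") and not PATH_RE.match(arg):
            alerts.append((i, f"malformed {verb} argument: {arg[:40]!r}"))
            continue
        state = {"EHLO": "greeted", "HELO": "greeted", "RSET": "greeted", "MAIL": "mail",
                 "RCPT": "rcpt", "DATA": "data_pending", "QUIT": "quit"}.get(verb, state)
    return alerts

# Constructed transcript modelled on the comment: RCPT arrives with no MAIL FROM, its argument
# is not a <path>, and what the "server" sends afterwards is a shell session, not SMTP replies.
ATTACK = [
    ("S", "220 foo.bar.baz.MIL (Well hello there)"),
    ("C", "EHLO so.i.say.mil"),
    ("S", "250-foo.bar.baz.MIL offers THREE extensions:"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250 DSN"),
    ("C", "RCPT <exploit@blah.4312&" + "A" * 64 + "!/bin/sh>"),
    ("S", "# id"),
    ("S", "uid=0(root) gid=0(root) groups=0(root)"),
    ("S", "# ls -l /home"),
]

# Constructed benign transaction that batches MAIL and RCPT before reading replies (PIPELINING).
BENIGN = [
    ("S", "220 mx.example.net ESMTP"),
    ("C", "EHLO client.example.org"),
    ("S", "250-mx.example.net"),
    ("S", "250 PIPELINING"),
    ("C", "MAIL FROM:<alice@example.org>"),
    ("C", "RCPT TO:<bob@example.net>"),
    ("S", "250 2.1.0 Ok"),
    ("S", "250 2.1.5 Ok"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "Subject: hello"),
    ("C", ""),
    ("C", "just testing"),
    ("C", "."),
    ("S", "250 2.0.0 Ok: queued"),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]

if __name__ == "__main__":
    for idx, why in inspect(ATTACK):
        print(f"line {idx}: {why}")
    print("benign alerts:", inspect(BENIGN))
```

      The first alert fires on the RCPT line itself, before any server "reply" is examined, because the command is illegal in that state; the shell output that follows then fails the reply grammar line by line. The PIPELINING caveat in the docstring is the kind of detail that separates a protocol-aware signature from a noisy one.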
  4. All it needs is just one bit. by 140Mandak262Jamuna · · Score: 4, Funny

    All packets originating from botnets must set the malicious bit to 1. That is all. Then the system is 100% foolproof.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Talk by Paul Barford by QuantumG · · Score: 5, Informative

    Title: Toward Self-directed Network Intrusion Detection and Prevention

    Abstract:

    Network attacks and intrusions have been a fact of life in the Internet
    for many years and continue to present serious challenges for network
    researchers and operators alike. The objective of our work is to develop
    tools and systems that automate or otherwise enhance key activities of
    network security analysts. In the first part of this talk, I will describe
    our malicious traffic assessment activities using our Internet Sink
    (iSink) system for dark address space monitoring. iSink is a highly
    scalable system that includes both passive packet capture and a set of
    stateless active responders that enable details of exploits to be
    captured. Our results illustrate the variability in the traffic on dark
    address space and the feasibility of efficient classification of attack
    types. I will also describe how data from dark address space monitors can
    be used to provide near real time network "situational awareness" for
    security analysts. iSink data is also the basis for our Nemean system that
    automatically synthesizes signatures for intrusion detection. Unlike
    standard intrusion signatures, Nemean's signatures are protocol aware
    which we show greatly enhances their resilience to false alarms. I will
    describe Nemean, and conclude with a brief description of our current
    activities in adapting Nemean into a real time intrusion prevention
    system.

    Where: Grad. Lounge

    When: Thursday 27th Oct 2005 11 am.

    2 years from lab to startup, not bad dude.

    --
    How we know is more important than what we know.
  6. See spot run. Run Spot! Run! by buss_error · · Score: 4, Insightful

    Gee. Lookit this big bad threat.
    Boo! Botnet! Boo!
    Bad Botnet! Bad! Bad! Bad!

    We can save you! We have Patented Technology!
    All Hail our most Holy Precious Intellectual Property!
    Hail IP! Hail! Botnet! Boo!

    OK, can some one 'splain to me Lucy why this obvious and fact lacking
    bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
    exactly how technology that allows for 99.9 percent accuracy with zero false
    positives actually works? Remember, we're talking millions of infected botnet
    systems with ZERO false positives. Make millions of ANYTHING and you're going
    to have a few errors here and there.

    This is great if it's true, however, I'm highly skeptical without more hard
    facts that this is anything other than vaporware and high hopes for an early
    buyout. Gee! FOUR patents!

    I'll bet I could get four patents on a process to pick my teeth with a toothpick.
    Not that I think it honest, you understand...

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  7. I have an idea! by jhfry · · Score: 4, Insightful

    Why don't ISPs implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user.

    It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

    Obviously, the user could disable all filtering if they so desired.

    This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

    In addition, why don't ISPs notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

    I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on their customers' machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
    1. Re:I have an idea! by fireboy1919 · · Score: 4, Insightful

      Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).

      They could up the bandwidth and do it that way.

      The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

      I wonder why they don't do that?

      --
      Mod me down and I will become more powerful than you can possibly imagine!
  8. Not only that, but there are NO details. by khasim · · Score: 4, Interesting

    I can accept an ad that describes the advances. This article says NOTHING.

    And the claims he is making do NOT fit with how machines are infected or how the zombies are used.

    Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.

    They include patterns for known exploits ... but there are an almost infinite number of patterns for exploits.

    But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.

    Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.

    I'm thinking "snake oil" here.

    1. Re:Not only that, but there are NO details. by skoaldipper · · Score: 5, Funny

      A huckster in our midst? Let's see.

      "Botnets represent a convergence of all of the other threats that have existed for some time,"
      Scared of rickets? You, sir. Step right up here.

      One of the most menacing aspects of botnets is that they can go largely undetected by the owner of a personal computer.
      Folks, you might not feel sick today, but that's no guarantee you won't feel sick tomorrow.

      Nemean is based on four distinct patents that are either filed or are in process with the Wisconsin Alumni Research Foundation (WARF).
      No matter what ails ya, Professor Nemean's original, medicinal, remedial, compound elixir is patented and irrevocably guaranteed to...

      The innovation with Nemean is a method to automatically generate intrusion signatures, making the detection process faster and more precise.
      boost your bends, target your temperature, and positively palliate your particulars. Yes, folks...

      "The technology we're developing here really has the potential to transform the face of network security,"
      this age-defying, mystifying, wiz bang fandangle will cure everything from flakey skin to original sin.

      Only two bits a bottle. Worth a dollar a drop! Step right up! Step right up!
      --
      I hope, when they die, cartoon characters have to answer for their sins.
  9. Ahoy! Press release! by martin-boundary · · Score: 4, Interesting

    Where does Roland Piquepaille find all these contentless press releases? No facts, no explanations, pie-in-the-sky false positive claims, unnamed competitor systems...

    Does he think slashdot readers don't read the article or something?

  10. BotHunter, anyone? by AgentPhunk · · Score: 4, Informative

    A free/open-source tool called BotHunter has been available for a while now. Sounds like maybe the guy in TFA is just going to copy and sell their ideas.

    http://www.cyber-ta.org/releases/botHunter/

    From the site: BotHunter(TM) is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunter(TM) is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

    There's also a great PDF available showing a full dissection of a Storm variant.
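    Two ideas in this thread share one mechanism: jhfry's "we are seeing IRC traffic on your connection, you have never used IRC in the past" notification (comment 7) is a per-host baseline of destination ports, and the dialog correlation quoted from the BotHunter site above is that same kind of outbound evidence tied back to an inbound alarm against the same host. The toy below is an added example, my code and not BotHunter's engine or anything from its site; the stage names are mine, not BotHunter's published infection model, and the flow records, alarms, hosts, ports, signature text and thresholds are all constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# Outbound flow summaries (src is the inside host that opened the connection) and inbound IDS alarms.
Flow = namedtuple("Flow", "ts src dst dport")
Alarm = namedtuple("Alarm", "ts target sig")

def baseline_ports(flows, until):
    """Per-host set of destination ports used before `until`: the customer's normal profile."""
    ports = defaultdict(set)
    for f in flows:
        if f.ts < until:
            ports[f.src].add(f.dport)
    return ports

def novel_port_flows(flows, baseline, since):
    """Flows after `since` to a port the host never used before (the ISP 'you never used IRC' mail)."""
    return [f for f in flows if f.ts >= since and f.dport not in baseline[f.src]]

def correlate(alarms, flows, baseline, window=timedelta(minutes=10), scan_min=10, min_stages=2):
    """Tie each inbound alarm to what the targeted host did next within `window`.

    Stages collected per alarm: the alarm itself, outbound connections to ports outside the
    host's baseline (C&C or payload fetch), and fan-out to many peers on one port (propagation).
    A report is produced only when at least `min_stages` line up, so a lone alarm stays quiet."""
    reports = []
    for a in alarms:
        later = [f for f in flows if f.src == a.target and a.ts <= f.ts <= a.ts + window]
        stages = {"inbound_exploit": [a.sig]}
        novel = sorted({f.dport for f in later if f.dport not in baseline[a.target]})
        if novel:
            stages["new_outbound_port"] = novel
        peers = defaultdict(set)
        for f in later:
            peers[f.dport].add(f.dst)
        scan = {p: len(d) for p, d in peers.items() if len(d) >= scan_min}
        if scan:
            stages["outbound_scan"] = scan
        if len(stages) >= min_stages:
            reports.append({"host": a.target, "alarm_ts": a.ts, "stages": stages})
    return reports

# Constructed data: two inside hosts with a week of plain web traffic, then one alarm against each.
# 10.1.1.20 goes on to contact an IRC port and fan out on 445; 10.1.1.30 just keeps browsing.
T0 = datetime(2007, 10, 25, 9, 0, tzinfo=timezone.utc)

def _sample_flows():
    flows = []
    for host in ("10.1.1.20", "10.1.1.30"):
        for d in range(7):
            for port in (80, 443):
                flows.append(Flow(T0 - timedelta(days=d + 1), host, "203.0.113.10", port))
    flows.append(Flow(T0 + timedelta(minutes=6), "10.1.1.20", "198.51.100.9", 6667))
    for i in range(12):
        flows.append(Flow(T0 + timedelta(minutes=7, seconds=i), "10.1.1.20", f"10.1.2.{i + 1}", 445))
    flows.append(Flow(T0 + timedelta(minutes=6), "10.1.1.30", "203.0.113.10", 80))
    return flows

FLOWS = _sample_flows()
ALARMS = [
    Alarm(T0 + timedelta(minutes=5), "10.1.1.20", "constructed-sig: SMTP RCPT overflow attempt"),
    Alarm(T0 + timedelta(minutes=5), "10.1.1.30", "constructed-sig: SMTP RCPT overflow attempt"),
]

if __name__ == "__main__":
    base = baseline_ports(FLOWS, T0)
    for f in novel_port_flows(FLOWS, base, T0):
        print(f"{f.src} used port {f.dport} for the first time at {f.ts:%H:%M:%S}")
    for r in correlate(ALARMS, FLOWS, base):
        print(r["host"], "infected:", r["stages"])
```

    Both hosts receive the same inbound alarm; only the one whose subsequent outbound behaviour departs from its own baseline is reported. That is the whole argument for correlating dialogs rather than alerting on single signatures, and it is also why khasim's point above about knowing your own legitimate traffic matters: without the baseline there is nothing to depart from.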

  11. Unworthy article by flyingfsck · · Score: 4, Insightful

    Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!