Recruiting Friendly Botnets To Counter Bad Botnets
holy_calamity writes "New Scientist reports on a University of Washington project aiming to marshal swarms of 'good' computers to take on botnets. Their approach — called Phalanx — uses its distributed network to shield a server from DDoS attacks. Instead of that server being accessed directly, all information must pass through the swarm of 'mailbox' computers, which are swapped around randomly and only pass on information to the shielded server when it requests it. Initially the researchers propose using the servers in networks such as Akamai as mailboxes; ultimately they would like to piggyback the good-botnet functionality onto BitTorrent."
Yeah, just let the ISPs bring your site to its knees instead of the botnets.
Ah yes. So now not only do Comcast and company want to throttle my torrents, but now these yahoos want to press my computer into their vigilante posse?
Do these guys, possibly actually WORK for Comcast and are out looking for ways to make every ISP in the world, and possibly governments as well, ban torrents?
NO!
NO NO NO NO!
However you slice it, even if this "friendly" botnet is performing some beneficial task (such as kacking a bad botnet that's infected my machine), it's STILL bad!
It's accessing and carrying out tasks on my machine without my express permission.
HELL FUCKING NO!
This is NOT a "lesser of two evils" choice here. BOTH choices (malicious botnet or "beneficial" botnet) are evil, PERIOD!
Chas - The one, the only.
THANK GOD!!!
I've always wondered why botnets always seemed to be created by black hats. I think it'd be cool to have a competition where some whitehats try to exploit a vulnerability in some software in order to patch it FROM that vulnerability.
Even if it just forced a Windows update, it'd still be quite useful, but it seems nobody with the skills to pull off such a feat can be bothered to do it.
Surely there's some benign genius out there who could exploit an existing botnet to send it a shutdown command, rather akin to how Captain Picard defeated the Borg after he was captured by them, once again proving that Star Trek has given us great insight into the future and, of course, that Picard is better than Kirk will ever be?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Tell that to the victims of a botnet that don't even know what a botnet is.
The researchers are so ignorant of history. All the malware writers have to do is to create a Legion botnet. The Legion defeats a Phalanx every time.
At least watching this in action would be cooler than playing Rome: Total War.
I totally agree. Plus it would be eating up my bandwidth and CPU; not by much, but over time it will be huge.
can beat up your botnet
Uhm, hyperventilating much? This is /. after all and we don't need to RTFA, but please at least cut down the unwarranted profanity. FTA:
"Rather than using an ill-gotten botnet, Phalanx would use the large networks of computers which companies currently use to serve massive amounts of content," says team member Colin Dixon.
Flame where warranted, but please, please, don't rely on /. summaries to form your opinion. *sigh*.
The grass is always greener on the other side of the light cone.
If someone was willing to pay me to use my computer processor (not hard drive) for scheduled shifts when I knew I wasn't going to be using it other than downloading torrents or compiling Gentoo (and my ISP didn't mind me actually using their bandwidth), I'd think about it. I'd probably say no, but I'd still think about it.
The opinions expressed in this post are not necessarily those of my brain.
Did you even read the summary?
It's not an offense, it's a defense. A protected server has all traffic routed to members of a large cluster of helper machines (the "good botnet"). The protected server then contacts and collects the content as it is able. Instead of a DDOS attack being able to shovel data down on the target, the data is distributed to the cluster of helper machines. The recipient server then deals with the traffic at a pace it is able.
The article is short, but it kind of sounds like each node in the "good botnet" is serving as a sort of per-connection proxy to the destination server.
Maybe that clarifies things a bit?
They are NOT talking about "accessing and carrying out tasks on my machine without my express permission."
The problem with this approach is not that they 'take over' your machine (by consent).
This is just a treatment of the symptom. The cure would be to sanitize and shield luser computers from zombie recruitment.
Patents Drive Free Software as Hurricanes Drive Construction Industry
First person to make a "good" BotNet where you can join and get protection for a low, low monthly subscription, makes a killing.
BotNets are obviously the only way to fight BotNets.
My blog
Like Seti@Home or Folding@home? We could have people sign up and join the Phalanx network. Or create a similar "open" network? People could then sign up for the service. I guess you could make it to where when you sign up, your computer becomes part of the network, and is also protected by the network. I don't know how feasible this is... just throwing out ideas.
Vivin Suresh Paliath
http://vivin.net
I like
You know, this could be a pretty exciting movie plot.
Or at least an episode of Battlestar: Galactica or something.
Freedom isn't free; its price is the well-being of others.
The first rule of botnets club is you don't talk about botnets club.
Hey, so couldn't the evil hackers figure out there was a computer it was going through to get to the main one, compromise it and get the list of good botnets from that one? Then just monitor all the bots and when they switch, you switch as well. I don't think you could avoid a DDoS with just your own botnet, if that's the goal.
by your friendly neighborhood botnet.
alias possession='chmod 666 satan && ls'
Or would this be more of the Matrix?
Guns are for wimps... Use a crossbow.. this way you can pin them to their chair when you go postal.
Aww, reminds me of the days when, if you tried to probe a bot server, it tried to launch a DoS attack on you. Had many hours of fun spoofing an nmap of a bot server's IP and watching the servers take each other out... man, I laughed for days watching bots attack each other... ah, the good ol' days.
Ok, now that I read it, it doesn't work like this, but the botnets could still get around it. For their little "computational puzzle" they would just need to know what kind of puzzle or list of puzzles, and the botnet could have them already solved when it's time to ping like crazy. As for letting the machine work at its own pace, it may still be able to serve info out, but only in response to that which is getting in, which will still be more than it can handle. I guess you could elect to just empty buffers on all incoming botnet shields, but it would accomplish the same thing as a DDoS, as valid transactions still wouldn't be able to happen. I say not impressive, unless I'm understanding it completely wrong.
But no one has pointed at this portion: "ultimately they would like to piggyback the good-botnet functionality onto BitTorrent"
In other words, no they can not use my computer to run their botnet. I don't even let my computer play with the other botnets.
"Trust that little voice in your head that says 'Wouldn't it be interesting if...' and then do it." - Duane Michals
1) How do you detect a DDoS attack?
2) Once you detect it, wouldn't it be easier to propagate a request up your stream asking it to cut off incoming traffic from X?
For example, if I (somehow) know the IPs of people that are part of the DDoS attack, I'd send them up to my provider, and he would send it up to his upstream provider, etc until the traffic gets cut off as close as possible to the source. Everyone saves a lot of traffic and we're all happy, no?
Using another botnet to send puzzles to the first botnet before it is allowed to access the main server works on a small scale. But think about it this way: if you have two networks sending massive amounts of useless data across the interweb, the ordinary users (whether they are members of a botnet or not) will suffer. Network traffic will slow to a crawl globally (I suspect it already has due to botnet activity). This will result in a MAD scenario reminiscent of the Cold War. Global network traffic will become nothing but noise.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Oh dear. We've figured out how to provide an electronic resource in a distributed manner.
Now let's call the bloody thing a botnet and get a paper out!
Neat. I like it.
Sweet! It's about time we started seeing science fiction come to life and a battle of botnets appears to be the beginning. It's machine vs. machine.
In my left corner, weighing in at 987 KB and fighting out of Unknown, US, we have Storm "the bully" botnet!
And in my right corner, weighing in at 354 KB and fighting out of Seattle, Washington, we have Phalanx "the quicker picker upper" botnet!
Ok, let's have a clean fight. No funny stuff. Touch gloves and come out fighting.
Further reading: http://www.people.frisk-software.com/~bontchev/papers/goodvir.html
FreeBSD for the impatient.
The problem here is computers that can easily be taken over. ALL of those computers are running Windows. Almost all of those Windows systems are at home, default security setup.
Security cannot be added on or patched in after the OS is implemented, so fixing Windows to be secure is completely hopeless.
Spend your time making it easy for individuals to stop using Windows, not doing elaborate systems to counter a symptom of the problem.
From TFA, it looks like Akamai or CoralCDN with HashCash and endpoint-initiated throttling.
Nice, but I'm failing to see where the "bots" are in this net.
... look forward to Battlebotnets.
"Let's face it, it's a good story. Accuracy would kill it."
Americans always try to over-engineer solutions. Just look at how the Russians handle it. Have a problem with a spammer? A man, a gun, and one bullet later, problem solved. Fancy counter-botnets? Nyet, comrade. Now let me tell you how it goes for journalists in Putinist Russia...
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Just because you're taken over by a Good BotNet instead of an Evil one, that doesn't mean that it's a good thing in the grand scheme of things.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
If your server is hit by a DDoS, the pipe is full of malicious traffic, leaving no room for the good traffic. If this is the case, how are you supposed to communicate with your "good botnet"? Is there a step I'm missing in all this? Do protected servers require a second "secret" connection to the Internet, using a completely separate provider?
ON DELETE CASCADE
If you have two networks sending massive amounts of useless data across the interweb.
They're called Facebook and MySpace.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
So maybe I'm just misreading the article, but it sounds like: requests go to the mailbox server, when the "protected" server is ready to handle requests it talks to a random mailbox, and then sends a response. So the way I read that, you request a page/info/whatever and then sit at the mailbox waiting for a response. That seems like a lot of inefficiency/lost time just sitting there... If you've already got all these servers sitting here, how is this complicated clustered mailbox defense system better than just turning these servers into a distributed server farm? If you're already using all these extra servers why not just use them as mirrors for your content in the first place... Can someone enlighten me as to what I'm missing here?
Rule 11 lives? OMG, the system might start working.
It's not a botnet, but if they hadn't inappropriately used that buzz word, would we be talking about it?
It's frustrating the way our terminology continues to get diluted to where everything becomes ambiguous because you must assume that the majority of the people out there don't know the meanings of the words.
A good off-topic example is "stereotype, bigotry, and racism": though related, these three are distinct, but everything is now just rolled up into racism. This makes it difficult to express that a person holds the particularly nasty belief that a certain race is genetically inferior to others.
The only stable state is the one in which all men are equal before the
It seems like their behavior can be pretty easily identified.
Why don't ISPs just block all ports but 80 and all traffic there except for standard HTTP--leave a little notice saying that they are restricted until they get their shit together? I'd even volunteer part-time to join a crew to help people fix their computer and get back online.
All you'd really have to do is find one machine under a DDOS and log as many unique IPs as possible, then start flicking switches.
I mean, they are already identifying BitTorrent traffic and treating that differently; is this really reaching that much further?...
So much for slashdotting a website
You still have to have a server or servers somewhere which still have to serve content. This system would require changes to the client, breaking backward compatibility and limiting access. Their idea of using hashcash-style computational sacrifice will be ineffective against large botnets with massive total computational power but will effectively block any form of crawling/spidering service. If they have no other means of distinguishing between real clients and attackers then this will not work anyway; the server still has to serve the content on request.
For goodness' sake, get real! What we need are (1) better on-demand computing grids, (2) better infrastructure and (3) people able and licenced to attack computers participating in a botnet to shut it down. If a person is allowing a criminal to use their computer then I would regard it as ethically appropriate to mount an offensive defence to prevent that computer from carrying out criminal actions.
This is similar to what good bacteria and viruses in our bodies are doing to the bad bacteria and viruses. If the good are winning we are well and alive, but if the bad are winning we are sick and dying.
However, we need to learn the lesson from Blue Security, which counteracted spam with its "unsubscribe" messages. Bad guys have a lot up their sleeves, so we need to be careful and have fallback plans before we go after these bad bots.
http://www.securityfocus.com/news/11392
http://en.wikipedia.org/wiki/Blue_Frog
Should have called it Wetlands. When a Storm (or Kraken) sends a surge of water your way, it's the wetlands that absorb it and protect the town. Much more appropriate than Phalanx.
did somebody just use "whatcouldpossiblygowrong" where appropriate? ZOMG!
I'd have to opine that this system is flawed in concept, using both a dedicated swarm and especially a P2P-volunteer swarm. In the case of the volunteer swarm it would be fairly trivial for an attacker to join the swarm, discover the address of the central server and any keys needed to access it, and bypass the swarm to attack directly. However, even if the swarm were composed of dedicated machines, all that would be necessary would be to craft a seemingly-legitimate access request, and flood the central server with forwarded requests. This would tend to be worse than a direct attack due to a limited capability of forwarding attack information between peers in the swarm; a botnet member could make several access requests through each peer in the protecting swarm before it was detected and locked out; any attempt to improve the performance would require bandwidth usage within the swarm that increased exponentially with the number of peers in the swarm. A server that was attacked directly could at least quickly discover the source and filter it.
Similar to the mental cripple that unfortunately decided to call a distributed service a "good botnet". Because of that we are discussing a bad analogy instead of the actual idea.
It seems to me that passing all incoming connections through a distributed proxy network and having the server request connections at the rate it can handle them doesn't solve the problem. It's still going to prevent or cause severe delay for the majority of legitimate users accessing the site if the vast majority of requests are coming from bots.
The server is still effectively DoS'd, it just isn't consuming the same level of resources that it otherwise would.
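The mailbox-and-pull mechanism described earlier in the thread (helpers hold requests, the origin pulls at its own pace, clients pay a hashcash-style puzzle) and this comment's objection to it, modelled in one added example that is not Phalanx's own code. The puzzle difficulty, the random-pull policy and the request counts are constructed assumptions; the model measures how many legitimate requests reach the server when bots, who can solve puzzles too, dominate the queues.

```python
import hashlib
import random
from collections import deque

# Added illustration, not Phalanx code: clients deposit requests in random
# "mailbox" nodes; the origin server pulls at a fixed rate instead of receiving pushes.
PUZZLE_BITS = 8  # assumed difficulty: ~256 hash trials per request


def check_puzzle(nonce: str, counter: int) -> bool:
    """True if sha256(nonce:counter) begins with PUZZLE_BITS zero bits."""
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - PUZZLE_BITS) == 0


def solve_puzzle(nonce: str) -> int:
    """Brute-force the smallest counter that satisfies the puzzle."""
    counter = 0
    while not check_puzzle(nonce, counter):
        counter += 1
    return counter


class Mailbox:
    """One swarm node: verifies the puzzle, then holds the request until pulled."""

    def __init__(self) -> None:
        self.queue: deque = deque()

    def deposit(self, nonce: str, counter: int, kind: str) -> bool:
        if not check_puzzle(nonce, counter):
            return False  # unpaid request is dropped at the edge, never reaches origin
        self.queue.append(kind)
        return True


def simulate(n_mailboxes, n_legit, n_bot, server_rate, rounds, seed=0):
    """Return (served counts by kind, requests still waiting in mailboxes)."""
    rng = random.Random(seed)
    mailboxes = [Mailbox() for _ in range(n_mailboxes)]
    kinds = ["legit"] * n_legit + ["bot"] * n_bot
    rng.shuffle(kinds)
    for i, kind in enumerate(kinds):
        nonce = f"req-{i}"  # constructed request id
        # Bots solve puzzles like anyone else: the puzzle meters, it does not distinguish.
        rng.choice(mailboxes).deposit(nonce, solve_puzzle(nonce), kind)
    served = {"legit": 0, "bot": 0}
    for _ in range(rounds):
        # Origin intake is bounded by server_rate per round regardless of flood size;
        # that bound is what the design buys. Everything else waits in the mailboxes.
        for _ in range(server_rate):
            loaded = [m for m in mailboxes if m.queue]
            if not loaded:
                break
            served[rng.choice(loaded).queue.popleft()] += 1
    pending = sum(len(m.queue) for m in mailboxes)
    return served, pending
```

With 20 legitimate and 180 bot requests and a server that pulls 50 in total, the origin is never overloaded, yet most of its 50 slots go to bots and the remaining requests, legitimate ones included, sit in the mailboxes.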
So you make a cluster and a load balancer and call it a bot net? A bit tacky.
LISA
But isn't that a bit short-sighted? What happens when we're overrun by lizards?
SKINNER
No problem. We simply unleash wave after wave of Chinese needle snakes. They'll wipe out the lizards.
LISA
But aren't the snakes even worse?
SKINNER
Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
LISA
But then we're stuck with gorillas!
SKINNER
No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
Life is just nature's way of keeping meat fresh.
But a botnet is only a botnet if it grows in size, hence the person's initial reaction to hearing of a "GOOD" botnet, sort of like saying a gentle pedophile..
I don't see how this helps. The 'recipient server' will still not be able to keep pace with traffic and a large number of customers will have their access to the service denied. How is this really different than the typical response to a DDOS attack?
Also, it's pretty standard to throw up a load-balancing routing layer between clients and servers, so it's not like this is a new concept.
The whole point of a "distributed Denial of Service" is ... wait for it... Denial of Service. It doesn't matter if the bottleneck is shifted. If the server can't handle the traffic, then my request won't be serviced.
So the phalanx stands in front of the server and only hands it as many requests as the server can handle. My request is still sitting behind a huge queue.
Which does no good for anyone.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Even good SkyNet, er, I mean, botnets, could become self aware and attack us.
Synopsis: Corporations can use parts of their networks as gatekeepers using technology similar to botnets to validate and forward requests to the server, weeding-out bad requests. If it works, the implications could be that home users could possibly volunteer to take part in similar shields (and maybe form bulkheads between some routers?) in order to stop botnet traffic on a larger scale. This isn't about exploiting folks' machines to create an anti-botnet botnet.
Along the same lines of what this proposes for DDoS attacks, Blue Security had their ill-fated Blue Frog opt-in distributed solution that combated spam and disrupted the commercial operations of spammers. And it was only ill-fated because it apparently worked too well and made spammers turn their botnets against Blue Security in an attempt to kill the service, which resulted in that massive DDoS that disrupted Six Apart (because they were on the same host or used the same nameservers) for a few days too. If users don't take the initiative in enforcing some sort of order on the lawless internet, then it will continue to be a cesspool of spam, DDoS attacks, and the other malicious usages of botnets.
It's clearly not the best paper I've ever read. The assumption is not at all modest. It says that the Swarm capability exceeds that of the botnet. Well, consider how many ISPs must be gathered to defend against Storm. First of all, ISPs are always known for not liking each other very much. Unless there is an international treaty, for me it's very difficult to gather enough ISPs to defend against a large botnet such as Storm. Secondly, it sometimes mentions using BitTorrent and relying on normal PCs instead of ISPs. You must have a greater number of such innocent machines than the number of machines in the botnet. Notice I said "innocent" machines here. Now another fundamental question is how to make sure the machines in such systems are free of malware themselves.