Visual DDoS Representation and Its Ramifications

winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."
  • Neat! (Score:5, Interesting)

    by failure-man ( 870605 ) <failureman@gmFREEBSDail.com minus bsd> on Sunday May 29, 2005 @12:30AM (#12668103)
    Can it build a map for a /.ing?

    Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.
  • by guyfromindia ( 812078 ) on Sunday May 29, 2005 @12:38AM (#12668142) Homepage
    From TFA, Overall, Europe has the most zombie infested networks ranking over the United States.
    Considering the PC usage in the United States versus Europe, it is really surprising that most zombie-infested networks are in Europe... Is it because people in the US are better at defending their PCs than Europeans...? (comparatively speaking)
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday May 29, 2005 @12:51AM (#12668200)
    From TFA:
    The primary attack of choice in the first half of 2005 was an advanced full connection based flood. This particular attack exposes the real IP address of the attacking bot/zombie, however, the sheer number of IP addresses that must be blacklisted places overwhelming load on mitigation hardware, ACLs, and web services farms.
    Okay, so you have the IP address of a cracked machine ...

    From that, you can find the ISP ...

    From that, you can find the machine ...

    From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

    Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

  • This story reminds me of the Spinning Cube of Potential Doom.
    http://developers.slashdot.org/developers/04/06/01/1747223.shtml [slashdot.org]

    It seems the source for this is still unavailable.
    Does anyone know where to get binaries or a similar program?

    The concept is fantastic and would certainly help in security.
    Although, I'd prefer to have a text version similar to how Nethack displays in text mode.

    Call me old school, can't shake my affinity for text only Linux. :P
  • I still wonder... (Score:2, Interesting)

    by game kid ( 805301 ) on Sunday May 29, 2005 @01:05AM (#12668245) Homepage
    ...which exact people/bots do the most requests.

    Servers should get the IPs that do the most of said refreshing, and create a public Most Likely IPs To Slashdot Your Server(TM) list, so other web servers can restrict traffic a bit to them (maybe serve their pages after casual readers get them?). It's either that or sticking with no one seeing the page for a while as usual, after every hot topic...or something like that. (Of course, IPs can and often are dynamic, in which case I have no clue for a plan-B.)
  • by plover ( 150551 ) * on Sunday May 29, 2005 @01:20AM (#12668301) Homepage Journal
    Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.

    I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.

    Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.

  • Re:Do the numbers... (Score:2, Interesting)

    by DrSkwid ( 118965 ) on Sunday May 29, 2005 @05:31AM (#12668864) Journal
    Botnets used to be found mostly on infected Red Hat and Solaris boxes infected by trinoo [washington.edu]

  • by Isomer ( 48061 ) on Sunday May 29, 2005 @06:57AM (#12669049) Homepage
    The WAND visualisation (lovingly called BSOD by the people who use it) is very interesting to watch. We use it on the University's /16, and we see all kinds of neat patterns ranging from background scans from viruses, to highly sophisticated scans obviously looking for infectable machines.

    The visualisation supports a "darknet" mode where it can show all traffic that isn't being responded to by internal machines, showing scans and other useless traffic (on our capture point it shows up heaps of NTP traffic going to an old NTP server that has been decommissioned).

    The visualisation is fully customisable by a series of plugins for things such as layouts (for the left (internal) and right (external) networks), and colours (letting you colour traffic based on the type of traffic).

    You can see infected machines on it as a cone of traffic, port scans as a sparkling of different colours to one machine. You can see that different parts of the Internet's address space have different protocol mixes (P2P and HTTP interestingly don't have the same patterns). You very quickly get a feel for what "normal" traffic looks like, and can see at a glance if something on the network isn't working right. It's fascinating to watch, and even a layperson can easily see what's going on and understand what's happening. It makes great eye candy for investors and managers too :)

    We're almost ready for a new release supporting a lot more really cool features, including the ability to choose colours based on BPF expressions, tonnes of performance improvements, new plugins such as a geoip layout module.

    Download it and give it a go (the URL is in the parent post), and let us know if you have any suggestions, we're really keen on new ideas to extend it with.
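The three patterns Isomer describes (the "darknet" view of traffic nothing answers, a port scan showing up as many ports hitting one machine, and an infected host showing up as a cone fanning out to many destinations) are easy to reproduce as flow-level detection rules. The script below is an added example and is not WAND/BSOD code; it runs over a small set of constructed flow records (the addresses, the 10.0.0.0/8 "internal" prefix and the thresholds are all assumptions) and reports each pattern in text, in the spirit of the text-mode view an earlier comment asked for.

```python
import ipaddress
from collections import defaultdict

# Assumed "left-hand" (internal) network for the darknet rule.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flows, not real capture data. One tuple per flow:
# (src, dst, dport, proto, packets_forward, packets_returned).
# packets_returned counts what the destination sent back, so 0 means
# the flow was never answered.
SAMPLE_FLOWS = [
    # ordinary web browsing from an internal host, answered normally
    ("10.0.0.5", "203.0.113.10", 80, "tcp", 12, 10),
    # external host probing many ports on one internal host ("sparkling")
    ("198.51.100.7", "10.0.1.20", 21, "tcp", 1, 0),
    ("198.51.100.7", "10.0.1.20", 22, "tcp", 1, 0),
    ("198.51.100.7", "10.0.1.20", 23, "tcp", 1, 0),
    ("198.51.100.7", "10.0.1.20", 80, "tcp", 1, 1),
    ("198.51.100.7", "10.0.1.20", 135, "tcp", 1, 0),
    ("198.51.100.7", "10.0.1.20", 445, "tcp", 1, 0),
    # internal host sweeping one port across many outside hosts ("cone")
    ("10.0.2.99", "192.0.2.1", 445, "tcp", 1, 0),
    ("10.0.2.99", "192.0.2.2", 445, "tcp", 1, 0),
    ("10.0.2.99", "192.0.2.3", 445, "tcp", 1, 0),
    ("10.0.2.99", "192.0.2.4", 445, "tcp", 1, 0),
    ("10.0.2.99", "192.0.2.5", 445, "tcp", 1, 0),
    ("10.0.2.99", "192.0.2.6", 445, "tcp", 1, 0),
    # stray NTP traffic to a decommissioned internal server, never answered
    ("203.0.113.55", "10.0.0.123", 123, "udp", 4, 0),
    ("203.0.113.56", "10.0.0.123", 123, "udp", 3, 0),
]


def is_internal(addr, net=INTERNAL_NET):
    return ipaddress.ip_address(addr) in net


def darknet_flows(flows, net=INTERNAL_NET):
    """Darknet view: flows aimed at the internal network that nothing answered."""
    return [
        (src, dst, dport, proto)
        for src, dst, dport, proto, _fwd, returned in flows
        if is_internal(dst, net) and returned == 0
    ]


def detect_port_scans(flows, min_ports=5):
    """One source touching many distinct ports on a single destination."""
    ports = defaultdict(set)
    for src, dst, dport, _proto, _fwd, _ret in flows:
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_cones(flows, min_dsts=5):
    """One source fanning out to many distinct destinations (worm-style sweep)."""
    dsts = defaultdict(set)
    for src, dst, *_rest in flows:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_dsts}


def report(flows):
    """Plain-text summary of all three patterns, suitable for a terminal."""
    lines = []
    for src, dst, dport, proto in darknet_flows(flows):
        lines.append(f"unanswered  {src:>15} -> {dst:<12} {proto}/{dport}")
    for (src, dst), ports in detect_port_scans(flows).items():
        lines.append(f"port scan   {src:>15} -> {dst:<12} ports {ports}")
    for src, n in detect_cones(flows).items():
        lines.append(f"cone        {src:>15} -> {n} distinct destinations")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

The darknet rule is the interesting one for the decommissioned-NTP case in the comment: the traffic is harmless in itself, but a flow that is never answered is exactly what should stand out when you are looking for scans, and a steady trickle of it to one dead address is a cheap way to find clients nobody reconfigured.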
