Visual DDoS Representation and Its Ramifications 104
winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."
Neat! (Score:5, Interesting)
Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.
Europe has most zombie infested networks.. (Score:4, Interesting)
Considering the PC usage in United States, versus Europe, it is really surprising that most zombie infested networks are in Europe... Is it because people in US are better at defending their PC, than Europe... ? (comparitively speaking)
And what is being done about this? (Score:5, Interesting)
From that, you can find the ISP
From that, you can find the machine
From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.
Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?
Where is the Spinning Cube of Potential Doom? (Score:4, Interesting)
http://developers.slashdot.org/developers/04/06/0
It seems the source for this is still unavailable.
Does anyone know where to get binaries or a similar program?
The concept is fantastic and would certainly help in security.
Although, I'd prefer to have a text version similar to how Nethack displays in text mode.
Call me old school, can't shake my affinity for text only Linux.
I still wonder... (Score:2, Interesting)
Servers should get the IPs that do the most of said refreshing, and create a public Most Likely IPs To Slashdot Your Server(TM) list, so other web servers can restrict traffic a bit to them (maybe serve their pages after casual readers get them?). It's either that or sticking with no one seeing the page for a while as usual, after every hot topic...or something like that. (Of course, IPs can and often are dynamic, in which case I have no clue for a plan-B.)
Re:And what is being done about this? (Score:5, Interesting)
I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.
Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.
Re:Do the numbers... (Score:2, Interesting)
Re:Where is the Spinning Cube of Potential Doom? (Score:3, Interesting)
The visualisation supports a "darknet" mode where it can show all traffic that isn't being responded to by internal machines, showing scans on other useless traffic (on our capture point it shows up heaps of NTP traffic going to an old NTP server that has been decommissioned).
The visualisation is fully customisable by a series of plugins for things such as layouts (for the left (internal) and right (external) networks), and colours (letting you colour traffic based on the type of traffic).
You can see infected machines on it as a cone of traffic, port scans as a sparkling of different colours to one machine. You can see that different parts of the Internets address space have different protocol mixes (P2P and HTTP interestingly don't have the same patterns). You very quickly get a feel for what "normal" traffic looks like, and can see at a glance if something on the network isn't working right. It's fascinating to watch, and even a layperson can easily see what's going on and understand what's happening. It makes great eyecandy for investors and managers too
We're almost ready for a new release supporting a lot more really cool features, including the ability to choose colours based on BPF expressions, tonnes of performance improvements, new plugins such as a geoip layout module.
Download it and it a go (the URL is in the parent post), and let us know if you have any suggestions, we're really keen on new ideas to extend it with.