Forgot your password?
typodupeerror
Security The Internet IT

Visual DDoS Representation and Its Ramifications 104

Posted by Zonk
from the seeing-things-helps-to-understand-them dept.
winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."
This discussion has been archived. No new comments can be posted.

Visual DDoS Representation and Its Ramifications

Comments Filter:
  • by Anonymous Coward on Sunday May 29, 2005 @12:29AM (#12668102)
    Is the a new programming language from Microsoft?
  • Neat! (Score:5, Interesting)

    by failure-man (870605) <failureman@@@gmail...com> on Sunday May 29, 2005 @12:30AM (#12668103)
    Can it build a map for a /.ing?

    Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.
    • Re:Neat! (Score:5, Informative)

      by geomon (78680) on Sunday May 29, 2005 @12:40AM (#12668147) Homepage Journal
      Not exactly a map, but a nice graph [smu.edu]of a site getting slashdotted.
      • I still wonder... (Score:2, Interesting)

        by game kid (805301)
        ...which exact people/bots do the most requests.

        Servers should get the IPs that do the most of said refreshing, and create a public Most Likely IPs To Slashdot Your Server(TM) list, so other web servers can restrict traffic a bit to them (maybe serve their pages after casual readers get them?). It's either that or sticking with no one seeing the page for a while as usual, after every hot topic...or something like that. (Of course, IPs can and often are dynamic, in which case I have no clue for a plan-B.)
        • Re:I still wonder... (Score:3, Informative)

          by DrSkwid (118965)
          please, no more IP based filtering

          it is bad enough that I get regularly banned from posting because my ISP (ntl:) uses an inline cache that reports itself as the remote address and slashcode can't differentiate between different ntl: customers. And, yes, it has been reported many times, the /. attitude is : if you're such a geek, sort yourself another proxy (which I do but it is still a pain).
          • Inline cache? Forget getting another proxy, get another ISP!
          • The actual term is a 'transparent web cache'. What happens is the ISP proxys all traffic on port 80 outbound through a machine on their network running squid. To the end user, the effect is the same as if they were connecting directly to the destination web server, but they're really connecting to this squid proxy. That way if two of their customers request the same page, the squid machine only has to fetch it once (assuming it's cacheable) and it can then send it to both customers. It's a bandwidth-sav
      • Thanks to you we can all watch it happen all over again!
        • Thanks to you we can all watch it happen all over again!

          True, but I suspect that due to the time of day it will probably not reach the hits per second that it did in the *two* other occasions that the server was stressed.

          And this one wasn't associated with a post that emanated from their department. That ought to keep the admin busy for a few minutes.
          • I can't believe the graph doesn't show how long it takes for the increased activity to fall off! It would show the "attention span" of /.
      • WTF? No "funny" mod yet? It sure deserves one :P
      • Nice... now they can have history repeat itself.
        :)
  • by rokzy (687636) on Sunday May 29, 2005 @12:32AM (#12668118)
    I hope not!

    isn't the whole point that there's redundancy and stuff to make things reliable and invisible to the end user?

    time spent visualising problems is a total waste unless you use it to stop the problem happening again. and prevention is better than cure.
  • by guyfromindia (812078) on Sunday May 29, 2005 @12:38AM (#12668142) Homepage
    From TFA, Overall, Europe has the most zombie infested networks ranking over the United States.
    Considering the PC usage in United States, versus Europe, it is really surprising that most zombie infested networks are in Europe... Is it because people in US are better at defending their PC, than Europe... ? (comparitively speaking)
  • They forgot to list zombies per operating system.

    Oh, wait...
    • by trelanexiph (605826) on Sunday May 29, 2005 @02:53AM (#12668549) Homepage
      I've seen dosnets on IRIX, Linux, SCO Unix/Openserver, and Solaris. Windows users are not the only ones running infections. Ooh yeah, the guys hitting unix are usually far more skilled than those using cookie cutter exploits to mass-infect windows machines, meaning that though they don't hit harder, they may hit smarter.
      • If somebody takes the time to 0wn a server, it's likely because that server is on a fat pipe. If the purpetrator throttles his network usage it could go undetected and have much more serious reprecussions than a dozen infected desktop PC's on DSL. Then again, not all computers on fat pipe's are non-windows boxes... I had to clean up a Serv-U hack on our T1. =/
      • I've seen dosnets on IRIX, Linux, SCO Unix/Openserver, and Solaris. Windows users are not the only ones running infections. Ooh yeah, the guys hitting unix are usually far more skilled than those using cookie cutter exploits to mass-infect windows machines, meaning that though they don't hit harder, they may hit smarter.

        go on then trelanexiph u cheeky little chappie, tell us about one of these linux dosnets you've seen.... how did you learn of it? exactly

      • Wowie, you saw ENTIRE dosnets on IRIX? You might come up with a 'proof of concept' thingie which 'might' work on a completely defenseless machine, but i doubt you'll find so many of them on the net to build a net. How many IRIX is still on the net? One would believe dosnets are viable only on an OS (aside from OS vulnerabilities) with a large and ignorant user base. Maybe in the future you'll see linux dosnets but i guess they are only in your fantasy.
      • And lets face it any Unix/Irix/Non-Windows operating system is going to have access to a much fatter pipe then your average windows system.
      • the guys hitting unix are usually far more skilled than those using cookie cutter exploits

        I've been called in after a couple of *nix machines were rooted, and in both cases it was simple rootkits run by people who didn't appear to have the slightest ability to cover their tracks, who left dos commands like "dir" in the history. Whoever put together the rootkits did appear to have a clue, so the only answer is to reformat, re-install and be sure the data files restored from backup are what they are suppos

  • by FireballX301 (766274) on Sunday May 29, 2005 @12:51AM (#12668195) Journal
    For all intents and purposes, that could just be a list of largest ISP networks. Large ISPs generally don't have the time to perform broad sweeps against zombie computers.

    What is surprising is the European zombie count is higher than that of the United States. I wonder why.
    • by HermanAB (661181) on Sunday May 29, 2005 @01:44AM (#12668385)
      Why?

      EU population is 460 million, US population is only 300 million.

      No surprises there - more people, more PCs.
      • Also, consider that some European countries are quite Internet-crazy. IIRC, German is the second most frequent language spoken on the Internet, even before Franch, Spanish and Mandarin. Note that outside of Europe, German is not quite as common as the other three languages.
        As of 2004, 47% of all German households had Internet access, versus 43% in 2003 - and the number is still growing (source: German Federal Statistical Office (destatis.de)).
    • what's important is per capita. US isn't the worst offender, but the krauts could improve.
    • "What is surprising is the European zombie count is higher than that of the United States. I wonder why."

      If I may hazard a guess...and that's all these are.

      I think three reasons.

      1. There are a couple of very big and completely clueless ISPs in Europe (blueyonder, tiscali, wanadoo). You think Comcast is bad? You have no idea...

      2. Some of the national ISPs in a lot of the European countries have a much larger percentage of users within their countries than any US ISP. If that ISP happens to be one of the
  • The site is short on details. I'm kind of curious how their DoS filtering systems work. How can you detect the difference between a valid client and one that that's just part of an attack?
    • it's not the single challange/response that's identifiable but the fact that seldom is an attack a single transaction, by monitoring the stream of activity both signature and learning filters can do a good job. Config-free IPS's are not impossible.
  • by khasim (1285) <brandioch.conner@gmail.com> on Sunday May 29, 2005 @12:51AM (#12668200)
    From TFA:
    The primary attack of choice in the first half of 2005 was an advanced full connection based flood. This particular attack exposes the real IP address of the attacking bot/zombie, however, the sheer number of IP addresses that must be blacklisted places overwhelming load on mitigation hardware, ACLs, and web services farms.
    Okay, so you hve the IP address of a cracked machine ...

    From that, you can find the ISP ...

    From that, you can find the machine ...

    From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

    Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

    • From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.
      Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?

      Several reasons.
      First off, a lot of the zombies are in countries different from the person controlling them, making it tricky to pass information, and get search warrants(for the sniffer). A lot of people use proxies, which also complicates things.
    • by Anonymous Coward
      It's not quite that easy. There is no such thing as a 'sniffer' you can put on an internet connection.

      Odds are these bots will all be logged on to an IRC channel somewhere. You can track it back to that by simply monitoring the network activity of the machine. After that, you can monitor that channel and find the user who is directing the botnet. Unfortunately, the best you are going to get - unless the botnet operator is an idiot - is the last proxy in a chain of four to eight, each of which is located in
    • by plover (150551) * on Sunday May 29, 2005 @01:20AM (#12668301) Homepage Journal
      Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.

      I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.

      Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.

      • So, what you're saying is that current botnets function like the prayer chain of Satan, the Lord of Spam?
    • by rhizome (115711)
      Okay, so you hve the IP address of a cracked machine ...

      From that, you can find the ISP ...

      From that, you can find the machine ...

      From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.

      Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?


      "In America, first you get the sugar, then you get the power, then you get the women."
    • I don't think that the person controlling the botnet sends out a "do ddos now" command to all of his owned hosts from home.

      You will trace it from the zombie to the controller then it's off back to court, possibly in another country, to get another warrant to monitor the controller. Then you trace that back to another controller ad nauseum.
    • I help out on the Undernet IRC Network. We have automated tools that detect botnets, but what can we do after we've detected them? Email their ISP's? They in general don't care. Talk to the FBI? They don't care either. Ban (Gline) them from the network? We get DDoS'd for the trouble, either directly by the kiddie taking revenge, or even indirectly by just having to live with the constant synflood of thousands of DDoS drones still trying constantly to reconnect to our servers.

      Finding out who these pe
      • by Kent Recal (714863) on Sunday May 29, 2005 @06:58AM (#12669053)
        what can we do after we've detected them?
        we often know who they are, and even where they live

        Easy. Make a public list.
        Put up a description of all incidents and all related information (IP-Address -> ISP -> personal info) that you have gathered.

        The kids don't like to read their real name on a website.
        • Argh, do I even need to talk about the futility of publicly posting the authors of DDOS attacks on a website? This calls for good ol' vigilante justice. When the law doesn't suffice to cover your needs, or hasn't gotten that far in terms of enforcement, you need to take it into your own hands. Yes yes, I know all the arguments against that, but they all fall flat; the law is unwilling or unable to help where you have a legitimate greivance, therefore you become the law.

          There should be an agency or group

          • Well, while your approach sounds sensible ;-), I want to make clear that I don't encourage that way of dealing with it.

            I really think just posting these names will be enough. Not so that people can go and beat the kids up (I doubt anyone would bother anyways!) but more as a blunt message to the DDoS kids saying "We are paying attention and we know who you are".

            Once your name shows up on such a list you'll probably re-think whether your hobby is really worth the potential backlash.
        • They certianly won't when future employers grep these lists for the name of any potential employee.
      • that isn't warez, mp3, or sex-based, #chatzone, it would at least be nice if you could acknowledge the existance of certain botnets, their owners, etc. That and give -us- some level of information on what -we- can do against them.

        This isn't directly referring to those botnets used for IP DDoS'ing - UnderNET users typically have very little notice of them, I'm sorry that the UnderNET servers obviously do by sheer connection/disconnection power - but more to those used to DDoS channels and users by crapflood
  • the gibson (Score:4, Funny)

    by mnemonic_ (164550) <jamec@uWELTYmich.edu minus author> on Sunday May 29, 2005 @12:57AM (#12668222) Homepage Journal
    But have they hacked the Gibson yet?
  • On our home network I watch the infections eminating from the grandsons Windoze gaming boxen with etherape - http://etherape.sourceforge.net/ [sourceforge.net] it's not a desktop background, but it's cool (the grandson reckons its sick)
  • This story reminds me of the Spinning Cube of Potential Doom.
    http://developers.slashdot.org/developers/04/06/01 /1747223.shtml [slashdot.org]

    It seems the source for this is still unavailable.
    Does anyone know where to get binaries or a similar program?

    The concept is fantastic and would certainly help in security.
    Although, I'd prefer to have a text version similar to how Nethack displays in text mode.

    Call me old school, can't shake my affinity for text only Linux. :P
  • DDoS protection (Score:2, Insightful)

    With more and more ISP's offering DDoS protection in the cloud I have to wonder how much longer DDoS in it's current form will remain relevant. Most of the Tier I backbone providers are shutting down these things in the cloud keeping the traffic from ever reaching the customer Gateway (for customers that subscribe to this service), however these systems are looking for uncompleted TCP connections and scripted browsing sequences. So in the next round of DDoS arms escalation, any thoughts on what the next e
    • any thoughts on what the next evolution of the zombie net attacks will be?
      Ones that parse webpages and follow random links (staying on the same server, of course) so that they look as much as possible like legitimate traffic? Maybe have it emulate a Slashdotting by forging the referer headers? ; )
  • "Where do you want to go today?"
  • Yeah (Score:1, Informative)

    I've only been monitoring this sort of thing with EtherApe for about 4 years now.
    http://etherape.sourceforge.net/ [sourceforge.net]
  • Cool Picture (Score:3, Informative)

    by vga_init (589198) on Sunday May 29, 2005 @01:21AM (#12668306) Journal
    This picture is a little bit different, but this concept reminds me of the depiction of large scale computer networks given in William Gibson's Neuromancer [amazon.com].

    From what I remembered, he depicted computer networks as having visual representation, describing how colors changed based on the level and types of network activity.

    What is given in the novel is more of a virtual reality type thing, though. I thought that was nifty. Now, if only we could get some diagrams like the one in the article done in 3D and rendered in real time as variables changed.

  • LOL... (Score:4, Funny)

    by d474 (695126) on Sunday May 29, 2005 @01:31AM (#12668342)
    FTFA:

    "Interesting Notes:
    AOL is the most infested network on the Internet."


    Gee. I wonder why.
    • Re:LOL... (Score:3, Insightful)

      by qualico (731143)
      too funny, I'll venture a guess... ...is it cause people on AOL are the same people who click punch the monkey ads, install comet cursor and New.net along with Gator and WebShots?
      • Re:LOL... (Score:1, Funny)

        by t0ny747 (849486)
        ...is it cause people on AOL are the same people who click punch the monkey ads, install comet cursor and New.net along with Gator and WebShots?

        I thought aol came with all that by default?
    • Re:LOL... (Score:3, Funny)

      by xenocide2 (231786)
      "So easy to abuse no wonder its number one!"
    • Maybe it's not the AOL who has the fault, but the people. Hell, I've heard people finding it nice that they have that buddy thing installed :) - oh, that's not funny

  • by d474 (695126) on Sunday May 29, 2005 @01:38AM (#12668361)
    ...they almost look like a "web" of some sort...
  • I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see.

    Try Carnivore [rhizome.org]. It's a simple sniffer that acts as a backend to any visualizer you can write (in a number of supported languages). There's a nice online library of those frontends on their site as well. The only downside is that currently there's no linux version :(.
  • It's funny just to think what percentage of these boxes are Windows machines. Has anyone ever even heard of botnet boxes being run on Linux/*BSD/non-Windows machines? I guess there's one thing Microsoft should be thanked for... Inadvertently starting a new technology market.

    John
  • by sunwolf (853208)
    Which one is the picture of the site being Slashdotted?
  • Am I going blind, or is there a color missing in the key? Or perhaps it's a firefox rendering error? At any rate, I can't find out what light blue is supposed to represent.
  • by miquong (569138) on Sunday May 29, 2005 @04:11AM (#12668716)
    Etherape is a good real-time program for visualizing connects to you and their relative traffic. While it only runs on *nixes, you can set up box for monitoring your uplink. Also check this post from last year: http://developers.slashdot.org/article.pl?sid=04/0 6/17/135220&tid=172&tid=141&tid=8 [slashdot.org]
  • but it's goddamn pointless. who gives a fuck if you have a picture of it or not?
  • OPTE is using LGL to make their graphs. Their website is at http://bioinformatics.icmb.utexas.edu/lgl/ [utexas.edu].

    I have tried to get it running on Linux and FreeBSD, but it doesn't want to compile due to mismatches in their C++ classes. This is with gcc 2.95, 3.3 and 3.4. (See http://www.mavetju.org/~edwin/lgl.fail.txt [mavetju.org] for the full log)

    Has anybody gotten LGL to compile on their machines? Or does know patches to get it working?

    Thanks in advance, Edwin
  • Thousands of ramifications [reference.com]. (quite literally).

    What it is lacking in however, is utility [reference.com]. Other than noticing that denial of service attacks use thousands of zombies all over the world, this doesn't really help you.
  • There is an audio network status tool called peep.

    http://sourceforge.net/projects/peep/ [sourceforge.net]

    Give it a try!

    Back in "the day" we used to put an AM radio on top of the IBM 1130 and listen to the resulting noise to determine if the programs were working properly. Every program had a different sound and every phase of operation of each program was usually discernible from the sound.
  • I met with them a while back and I think outsourcing the sinking and scrubbing of DOS traffic is a great idea. I'd like to hear from anyone using their service though.
  • A big thank you to the admins at TMNet. You have finally made Malaysia one of the best at something.

"In matters of principle, stand like a rock; in matters of taste, swim with the current." -- Thomas Jefferson

Working...