Visual DDoS Representation and Its Ramifications
winterbc writes "Prolexic has a report on Zombie infections that bring a visual representation of a DDoS attack. Besides being a rather cool picture, it brings to mind a possible future of personal computing. I would love to see a real-time picture of my 'net connections as my desktop picture, allowing me to change my 'net habits based on what I see. For example, I can download new images from the OPTE Project and set my desktop that way, but a more individual pathway highlighted with my favorite color could happen someday. My point is that while DDoS are painfully ubiquitous today, tomorrow visual mapping in real-time could be a path to the source of the problem."
Visual DDoS? (Score:5, Funny)
Re:Visual DDoS? (Score:3, Funny)
Neat! (Score:5, Interesting)
Also, it's nice to see that, for once, a story on Slashdot uses "its" correctly.
Re:Neat! (Score:5, Informative)
I still wonder... (Score:2, Interesting)
Servers should get the IPs that do most of said refreshing, and create a public Most Likely IPs To Slashdot Your Server(TM) list, so other web servers can restrict traffic a bit to them (maybe serve their pages after casual readers get them?). It's either that or sticking with no one seeing the page for a while as usual, after every hot topic...or something like that. (Of course, IPs can be and often are dynamic, in which case I have no clue for a plan B.)
Re:I still wonder... (Score:3, Informative)
It is bad enough that I get regularly banned from posting because my ISP (ntl:) uses an inline cache that reports itself as the remote address and slashcode can't differentiate between different ntl: customers. And, yes, it has been reported many times, the
Re:I still wonder... (Score:2)
Re:I still wonder... (Score:2)
Our illustrious former leader carved the country up into regions and then auctioned off the areas to act as cable TV stations to give new start up telecoms companies a boost while generating revenue for vote winning tax breaks.
Anyhoo, these days they are amalgamated into just about two big cable providers Telewest and ntl: who went on a buying spree once the statutory period of buyout protection expired.
I'm lazy. I got my 512k the day it came out and
Re:I still wonder... (Score:2)
Re:Neat! (Score:1)
Re:Neat! (Score:2)
True, but I suspect that due to the time of day it will probably not reach the hits per second that it did in the *two* other occasions that the server was stressed.
And this one wasn't associated with a post that emanated from their department. That ought to keep the admin busy for a few minutes.
Re:Neat! (Score:1)
Re: (Score:1)
Re:Neat! (Score:1)
In the future will we have net traffic reports? (Score:5, Insightful)
Isn't the whole point that there's redundancy and stuff to make things reliable and invisible to the end user?
Time spent visualising problems is a total waste unless you use it to stop the problem happening again. And prevention is better than cure.
Re:In the future will we have net traffic reports? (Score:3, Informative)
hah, too late.
http://www.internettrafficreport.com/
Re:Better (Score:2)
Funny... but don't ever link to a website that resizes your browser window again, or we'll be forced to kill you
Europe has most zombie infested networks.. (Score:4, Interesting)
Considering the PC usage in the United States versus Europe, it is really surprising that most zombie infested networks are in Europe... Is it because people in the US are better at defending their PCs than Europe...? (comparatively speaking)
Re:Europe has most zombie infested networks.. (Score:4, Funny)
Re:Europe has most zombie infested networks.. (Score:2)
Re:Europe has most zombie infested networks.. (Score:2)
Re:Europe has most zombie infested networks.. (Score:3, Informative)
Re:Europe has most zombie infested networks.. (Score:2)
The rankings are per capita, which means they're adjusted for population.
From the article: "Overall, Europe has the most zombie infested networks ranking over the United States. Hong Kong is the most infested network per capita."
So the 'Europe has more' figure is explicitly not adjusted for population.
Re:Europe has most zombie infested networks.. (Score:2)
Re:Europe has most zombie infested networks.. (Score:2)
But that doesn't prove anything. If 10% of 100 people puts LittleCountryA at the top of the list, but BiggerCountryB has 1% of 1000 and is at the bottom of the list - then out of the total population, 20 machines of 1100 people, or not even 2%, are infected.
So, the argument that most European countries beat out the US in the per capita ranking does not support the argument that those same European countries, taken as part of a whole, will beat the US per capita. That's not to say that it proves it won't, but
Re:Europe has most zombie infested networks.. (Score:2)
TFA reports number of networks (but not how big the compared networks are, so if Europe has two networks with 10 connected PCs each that's what compared to the US with one network with 100 connected PCs, say?) and infections per capita (which is also meaningless because capita measures population size, not number of internet connected PCs. They should at least give the number of households connected to the internet in each
Re:Europe has most zombie infested networks.. (Score:1)
Re:Europe has most zombie infested networks.. (Score:1)
Relevant info missing (Score:5, Funny)
Oh, wait...
Re:Relevant info missing (Score:4, Insightful)
Along that same line of thought... (Score:3, Insightful)
provocative, tasty little parent (Score:1)
go on then trelanexiph u cheeky little chappie, tell us about one of these linux dosnets you've seen.... how did you learn of it? exactly
Re:Relevant info missing (Score:1)
Re:Relevant info missing (Score:2)
Re:Relevant info missing (Score:2)
I've been called in after a couple of *nix machines were rooted, and in both cases it was simple rootkits run by people who didn't appear to have the slightest ability to cover their tracks, who left dos commands like "dir" in the history. Whoever put together the rootkits did appear to have a clue, so the only answer is to reformat, re-install and be sure the data files restored from backup are what they are suppos
What's the surprise? (Score:3, Insightful)
What is surprising is the European zombie count is higher than that of the United States. I wonder why.
Re:What's the surprise? (Score:4, Informative)
EU population is 460 million, US population is only 300 million.
No surprises there - more people, more PCs.
Re:What's the surprise? (Score:2)
As of 2004, 47% of all German households had Internet access, versus 43% in 2003 - and the number is still growing (source: German Federal Statistical Office (destatis.de)).
Re:What's the surprise? (Score:2)
Re:What's the surprise? (Score:2)
If I may hazard a guess...and that's all these are.
I think three reasons.
1. There are a couple of very big and completely clueless ISPs in Europe (blueyonder, tiscali, wanadoo). You think Comcast is bad? You have no idea...
2. Some of the national ISPs in a lot of the European countries have a much larger percentage of users within their countries than any US ISP. If that ISP happens to be one of the
Details (Score:1)
Re:Details (the devil always lurks there) (Score:1)
And what is being done about this? (Score:5, Interesting)
From that, you can find the ISP
From that, you can find the machine
From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.
Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?
Re:And what is being done about this? (Score:2, Informative)
Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?
Several reasons.
First off, a lot of the zombies are in countries different from the person controlling them, making it tricky to pass information and get search warrants (for the sniffer). A lot of people use proxies, which also complicates things.
Re:And what is being done about this? (Score:3, Informative)
Odds are these bots will all be logged on to an IRC channel somewhere. You can track it back to that by simply monitoring the network activity of the machine. After that, you can monitor that channel and find the user who is directing the botnet. Unfortunately, the best you are going to get - unless the botnet operator is an idiot - is the last proxy in a chain of four to eight, each of which is located in
Re:And what is being done about this? (Score:5, Interesting)
I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.
Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.
Religious Botnets (Score:3, Funny)
Re:And what is being done about this? (Score:2)
Remember, there are over 10,000 bots in a typical professional extortionist or
Homer (Score:2)
From that, you can find the ISP
From that, you can find the machine
From that, you can put a sniffer on the line and trace the communications to find the person running the botnet.
Yet I'm not hearing any stories about these botnets being broken by the cops. Why not?
"In America, first you get the sugar, then you get the power, then you get the women."
Re:And what is being done about this? (Score:2)
You will trace it from the zombie to the controller, then it's off back to court, possibly in another country, to get another warrant to monitor the controller. Then you trace that back to another controller ad nauseam.
Re:And what is being done about this? (Score:3, Insightful)
Finding out who these pe
Re:And what is being done about this? (Score:4, Insightful)
we often know who they are, and even where they live
Easy. Make a public list.
Put up a description of all incidents and all related information (IP-Address -> ISP -> personal info) that you have gathered.
The kids don't like to read their real name on a website.
Re:And what is being done about this? (Score:3, Funny)
Argh, do I even need to talk about the futility of publicly posting the authors of DDoS attacks on a website? This calls for good ol' vigilante justice. When the law doesn't suffice to cover your needs, or hasn't gotten that far in terms of enforcement, you need to take it into your own hands. Yes yes, I know all the arguments against that, but they all fall flat; the law is unwilling or unable to help where you have a legitimate grievance, therefore you become the law.
There should be an agency or group
Re:And what is being done about this? (Score:2)
I really think just posting these names will be enough. Not so that people can go and beat the kids up (I doubt anyone would bother anyways!) but more as a blunt message to the DDoS kids saying "We are paying attention and we know who you are".
Once your name shows up on such a list you'll probably re-think whether your hobby is really worth the potential backlash.
Re:And what is being done about this? (Score:1)
As an operator in one of your largest channels... (Score:2)
This isn't directly referring to those botnets used for IP DDoS'ing - UnderNET users typically have very little notice of them, I'm sorry that the UnderNET servers obviously do by sheer connection/disconnection power - but more to those used to DDoS channels and users by crapflood
the gibson (Score:4, Funny)
Re:the gibson (Score:1)
Watch the grandsons infections (Score:1)
Where is the Spinning Cube of Potential Doom? (Score:4, Interesting)
http://developers.slashdot.org/developers/04/06/0
It seems the source for this is still unavailable.
Does anyone know where to get binaries or a similar program?
The concept is fantastic and would certainly help in security.
Although, I'd prefer to have a text version similar to how Nethack displays in text mode.
Call me old school, can't shake my affinity for text only Linux.
Re:Where is the Spinning Cube of Potential Doom? (Score:1, Informative)
Re:Where is the Spinning Cube of Potential Doom? (Score:3, Interesting)
The visualisation supports a "darknet" mode where it can show all traffic that isn't being responded to by internal machines, showing scans on other useless traffic (on our capture point it shows up heaps of NTP traffic
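The "darknet mode" described above (traffic that internal machines never answer) and the earlier point that SYN floods with forged source headers defeat per-source tracing, as an added example that is not from the thread, the Spinning Cube of Potential Doom, or Prolexic: a small flow analyser over constructed packet records. The internal prefix, the four-tuple record format (with the service port recorded on both directions) and the thresholds are assumptions.

```python
from collections import Counter

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range (constructed)


def build_packets():
    """Constructed sample traffic as (src, dst, service_port, tcp_flags):
    one real handshake, one lone scan probe, and a SYN flood from 200 forged
    sources sending 3 SYNs each that the internal host never answers."""
    pkts = [
        ("203.0.113.5", "10.0.0.8", 80, "S"),
        ("10.0.0.8", "203.0.113.5", 80, "SA"),   # reply: flow is answered
        ("203.0.113.5", "10.0.0.8", 80, "A"),
        ("198.51.100.7", "10.0.0.8", 22, "S"),   # probe, never answered
    ]
    for i in range(200):
        pkts += [(f"192.0.2.{i + 1}", "10.0.0.8", 80, "S")] * 3
    return pkts


def unanswered_inbound(packets):
    """'Darknet mode': inbound packets whose flow no internal host replied to.
    A reply from internal src to external dst marks (dst, src, port) answered."""
    answered = {(dst, src, port) for src, dst, port, _ in packets
                if src.startswith(INTERNAL_PREFIX)}
    return [p for p in packets
            if p[1].startswith(INTERNAL_PREFIX)
            and (p[0], p[1], p[2]) not in answered]


def syn_flood_signature(packets, min_sources=50, max_per_source=5, min_total=100):
    """Per target port: (unanswered SYNs, distinct sources, peak from one
    source, verdict). Many sources each sending only a few SYNs at one port is
    what forged headers look like on the wire; blocking by source won't help."""
    syns = [p for p in unanswered_inbound(packets) if p[3] == "S"]
    result = {}
    for port in {p[2] for p in syns}:
        per_src = Counter(p[0] for p in syns if p[2] == port)
        total, distinct, peak = sum(per_src.values()), len(per_src), max(per_src.values())
        flood = distinct >= min_sources and peak <= max_per_source and total >= min_total
        result[port] = (total, distinct, peak, "spoofed-syn-flood" if flood else "normal")
    return result


if __name__ == "__main__":
    for port, row in sorted(syn_flood_signature(build_packets()).items()):
        print(port, row)
```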
Re:Where is the Spinning Cube of Potential Doom? (Score:2)
Thanks for my new project.
Looks like the client will run on Windows so I don't have to setup a graphical X machine.
Let you know how it goes.
Re:Where is the Spinning Cube of Potential Doom? (Score:2)
Need to install another Hard Drive.
My 3Gb of 9 year old SCSI technology is full.
Not to the fault of a 190k BSOD, but because I need g++ version > 2.95.
And to install that version of g++ I need more space.
From the INSTALL file:
The bsod server requires:
* libtrace (http://research.wand.net.nz/software/)
* g++-3.0 or greater (known to work with 3.0, fails with 2.95)
In the famous words of Arnold: "I'll be back"
DDoS protection (Score:2, Insightful)
Re:DDoS protection (Score:2)
brings a whole new meaning to the phrase (Score:1)
Yeah (Score:1, Informative)
http://etherape.sourceforge.net/
Cool Picture (Score:3, Informative)
From what I remembered, he depicted computer networks as having visual representation, describing how colors changed based on the level and types of network activity.
What is given in the novel is more of a virtual reality type thing, though. I thought that was nifty. Now, if only we could get some diagrams like the one in the article done in 3D and rendered in real time as variables changed.
LOL... (Score:4, Funny)
"Interesting Notes:
AOL is the most infested network on the Internet."
Gee. I wonder why.
Re:LOL... (Score:3, Insightful)
Re:LOL... (Score:1, Funny)
I thought AOL came with all that by default?
Re:LOL... (Score:2)
Dell out of the box has Norton and AOL by default.
A winning combination.
Re:LOL... (Score:3, Funny)
Re:LOL... (Score:2)
Amazing photos... (Score:5, Funny)
You're looking for something like Carnivore (Score:2)
Try Carnivore. It's a simple sniffer that acts as a backend to any visualizer you can write (in a number of supported languages). There's a nice online library of those frontends on their site as well. The only downside is that currently there's no Linux version
Do the numbers... (Score:1)
John
Re:Do the numbers... (Score:2)
windows users vs non-windows users ~= windows bots vs non-windows bots.
Re:Do the numbers... (Score:2, Interesting)
DDoS? (Score:1)
Missing Color in key? (Score:2)
Etherape/Cube of Impending Doom (Score:3, Informative)
yeah, nice (Score:1)
LGL is used, but does anybody have it working? (Score:2)
I have tried to get it running on Linux and FreeBSD, but it doesn't want to compile due to mismatches in their C++ classes. This is with gcc 2.95, 3.3 and 3.4. (See http://www.mavetju.org/~edwin/lgl.fail.txt for the full log)
Has anybody gotten LGL to compile on their machines? Or does anyone know of patches to get it working?
Thanks in advance, Edwin
lots of ramifications (Score:2)
What it is lacking in, however, is utility. Other than noticing that denial of service attacks use thousands of zombies all over the world, this doesn't really help you.
peep! (Score:2)
http://sourceforge.net/projects/peep/
Give it a try!
Back in "the day" we used to put an AM radio on top of the IBM 1130 and listen to the resulting noise to determine if the programs were working properly. Every program had a different sound and every phase of operation of each program was usually discernible from the sound.
Has anyone here used Prolexic? (Score:2)
Malaysia, so small yet so vulnerable (Score:1)