Tools To Squash the Botnets
Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."
commercially. (Score:3, Interesting)
i'm not trying to say it HAS TO be free. hell, most of the people that have compromised machines won't know they need the software and where to get it, free or commercial or whatever. just kind of wondering out loud is all.
Not only that, but there are NO details. (Score:5, Interesting)
And the claims he is making do NOT fit with how machines are infected or how the zombies are used.
Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.
They include patterns for known exploits.
But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.
Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.
I'm thinking "snake oil" here.
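As an added illustration of the distinction this comment draws (it is not code from the article, the researcher, or any commenter), the toy detector below learns the finite set of legitimate (port, protocol) patterns from a training window and then classifies new flows as a known-exploit signature match, an anomaly against that baseline, or legitimate. All flow records, host names and the exploit marker are constructed sample data.

```python
# Added example: baseline-driven IDS versus signature matching, on constructed flows.
from collections import Counter

# Constructed training data: normal flows on a small corporate network, as
# (src_host, dst_port, protocol). Repeated so each legitimate pattern is seen often.
BASELINE_FLOWS = [
    ("ws-01", 443, "tcp"), ("ws-01", 53, "udp"), ("ws-02", 443, "tcp"),
    ("ws-02", 25, "tcp"),  ("ws-01", 80, "tcp"), ("ws-02", 53, "udp"),
] * 20
BASELINE_FLOWS.append(("ws-02", 3389, "tcp"))  # one stray flow during training

# Constructed "known exploit" signature: (dst_port, protocol, payload marker).
KNOWN_BAD = {(445, "tcp", "CONSTRUCTED-EXPLOIT-MARKER")}

def learn_baseline(flows, min_count=5):
    """Return the set of (dst_port, protocol) pairs seen at least min_count
    times, so a single odd flow in the training window is not accepted as legit."""
    counts = Counter((port, proto) for _, port, proto in flows)
    return {key for key, n in counts.items() if n >= min_count}

def classify(flow, baseline, signatures=KNOWN_BAD):
    """Classify one observed flow (src_host, dst_port, protocol, payload)."""
    _src, port, proto, payload = flow
    for s_port, s_proto, marker in signatures:       # signature check first
        if port == s_port and proto == s_proto and marker in payload:
            return "signature"
    if (port, proto) not in baseline:                 # not a known-legit pattern
        return "anomaly"
    return "legit"

def run(observed, baseline):
    """Classify every observed flow; returns (src_host, dst_port, verdict) tuples."""
    return [(f[0], f[1], classify(f, baseline)) for f in observed]

# Constructed traffic to classify: one normal flow, one signature hit, and one
# flow (IRC-style port) that no signature knows but that the baseline never saw.
OBSERVED = [
    ("ws-01", 443, "tcp", "GET / HTTP/1.1"),
    ("ws-03", 445, "tcp", "SMB CONSTRUCTED-EXPLOIT-MARKER"),
    ("ws-02", 6667, "tcp", "NICK zomb1e"),
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    print("legit patterns:", sorted(base))
    for row in run(OBSERVED, base):
        print(row)
```

The baseline set printed first is the small, auditable list of legitimate patterns the comment argues is the real thing to identify quickly.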
Ahoy! Press release! (Score:5, Interesting)
Does he think slashdot readers don't read the article or something?
Re:See spot run. Run Spot! Run! (Score:3, Interesting)
Well, Darl is a bit short of cash right now, seeing how he's busy transferring a patent to cattleback and all. And, oh, My, we forgot to pay anything for that transfer! Ooops! OUR BAD! Please let us make it right and do it now we've filed for bankruptcy! We'll just move anything of value out of SCOX and leave it with nothing but the bills while we move anything of value out to other subsidiaries.
About as obvious as a cat trying to cover up "business" on a tile floor. Problem is that the cat's business is far more honest than SCOX's "business", and about as transparent. The problem with stupid people is that they think we are dumber than they are.
It's always such a shock to them when they find out others are more intelligent than they are. Why, they are simply INDIGNANT and DEMAND we dumb ourselves down to their level. I'd oblige, but I don't have that nifty little MP3 player on my hip with the endless loop of "Ok, now INHALE......OK, now EXHALE.......INHALE........EXHALE......"
Sadly, this estimation of common IQ really isn't all that far wrong. As evidence, I submit the 2004 "elections".
Re:I don't see that. (Score:5, Interesting)
I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
Re:I don't see that. (Score:4, Interesting)
It could be some request error that instead of checking once a day ends up checking once every five minutes or something of the sort. It is likely something along the lines of the gaming community that is supposed to help gamers connect to each other through firewalls. I have seen a Java app that does this but don't remember the name.
Re:I don't see that. (Score:2, Interesting)
I know a few chefs and have asked them, the reasons:
1. that's how they were taught to do it
2. they think it is better "presentation"
3. it makes the shrimp look bigger
so not only are they being annoying, they're also being dogmatic, pretentious and deceitful.
Re:See spot run. Run Spot! Run! (Score:3, Interesting)
And see exactly what? That someone is running honeypots? I don't need to look to know that, I run honeypots myself. I've more than two dozen systems running multiple VM honeypot software from home grown to open source to closed source IDSes. Let me be clear: I currently run $many to $shitpots of honeypot systems, with Sun boxen, AIX boxen, and WinTel platforms. Mostly these are "spares" to use when a production system goes down. It's a way to keep them "warm" and tested to be sure they run correctly.
And malware authors work around it by probing. If they suspect that an address in a network is used for a honeypot to blacklist any IP that touches it, then they do a simple binary search to find out which addresses are used, then they stop hitting those addresses.
One or two MIGHT. I, however, find that those running bot herders are not sensitive to time constraints over fifteen minutes or so. Sure, there are a bunch of spammers that react to a reject on the second spam; however, there are far fewer that react to a block that takes place after the 500th. (and 2-500 are not delivered nor bounced, but held for later review.) And this ignores the vast majority of hardened spammers that tend not to send more than one spam per IP to identifiable IP space. In my case, I have several allocations that do not obviously tie back to me, consequently, I see this more than perhaps others do.
Of course, that's only for searching out vulnerabilities with a worm that automatically propagates. How would you get the same statistical results, only when the attack vector is spam containing a link to a trojan? Read up on Storm Worm before you answer, as it works around the obvious solutions.
And just by the way, I assume you know that a TCP-RESET can be forged from elsewhere, right? And that an effective way to prevent packet exchange is with a TCP-RESET, right? I'll leave even more esoteric spoofing and devious deeds for another conversation.
You are attempting to teach grandpaw how to suck eggs. (And why would anyone want to suck an egg? Burr!) You can assume any level of incompetence and disregard to details you'd like. One thing, however, stands out. I STILL haven't heard how this most Holy IP with attendant patents will serve to protect my networks. I DO see a lot of finding of fault where my methods are not known, assumptions of ignorance or lack of expertise, and no more hard data on what I'm doing wrong.
At this point, my sole criticism has been a lack of information. My sole observation is that a lot of vendors promise the moon and the stars, and I fail to see how this vendor distinguishes themselves from the pack of lies, smoke dancers, and vaporware peddlers out there. I'm not saying they are such scum, I'm saying I don't see anything to lead me to believe their claims from a non-biased standpoint.
I'd be wild with joy if even half of what is claimed can be proven. However, I see a lot of claims, but I don't see a lot of proof, evidence, or independent review. So while I can continue to hope for the results of the technology, don't expect me to get behind it by writing a check for it until I have some evidence I'm not buying a pig in a poke.
I already have lots of pokes, and lots of pigs. And case after case of lipstick for the pigs. Pardon me for being a bit gunshy.
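The per-source policy this commenter describes (accept the first message, hold the 2nd through 500th for later review without delivering or bouncing, block from the 501st on), written out as an added example that is my reading of the comment and not the commenter's own code. The thresholds are the ones the comment states; the IP addresses and message bodies are constructed.

```python
# Added example: a per-source-IP deliver/hold/block policy with a review queue.
from collections import defaultdict

HOLD_FROM = 2      # the first message that is held instead of delivered
BLOCK_AFTER = 500  # the last message that is held; the next one is blocked

class SenderPolicy:
    def __init__(self, hold_from=HOLD_FROM, block_after=BLOCK_AFTER):
        self.hold_from, self.block_after = hold_from, block_after
        self.seen = defaultdict(int)           # messages counted per source IP
        self.review_queue = defaultdict(list)  # held messages awaiting review, per IP

    def decide(self, src_ip, message):
        """Return 'deliver', 'hold' or 'block'; held messages are queued, not bounced."""
        self.seen[src_ip] += 1
        n = self.seen[src_ip]
        if n < self.hold_from:
            return "deliver"
        if n <= self.block_after:
            self.review_queue[src_ip].append(message)
            return "hold"
        return "block"  # nothing stored: a blocked source no longer consumes queue space

    def held_count(self, src_ip):
        """Number of messages from src_ip waiting for human review."""
        return len(self.review_queue[src_ip])

def simulate(policy, src_ip, total):
    """Constructed run of `total` messages from one source; returns a decision tally."""
    tally = defaultdict(int)
    for i in range(1, total + 1):
        tally[policy.decide(src_ip, f"constructed message {i}")] += 1
    return dict(tally)

if __name__ == "__main__":
    p = SenderPolicy()
    print(simulate(p, "198.51.100.7", 600))   # constructed test-range source IP
    print("held for review:", p.held_count("198.51.100.7"))
```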