Recruiting Friendly Botnets To Counter Bad Botnets

holy_calamity writes "New Scientist reports on a University of Washington project aiming to marshal swarms of 'good' computers to take on botnets. Their approach — called Phalanx — uses its distributed network to shield a server from DDoS attacks. Instead of that server being accessed directly, all information must pass through the swarm of 'mailbox' computers, which are swapped around randomly and only pass on information to the shielded server when it requests it. Initially the researchers propose using the servers in networks such as Akamai as mailboxes; ultimately they would like to piggyback the good-botnet functionality onto BitTorrent."

Throttled

[zedlander]

ultimately they would like to piggyback the good-botnet functionality onto BitTorrent.

Yeah, just let the ISP's bring your site to its knees instead of the botnets.

GTFO my torrents.

[snarfies]

Ah yes. So now not only do Comcast and company want to throttle my torrents, but now these yahoos want to press my computer into their vigilante posse?

Do these guys, possibly actually WORK for Comcast and are out looking for ways to make every ISP in the world, and possibly governments as well, ban torrents?

Re:

[boris111]

Ha vigilante was the first thing that popped in my head. What happens when these vigilantes feel the power in their hands and they themselves turn evil? A legitimate question would be: couldn't a black hat reverse engineer this and use it against the white hats?

Re:

[Washii]

They could make it a little like the TOR opt-in for Exit Noding...?

What kind of mental cripple thinks this shit up?

[Chas]

NO!

NO NO NO NO!

However you slice it, even if this "friendly" botnet is performing some beneficial task (such as kacking a bad botnet that's infected my machine), it's STILL bad!

It's accessing and carrying out tasks on my machine without my express permission.

HELL FUCKING NO!

This is NOT a "lesser of two evils" choice here. BOTH choices (malicious botnet or "beneficial" botnet) are evil, PERIOD!

Re:What kind of mental cripple thinks this shit up

[zedlander]

From TFA:

Their system, called Phalanx, uses its own large network of computers

Chill the flip out, man. They're not taking over your computer.

Could we have something like Phalanx@Home?

[vivin]

Like Seti@Home or Folding@home? We could have people sign up and join the Phalanx network. Or create a similar "open" network? People could then sign up for the service. I guess you could make it to where when you sign up, your computer becomes part of the network, and is also protected by the network. I don't know how feasible this is... just throwing out ideas.

Re:

[poetmatt]

I've heard of this open network based on a whole bunch of computers interconnected....I believe it was called, last I checked, the internet?

Re:Could we have something like Phalanx@Home?

[PitaBred]

Calling it Phalanx is lame. It should be called Legion.

Re:

[Ihmhi]

Is this where I make a joke about someone getting "kicked" from a server?

Re:

[BrunoUsesBBEdit]

Calling it Phalanx is lame. It should be called Legion.

Good idea, Legion as in http://www.biblegateway.com/passage/?search=Mark%205:1-10;&version=31 [biblegateway.com];

All botnets are evil. Things like Folding@Home, Seti@Home, etc. are not botnets.

Re:

[MoonlightSeraphim]

uh huh, then if I sign up for it so what is going to stop me from using this new 'good' botnet for my own not so good purposes?

Re:

[HTH NE1]

Well, for one, you won't be allowed to paint it red [badrobot.com].

Re:

[calebt3]

And ISPs won't know the difference between Phalanx computers and regular bittorrent. Perfect!

Re:

[raddan]

Good idea, but you'd want to make sure that Phalanx@Home is a securely-written (e.g., privilege-separated, full-paranoia input validation, all passed communication is unreadable by the node, etc...) application so that it cannot be taken over by a 'bad' botnet operator. Otherwise, thanks for the botnet, UDub!

Re:

[alphamugwump]

You wouldn't want an open network. The whole point is to keep the IP address of the server secret. If it's open, then everyone knows. Unless you do something like TOR hidden services.

Re:

[hesaigo999ca]

but a botnet is only a botnet if it grows in size, hence the person's initial reaction to hearing a "GOD" botnet, sort of like saying a gentle pedophile..

Re:What kind of mental cripple thinks this shit up

[erareno]

Tell that to the victims of a botnet that don't even knowo what a botnet is.

Re:What kind of mental cripple thinks this shit up

[GroeFaZ]

Uhm hyperventilating much? This is /. after all and we don't need to RTFA, but please at least cut down the unwarranted profanity. FTA:

"Rather than using an ill-gotten botnet, Phalanx would use the large networks of computers which companies currently use to serve massive amounts of content," says team member Colin Dixon."

Flame where warranted, but please, please, don't rely on /. summaries to form your opinion. *sigh*.

Re:What kind of mental cripple thinks this shit up

[whm]

Did you even read the summary?

It's not an offense, it's a defense. A protected server has all traffic routed to members of large cluster of helper machines (the "good botnet"). The protected server then contacts and collects the content as it is able. Instead of a DDOS attack being able to shovel data down on the target, the data is distributed to the cluster of helper machines. The recipient server then deals with the traffic at a pace it is able.

The article is short, but it kind of sounds like each node in the "good botnet" is serving as a sort of per-connection proxy to the destination server.

Maybe that clarifies things a bit?

Re:

[ShiNoKaze]

Hey so couldn't the evil hackers figure out there was a computer it was goin through to get to the main one, compromise it and get the list of good botnets from that one? Then just moniter all the bots and when they switch, you switch as well. I don't think you could avoid a ddos with just your own botnet. If that's the goal.

Re:

[ShiNoKaze]

Ok, now that I read it, it doesn't work like this, but the botnets could still get around it. For their little "computational puzzle" they would just need to know what kind of puzzle or list of puzzles and the botnet could have them already solved when time to ping like crazy. As for letting the machine work at it's own pace, it may still be able to serve info out, but only in response to that which is getting in, which will still be more than it can handle. I guess you could elect to just empty buffers

Re:

[Anonymous Coward]

From TFA, it looks like Akamai or CoralCDN with HashCash and endpoint-initiated throttling.

Nice, but I'm failing to see where the "bots" are in this net.

misused buzz word alert

[BrunoUsesBBEdit]

It's not a botnet, but if they hadn't inappropriately used that buzz word, would we be talking about it?

It's frustrating the way our terminology continues to get diluted to where everything becomes ambiguous because you must assume that the majority of the people out there don't know the meanings of the words.

A good off topic example is "stereotype, bigotry, and racism" through related, these three are distinct but everything is now just rolled up into racism. This makes it difficult to express that a pers

Re:

[Shotgun]

Which does no good for anyone.

So the phalanx stands in front of the server and only hands it as many requests as the server can handle. My request is still sitting behind a huge queue.

The whole point of a "distributed Denial of Service" is ... wait for it... Denial of Service. It doesn't matter if the bottleneck is shifted. If the server can't handle the traffic, then my request won't be serviced.

The same kind of mental cripple who doesn't RTFA?

[Len]

They are NOT talking about "accessing and carrying out tasks on my machine without my express permission."

"Rather than using an ill-gotten botnet, Phalanx would use the large networks of computers which companies currently use to serve massive amounts of content," says team member Colin Dixon.

Re:The same kind of mental cripple who doesn't RTF

[dbIII]

Similar to the mental cripple that unfortunately decided to call a distributed service a "good botnet". Because of that we are discussing a bad analogy instead of the actual idea.

who flagged this post insightful O_o

[someone1234]

The problem with this approach is not because they 'take over' your machine (by consent).
This is just a treatment of the symptom. The cure would be to sanitize and shield luser computers from zombie recruitment.

I've always wondered...

[neokushan]

I've always wondered why botnets always seemed to be created by black hats. I think it'd be cool to have a competition where some whitehats try to exploit a vulnerability in some software in order to patch it FROM that vulnerability.
Even if it just forced a windows update, it'd still be quite useful, but it seems nobody with the skills to pull off such a feat can be bothered to do it.
Surely there's some benign genius out there who could exploit an existing botnet to send it a shutdown command, rather akin to how captain Picard defeated the Borg after he was captured by them, once again proving that Star Trek has given us great insight into the future and, of course, that Picard is better than Kirk will ever be?

Re:I've always wondered...

[CogDissident]

Because, a white hat could do it for free, and it'd be cool, but they'd risk being sued into a smoking crater if they told anyone.

By contrast, a black hat, stands to make thousands and thousands of dollars by just exploiting that vulnerability.

Which would you choose? Honestly?

Re:I've always wondered...

[sm62704]

Not to mention that using someone's computer without their permission is unethical. Black hats don't have to bother with ethics or morals.

GP: Even if it just forced a windows update

The first Windows update after I installed XP hosed my network drivers. If I hadn't given permission for that update I'd have seen a lawyer about the matter.

If you don't have permission to be in a computer STAY THE HELL OUT OF IT. It's unethical, it's illegal, and it's BAD MANNERS.

Re:

[What Would NPH Do]

If I hadn't given permission for that update I'd have seen a lawyer about the matter.

Yeah, and you would have been subsequently laughed out of court as your case was dismissed. You'd also would have most likely been held accountable to pay Microsoft's attorney's fees.

Re:

[sm62704]

So, YAL? Then please explain to my poor fucktarded brain why they should have a legal right to hack into my computer without permission?

Re:

[What Would NPH Do]

Then please explain to my poor fucktarded brain why they should have a legal right to hack into my computer without permission?

Who said they did? You were talking about how you would have sued Microsoft had someone forced your computer to do a Windows Update and something had broken a driver on your system. The fact of the matter is that Windows Update would have no clue one way or another whether you, a virus, or some remote entity had allowed the update to be installed and as such you'd have no basis to sue Microsoft. Hence why I said your case would have been dismissed.

Re:

[Torvaun]

He didn't say he would have sued Microsoft, he said he would have called a lawyer. Microsoft was never specified as the target of said lawyer. Basically, he's saying that if someone breaks his computer without permission, he's holding them liable, even if they were trying to be helpful.

Re:

[BlackSnake112]

Who trusts microsoft to write the correct hardware driver? Microsoft doesn't make the hardware, let the people who make the hardware write the drivers. I would hope that they know more about how their product works then microsoft does.

Re:

[sm62704]

Agreed, since Microisoft's driver hosed the system. I didn't even know it was updating a driver; I'd left automatic update on. That was the last time I let it do an automatic update! Had a hell of a time figuring out what was wrong with the computer. First I thought I broke the modem (it fell off the table(, the ISP's tech confirmed that he could see the modem so I thought cable. Almost bought a new LAN card when I reinstalled XP because it had disabled Roxio CD software's drivers and wouldn't let me uninst

Re:

[Deuterium224]

Yeah, and if your computer wasn't part of a botnet, I'd be inclined to agree. The only reason this hypothetical White Hat would be accessing your computer is to fix the problem you haven't noticed in the first place... what makes you think you'd notice the fix?

Re:

[sm62704]

What if my computer was a honeypot as part of a honeynet?

Re:

[ma1wrbu5tr]

Then you'd have a problem with bears in your office. ;)

Re:

[SScorpio]

The only reason it's not already down is due to legal issues. Back in 2000ish there was an exploit for I believe IIS. Someone made a Perl module people put on their Linux Apache servers in the location of the exploit on the Windows box. When the exploit was trigger, the Linux box connected to the Windows Server using the same exploit, patched the box, and removed the worm, and forced a reboot.

This never caught on though because people were too worried about getting sued for hacking a server. The best so

Re:

[Tenebrousedge]

But aren't we always up in arms about ISPs monitoring and altering internet traffic? Seems like a double standard. Give me my BitTorrent, but other things that generate lots of traffic are harmful to the network? And with increasing levels of encryption, how do you tell the difference?

Re:

[drewish_princess]

I think you're referring to the fix for Code Red 2 written by Sam Phillips. This article makes passing mention of it: http://www.securityfocus.com/infocus/1515 [securityfocus.com]

Google for http://www.dasbistro.com/default.ida [dasbistro.com] and you'll see it referenced a few places.

Re:

[SScorpio]

Thanks, that would be it. It was too many years ago to remember exactly.

Re:

[techno-vampire]

what makes you think you'd notice the fix?

I was about to say that he'd notice when it suddenly rebooted for (apparently) no reason at all. Then I remembered that this is Windows we're talking about; that's just normal activity.

Re:

[ma1wrbu5tr]

"The first Windows update after I installed XP hosed my network drivers."
Complete BSOD for me. Apparently the patch didn't like my SATA controller. What a headache.

Re:

[sm62704]

If your personal / company PC got noticeably hacked on a regular basis even a joe regular user would do something about it.

Most peple don't even worry about it until it's almost bricked.

Re:

[ShiNoKaze]

Psh, if they're so benign they can't be that smart... It's the Evil genius that gets all the credit.

Re:I've always wondered...

[ChenLiWay]

It's been done http://en.wikipedia.org/wiki/Welchia [wikipedia.org] with mixed results.

Re:I've always wondered...

[Orinthe]

I seem to remember that back when the Blaster worm was a big deal, someone did just this. Thing is, everyone complained and said it was terrible and irresponsible to patch peoples' computers without their permission, potentially causing instability, especially in the enterprise where patches have to be thoroughly vetted before being applied, even if they are for critical vulnerabilities. Someone else pointed this out, too, with an appropriate link to http://en.wikipedia.org/wiki/Welchia [wikipedia.org]

Re:

[hesaigo999ca]

The best would be to have an ISP filter that blocks anyone using an unpatched computer, this would force them to figure out why they would want to run without patching, and make the necessary arrangements for bringing their pcs up to speed

SELECT Me = Max(quote)+1 FROM you WHERE attribute witty

Re:I've always wondered...

[witherstaff]

I remember one of my boxes was compromised in the 90s through a POP3 exploit. The kid patched the hole after he gave himself an ssh account. He poked around the pr0n site hosted on it, then sent me a talk request to tell me what he did. I miss the old days of polite crackers.

Re:

[ArsonSmith]

White hats just use the basic social engineering technics of hacking. See Seti, RSA, etc...

Re:

[prennix]

There are lots of great things we could do for humanity with your computer. Please send me your login credentials. We'll be glad to let you know what great things we've done with your computer in a few weeks. I'll leave a note on your desktop.

Re:

[ma1wrbu5tr]

There I was, reading your reply and thinking about adding you as a /. friend.

Then I saw this...

"that Picard is better than Kirk will ever be?"

A flying drop kick and a judo chop from Kirk; and Picard would be whining like the aristocrat
panzy he is. :P


"Surely there's some benign genius out there who could exploit an existing botnet to send it a shutdown command,"

Jesus doesn't have a computer.

This will never work

[Anonymous Coward]

The researchers are so ignorant of history. All the malware writers have to do is to create a Legion botnet. The Legion defeats a Phalanx every time.

At least watching this in action would be cooler than playing Rome: Total War.

My botnet....

[Anonymous Coward]

can beat up your botnet

Future of Botnets

[pieterh]

First person to make a "good" BotNet where you can join and get protection for a low, low monthly subscription, makes a killing.

BotNets are obviously the only way to fight BotNets.

Re:

[H0p313ss]

First person to make a "good" BotNet where you can join and get protection for a low, low monthly subscription, makes a killing.

You mean... you won't make us an offer we... we can't refuse?

Re:

[flaming error]

So if we pay "protection" money, our network won't be taken down.

  > You mean... you won't make us an offer we... we can't refuse?
Somebody "makes a killing". That's all he's saying.

Internet insurance?

[samwh]

Neat. I like it.

Re:

[Thelasko]

I doubt you would actually get protection by joining a good botnet. The bad botnet will likely attack the good botnet and take out at least a few of the machines (temporarily). A machine in a good botnet is about as secure as any given fish in a school of fish.

Re:

[BetterThanCaesar]

It sounds to me like paying protection money to a botnet would be like paying protection money to the mafia.

Re:

[Shotgun]

It sounds to me like paying protection money to a botnet would be like paying protection money to the mafia.

Or the police?
Government officials force money out of you at the point of a gun (they call it 'taxes'), so that they can hire 'policemen' to protect you.

Just sayin'.

Re:

[m0i]

It already exists and is bigger than any other, it is called windowsupdate and it is included with your XP license (or keygen..). Why would one try to do better than Microsoft at fixing their own OS is beyond me.

Re:

[prennix]

it's called Windows Update... but I don't like the word "good."

Re:

[sharp-bang]

We have those already, except for the "protection" part. It's called AV.

I for one...

[Cctoide]

... look forward to Battlebotnets.

Re:

[nfk]

where you can join and get protection for a low, low monthly subscription

Sounds like the mafia.

Calling Hollywood

[amplt1337]

You know, this could be a pretty exciting movie plot.

Or at least an episode of Battlestar: Galactica or something.

And the day was saved...

[electricbern]

by your friendly neighborhood botnet.

And thus, Skynet is born

[UberHoser]

Or would this be more of the Matrix ?

awwww

[umbl3r]

aww reminds me of the days that if you tried to probe a bot server it tried to launch a DOS attack on you. had many hours of fun spoofing a nmap of a bot server's ip and watch the servers take each other out.. man i laughed for days watching bots attack each other.. aw the good-ol days.

People are missing a portion

[kaosfury]

I keep seeing people quote this: "Initially the researchers propose using the servers in networks such as Akamai as mailboxes"

But no one has pointed at this paortion: "ultimately they would like to piggyback the good-botnet functionality onto BitTorrent"

In other words, no they can not use my computer to run their botnet. I don't even let my computer play with the other botnets.

Question

[cowwoc2001]

1) How do you detect a DDoS attack?

2) Once you detect it, wouldn't it be easier to propagate a request up your stream asking it to cut off incoming traffic from X?

For example, if I (somehow) know the IPs of people that are part of the DDoS attack, I'd send them up to my provider, and he would send it up to his upstream provider, etc until the traffic gets cut off as close as possible to the source. Everyone saves a lot of traffic and we're all happy, no?

Re:Question

[What Would NPH Do]

1) How do you detect a DDoS attack?

There are various ways. Activity profiling, sequential change point detection, wavelet analysis, etc. Here's a good page on different techniques: http://dsonline.computer.org/portal/site/dsonline/menuitem.6dd2a408dbe4a94be487e0606bcd45f3/index.jsp?&pName=dso_level1_article&TheCat=1001&path=dsonline/2006/01&file=w1spot.xml& [computer.org]

Re:

[umbl3r]

1)manyways, like stated below 2)yes it would be, but whats the fun in that. lol

Not the Solution

[Thelasko]

Using another botnet to send puzzles to the first botnet before it is allowed to access the main server works on a small scale. But think about it this way. If you have two networks sending massive amounts of useless data across the interweb. The ordinary users (whether they are members of a botnet or not) will suffer. Network traffic will slow to a crawl globally (I suspect it already has due to botnet activity). This will result in a MAD scenario reminiscent of the Cold War. Global network traffic w

Re:

[Thelasko]

But it is the solution! If an internet protocol is developed that requires each machine that wishes to connect to a website to use a few computing cycles to do something constructive, like BOINC, we could make massive advances in science and technology in no time! By doing so we could harness the power of the botnets to do good.

Re:

[techno-vampire]

Besides, botnets are hosted on legitimate (albeit poorly managed) machines - these machines which are already crawling would have to start to be measured in FLOPD (per day)..

So? That would have two results: first, it would make the botnet itself slow down to a crawl and second, it would (one would hope) make the poor luser trying to run the box realize that there's Something Wrong and get help.

Re:

[nuzak]

You activate the system when a DDOS attack starts. The network traffic at that point already is almost nothing but noise. Defeating the attack reduces the noise.

Besides, what makes you think computational puzzles require massive amounts of data?

We already have that

[HangingChad]

If you have two networks sending massive amounts of useless data across the interweb.

They're called Facebook and MySpace.

stupid idea is stupid.

[discogravy]

well, sure, every single other time someone made a "good" virus to patch holes that "bad" viruses exploited, it didn't work out and in fact became a bigger problem than the original virus, but since this is about *distributed* botnets -- waaaaaayyyy more than just one or two infected machines -- *THIS* time it'll work perfectly.

Further reading: http://www.people.frisk-software.com/~bontchev/papers/goodvir.html [frisk-software.com]

Obligatory simpsons quote

[wertarbyte]

LISA

But isn't that a bit short-sighted? What happens when we're overrun by lizards?

SKINNER

No problem. We simply unleash wave after wave of Chinese needle snakes. They'll wipe out the lizards.

LISA

But aren't the snakes even worse?

SKINNER

Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.

LISA

But then we're stuck with gorillas!

SKINNER

No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.

americans and overengineering

[jollyreaper]

Americans always try to over-engineer solutions. Just look at how the Russians handle it. Have a problem with a spammer? A man, a gun, and one bullet later, problem solved. Fancy counter-botnets? Nyet, comrade. Now let me tell you how it goes for journalists in Putinist Russia...

Rise of the BotNets

[Nom du Keyboard]

Just because you're taken over by a Good BotNet instead of an Evil one, that doesn't mean that it's a good thing in the grand scheme of things.

DDoS=Full Pipe

[RayMarron]

If your server is hit by a DDoS, the pipe is full of malicious traffic, leaving no room for the good traffic. If this is the case, how are you supposed to communicate with your "good botnet"? Is there a step I'm missing in all this? Do protected servers require a second "secret" connection to the Internet, using a completely separate provider?

How is this more effective...

[jlas]

So maybe I'm just misreading the article, but it sounds like: requests go to the mailbox server, when the "protected" server is ready to handle requests it talks to a random mailbox, and then sends a response. So the way I read that, you request a page/info/whatever and then sit at the mailbox waiting for a response. That seems like a lot of inefficiency/lost time just sitting there... If you've already got all these servers sitting here, how is this complicated clustered mailbox defense system better tha

Why do we tollerate botnets?

[bill_kress]

It seems like their behavior can be pretty easily identified.

Why don't ISPs just block all ports but 80 and all traffic there except for standard HTTP--leave a little notice saying that they are restricted until they get their shit together? I'd even volunteer part-time to join a crew to help people fix their computer and get back online.

All you'd really have to do is find one machine under a DDOS and log as many unique IPs as possible, then start flicking switches.

I mean, they are already identifying bit

Re:

[sophiaknows]

Well, most DDOS traffic is on port 80 and consists of an interminable series of otherwise straightforward HTTP GET requests.

The headers are typically crafted to look identical to an average user hitting the site using Win IE

But, even if you could distinguish good from bad hits, IP filtering a botnet that includes tens of thousands, hundreds of thousand or a million plus nodes is, I promise you from experience, a hopeless endeavor.

Re:

[bill_kress]

Hmm, I think you're mistaking a problem that needs a distributed one for one that needs a centralized one.

If you had a monitor or 20 at each NOC with the ability to recognize the patterns and either filter or shut down completely, it should solve the problem.

Honestly if I was part of a botnet and didn't know it, I'd be happy if they would just shut my port off then tell me why...

I didn't know that about the port 80 thing, I thought most exploits used other protocols, but I should have known better because t

Re:

[bill_kress]

So after thinking for 8 seconds (Should have hit preview), wouldn't it be easy to identify x similar packets to the same address within y seconds? Start out very loose then just tweak the variables as necessary..

Dammit

[TBerben]

So much for slashdotting a website

Good versus bad.

[Neanderthal Ninny]

This is similar to what good bacteria and viruses in our bodies are doing to the bad bacteria and viruses. If the good are winning we are well and alive but if the bad are winning are sick and dying.
However we need to learn the lesson from the Blue Security which they were counteract spam with their "unsubscribe" messages. Bad guys have alot up their sleeves so we need to be careful and have fall back plans before we go after these badbots.

http://www.securityfocus.com/news/11392 [securityfocus.com]
http://en.wikipedia.org/wiki/ [wikipedia.org]

Should have called it

[MadUndergrad]

Should have called it Wetlands. When a Storm (or Kraken) sends a surge of water your way, it's the wetlands that absorb it and protect the town. Much more appropriate than Plalanx.

Wohaaa, wait a sec..

[BlueParrot]

did somebody just use "whatcouldpossiblygowrong" where appropriate? ZOMG!

bad concept

[TheSHAD0W]

I'd have to opine that this system is flawed in concept, using both a dedicated swarm and especially a P2P-volunteer swarm. In the case of the volunteer swarm it would be fairly trivial for an attacker to join the swarm, discover the address of the central server and any keys needed to access it, and bypass the swarm to attack directly. However, even if the swarm were composed of dedicated machines, all that would be necessary would be to craft a seemingly-legitimate access request, and flood the central

How's that a botnet

[oglueck]

So you make a cluster and a load balancer and call it a bot net? A bit tacky.

Re:

[zedlander]

Heck, I do it for free [stanford.edu].

Re:

[Mark Cicero]

Psst. Altruism is dead. Didn't you get the memo?