
IBM's Billy Goat Squashes Worms

Hemos posted more than 10 years ago | from the behavior-based-activity dept.

Security 170

fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."


170 comments

Goat? (0, Funny)

Anonymous Coward | more than 10 years ago | (#6843951)

Oh my god. This has got to be a joke. Bring on the screenshots

FP (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6843953)

First Post

Re:FP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6843965)

HAHAHA YUO FAIL IT!!!!

I wasn't even trying, and yet I beat you to it.

An elephant is a mouse with an operating system. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6843958)

An elephant is a mouse with an operating system.

Countermeasure (-1, Offtopic)

bwt (68845) | more than 10 years ago | (#6843963)

I knew something good would come out of SCO suing IBM. Darl McBride better look out now.

Billy Goat (5, Funny)

shird (566377) | more than 10 years ago | (#6843969)

This is a play on the name "Bill Gates", surely? Why else would they call it that. Interesting concept nonetheless.

Re:Billy Goat (3, Insightful)

bubbasatan (99237) | more than 10 years ago | (#6844041)

An amusing interpretation, but how about calling it a billy goat because it will eat anything?

Re:Billy Goat (1)

HeroicHorst (703375) | more than 10 years ago | (#6844100)

But the play on the name is not really funny...

(M$) Bill Goatse? (4, Funny)

VEGx (576738) | more than 10 years ago | (#6844101)

Is that a hint that Bill Gates is into Goatse? I'm a nice troll, gimme a cookie.

Re:Billy Goat (2, Informative)

Anonymous Coward | more than 10 years ago | (#6844132)

Actually, it's probably more likely they are referencing the folk tale of the Three Billy Goats Gruff [pitt.edu] .

Re:Billy Goat (4, Funny)

KoolDude (614134) | more than 10 years ago | (#6844174)


In giving out the details, the researchers mentioned that the full name is Williamy Henry Goat III. They also announced that a helper software code-named Steward "Monkey" Bawlmer will be released soon.

Re:Billy Goat (2, Interesting)

cockroach2 (117475) | more than 10 years ago | (#6844319)

funny thing is, in some swiss dialects, "geiss" (swiss-german for goat) is pronounced exactly like "gates" without the t, sort of like "gayss"...

Re:Billy Goat (0)

Anonymous Coward | more than 10 years ago | (#6844324)

Perhaps it's a derivative of the term "sacrificial goat", which is another way of saying "honeypot".

inappropriate title? (3, Interesting)

lingqi (577227) | more than 10 years ago | (#6843970)

squashes worms?

it is a detection system. and an imperfect one at that: heck even the designer for the software itself says this...

besides, if it's an outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching its grass and not have a clue while the network slows to a crawl.

I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?

Re:inappropriate title? (5, Informative)

farnz (625056) | more than 10 years ago | (#6844016)

Something like Blaster scans the network for vulnerable machines; some of these IPs are unassigned. Billy Goat detects the attempts to access unassigned IPs, and alerts admins/firewalls your box off/generally makes noise.

The result is that something like Blaster gets caught before your whole network is infested; Billy Goat ignores a slashdotting, since all the traffic goes to assigned IPs.

Re:inappropriate title? (4, Interesting)

Anonymous Coward | more than 10 years ago | (#6844571)

So then we're in a situation of either

a) The admins take 5 mins to work out what's wrong and block the traffic (on a good day)

or

b) The firewall gets its rules automatically updated by billy goat (with an addon?) and successfully blocks the traffic. ...Leading to the attacker having an easy way to do a DOS attack on the entire network (by scanning every possible port on an unused ip address)

Re:inappropriate title? (1)

farnz (625056) | more than 10 years ago | (#6844800)

I don't see the DoS attack here; as far as I can glean from the article, an attacker scanning every possible port on an unused IP address is blocked. No-one other than the attacker is blocked, so there's no DoS.

Re:inappropriate title? (2, Insightful)

Overly Critical Guy (663429) | more than 10 years ago | (#6844637)

The result is that something like Blaster gets caught before your whole network is infested.

Instead of buying something called "Billy Goat," you could also just download the free patch that fixed it a month before...

Re:inappropriate title? (0)

Anonymous Coward | more than 10 years ago | (#6844732)

So basically it's like the code-red tarpits.

"earlier this month" (5, Funny)

mirko (198274) | more than 10 years ago | (#6843971)

I do not want to look anal but I think the submitter meant "last month" :-)

Re:"earlier this month" (1)

barzok (26681) | more than 10 years ago | (#6844067)

He probably submitted it while it was still August.

Re:"earlier this month" (5, Funny)

F452 (97091) | more than 10 years ago | (#6844104)

I do not want to look anal but I think the submitter meant "last month" :-)

Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!

Re:"earlier this month" (0, Offtopic)

G-funk (22712) | more than 10 years ago | (#6844238)

Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!

[ insert ontopic goatse link ]

In case you don't get the names... (3, Insightful)

Vexar (664860) | more than 10 years ago | (#6844381)

short for anal-retentive, a 'clever' way of articulating someone has a detail-oriented obsession or obsessive-compulsive behavior. It describes the person as unable to relax, or constipated.

Sadly, people just know 'anal' these days. Gone are days of long ago when people said what they meant, and did not lean on the spindly crutch of catchphrases and colloquialisms.

I can now imagine that this sort of intrusion detection software will be known only as Billy Goat, just as so many use 'trojan' and 'virus' when such terms are far from inappropriate to describe a specific piece of software with destructive intent. Why, just this morning, an interview with the prosecutor of Blaster.B accused author Jeffrey Lee Parsons, yielded such terms as "cyber-hacker." Since when did "cyber" need to be prefixed? I'm waiting for someone in the legal profession to butcher that term, and vomit terms like Cyber-goat.

IBM was foolish to announce this so early. I just know they will get targeted by the crackers out there for it (note, that's criminal-hacker, not ebonic-slang/slur for white person), and then the crackers will roast the billy goat over IBM's own firewall!

For those who aren't well-educated on nursery rhymes, go read up on Three Billy Goats Gruff. You will find the proper origin of the software name there, trade-related double-entendres notwithstanding.

Re:"earlier this month" (1)

Ambush (120586) | more than 10 years ago | (#6844111)

I do not want to look anal but I think the submitter meant "last month"

You obviously haven't noticed how long the editors take to accept a story, have you? ;-)

Re:"earlier this month" (0)

Anonymous Coward | more than 10 years ago | (#6844137)

So you think the submitter meant "last year"?

Re:"earlier this month" (1)

b!arg (622192) | more than 10 years ago | (#6844855)

No...only how quickly they reject mine...

Umm (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6843973)

informationweek is a spoof website, where is the foot icon ?

What's the point? (5, Insightful)

mOoZik (698544) | more than 10 years ago | (#6843974)

Detecting potential attacks is one thing and preventing damage and slow-down of the internet is another. Even now we can somewhat predict them before they begin to slow the entire net down. But seeing how something akin to these last two worms will slip right by even with our knowledge, this technology becomes rather redundant. Eventually, educating the end-user will be a greater force than some goat.

P.S. any coincidence it is named "Billy"?

Re:What's the point? (4, Interesting)

KrispyKringle (672903) | more than 10 years ago | (#6844200)

I'm not sure I follow you on educating the end user. It's definitely a good idea, to be sure, but it does little against worms that require no user interaction to infect the PC, like Blaster. Granted, if the machine were patched, it would help, but not that much. Many users are on slow connections, windowsupdate was unreliable, and the time it takes users to patch--a few hours, a few days--is easily enough time to become infected (I have a friend who connected a new XP machine to the 'Net to run windowsupdate and was infected in minutes).

On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.

This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.

Re:What's the point? (3, Insightful)

mOoZik (698544) | more than 10 years ago | (#6844261)

All good points, but I was actually referring to the many worms which dwell in os holes. If users were educated enough to know why a patch is useful, then the effects of the last two (or three?) worms, for example, would be nulled. The warning and patch predated the swarm by 3 weeks. Even for someone on 56K and even with assumed problems with the windows update site, 3 weeks is plenty of time to avoid such a mess. Granted, it wouldn't solve all the problems, and a heavy fist on the side of the ISP's would alleviate the problems, but something like billy goat just doesn't solve them.

A computer system to seek out worms? (5, Funny)

zippity8 (446412) | more than 10 years ago | (#6843977)

So you're turning on a computer system that's intended to be intelligent enough to seek out and eradicate computer worms?

Did you NOT see Terminator 3?

- Those that do not learn from history are doomed to repeat it.

Or, in this case, those that don't learn from crappy movies. =P

Re:A computer system to seek out worms? (3, Funny)

Psiren (6145) | more than 10 years ago | (#6844053)

There was a story a while back (not sure if it was on /.) about a whole load of traffic on the net that no-one could account for or trace. Makes you think...

I believe Skynet went online August 29th 1997, but software is always late, no? ;)

Re:A computer system to seek out worms? (0)

Anonymous Coward | more than 10 years ago | (#6844351)

Skynet has stolen SCO's IP.
hence the time travel and general bad attitude.

Re:A computer system to seek out worms? (1)

Skater (41976) | more than 10 years ago | (#6844446)

Didn't you see T3? Judgement Day is inevitable. :)

--RJ

Re:A computer system to seek out worms? (0)

Anonymous Coward | more than 10 years ago | (#6844290)

T3? Crappy movie? Talk to the hand!!

Obvious joke! (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#6843980)

Can it defend off the billy goatse(.cx) worm?

too easy (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6843984)

too easy.

Interesting technique (5, Insightful)

farnz (625056) | more than 10 years ago | (#6843985)

It sounds like a nice extension of egress filtering; you know which of your IPs are unassigned, and so you assume that boxes trying to access unused IPs are up to no good, and act accordingly (firewall the affected box off, and investigate). Slows worm propagation, and discourages people from scanning your entire address space unnecessarily.
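Added example, written for this thread and not code from IBM's Billy Goat or from farnz: the "traffic to unassigned addresses" rule that farnz describes in both of his comments (the Blaster reply above and this egress-filtering comparison), as a small Python detector over constructed flow records. The local range, the assigned-address set, the allow-listed management station and the threshold are all assumptions. It shows the two cases the thread argues about: a host sweeping unassigned addresses is flagged, while a flood of connections to an assigned web server (a slashdotting) is not, and a known sweeper (an NMS doing discovery) is ignored via the allow-list.

```python
"""Toy unassigned-address ("dark IP") scanner detector.

Assumptions (not from the article): local net 192.0.2.0/24, a handful of
assigned hosts, one allow-listed management station, and a threshold of
five distinct dark targets before a source is reported.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local range (RFC 5737 doc space)
ASSIGNED = {ipaddress.ip_address(f"192.0.2.{h}") for h in (1, 10, 11, 12, 80)}
ALLOWLIST = {ipaddress.ip_address("192.0.2.1")}    # assumed NMS box that legitimately sweeps
DARK_THRESHOLD = 5   # distinct unassigned targets before a source is flagged


def classify_dst(dst):
    """'dark' = unassigned local address, 'lit' = assigned local, 'external' = not ours."""
    dst = ipaddress.ip_address(dst)
    if dst not in LOCAL_NET:
        return "external"
    return "lit" if dst in ASSIGNED else "dark"


def find_scanners(flows, threshold=DARK_THRESHOLD):
    """flows: iterable of (src, dst, dport). Return {src: sorted dark targets it touched}.

    Volume to assigned hosts is never counted, so a slashdotting of the web
    server produces no alert; only breadth across dark addresses does.
    """
    dark_targets = defaultdict(set)
    for src, dst, _dport in flows:
        src_ip = ipaddress.ip_address(src)
        if src_ip in ALLOWLIST:
            continue
        if classify_dst(dst) == "dark":
            dark_targets[src_ip].add(ipaddress.ip_address(dst))
    return {
        str(src): sorted(str(t) for t in targets)
        for src, targets in dark_targets.items()
        if len(targets) >= threshold
    }


# Constructed sample traffic:
#  .10 sweeps 135/tcp across unassigned addresses (Blaster-like behaviour),
#  .11 opens 500 connections to the assigned web server (a slashdotting),
#  .1  is the allow-listed NMS doing a discovery sweep,
#  .12 talks to an outside host, which is out of scope for this rule.
SAMPLE_FLOWS = (
    [("192.0.2.10", f"192.0.2.{h}", 135) for h in range(20, 40)]
    + [("192.0.2.11", "192.0.2.80", 80)] * 500
    + [("192.0.2.1", f"192.0.2.{h}", 0) for h in range(2, 254)]
    + [("192.0.2.12", "198.51.100.7", 443)]
)

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {len(targets)} unassigned targets, e.g. {targets[:3]}")
```

The allow-list is the answer to the "won't it break NNM ping sweeps" and "attacker spoofs a server address" objections raised elsewhere in the thread: whatever your real address inventory and management hosts are, they have to be fed in, or the rule fires on them.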

Nice naming... Billy Goat or Billy Gates? :-) (-1, Redundant)

vierja (632250) | more than 10 years ago | (#6843988)

Nice naming... Billy Goat or Billy Gates? :-)

pure genius... (0, Redundant)

DrStrangeLoop (567076) | more than 10 years ago | (#6843990)

...with connotations of both the young William Gates and the goatse.cx dude, i predict this meme to become quite popular here at /. and in IT at large.

strangeloop.

Re:pure genius... (0, Redundant)

The Cydonian (603441) | more than 10 years ago | (#6843996)

Yes. I, for one, welcome our new goat overlords!

Re:pure genius... (-1)

Anonymous Coward | more than 10 years ago | (#6844297)

In Soviet Russia, goats detect YOU.

Well... (2, Insightful)

Kai_MH (632216) | more than 10 years ago | (#6843998)

You can always depend on IBM. They contribute to Linux... help Windows users... make awesome products, even if they do cost too much... But, hey, IBM is great.

Re:Well... (0)

theTerribleRobbo (661592) | more than 10 years ago | (#6844339)


Until they turn on us. :-)

Re:Well... (0)

Anonymous Coward | more than 10 years ago | (#6844641)

"Pointless" or "Mumbling to self" I could see, but "Troll"?

I think the poster just didn't have a point to make and wanted to post for the sake of posting...

hey, kinda like me!

Re:Well... (2, Insightful)

alangmead (109702) | more than 10 years ago | (#6844823)

I'm sorry. I remember too much of the antitrust suit [lib.de.us] against IBM to fully trust them. I'll thank them for each thing they do to help advance free software, and the computer industry as a whole, but I reserve the right to examine each decision individually.

Important announcement (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6844000)

The herbal medicine I bought over the net is now finished and I am proud to announce that my penis is now a whole 1/2" longer!

Re:Important announcement (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6844109)

Did you not read the part that reads:
Don't take a measurement directly after rubbing it in.

Re:Important announcement (0)

Anonymous Coward | more than 10 years ago | (#6844519)

Actually there is a damn good reason why they say "gain three inches in length" and make no mention of how many millimetres that is.

All nations that are signatories to the treaty that established SI have legislation requiring that measurements in SI units are required to be accurate to a certain standard. The measurement does not cover non-SI units. Which is why monitor manufacturers will quite happily give you 22mm. on the inch and marijuana dealers will quite happily give you 24g. on the ounce.

It would be illegal for them to say "gain 75mm." unless the stuff actually made you gain 75mm. But, they can say "gain 3 inches" and they are NOT making a claim, because non-SI measurements have no legal standing. This is how, BTW, you can often get around a school or workplace hair-length, heel-height or skirt-length dress code regulation ..... if it only says how long in inches, not in metres, then you can simply redefine an inch to be however many millimetres it would take to get you within code. {'These shoes would be acceptable if there were 40mm. in an inch; therefore, I claim that there are 45mm. in the inch and my shoes are now legal.'} Now it's just your word against theirs. The rule will at least have to be debated before it can be amended, and may be rejected {especially if you can influence enough voting members before the EGM}.
Ting! Next please.

As in "Billy Goat Gruff"? (5, Funny)

Black Parrot (19622) | more than 10 years ago | (#6844005)


Will it butt trolls off the net too?

In version 3 (0)

Epeeist (2682) | more than 10 years ago | (#6844021)

This will be in version 3, aka "Great Big Billy Goat Gruff".

issues with this (4, Interesting)

segment (695309) | more than 10 years ago | (#6844007)


IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm sounds odd typing because I'm tired. Ok, for instance most MS based worms such as Blaster, Sobig, etc., tend to rip a list of addresses from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.

Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.

It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.

This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anomaly detection experience. Hell if you've read enough RFC's and Cisco books, anyone would be able to detect and halt attacks using freeware such as snort.

Oh well it sounded good for a minute, it's a shame they didn't include any screenshots or specs in the article.

Re:issues with this (3, Informative)

mOoZik (698544) | more than 10 years ago | (#6844043)

Actually, some of the worst worms have used random IP's. The worms you mentioned only use the emails from the address books, as there is no way to get IP information from it. Therefore monitoring which IP's are fake will provide a method of early warning. Though that's all it'll do.

Re:issues with this (2, Informative)

tesmako (602075) | more than 10 years ago | (#6844404)

Repeat after me: Sobig is *NOT* a worm, it requires the user to execute the attachment. It relies on somewhat crude social engineering, absolutely not a self-replicating worm.

Detects port scans? (2, Interesting)

twelveinchbrain (312326) | more than 10 years ago | (#6844008)

TFA isn't very clear, but it sounds like the only thing unique about Billy Goat is that it detects port scans. I can't believe it would take a bunch of PhD computer scientists to figure out how to do that. Anyone else know what makes this thing special?

BOYKOTT KDE! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6844017)

The kde organization is a Euro terrorist operation, more details kan be found here [members.shaw.ca] .

Support Gnu/GNOME, its for your own kood!

Re:BOYKOTT KDE! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6844036)

Gnome sucks goat's penis, especially after the HIG-fascists took over.

Slashdot Rule #1 (5, Funny)

imadork (226897) | more than 10 years ago | (#6844018)

Never click on a link with the word "goat" in it.

Re:Slashdot Rule #1 (-1, Troll)

twoslice (457793) | more than 10 years ago | (#6844098)

yeah, I totally agree - especially goatse [goatse.cx] .

Re:Slashdot Rule #1 (0)

Anonymous Coward | more than 10 years ago | (#6844304)

Billy Goat? (-1, Offtopic)

Pig Hogger (10379) | more than 10 years ago | (#6844023)

Bill Gates should start shaking in his boots!!!

Re:Billy Goat? (1)

WindBourne (631190) | more than 10 years ago | (#6844269)

Actually, he is probably thankful. This is exactly what MS needs to overcome their deficiencies until they can get LongHorn designed and developed.

Will _he_ sue IBM now? (0, Troll)

geek2003 (699792) | more than 10 years ago | (#6844040)

IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market... Will Billy Gays ,er Gates, now sue IBM for illegally using his name to make money. After all TIBCO sued Apple on Friday for using the term Rendezvous!!

Re:Will _he_ sue IBM now? (1)

FxChiP (687923) | more than 10 years ago | (#6844586)

And Spike Lee sued TNN for trying to call themselves Spike TV! :P

Wow (0)

AnonymousCowheart (646429) | more than 10 years ago | (#6844046)

"...that slowed Internet traffic earlier this month."
Posted by Hemos on Monday September 01, @09:02AM
Wow, there have already been worms this month???

Goycott Gnu/Gnome! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6844066)

Ghe Gnu/Gnome (stallman owns it, hence the gnu/) organigation is a Gerrorist opegation, gore getails gan ge gound here [filedialogporn.com]

Gupport KDE, its gor gour gwn Good!

Dumb Name (5, Funny)

Kaz Riprock (590115) | more than 10 years ago | (#6844072)


If you built a software package that catches worms...why wouldn't you call it "Early Bird"?

Re:Dumb Name (1)

secolactico (519805) | more than 10 years ago | (#6844316)

Somebody beat them to it.

Early Bird Intrusion Detection [treachery.net] aims to catch the NIMDA worm.

Re:Dumb Name (1)

OpenSourcerer (515213) | more than 10 years ago | (#6844340)

May be it should be Darl the Early Bird!

Re:Dumb Name (1)

Paradise Pete (33184) | more than 10 years ago | (#6844750)

If you're a bird, be an early bird
and catch the worm for your breakfast plate.
If you're a bird, be an early, early bird...
but if you're a worm, sleep late.

Silverstein

Useful tool to have in an emergency (5, Interesting)

mikem170 (698970) | more than 10 years ago | (#6844096)

The network at the company where I work took a beating from the blaster worm - especially the D variant. We spent a week "quarantining" sites that had infected PCs. We blocked outbound port 135 and ICMP.

The volume of traffic put on the network by these worms threatened to saturate the hub circuits at the data center. A pentium 3 PC on 100MB ethernet can fill up a good part of a T1 with ICMP traffic pretty easily. Multiply that by 100 sites!!!!

Next week we will be bringing an automated system online that will do the following:

- snort portscan preprocessor will look for port scanning (with a list of exceptions for data center servers)

- a perl script will have the alerts piped to it and know when a new scan has started

- the perl expect mod will be used to put a null route in the network (on a cisco device) for the host that is doing the scanning. No return packets will make it back to the infected box.

- We will also be rate limiting ICMP at all sites, to 8kb/s.

My biggest worry is some belligerent spoofing server addresses to set off false alerts, that's why we will program in an exception list for the mission critical stuff.

I might not run this thing all the time, but it is a great trick to have in the bag. We will lift the blocks at sites that look clean next week and I can rest easy knowing that any wormed PCs that crop up will not be able to spread (because of the automatic null route) nor will they be able to bomb the hub site (because of rate limited ICMP).
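Added example, not mikem170's script: the alert-to-null-route pipeline his list describes, in Python rather than Perl and Expect. The alert lines are constructed and only loosely modelled on Snort's one-line "fast" alert output (check the regex against your own snort.alert before trusting it), the exception list is an assumption standing in for his data-center servers, and the IOS commands are just generated, so nothing here opens a session to a router. The points worth seeing are the exception list (his defence against spoofed alerts), de-duplication so a chatty scanner is routed once, and the `already_routed` set so re-running over a log does not re-issue routes.

```python
"""Turn portscan alerts into Cisco null-route commands (illustration only).

Assumptions: alert format loosely follows Snort fast-alert lines, the
exception list holds hosts that may legitimately scan, and the caller
passes the resulting commands to whatever drives the router.
"""
import re

# Constructed alert lines (not real Snort output). The "(portscan)" tag and the
# "{PROTO} src -> dst" tail are what the regex below keys on.
SAMPLE_ALERTS = """\
09/01-09:02:11.120 [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 10.5.7.23 -> 10.5.0.0
09/01-09:02:11.540 [**] [1:2003:4] MS-SQL Worm propagation attempt [**] {UDP} 10.5.7.23:1434 -> 10.5.9.4:1434
09/01-09:02:12.001 [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 10.5.7.23 -> 10.5.0.0
09/01-09:02:13.377 [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 10.5.1.2 -> 10.5.0.0
09/01-09:02:15.900 [**] [122:3:0] (portscan) ICMP Sweep [**] {PROTO:255} 10.5.8.200 -> 10.5.0.0
garbage line that should be ignored
""".splitlines()

# Source address of a portscan alert: "(portscan) ... {PROTO} 1.2.3.4[:port] ->"
PORTSCAN_RE = re.compile(
    r"\(portscan\)[^{]*\{[^}]*\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)

# Hosts that legitimately sweep the network or must never be black-holed.
EXCEPTIONS = {"10.5.1.2"}   # assumed: network management station in the data center


def scanning_hosts(alert_lines):
    """Yield unique source IPs from portscan alerts, first-seen order, minus exceptions."""
    seen = set()
    for line in alert_lines:
        match = PORTSCAN_RE.search(line)
        if not match:
            continue                      # non-portscan alert or junk line
        src = match.group(1)
        if src in EXCEPTIONS or src in seen:
            continue
        seen.add(src)
        yield src


def null_route_commands(host):
    """IOS config lines that black-hole one host (the 'null route' from the post)."""
    return [
        "configure terminal",
        f"ip route {host} 255.255.255.255 Null0",
        "end",
        "write memory",
    ]


def plan(alert_lines, already_routed=frozenset()):
    """Return {host: [commands]} for scanners that do not yet have a null route."""
    return {
        host: null_route_commands(host)
        for host in scanning_hosts(alert_lines)
        if host not in already_routed
    }


if __name__ == "__main__":
    for host, cmds in plan(SAMPLE_ALERTS).items():
        print(f"! {host}")
        print("\n".join(cmds))
```

Feeding this from a live alert pipe instead of `SAMPLE_ALERTS` is a matter of iterating over `sys.stdin`; the part that needs care in production is the exception list, since the cost of a false positive here is a self-inflicted outage for that host.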

Re:Useful tool to have in an emergency (0)

Anonymous Coward | more than 10 years ago | (#6844607)

not a bad idea. although, patching would be a good step to throw in before going to the batbelt.

Re:Useful tool to have in an emergency (1)

mikem170 (698970) | more than 10 years ago | (#6844839)

I agree! But in the environment we are in at the moment it (patching) just was not made a priority until the issue was forced. I don't envy the desktop support people their jobs. In a big organization it's not an easy task to keep up with and do right.

Um, innovative? (4, Funny)

Rogerborg (306625) | more than 10 years ago | (#6844113)

if(>X packets received from ip
&& !reverse dns for ip)
block ip

Do I win $10?

Re:Um, innovative? (1)

AArmadillo (660847) | more than 10 years ago | (#6844522)

Do I win $10?

Unfortunately, you failed to come up with such a creative name as "Billy Goat" for your project. Who can resist software called "Billy Goat"? Perhaps you can call your project "She-Buffalo" and you'd have a chance!

Missed it by THAT much! (3, Insightful)

The Monster (227884) | more than 10 years ago | (#6844847)

block ip
So close. Instead of blocking the IP, tarpit it! Force the attacker to
s l o w . d o w n
while keeping the rest of the network moving right along while emailing the admin about it.

needs to be renamed (1)

linuxislandsucks (461335) | more than 10 years ago | (#6844120)

needs to be renamed to :

Billy we got Your Goat

Re:needs to be renamed (1)

MrHanky (141717) | more than 10 years ago | (#6844689)

...or Billy, get your goat before you walk through that door.

All right, I'm going back to bed now. Shouldn't post to Slashdot while having fever.

A better mousetrap, perhaps (3, Insightful)

Mostly a lurker (634878) | more than 10 years ago | (#6844122)

I have two immediate reactions. The first is that, on the face of it, there is nothing very revolutionary here. On the other hand, maybe all that is needed is a high quality implementation of techniques that are already known. I have read in several places recently that (excluding false alarms) rapid detection of attacks was not actually that difficult.

My second reaction is that the focus needs to be at the level of the ISPs. To expect all users to reliably protect themselves against attacks is just naive. Technology that could immediately detect attacks and prevent their propagation to individual users in the first place seems to me feasible and desirable.

What gives!?? (-1, Redundant)

Trolling4Dollars (627073) | more than 10 years ago | (#6844130)

If the average Slashdot poster with an innocuous name like say... "Trolling4Dollars" were to use the words 'Billy' and 'Goat' in an article referring to the whole Linux vs. Windows issue, he'd surely get modded down to "Troll -1" Mod the post down to -1!! :))))

Honey, I'm home (2, Interesting)

Alejo (69447) | more than 10 years ago | (#6844164)

The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren't assigned to specific computers, trying to isolate computers on a network that attempt to infect others.

and then
IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

Doesn't this sound like honeyd [umich.edu] ?

Re:Honey, I'm home (0)

Anonymous Coward | more than 10 years ago | (#6844859)

Well, there are many similar ideas floating around.

The Honeyd [umich.edu] people just added a section on how to automatically disable [umich.edu] the blaster worm. It seems that open source is ahead again of industry. You would just wish that more people were running such a setup.

LaBrea (5, Informative)

MoogMan (442253) | more than 10 years ago | (#6844198)

LaBrea - the "Sticky Tarpit". Seems like the same concept, and has a working, free implementation at http://labrea.sourceforge.net/

Re:LaBrea (1)

Uberdog (73274) | more than 10 years ago | (#6844827)

Actually LaBrea is a honeypot that refuses to release connections once they're open. So, it's not really the same at all, but it might slow down some worms if they were poorly coded.

Network Management Software (3, Interesting)

Dionysus (12737) | more than 10 years ago | (#6844214)

Doesn't network management software like NNM and whatever CA's stuff is called, work by doing ping sweeps and other stuff to detect new systems on the network?

Won't it break those systems?

Re:Network Management Software (1)

mikem170 (698970) | more than 10 years ago | (#6844329)

Yeah, NNM software can do stuff like that. There are a number of ways to do "discovery" including brute scanning. The other extreme is to import a list of systems and do no scanning. It's usually controllable, at least by someone who read the manual.

Re:Network Management Software (0)

Anonymous Coward | more than 10 years ago | (#6844632)

"Francais" should be "francais" (lowercase and with a cedille)

How long before it's turned against file sharers (3, Interesting)

ralatalo (673742) | more than 10 years ago | (#6844222)

Seems to me that if it's aimed towards detecting sources that aren't published, then somewhere there needs to be a list of 'published sites'. If your web, ftp, mail, cvs, filesharing software isn't on the list then it will flag everyone who connects to it for further study.

How? With a bit of the old ultra-violence??? (1)

Mjlner (609829) | more than 10 years ago | (#6844263)

I'm wondering, oh my brothers, if "Billy Goat" is a really horrorshow name for this software. If I remember correctly, it was your humble narrator who gave most of the tolchocks, while Billy Boy was mostly on the receiving end. You might not remember the happenings all horrorshow like, oh my brothers, so let me refresh your memory...

"Well well well, if it isn't fat stinking Billy Goat Billy Boy in poison. How art thou, thou globby bottle of cheap stinking chip oil? Come and get one in the yarbles, if you have any yarbles, you eunuch jelly thou!"

All that is needed is worm called "Alex"...

A minor variation on this... (3, Interesting)

zen parse (607603) | more than 10 years ago | (#6844278)

Here's an idea I had a while ago, (probably around slammer time) but never got around to doing anything about (because I don't admin any networks).

A module for your IDS which, if it detects a machine on your network is infected with something, automatically sets your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themselves, or to contact the helpdesk, or whatever.

In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.

The informing machine would not just be HTTP, which could return the webpage, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error, which (hopefully) will be displayed by the user's application, telling the user what is happening.

Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't they are isolated from the internet, and after their dhcp lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.

It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents. ;/

squashes worms?? (2, Funny)

di0s (582680) | more than 10 years ago | (#6844280)

I'm reporting you to PETA!! Oh wait, you mean computer worms...

Re:squashes worms?? (0)

Anonymous Coward | more than 10 years ago | (#6844801)

I'm reporting you to PETA!! Oh wait, you mean computer worms...

There's still time left, but I'm going to flip over all the cards and declare you the winner of the 2003 Least Funny Attempt at Humor award.

Traffic Analysis and Holistic Medicine (1)

eer (526805) | more than 10 years ago | (#6844322)

For years the common wisdom has been that traffic analysis attacks were too hard to master to worry about. It's interesting that the technique is now being turned on the attackers themselves as a means of detecting infections. Makes sense in the context of IBM's auto-immune system approach to system health.

But, note - in computer security, as in human health - there are two fundamental approaches:

once well, don't get sick
and

once sick, get well fast

A hospice volunteer I talked to last week pointed out that holistic eastern philosophies of medicine offer an interesting alternative perspective on how to approach "wellness". I wonder if there's something like acupuncture we should be exploring for intrusion detection systems and anti-virus/spam filters?

Billy Goat.... (0)

Anonymous Coward | more than 10 years ago | (#6844355)

Billy Goat, why did you let this happen? Stop making money and fix your software!

attacks finished? (1)

winkydink (650484) | more than 10 years ago | (#6844557)

to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month You mean the attacks are over? The 67000 icmp probes I received yesterday are legitimate tests?

Bob Bloom sums it up... (1)

hendridm (302246) | more than 10 years ago | (#6844620)

"A powerful virus is running rampant through the world's computers throwing everything a-kilter, so the brass at the Pentagon is considering putting Skynet on line to combat the virus. Unlike the audience, they are unaware that Skynet itself is creating the virus."

Hehe (2, Funny)

orbitalia (470425) | more than 10 years ago | (#6844642)

It's not the only thing IBM are going to be squashing soon..

Let billygoat's platform of choice be Linux! (3, Insightful)

mwfolsom (234049) | more than 10 years ago | (#6844661)

Strikes me that it would be great if billygoat was designed on top of a Linux kernel.

If it turned out to be a great product that would be a wonderful bit of irony. Linux working to save a messed up windows world.