
NETI@home Data Analyzed

timothy posted more than 9 years ago | from the sharpen-your-knives dept.

Security 155

An anonymous reader writes "The NETI@home Internet traffic statistics project (featured in Wired and Slashdot previously) has a quick analysis on the malicious traffic they observed. It's a rough world out there." Perhaps not surprising, but still disheartening, the researchers find among other things that a large portion of typical end-user traffic consists of malicious connection attempts.


But did they find intelligent life? (5, Funny)

miracle69 (34841) | more than 9 years ago | (#12339301)

That's what we need to know.

Re:But did they find intelligent life? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12339325)

no, but at least they're pretty sure there is no intelligent life in the bosses' office.

Re:But did they find intelligent life? (5, Funny)

eobanb (823187) | more than 9 years ago | (#12339334)

Well, they found people with a bunch of Windows Services on and all their ports open. Does that answer your question?

Re:But did they find intelligent life? (0, Troll)

Anonymous Coward | more than 9 years ago | (#12339404)

and all their ports open

Excellent. But are they female?

Re:But did they find intelligent life? (0, Troll)

Donald Ferrone (863523) | more than 9 years ago | (#12339466)

Irrelevant, we're faggots posting on Slashdot.

Re:But did they find intelligent life? (4, Funny)

netcrusher88 (743318) | more than 9 years ago | (#12339432)

Coming soon: NETI@home discovers sentient penguins and daemons... "Penguins were seen to be working alongside daemons, cultivating apples and mischievously breaking windows..."

In Soviet Russia... (-1)

Anonymous Coward | more than 9 years ago | (#12339477)

Intelligence finds you!

Intelligent life? On the internet? Ha! (0)

Tropaios (244000) | more than 9 years ago | (#12339595)

hahahahahahaha
lmfao
rofl :D
ttyl

warning (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12339323)

Warning: article may bore you to death.

Considering.. (4, Insightful)

Renraku (518261) | more than 9 years ago | (#12339338)

Considering these malicious programs aren't following any kind of 'standard' to reduce bandwidth utilization when checking over entire subnets of IPs that have been checked by 100000x other copies of the virus, it doesn't surprise me one bit.

It would be like setting up a massive feedback loop on a mail server. When user X gets message X, he passes message X to user Y, who upon receiving message X sends it back to user X.

Re:Considering.. (2, Interesting)

Nos. (179609) | more than 9 years ago | (#12339410)

Oh, so there should be a central hub where the virus/worm can talk to other copies of itself. Any place it could talk to itself would quickly be located and shut down. Besides, I don't think the writers of these kinds of programs are really concerned with your network utilization.

Most of the malicious type traffic I'm seeing lately (aside from SPAM) is ssh worms trying to log into my boxes. Most boxes are set to only allow ssh from a few IPs or subnets, but I have one that I block class A's anytime I see a worm trying to get in. I've got about 1/2 the IP space blocked right now.

It would be like setting up a massive feedback loop on a mail server. When user X gets message X, he passes message X to user Y, who upon receiving message X sends it back to user X
I remember a Banyan mail system I worked with. In the event that you set up a vacation (while I'm out) type mail minder and you're near your mailbox limit, it was possible to start an endless loop of mailbox-full notifications (mailbox-full notifications were allowed even if the limit was reached).

Re:Considering.. (2, Funny)

TheOtherChimeraTwin (697085) | more than 9 years ago | (#12339453)

Considering these malicious programs aren't following any kind of 'standard'

Not true! For example, they follow RFC 3514 [faqs.org]

Standards for viruses? (4, Insightful)

MarkByers (770551) | more than 9 years ago | (#12339465)

You can't impose a standard upon viruses. What will you do if a virus doesn't follow the standard? Find the author and punish them unless they fix it and release a new version that fully supports the standard?

The only way viruses will ever get standards is if the authors agree that they will get a considerable benefit by working together. I can't see that happening.

DSL/modem/router (4, Insightful)

FidelCatsro (861135) | more than 9 years ago | (#12339536)

It's insane the amount of bandwidth this is sucking up (I remember a time when viruses and worms were relatively well programmed, still as bad but less collateral damage).
I would like to see more ISPs, instead of supplying basic DSL modems with those overpriced sign-up deals, supply a proper firewall/router/DSL modem.
This would save us all a lot of pain in the long run.

Re:DSL/modem/router (0)

Anonymous Coward | more than 9 years ago | (#12340227)

good lord man, learn how to spell

Re:DSL/modem/router (0)

Anonymous Coward | more than 9 years ago | (#12340306)

Simple answer, I already know how. I'm just lazy :P and like irritating people like you..

Umm.... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12339354)

This is Slashdot. Nobody here has the time to read a multi-page densely worded PDF. Cue all the uninformed comments by people who didn't RTFPDF (yeah, I didn't either).

Not surprising (0, Redundant)

NinjaFodder (635704) | more than 9 years ago | (#12339364)

Is this really news?

Don't get me wrong. I dislike the idea that people are doing things like this, but I can't say that I'm surprised.

-"You seem a decent fellow. I hate to kill you."
-"You seem a decent fellow. I hate to die."

RBL of infected/malicious sites? (4, Interesting)

nizo (81281) | more than 9 years ago | (#12339379)

Does anything like this exist already? It would be nice if I could filter, say, ssh traffic coming from "known" naughty sites, and report sites that portscan me, though probably I should look at using smartcards or something more secure at this point. I can't just restrict the ssh port at the firewall, since people could be coming in from pretty much anywhere because of travel to remote sites. Aside from complaining to upstream providers (which so far has yielded zero responses) when I see people banging away at ssh, I don't see much else I can do.

Re:RBL of infected/malicious sites? (2, Informative)

14erCleaner (745600) | more than 9 years ago | (#12339452)

It would be nice if I could filter, say, ssh traffic coming from "known" naughty sites

From the abstract of their paper:

Finally, we look at activity relative to the IP address space and observe that the sources of malicious traffic are spread across the allocated range.

So the answer is no, you can't filter effectively for bad sites.

Re:RBL of infected/malicious sites? (2, Interesting)

Nos. (179609) | more than 9 years ago | (#12339497)

It might be worthwhile to look at setting up some sort of a web-based authentication system that would dynamically allow an IP address or subnet for a certain amount of time. Block everything, but if your customer/employee/whatever needs in, they can authenticate via a webpage which would then update your firewall rules.

Re:RBL of infected/malicious sites? (4, Insightful)

delirium of disorder (701392) | more than 9 years ago | (#12339525)

Why can't you restrict access to ssh from the firewall? One solution could be port knocking. You only let your firewall open up ssh after a series of connections on pre-defined ports are made. So say you choose "233 457 69 876 2094 576" to be your "password". You would make a client that would connect to those ports in that order and only after that initiate an ssh connection on port 22.
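The server side of the scheme this post describes, written out as an added example (it is not code from the poster or from the NETI@home project): a tracker that follows each source address through the knock sequence, opens the SSH port for that source for a short time once the sequence completes in order, and resets on any stray port. The sequence is the one from the post; the time window, the open duration and the class and method names are illustrative choices. Constructed sample traffic in the `__main__` block shows a good knock, an out-of-order knock and a plain sequential port sweep.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The knock sequence from the post above; KNOCK_WINDOW, OPEN_FOR and the
# class/method names below are illustrative choices, not from the post.
KNOCK_SEQUENCE: List[int] = [233, 457, 69, 876, 2094, 576]
KNOCK_WINDOW = 10.0   # seconds allowed to complete the whole sequence
OPEN_FOR = 30.0       # seconds the SSH port stays open after a good knock
SSH_PORT = 22


@dataclass
class KnockTracker:
    """Server-side port-knocking state: each source's progress through the
    secret port sequence, and which sources may currently reach SSH."""
    sequence: List[int] = field(default_factory=lambda: list(KNOCK_SEQUENCE))
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_FOR
    # src -> (index of the next expected port, time of the first knock)
    _progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # src -> time until which the SSH port is open for that source
    _open_until: Dict[str, float] = field(default_factory=dict)

    def observe(self, src: str, port: int, now: float) -> bool:
        """Feed one inbound connection attempt (source address, destination
        port). Returns True exactly when the source completes the sequence."""
        idx, started = self._progress.get(src, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now            # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._progress.pop(src, None)
                self._open_until[src] = now + self.open_for
                return True
            self._progress[src] = (idx, started)
        elif port == self.sequence[0]:
            self._progress[src] = (1, now)   # wrong port, but a fresh first knock
        else:
            # Any other port resets progress. A sequential port scan hits the
            # knock ports, but also every port in between, so it never completes.
            self._progress.pop(src, None)
        return False

    def decide(self, src: str, port: int, now: float) -> str:
        """Firewall verdict for one SYN: knock ports are consumed silently, the
        SSH port is accepted only for a source whose window is still open."""
        if port == SSH_PORT:
            return "ACCEPT" if self._open_until.get(src, 0.0) > now else "DROP"
        self.observe(src, port, now)
        return "DROP"


if __name__ == "__main__":
    tracker = KnockTracker()
    # constructed traffic: a correct knock from 10.0.0.5, one knock per second
    for i, port in enumerate(KNOCK_SEQUENCE):
        tracker.observe("10.0.0.5", port, 1.0 + i)
    print("good knock, ssh at t=7:", tracker.decide("10.0.0.5", SSH_PORT, 7.0))
    print("good knock, ssh at t=40:", tracker.decide("10.0.0.5", SSH_PORT, 40.0))
    # constructed traffic: a sequential sweep of ports 1..3000 from 10.0.0.7
    for port in range(1, 3001):
        tracker.observe("10.0.0.7", port, 1.0 + port / 1000)
    print("port sweep, ssh at t=5:", tracker.decide("10.0.0.7", SSH_PORT, 5.0))
```

The reset-on-stray-port rule is what distinguishes a knock from a scan: a scanner that walks ports in order touches every knock port but also every port between them. Note the open window is per source address, so a source behind the same NAT as a legitimate client inherits its window; the scheme is an obscurity layer in front of SSH authentication, not a replacement for it.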

Time to drag out this old chestnut (5, Funny)

This Old Chestnut (759273) | more than 9 years ago | (#12339574)

"Those willing to give up a little security by using a little obscurity deserve neither security nor root privileges".

-Benjamin Franklin

Re:RBL of infected/malicious sites? (0)

Anonymous Coward | more than 9 years ago | (#12339602)

Just move the SSH service to a non standard port. The SSH scan zombies you're referring to only scan on port 22.

Re:RBL of infected/malicious sites? (1)

BannedfrompostingAC (799263) | more than 9 years ago | (#12339608)

A great idea, but I have an even better one: you can instead secure your network and servers to ensure that no malicious connect attempts succeed! No blacklists to maintain, no fuss!

Don't use SSH password authentication (4, Insightful)

SIGBUS (8236) | more than 9 years ago | (#12339663)

You really should be using RSA or DSA keys instead of passwords. Hardly a day goes by that my systems don't get at least one script-kiddie SSH password guessing scan. Since I'm requiring keys for authentication, they're wasting their effort; if someone manages to crack a public key, we have far worse problems than password guessing.
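Both this post and the one above from Nos. describe the same observation: repeated SSH password-guessing attempts showing up in the logs. As an added example (not code from either poster or from the NETI@home project), here is the detection side: a parser for OpenSSH "Failed password" lines in syslog format and a sliding-window check that flags a source once it produces a threshold of failures within a short span. The log lines are constructed for the example and use documentation address ranges; the threshold and window are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines in OpenSSH/syslog format. 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Apr 25 14:02:11 host sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 51200 ssh2
Apr 25 14:02:13 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51201 ssh2
Apr 25 14:02:14 host sshd[1202]: Failed password for invalid user oracle from 192.0.2.10 port 51202 ssh2
Apr 25 14:02:16 host sshd[1202]: Failed password for root from 192.0.2.10 port 51203 ssh2
Apr 25 14:02:19 host sshd[1203]: Failed password for root from 192.0.2.10 port 51204 ssh2
Apr 25 14:02:21 host sshd[1203]: Failed password for invalid user guest from 192.0.2.10 port 51205 ssh2
Apr 25 14:05:40 host sshd[1250]: Failed password for bob from 203.0.113.4 port 40010 ssh2
Apr 25 14:05:48 host sshd[1250]: Accepted publickey for bob from 203.0.113.4 port 40011 ssh2: RSA SHA256:PLACEHOLDER
Apr 25 14:09:02 host sshd[1299]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:PLACEHOLDER
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Return {source_ip: [(timestamp, username), ...]} for every failed
    password attempt; accepted logins and unrelated lines are ignored."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # fine because only differences between timestamps are used below
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[m.group("ip")].append((ts, m.group("user")))
    return failures


def find_brute_forcers(log_text: str, threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, dict]:
    """Flag sources with at least `threshold` failed passwords inside any
    `window_seconds` span. Returns {ip: {"failures": n, "users": [...]}}."""
    flagged = {}
    for ip, events in parse_failures(log_text).items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_forcers(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {info['users']}")
```

The single failure from 203.0.113.4 followed by an accepted key login is what a legitimate user with a stale password entry looks like, and stays below the threshold; the burst of distinct usernames from 192.0.2.10 in eight seconds is the scan pattern. With key-only authentication in place, as the post recommends, these lines become "Connection closed by authenticating user" or "Invalid user" entries instead, and the same per-source counting still applies.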

Re:Don't use SSH password authentication (1, Insightful)

suitepotato (863945) | more than 9 years ago | (#12340002)

You really should be using RSA or DSA keys instead of passwords

Exactly right. It's almost trivial even under Windows to do it. Two factor should have been a standard years and years ago but as long as people can have four to eight digit passes which are easy to break, we keep seeing problems that shouldn't be there.

Anyone notice that PGP has passphrases of quite possibly insanely large size? It's hard to remember some farked and leeted phrase chosen to confound brute force and guessing when you have ten different ones. It is not hard to remember verbatim a passage from your favorite book. What's the mathematical difficulty in breaking a password with over one hundred digits? I can type a forty digit pass right 99.9% of the time if it is a passage of meaning to me.

Combine strong passwords and two-factor and you eliminate the bulk of these amateur breakers from contention. Now if only end-users couldn't do their work for them by running their trojans from e-mail attachments and bouncing pop-up windows. "Win a compromised box! Click now! Crackers are standing by!"

Re:Don't use SSH password authentication (1)

sys49152 (100346) | more than 9 years ago | (#12340332)

I've only recently started worrying about this regarding my own hosted server (i.e. not corporate, just little ol' me.) I have no problems creating certs and configuring sshd, but my reading suggests that sshd will accept certs fine, but if they're not presented it will fallback to password mode. Is my understanding correct? I'd rather have it not ask for passwords at all. Any pointers?

Re:Don't use SSH password authentication (1)

XanC (644172) | more than 9 years ago | (#12340435)

In /etc/sshd.conf, you can tell SSH which authentication methods to use, and in what order. Simply remove password from the list, and no more password authentication!
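An added example for the question in this subthread (not code from either poster): an audit of the authentication keywords in an sshd configuration. On OpenSSH the file is normally /etc/ssh/sshd_config, and its rule is that the first value given for a keyword wins, so a `PasswordAuthentication no` appended at the end of a file that already says `yes` changes nothing. The two configuration fragments are constructed for the example; the defaults used for absent keywords are OpenSSH's (PermitRootLogin defaults to prohibit-password since OpenSSH 7.0).

```python
from typing import Dict, List, Tuple

# Constructed sshd_config fragments (not from the posts). In WEAK_CONFIG a
# well-meant "PasswordAuthentication no" was appended after an earlier "yes";
# since sshd keeps the FIRST value for a keyword, password logins stay enabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# PAM keyboard-interactive can still prompt for a password unless this is off
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes

Match User deploy
    PasswordAuthentication yes
"""

# (keyword, value required to pass, OpenSSH default when the keyword is absent)
CHECKS: List[Tuple[str, str, str]] = [
    ("passwordauthentication", "no", "yes"),
    ("challengeresponseauthentication", "no", "yes"),
    ("kbdinteractiveauthentication", "no", "yes"),
    ("pubkeyauthentication", "yes", "yes"),
    ("permitrootlogin", "no", "prohibit-password"),
]


def parse_global_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> effective value for the global section, i.e. the part
    before any Match block. Keywords are case-insensitive; first occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break                              # Match blocks are conditional overrides
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)        # setdefault implements first-wins
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """List every authentication keyword whose effective value (explicit or
    defaulted) is not the hardened one; an empty list means the config passes."""
    settings = parse_global_sshd_config(text)
    findings = []
    for key, want, default in CHECKS:
        effective = settings.get(key, default)
        if effective != want:
            findings.append(f"{key} is '{effective}' (want '{want}')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The parser only models the global section and the first-wins rule; for the configuration sshd will actually apply, `sshd -T` prints the effective values after all includes and defaults, and that output can be fed to the same audit. Disabling `PasswordAuthentication` alone is the usual gap: with `UsePAM yes`, keyboard-interactive authentication can still present a password prompt unless it is turned off too.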

Re:RBL of infected/malicious sites? (3, Informative)

glesga_kiss (596639) | more than 9 years ago | (#12339930)

There are some. This site [bluetack.co.uk] has several different blocklists, such as ad-hosts, anti-p2p bodies, spyware companies, hackers, trackers, trojans etc. The link above lists what's available. Sure, the lists aren't 100% accurate, but they are a lot better than nothing.

Very highly recommended. With the case of p2p, it's good to keep your head down. It's the tall ones that get their heads chopped off...

They also have software to convert the lists to various formats for use in different firewalls. iptables fans should check out "linblock". Beware though, a large list can take an hour to parse on your typical recycled firewall box, but the tool merges the ranges to keep the tables as short as possible.
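The range merging this post mentions, as an added example (not the bluetack tools or linblock themselves): each "label:first-last" line of a blocklist is converted to the minimal set of CIDR blocks covering exactly that range, overlapping and adjacent blocks are then collapsed, and the result is emitted as one firewall rule per block. The list lines are constructed for the example and use documentation address ranges; the "label:first-last" line format is an assumption about the input.

```python
import ipaddress
from typing import Iterable, List

# Constructed lines in a "label:first-last" style; labels and addresses are
# made up (documentation ranges). Three of the ranges overlap on purpose.
SAMPLE_BLOCKLIST = """\
# comment lines and blanks are ignored
badhost-a:192.0.2.0-192.0.2.127
badhost-b:192.0.2.128-192.0.2.255
badhost-c:192.0.2.64-192.0.2.200
single:198.51.100.10-198.51.100.10
sweep:203.0.113.0-203.0.113.63
"""


def parse_blocklist(text: str) -> List[ipaddress.IPv4Network]:
    """Turn every 'label:first-last' line into the minimal CIDR blocks that
    cover exactly that range (an arbitrary range rarely aligns to one block)."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition: the label may contain ':' but an IPv4 range cannot
        _label, _, rng = line.rpartition(":")
        first_s, last_s = rng.split("-", 1)
        first = ipaddress.IPv4Address(first_s.strip())
        last = ipaddress.IPv4Address(last_s.strip())
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def merge_networks(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Collapse overlapping and adjacent networks into the fewest CIDR blocks,
    so the firewall holds one rule where the list had several."""
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets: Iterable[ipaddress.IPv4Network],
                   chain: str = "INPUT", target: str = "DROP") -> List[str]:
    """Render one iptables rule per network (as text, nothing is applied)."""
    return [f"-A {chain} -s {net.with_prefixlen} -j {target}" for net in nets]


if __name__ == "__main__":
    raw = parse_blocklist(SAMPLE_BLOCKLIST)
    merged = merge_networks(raw)
    print(f"{len(raw)} blocks before merging, {len(merged)} after")
    for rule in iptables_rules(merged):
        print(rule)
```

On this sample the three overlapping 192.0.2.x ranges summarize to eight CIDR blocks and collapse to a single /24. Rule count matters because a plain iptables chain is matched linearly per packet; for lists of the size the post describes, a hash-based set (ipset) holds the collapsed networks in one rule, though that is a separate tool from the one the post names.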

Re:RBL of infected/malicious sites? (1)

_iris (92554) | more than 9 years ago | (#12339938)

As far as I understand, the main reason more worm-cleaning worms aren't written is that the people who would write them find it unethical to 1) infect any machine and 2) clog more networks with the scanning the "good" worms would need to perform. This list could be used to get around #2.

More malware, slower computer and net connection.. (1)

the_sidewinder (850641) | more than 9 years ago | (#12339387)

Hmmmm, must be time for a new computer and a better ISP

Re:More malware, slower computer and net connectio (0)

Anonymous Coward | more than 9 years ago | (#12339746)

And I'm sure it was meant to be spelled properly...

Not necessarily a Bad Thing... (3, Insightful)

KC7GR (473279) | more than 9 years ago | (#12339425)

ISPs could use this data to great benefit, if they'd put out some effort.

Assuming that the statistics show which IP address ranges are the worst offenders for malicious traffic, the ISP(s) responsible could simply shut down the outbound connection(s) of the "problem" users until they de-virus their systems and KEEP THEM THAT WAY.

Perhaps that will help to finally clue people in that having Internet connectivity is a privilege, not a right, just like driving. If you're going to enjoy an Internet connection you need to show some responsibility for making sure your own system isn't going to be a problem to others.

I -still- think there should have been Internet user licenses, just like we have driver's licenses...

Keep the peace(es).

Re:Not necessarily a Bad Thing... (2, Insightful)

eheldreth (751767) | more than 9 years ago | (#12339480)

The problem is a large portion of those IPs are home users with dynamic addresses, which means that if I am the next to get the IP my outgoing ports will be blocked because the last person ran Windows, er, I mean because they could not keep their PCs clean. And I am assuming the last part about internet usage licenses is troll baiting so I don't think I'll respond to that one.

Re:Not necessarily a Bad Thing... (4, Interesting)

Mr.Sharpy (472377) | more than 9 years ago | (#12339707)

The ISP KNOWS the physical address of the cable/DSL modem a home user has. It's not like the ISP has no idea which IP address a home user or account is using at any given time. How do you think they can reliably (for the most part) identify people for the likes of the RIAA when they ask? Likewise, with modern hardware and software it's a pretty trivial task for an ISP to turn your internet access down to a crawl or off with the click of a button. They can do this, they just don't want to.

Maybe it would be a good idea to throttle the users down to a bare minimum and redirect all http traffic to a gateway page to tell them they have a problem with their computer they need to correct. It seems to work for wireless access points in hotels/airports/coffeeshops. Why can't big ISPs do the same thing?

Re:Not necessarily a Bad Thing... (2, Insightful)

Brushfireb (635997) | more than 9 years ago | (#12340308)

Would you really want to piss off 40% of your client base in one swoop? Average Joe doesn't care about this kind of crap, and he doesn't want his ISP forcing him to care either. He will cancel his account and move to someone else, or he will drive up support calls by calling to complain about the change.

Any ISP who puts something like what you described in place is likely to lose customers in a hurry. Hotels/airports/coffeeshops have transient, non-recurring customers, or the customers are there for something other than internet, so it's not as big of a deal there.

Re:Not necessarily a Bad Thing... (4, Insightful)

Anonymous Coward | more than 9 years ago | (#12339537)

I'm pretty sure internet connectivity is neither a privilege nor a right. It's just a service, plain and simple. You pay ISP, they provide internet connectivity. You don't pay, you don't get internet. No rights or privileges involved.

Re:Not necessarily a Bad Thing... (1)

xgamer04 (248962) | more than 9 years ago | (#12339989)

One problem with your argument is that the Internet is more or less a public thing, originally funded by the US government. Another problem is the design of the Internet itself. Many different companies and people with different policies and wants/needs are giving the OK to be connected to each other, and this complicates things like "quality of service" and "acceptable use". There is more to it than just paying money.

Re:Not necessarily a Bad Thing... (0)

Anonymous Coward | more than 9 years ago | (#12339627)

In keeping with your driving analogy, what is really needed is some form of "vehicle" inspection system whereby computers are not allowed to "drive" on the internet until they pass inspection, and must have that inspection renewed at regular (frequent) intervals.

Re:Not necessarily a Bad Thing... (0)

Anonymous Coward | more than 9 years ago | (#12339721)

In keeping with your driving analogy... it is more like you are trying to control speeding by inspecting cars.

Re:Not necessarily a Bad Thing... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12339803)

I -still- think there should have been Internet user licenses, just like we have driver's licenses...

Stupid elitist fascist. You're an idiot.

Re:Not necessarily a Bad Thing... (1)

sznupi (719324) | more than 9 years ago | (#12340005)

If some ISP would be doing this, the customers would simply flee to another...

malicious traffic? (0, Offtopic)

Virtual Karma (862416) | more than 9 years ago | (#12339428)

malicious traffic? You mean computer virus is not a myth? Duh!

In other news... (5, Funny)

Anonymous Coward | more than 9 years ago | (#12339429)

Yeti@home [phobe.com] has yet to yield conclusive results.

Re:In other news... (1)

WwWonka (545303) | more than 9 years ago | (#12339701)

Yeti@home has yet to yield conclusive results.

Obviously the results of my in-home Yeti program haven't logged yet the hairy beast I woke up with on Sunday morning post a drunken night at the bar.

Although he/she and I did have a great time.

Re:In other news... (0)

Anonymous Coward | more than 9 years ago | (#12340444)

wow.

Root of the problem (5, Insightful)

SamMichaels (213605) | more than 9 years ago | (#12339431)

Ignoring all complaints about Windows, the root of the problem goes back to having access to the network in the first place. If ISPs would spend a few bucks on implementing passive traffic analyzers to search for the viral/trojan patterns and null route offenders, we'd clean things up pretty quick. Why do we have all these piracy probes going on to sue people and no infected probes going on to cut people's access?

Now, stepping back to the Windows complaints...wouldn't the ISP turning off your access motivate you to get a BASIC education in computing and maintain your PC?

To make an analogy, in most states you need to have your car inspected (and some require emissions inspection, too). PUBLIC roadways means you share it with other people...an unsafe car affects more than just you. When you're connected to the net, your PC affects everyone else. I'm not suggesting the ISPs make an inspection system or a law passes to force ISPs to monitor traffic, but the same logic applies....someone should be doing checkups and flagging the offenders.

THANK YOU (2, Insightful)

liquidpele (663430) | more than 9 years ago | (#12339467)

Exactly right, but furthermore, I think an ISP should be held liable for bad traffic coming from their networks if they don't do anything about it in a fair amount of time (like a day).

No thank you (0)

Anonymous Coward | more than 9 years ago | (#12340105)

Just what we need, more monitoring of traffic. Let's make a passive monitor that looks for phrases like "Terror", "WMD", "Bush sucks", "Bit-Torrent", "porn", etc. That way we can snoop on dissidents and turn off their internet connection, making America a safer, better place.

Re:Root of the problem (3, Informative)

Wolf2989 (783737) | more than 9 years ago | (#12339483)

Ahh but herein lies the problem. As a previous employee of an ISP we'd be willing to bend over backwards to make a customer happy. This means NOT turning off their access when we detected a worm/trojan etc. Sure, we would null route their IPs if they were partaking in a DDOS or something, but with a simple virus we'd *help* them by informing them. You don't make money in this world by shutting people off. I for one say null route them, but you have to think of it from a reality standpoint (regardless of how askew that standpoint may be).

Re:Root of the problem (0)

Anonymous Coward | more than 9 years ago | (#12339490)

Actually, a number of ISPs do just that. I know somebody who it happened to, their computer had been zombie-fied.

Re:Root of the problem (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12339912)

Yeah, but what ISP was it? Was it a good ISP, like Speakeasy, a small local outfit, or one of the biggies who thrive on the "don't know any better" crowd?

I know Speakeasy polices their network for open SMTP relays, because I see it in my server logs. I don't know if they actively look for zombied machines, but I can tell you that they've pretty quickly shut off the connections of customer machines on their network that I've brought to their attention when I've seen obvious worm-related connection attempts in my firewall logs.

I also know that the bigger ones, like Comcast and Verizon, don't really give a shit about that kind of stuff. I've even had another large ISP flat out deny that the machine I was complaining about was on their network, despite the fact that I look up who owns netblocks in ARIN's database so I know where to direct my complaints.

And the grandparent poster is exactly right about why they don't give a shit-- because if they cut off some idiot's access because his machine got owned, that idiot is more likely to find another ISP that won't cut off his access rather than learn how to properly admin his machine. The big ISPs would rather let all their customers lose bandwidth to a zombied machine than risk losing the money they make from the guy who owns that zombied machine.

Re:Root of the problem (1)

MankyD (567984) | more than 9 years ago | (#12339529)

Do you want to be the state-registered Computer Inspector? Note also that computers break down a lot faster than a car. Cars wear out over time, with some exceptions. Computers work (in theory) perfectly until one or two mistakes are made that bring the system to its knees - be it crash it, or zombify it, etc.

I do entirely agree with the idea of passive analyzers and filters, as long as they don't inhibit legit traffic. Put the burden on the ISP in this case.

Cheap access means unsafe computing (4, Interesting)

jfengel (409917) | more than 9 years ago | (#12339588)

Sadly, while some customers might get motivated to learn something, others would just be motivated to switch ISPs. Which costs the ISPs money, which means that they won't do it.

At least such is their thought process as often presented. I suspect it's bad cost-benefit analysis; if your dumber customers leave, it's probably a net win for you. Smarter customers mean less bandwidth (at least, they don't act as spam zombies maxing out the bandwidth) and fewer tech support hours explaining how to fix the cup holder.

The big players (AOL, Comcast) are the best targets for this logic, but they live for those left-side-of-the-bell-curve customers. They're the "default" ISPs that people get because they're so readily available, so they get all the customers who don't know better. (Hell, I don't know better; I use Verizon for my DSL but I don't let them do anything but provide me bits.)

So AOL and Comcast are in a bit of a bind; they don't want these customers, but they don't want to lose them, either. I think that they're probably going to have to use gentle persuasion to say, "Hey, it looks like you've a spam zombie. Please call your cousin's best friend to clean the crap off your computer again and give you a stern talking-to. And please stop downloading Bonzi Buddy."

Re:Cheap access means unsafe computing (1)

Abel29A (598776) | more than 9 years ago | (#12339825)

In Norway the leading ISP has started with a similar scheme. They do passive searches on traffic from customers; if anything gets flagged as viral or malicious they will cut access to sending email, or even to transmitting data at all. Then an email is sent to the customer explaining the problem and he can then call Tech Support to get it fixed.

This is mostly considered a benefit since it helps the customer in keeping his PC operational. My father lost access to sending mail for a couple of days after getting flagged for spreading virii; in his case it was a false alert and they quickly lifted the ban. So it isn't a failproof system but it's a first step.

Of course if my ISP did something similar I'd be outraged :)

Re:Cheap access means unsafe computing (1)

That's Unpossible! (722232) | more than 9 years ago | (#12340456)

Sadly, while some customers might get motivated to learn something, others would just be motivated to switch ISPs. Which costs the ISPs money, which means that they won't do it.

Another thing that will cost the ISPs money? Lawsuits. Class action lawsuits from people that experience damages from zombie PCs and virus-infected spew-factories that could EASILY be shut down by an ISP with a minimal effort of outbound scanning.

Re:Root of the problem (2, Insightful)

Politburo (640618) | more than 9 years ago | (#12339599)

To make an analogy,

You should have just stopped there. Analogies are fucking stupid. Car analogies even moreso. Just stop it.

The reason why your analogy doesn't hold? Computers with viruses can't kill people. Cars with bad brakes can.

someone should be doing checkups and flagging the offenders.

If you want to pay for it, go right ahead. I don't experience any significant negative effects from zombie machines, so I am not willing to pay for such a system.

Re:Root of the problem (1)

YrWrstNtmr (564987) | more than 9 years ago | (#12339677)

If you want to pay for it, go right ahead. I don't experience any significant negative effects from zombie machines, so I am not willing to pay for such a system.

How do you know? Are you connected through some different internet than the rest of us. Some magical place where a goodly percentage of the traffic isn't malicious?

What if everything were all of a sudden faster, because there wasn't that stuff sucking up bandwidth?

Re:Root of the problem (2, Insightful)

nagora (177841) | more than 9 years ago | (#12339684)

Computers with viruses can't kill people.

Oops! Someone hasn't noticed the number of trains and ships running Windows. No danger of a virus killing anyone there, then.

I don't experience any significant negative effects from zombie machines, so I am not willing to pay for such a system.

Someone also hasn't noticed the amount of effort that goes into protecting his system from zombie machines. Perhaps he thinks firewalls were a gift from unknown stellar travellers and spam filters require no effort to create and update.

Perhaps someone is a troll.

TWW

Re:Root of the problem (1)

telecsan (170227) | more than 9 years ago | (#12340077)

Not to mention the electricity blackout in the eastern US a couple years ago...more than a couple elderly persons expired due to lack of air-conditioning caused (in part) by 'My Doom(tm)'.

Besides, you're paying for the spam/virus bandwidth in your monthly fees. Which is more expensive, bandwidth or forcing spyware-checks?

Re:Root of the problem (4, Funny)

EvilTwinSkippy (112490) | more than 9 years ago | (#12339724)

Amen to that. Car analogies have just plain run out of gas. People get too much mileage on them. They start more flamewars than a Pinto.

Re:Root of the problem (1)

stud9920 (236753) | more than 9 years ago | (#12339975)

Car analogies are the Canyonero of rhetoric.

Re:Root of the problem (1)

Dun Malg (230075) | more than 9 years ago | (#12339941)

To make an analogy, in most states you need to have your car inspected (and some require emissions inspection, too). PUBLIC roadways means you share it with other people

Here is an additional error in your analogy. PUBLIC does not simply mean you share it with other people. Rather, it means "Maintained for or used by the people or community". Internet access is not a public utility (to wit. ISP's vs. municipal broadband), it's more like a toll road. There's nobody on the internet who doesn't directly pay to connect someone else. If I were able to build a network of roads on my own private property, I could allow rocket powered bicycles and require all people on my roads have cracked windshields and no license plates. Take a look at NASCAR races. Are those cars inspected and licensed? Internet? Same thing.

Re:Root of the problem (4, Insightful)

glesga_kiss (596639) | more than 9 years ago | (#12340061)

If ISPs would spent a few bucks on implementing passive traffic analyzers to search for the viral/trojan patterns and null route offenders, we'd clean things up pretty quick.

Bollocks.

They aren't running a network in their parents' basement, you know. Their networks are massive, with nodes LITERALLY spanning thousands of miles. The volume of traffic they deal with is HUGE. They use cutting-edge routers just to keep up with the demand.

How on earth do you do traffic analysis on that level? You might be able to catch some of the more obvious spammers, but how do you differentiate (on the IP level) between: a) a residential user b) a commercial user who maildrops willing customers c) a zombie d) a community group or e) blah. Blocking someone based on traffic is not possible, unless you want to lose your valid customers.

What they should do is be more responsive to complaints. If a customer of theirs is a zombie spambot or acting as a stepping stone for some script kiddie, they should have their connection suspended until it is remedied. But they can only do this based on a complaint.

Besides, what's the profit in spending any resource on the problem in the first place? Until that is affected, they won't care about it.

In a few minutes... (4, Funny)

vectorian798 (792613) | more than 9 years ago | (#12339464)

...they will realize that there isn't anything more malicious than the traffic from Slashdot.

Re:In a few minutes... (0)

Anonymous Coward | more than 9 years ago | (#12340003)

bet that's gonna make a big fat line on port 80

malicious? (2, Informative)

delirium of disorder (701392) | more than 9 years ago | (#12339473)

I've only skimmed the paper, but from the looks of it, a lot of not all that harmful traffic could be labeled "malicious", for example nmap port scans. I use them all the time, not to find vulnerable services, but for more general sysadmin stuff.

Re:malicious? (0)

Anonymous Coward | more than 9 years ago | (#12340025)

I've only skimmed the paper, but from the looks of it, a lot of not all that harmful traffic could be labeled "malicious", for example nmap port scans.

At least you admit you don't know what you are talking about. :-) From the paper:

The source of the scanning was a machine used to help secure the network and so was altruistic. Therefore, we do not consider these scans to be malicious in nature.

Re:malicious? (1)

WillAffleckUW (858324) | more than 9 years ago | (#12340336)

I've only skimmed the paper, but from the looks of it, a lot of not all that harmful traffic could be labeled "malicious", for example nmap port scans. I use them all the time, not to find vulnerable services, but for more general sysadmin stuff.

If you had RTFP, you would have noticed they actually tracked a lot of that down and counted it as benign, not malicious, since they could ID the IP at their university.

Do they care? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12339481)

Part of the problem is that the Windows users emitting all this traffic just don't care, which is why these botnets just stay up. "It doesn't affect me! Why should I bother scanning for malware?"

What really ought to happen is that lusers who don't secure their boxen should be held liable for all the damage they cause through their reckless irresponsibility.

All my boxen run Hardened Gentoo (http://www.gentoo.org/proj/en/hardened/), and I'd be willing to take the responsibility. Let's see what would happen to the 'net if everyone else did.

I agree! (0)

Anonymous Coward | more than 9 years ago | (#12339702)

What really ought to happen is that lusers who don't secure their boxen should be held liable for all the damage they cause through their reckless irresponsibility.

Especially if their boxen have virii!

Re:Do they care? (0)

Anonymous Coward | more than 9 years ago | (#12340215)

Problem is Windows for all its flaws is an OS. Gentoo is an experimental buggy strain of a thing called Linux which is a plaything of hobbyists and masochists and which has no application or meaning for 99% of people in everyday life.

Flow observation conclusions... news u can use (3, Interesting)

GPLDAN (732269) | more than 9 years ago | (#12339508)

It's good to know the IP addresses of machines actively searching dark IP space. If you can see those statistics in real time, you have useful information.

ISPs are already starting to work together on this type of information. If an ISP sees malicious worm spreading behavior, it can upload the offending IP into a global db that all ISPs can use to block at their borders.

Again, the authors' conclusions are that nothing beats having a nice dark block to trigger alerts.

Re:Flow observation conclusions... news u can use (1)

EvilTwinSkippy (112490) | more than 9 years ago | (#12339953)

Again, the authors' conclusions are that nothing beats having a nice dark block to trigger alerts.

I resemble that remark. (Mmmmm, three class C's...) Benefits of working for an organization who got on the net back when Arin was handing out blocks like candy.

Next Step? (3, Insightful)

merlin_jim (302773) | more than 9 years ago | (#12339530)

Modify the Neti@Home client to do dynamic blacklisting?

The biggest problem in Intrusion Detection Systems (buzzword for firewalls with more intelligence than a typical rule-based firewall) is that metrics gathering is occurring at a specific site, making it difficult to discern malicious intent from dropped packets or bad coding.

Any time the central server sees a certain threshold of malicious attempts from a single IP, it adds it to a short term blacklist... Make the term length just slightly longer than the reporting period so if it persists it'll remain on the list but if it stops, the IP is cleared in short order.
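The two ideas in this thread, GPLDAN's "watch who probes a dark block" and merlin_jim's "central server keeps a short-term blacklist whose term is slightly longer than the reporting period", fit together naturally. Below is an added illustration of both, written for this page and not code from the NETI@home project; the dark block, the report period, the threshold and the flow records are all constructed values.

```python
"""Toy dark-space monitor feeding a self-expiring, short-term blacklist.

Added example (not NETI@home code). Assumptions, all constructed:
- DARK_BLOCK is an unused /24 that no legitimate peer should ever contact.
- Clients report every REPORT_PERIOD seconds; a source that touches at
  least THRESHOLD distinct dark addresses within one period is listed.
- A listing lives LIST_TTL seconds, slightly longer than one period, so a
  source that keeps probing is renewed each period while one that stops
  drops off shortly after its last report.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DARK_BLOCK = ip_network("192.0.2.0/24")  # constructed dark space (TEST-NET-1)
REPORT_PERIOD = 60                       # assumed client reporting interval
THRESHOLD = 3                            # distinct dark hits before listing
LIST_TTL = REPORT_PERIOD + 10            # "just slightly longer" than a period


class Blacklist:
    def __init__(self, threshold=THRESHOLD, ttl=LIST_TTL):
        self.threshold = threshold
        self.ttl = ttl
        self.expires = {}               # src ip -> absolute expiry time
        self.hits = defaultdict(set)    # src ip -> dark dsts seen this period

    def expire(self, now):
        """Drop every listing whose TTL has run out."""
        for src, t in list(self.expires.items()):
            if t <= now:
                del self.expires[src]

    def observe(self, src, dst, now):
        """Feed one (src, dst) flow record; return True if src is listed."""
        self.expire(now)
        if ip_address(dst) in DARK_BLOCK:
            self.hits[src].add(dst)
            if len(self.hits[src]) >= self.threshold:
                # (Re)start the clock: persistence renews, silence clears.
                self.expires[src] = now + self.ttl
        return src in self.expires

    def end_period(self, now):
        """Reporting boundary: per-period counters reset, listings stay."""
        self.hits.clear()
        self.expire(now)

    def is_blocked(self, src, now):
        self.expire(now)
        return src in self.expires


def run_demo():
    """Constructed scenario: A sweeps the dark block, B stumbles into it once,
    C only talks to a real host. Returns the observations as a dict."""
    bl = Blacklist()
    # period 1
    bl.observe("203.0.113.5", "192.0.2.1", now=0)
    bl.observe("203.0.113.5", "192.0.2.2", now=1)
    a_listed = bl.observe("203.0.113.5", "192.0.2.3", now=2)      # 3rd hit
    b_listed = bl.observe("198.51.100.9", "192.0.2.7", now=5)     # 1 hit only
    c_listed = bl.observe("198.51.100.20", "203.0.113.80", now=10)  # not dark
    bl.end_period(now=REPORT_PERIOD)
    # period 2: A keeps sweeping, so its listing is renewed; B and C go quiet
    for i, t in enumerate((61, 62, 63)):
        bl.observe("203.0.113.5", f"192.0.2.{10 + i}", now=t)
    bl.end_period(now=2 * REPORT_PERIOD)
    a_persists = bl.is_blocked("203.0.113.5", now=125)
    # A then stops probing; one TTL after its last renewal it is cleared
    a_cleared = not bl.is_blocked("203.0.113.5", now=140)
    return {
        "a_listed": a_listed,
        "b_listed": b_listed,
        "c_listed": c_listed,
        "a_persists": a_persists,
        "a_cleared": a_cleared,
    }


if __name__ == "__main__":
    print(run_demo())
```

Counting distinct dark destinations rather than raw packets is what keeps the "dropped packets or bad coding" case merlin_jim mentions off the list: a host retrying one address will not cross the threshold, while a sweep across the block will.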

Summary? (0)

Anonymous Coward | more than 9 years ago | (#12339546)

Can someone post a resume of TFA with nice color graph? As an average /. user there is no way I will read something longer than 3 lines. Abbrev. more than welcome.

Spyware? (1)

fox9397 (873641) | more than 9 years ago | (#12339553)

To collect data, Internet users must volunteer to run the software package on their end hosts. Once the package is installed, the NETI@home client will collect network statistics from the end host and periodically send a report back to the NETI@home server. Volunteer by downloading the NETI@home toolbar with new "we are watching you" emoticons

Re:Spyware? (1)

enosys (705759) | more than 9 years ago | (#12339653)

Or is it researchware [slashdot.org]


proposal (3, Funny)

ocularDeathRay (760450) | more than 9 years ago | (#12339596)

I would like to submit this proposal for your review. I am seeking funding for a new research project. Please grant me the funds needed so that I can deploy rain sensing equipment to every residence in the Seattle area.

This project will record 3 years of data and prove once and for all whether or not it actually rains in Seattle.

sincerely,
Kelly H.
Head research scientist
Darington University of Heretics

Boy! If only we could only.... (1)

notherenow (860367) | more than 9 years ago | (#12339597)

...use this info to better the world, and not just bitch about it in various blogs...

The Most Illegible Graphs. Ever. (3, Funny)

dohboy (449807) | more than 9 years ago | (#12339626)

Shouldn't there be a butt-ugly histrograph warning?

Re:The Most Illegible Graphs. Ever. (2, Funny)

UnknowingFool (672806) | more than 9 years ago | (#12339719)

Shouldn't there be a butt-ugly histrograph warning?

This is /. Pretty is for Windows users. [ducks]

Re:The Most Illegible Graphs. Ever. (1)

twostar (675002) | more than 9 years ago | (#12339751)

Why? No one RTFA anyway.

Apparently no one told the authors the second thing anyone reading a paper does is skim over the graphs and tables. I had flashbacks to a lecture from a lab professor about making clean clear graphs after trying to decode those cryptic plots.

Re:The Most Illegible Graphs. Ever. (0)

Anonymous Coward | more than 9 years ago | (#12339864)

No, then you wouldn't have anything to complain about ;) Actually, the white on black was chosen due to black and white publishing requirements and modern printer design.

Re:The Most Illegible Graphs. Ever. (1)

whitehatlurker (867714) | more than 9 years ago | (#12340347)

Not only ugly, but they aren't particularly useful. They really need to read Tufte [edwardtufte.com].

The number of the port molested isn't really a good ordinate.

Randomly Generated Topics? (1)

qwp (694253) | more than 9 years ago | (#12339727)

This paper looks almost exactly like one of the randomly generated research papers I got from that MIT research group's website.. (Questions...)

I passed the randomly generated paper around campus to a bunch of C.S. kids and they all bought it without thinking.. Quite amusing...

Re:Randomly Generated Topics? (1)

Interrupt18 (839674) | more than 9 years ago | (#12340011)

While I recognize that the paper represents legitimate research, it does bear an uncanny resemblance to those produced by the automatic paper generator [mit.edu], right down to the axis labels.


neti samples (1)

cdgeorge (775179) | more than 9 years ago | (#12339765)

From what I've seen the real challenge would be to find significant samples. I don't imagine crackers would go for the neti software.


If you build it, they will portscan (1)

suitepotato (863945) | more than 9 years ago | (#12339854)

Been to Borders and seen the honeypot books on the shelves amongst the rest of the become-a-security-guru-in-$29.95-easy-steps books?

Does it prove or disprove simple A==B logic to note that these incidences of spyware and insecurity are growing at the same time as adoption of Linux variants? Just musing on the "l33t win script kiddie finds Linux religion" phenomenon I've been seeing lately.

Anyhow, this does suggest further that security is where it is at for the future skillset of interest at interview time.

Maybe analyze their own network traffic? (1)

tratten (783047) | more than 9 years ago | (#12339996)

It can't be good to have an 8731x1276 GIF as a logo [gatech.edu] on their first page, especially when being slashdotted.

Re:Maybe analyze their own network traffic? (1)

WillAffleckUW (858324) | more than 9 years ago | (#12340300)

It can't be good to have an 8731x1276 GIF as a logo [gatech.edu] on their first page, especially when being slashdotted.

Reminds me of a friend who works at Adobe, trying to get us to post a large PDF for our web page, when all we needed was a small 4k JPEG.

People who don't grok that half the Net has limited bandwidth don't deserve to ever use the Gigabit Internet we use here at universities, IMHO.

If it doesn't need formatting, send it in clear text.

April 27th-30th? (1)

Dwonis (52652) | more than 9 years ago | (#12340058)

Look at that "Daily usage for April 2004" graph...

Apparently this site will be linked to by Slashdot in two days, but it hasn't been yet...

Re:April 27th-30th? (1)

jabber-admin (803332) | more than 9 years ago | (#12340114)

$year++


Big deal. (1)

pschmied (5648) | more than 9 years ago | (#12340404)

I've been doing neti [wikipedia.org] at home for several days trying to shake a sinus infection brought on by allergies. :-)

It remains to be seen if I'll find positive results.

-Peter

Neti? (1)

TeknoHog (164938) | more than 9 years ago | (#12340424)

I've been using neti [healingdaily.com] for years to improve my nasal bandwidth. I had no idea they made it into a distributed project...