
Worms Could Dodge Net traps

Zonk posted more than 9 years ago | from the crafty-devils dept.

Security 58

Danse writes "ZDNet reports that future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken. According to papers presented at the Usenix Security Symposium, just as surveillance cameras are sometimes hidden, the locations of the Internet sensors are kept secret. From the article: 'If the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.' A team of computer scientists from the University of Wisconsin wrote up the background in their award-winning paper titled 'Mapping Internet Sensors with Probe Response Attacks.'"


Conclusion = obvious (4, Insightful)

rritterson (588983) | more than 9 years ago | (#13262710)

Duh! Of course you can slowly figure out how a security system works, and then work around it. See any famous and/or talented thief for such an example. The real threat, I suppose, is that these worms can do it automatically and on a larger scale.

Solution: Don't open holes and then fill them with trip wires. Just fill up the hole (via patch or otherwise) in the first place.

Re:Conclusion = obvious (1)

TheSloth2001ca (893282) | more than 9 years ago | (#13262745)

It's so obvious it will never happen

Re:Conclusion = obvious (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13262803)

Something is seriously wrong, the first few posts of a front page story should be trolls. I'm something of a traditionalist, so let me be the first to say that Micro$oft fucking suck.

Re:Conclusion = obvious (3, Insightful)

aussie_a (778472) | more than 9 years ago | (#13262888)

You obviously seem to have all the answers, why don't you go and code these magic patches for them?

Security isn't easy, and fixing holes with patches isn't easy. It takes time, skill and money. Placing a trip wire as a stop-gap measure is helpful, especially if the hole takes years to fix (without creating more holes).

If you can do better, then by all means do so. But the security war will never be won by those securing the systems.

But... (2, Insightful)

TheOtherAgentM (700696) | more than 9 years ago | (#13262720)

This still doesn't protect the users that are spreading the worms in the first place. So you make an announcement about a worm on the loose? They don't even know what the updates do, and don't patch themselves. The early warning has protected itself.

Re:But... (1)

Baddas (243852) | more than 9 years ago | (#13262990)

hopefully people at the core level of system administration (backbones, major isps, etc) will become clueful enough to shoot these packets to the local equivalent of /dev/null

Quick Summary (4, Interesting)

Shadowlore (10860) | more than 9 years ago | (#13262744)

'Maintaining sensor anonymity is critical because if the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.'

So basically: "Security through Obscurity is Bad." combined with "We found a way to eliminate the obscurity.".

Re:Quick Summary (2, Informative)

aussie_a (778472) | more than 9 years ago | (#13262908)

"We found a way to eliminate the obscurity.".

Sorry, but I'm not seeing where the obscurity is eliminated. The entire article basically says "It's easy to make Internet Network Sensors not work by easily identifying them (can be done in a week) and then avoiding them." The only solution the article offers is:

The threat could be diminished, both studies said, if the information in the networks' public reports was less detailed.

Which to me is saying "If the network's public information was obscured a bit more, it'd work better." So they're saying obscurity through security would work better than the current system.

I wonder how long before... (4, Insightful)

Biomechanical (829805) | more than 9 years ago | (#13262751)

...We have roving Intrusion Countermeasures (Or IC) inside our system. Not just passive measures, but semi-autonomous active measures.

We already have a form of White IC - simple detection, non-aggressive measures. How long before we have more active Grey IC - Tar Babies (similar to today's honey pots), Tar Pits, Blaster - and ultimately, Black IC - seeking out the source of the intrusion and in turn, destroying the origin of attack?

Would a big, multi-national corporation get punished for "accidentally" frying the computer of someone who was thought to be intruding into the corporation's computers? I seriously doubt it.

Re:I wonder how long before... (1)

NitsujTPU (19263) | more than 9 years ago | (#13262763)

Somebody's been reading too much Gibson :-D

However right you might be :-D

Re:I wonder how long before... (1)

Biomechanical (829805) | more than 9 years ago | (#13262832)

Actually I nicked them from Shadowrun. :)

Even if you're not into Role Play Games, in particular pencil and paper ones, check out the section on the Matrix in Shadowrun - no, it's not a knock-off of the movie, Shadowrun was first written some time in the early to mid eighties.

Despite the computer models being very different from real life, a lot of the ideas for security and counter-security are things that seem to be popping up these days.

Apologies for bad definitions. It's been a while since I played SR.

Passive security measures, IC, such as Barrier can be seen in simple password prompts and other methods of identifying those who wish to enter a system. Tar Babies are similar to Honey Pots, delaying the attacker in an area where they can be scanned and identified.

We don't yet have the whole Direct Neural Interface Data Socket, or Jack yet, but Black IC in the game - killing the hacker themselves - and Grey IC such as Blaster - just disabling or destroying a Decker's (SR Hacker) computer - could be equated to something in real life infecting the attacker's computer with a nasty, possibly hardware-destructive virus.

The interesting thing is that IC in Shadowrun was developed as a by-product of re-creating our modern day internet and, initially, having the Hacker use the new, prototype Decks by way of being in a sensory deprivation tank with various electrodes connected to their body to detect input, and wearing headsets and visors for output.

FASA raised some interesting questions for me when I was first playing the game because at the time, I was using a 386sx based machine with MS-DOS and Windows 3.11wfw. Just imagining the three-dimensional, semi-realistic (realism in the SR Matrix relies on the server's power, not the clients) Matrix of Shadowrun got me right into working and playing with VRML a couple of years later.

Re:I wonder how long before... (1)

NitsujTPU (19263) | more than 9 years ago | (#13262859)

Ahh, I'm familiar with Shadowrun, however, here's some trivia for you. The Matrix was nicked from Gibson's novels :-D

I don't know what the timeline is, but Gibson is credited with it first, and talks about Black ICE attacking hackers in Neuromancer and several other novels, where it can also kill people in the matrix. The system then goes on to follow a hacker around the physical world through various machinations.

Re:I wonder how long before... (1)

Biomechanical (829805) | more than 9 years ago | (#13262875)

I'm familiar with Case, I've got Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome. I did have All Tomorrow's Parties too but it disappeared one day from my flat.

It didn't click that FASA used Gibson's Matrix. They're similar, but I never thought to piece them together because Gibson's is more vague than the FASA extrapolation - but of course FASA's going to expand on it, they're making it into a "real" thing. :)

Here's a funny coincidence (sp?). I was watching a documentary today on the Alien Series, and, during a piece of film-splicing with scripts floating across the screen, you see an Aliens (3 I think) script with "Story By William Gibson" on it.

Re:I wonder how long before... (0)

Anonymous Coward | more than 9 years ago | (#13262923)

Joss Whedon of btvs fame wrote it!!!!

Re:I wonder how long before... (1)

Biomechanical (829805) | more than 9 years ago | (#13262956)

I said `an Aliens (3 I think) script with "Story By William Gibson" on it.'

During the documentary, called Alien Saga btw, you hear that there were a number of writers who submitted scripts, as well as William Gibson, and the man whose script was used, Joss Whedon.

Re:I wonder how long before... (0)

Anonymous Coward | more than 9 years ago | (#13263273)

oops, it was alien 4

Re:I wonder how long before... (0)

Anonymous Coward | more than 9 years ago | (#13262849)

Gibson calls them ICE, intrusion countermeasure electronics, in his novels. Classic acronym first situation.

Re:I wonder how long before... (1)

jamesh (87723) | more than 9 years ago | (#13262925)

"someone who was thought to be intruding" is the killer though. Would it be easier to attack Microsoft directly, or to make eBay think they were being attacked by Microsoft and let their countermeasures attack Microsoft?

Re:I wonder how long before... (1)

renoX (11677) | more than 9 years ago | (#13263175)

> Would a big, multi-national corporation get punished for "accidentally" frying the computer of someone who was thought to be intruding into the corporation's computers? I seriously doubt it.

It makes for a nice story, but how do you find the cracker's computer?
If you fry the computers that attack you, you have a 99% chance of frying the computers of guys who are only guilty of not having secured their PC enough.
And this *would not* be without consequence (assuming the corporation get caught).

Re:I wonder how long before... (1)

Biomechanical (829805) | more than 9 years ago | (#13263259)

That's one of the things I've been thinking about - unsecured, remotely controlled or pre-scripted drones being used as launch points for an attack.

Seriously, a corporation such as Monsanto, Microsoft, IBM, Nestle, Douwe-Egberts, wouldn't give a shit about who's attacking them, just stopping the attack.

If something comes to the public's attention, "It's jonesy's fault! He took personal, unauthorised measures to retaliate."

As a whole, The Corporation doesn't give a shit. It will "live on", so to speak. Employees can be replaced, and customers will forget about problems they've had in the past, smiling with wonder at the marketing for the future.

And if companies end up fighting other companies through the Internet, so what? We're heading for an electronic arms race anyway, we may as well be entertained as we journey in this hand-basket to IT hell.

Re:I wonder how long before... (1)

renoX (11677) | more than 9 years ago | (#13263328)

>"It's jonesy's fault! He took personal, unauthorised measures to retaliate."

And why would jonesy agree to be a scapegoat in the ensuing trial?
If he has a brain, he kept traces of what he was ordered to do, for his own protection.

Plus you underestimate the effect that bad publicity may have on companies.

Re:I wonder how long before... (1)

patio11 (857072) | more than 9 years ago | (#13263837)

Would a big, multi-national corporation get punished for "accidentally" frying the computer of someone who was thought to be intruding into the corporation's computers?

I'm sure McDonalds wishes every time they spill coffee on someone that the "It was an accident!" and "I'm a big, multi-national corporation! Haven't you read any cyberpunk? We're above the law, and have private armies!" mattered a hill of beans to an ambulance-chaser with a license to sue. Or see burglars who sued after being injured in an attempt to burgle the restaurant, etc.

Re:I wonder how long before... (1)

geefunk (637003) | more than 9 years ago | (#13283108)

How long before we have more active Grey IC - Tar Babies (similar to today's honey pots), Tar Pits, Blaster - and ultimately, Black IC - seeking out the source of the intrusion and in turn, destroying the origin of attack?
Is that name serious? "Tar Babies"? I ask because it is also a racial slur intended as a play on the dark skin of black people. An older slur, but nonetheless still used (my redneck former boss used it frequently.)

Call me a p.c. asshole if you want, but if you grew up in the south you'd understand... I'm sure this use of the name has nothing to do with that, but yikes. That's a horrible choice.

Again?! (4, Interesting)

Arkan (24212) | more than 9 years ago | (#13262754)

Is it just me, or are we again speaking about security through obscurity (albeit I have to admit that it's in a slightly different way, this time).

How long will it take for people involved in computer and network security to realise that "secret" has virtually no meaning in the field?

A private key is the only exception I can see at the moment: it is kept secret because nobody has any use for it except its owner, and no one will ever need access to it.

But how long a "secret" early-warning network will remain so... when its primary function is to be contacted by the worms that try to evade it?


Re:Again?! (3, Interesting)

jd (1658) | more than 9 years ago | (#13262845)

AFAICT, you are correct - the private key of a private/public key pair is about the only true secret, as virtually all other information is shared at some time or other.

I suppose it is arguable that load-balancing and fail-over systems are "secrets" in a sense, as external users aren't supposed to see that information, but I'd call them "null secrets" in the sense that they have no value even if you DID know them.

Presumably these early-warning systems are some kind of a mix of honey-pots and passive sniffers. If the worm is actually any good, it should be able to infiltrate a honey-pot and become stealthy (thus undetectable to anything inside the honey-pot). In that case, the system running the honey-pot would be able to detect an infection occurred, but would NOT have reliable data on how or when.

As for passive sniffers, a polymorphic worm that can vary the loading code as well as the payload, OR a worm that is encrypted and can hijack some OS internal decrypt code, would get past such a sniffer. There'd be nothing the sniffer could identify.

The "ultimate" in malware would be some sort of hypervisor - similar in idea to Xen - that could "run" the host OS on top of itself. That way, nothing inside the OS could see it and all calls to the hardware that would reveal the malware could be trapped. Some early DOS boot sector viruses did something similar, copying the original boot sector to an empty sector somewhere else and then marking it bad to safeguard it. Any time a call was made to look at the boot sector, the call was trapped and the copy was returned instead of the real one.

The "ultimate" transport mechanism for malware would use a decoder built into the OS. The LZW code for GIF images, perhaps. Just something that would make it impossible for virus scanners in a mail server, or sniffers on a network, to use simple pattern recognition to identify it. You'd then need a buffer overflow you could exploit to take your newly decrypted malware into the system itself.

Image decoder exploits and buffer overflow exploits are well-known and have certainly been utilized in the past, though I'm not sure if in this way. Polymorphic code, designed to make identification strings next to impossible, has also been around a long time. I think the first polymorphic viruses appeared in the late 1980s and were certainly a significant cause of concern in the early 1990s.

Of course, if Cisco doesn't fix that IOS bug soon, it'll all be moot anyway. If you can just capture one Cisco router at a time, in a chain, you can set up tunnels to carry whatever you damn well feel like. An IPSec tunnel would be utterly opaque to any monitoring system anyone cared to deploy, no matter how sophisticated.

All in all, security through hidden monitors - security through several layers of obscurity - is no security at all, as it is simply too easy to bypass the layers involved and therefore the monitors, without having to know a damn thing about where the monitors are or even how they do the monitoring.

ouch. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13262766)

This really doesn't help the idea of having all of us cowards rising up as one.. and well spamming instead of slaying. you get the idea.

Passive scanning? (1, Informative)

Anonymous Coward | more than 9 years ago | (#13262768)

If these are used solely for detecting, rather than taking action and blocking traffic, why on earth aren't they located passively? By that I mean an ethertap, rather than having a device sitting on the line that responds to traffic.
That would essentially make the device invisible - all you'd then have to do is have your network of passive detectors inform you when odd traffic passes through.

Re:Passive scanning? (2, Informative)

Mnemia (218659) | more than 9 years ago | (#13262786)

These are passive sensors.

What the paper refers to is sites that publish information about network traffic they see. Some print tables with statistics and others generate graphs of network traffic levels. Their technique is basically a way to map where the passive listening points are based on the traffic reports these sites create. They strategically generate traffic which creates measurable spikes, and these show up in the reports. They use this information to determine where the listeners are.
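As an added illustration of the mapping idea this comment describes, and of the "less detailed public reports" countermeasure quoted elsewhere in the thread, here is a small defender-side simulation. It is not code from the article, the paper, or any commenter: the address space, the sensor placement, the two report policies and the range-splitting search are all constructed for this example. It answers the question a sensor-network operator would want answered: given the numbers my report publishes, how many of my sensor addresses could an outsider who sends traffic to chosen ranges and reads the report confirm?

```python
"""Toy simulation of how report detail decides whether sensor locations leak.
Everything here is constructed for illustration (not the paper's method)."""
from __future__ import annotations

import random
from typing import Callable

ADDRESS_SPACE = 1 << 12                                  # constructed: 4096 addresses
_rng = random.Random(7)
SENSORS = frozenset(_rng.sample(range(ADDRESS_SPACE), 48))  # constructed placement


def exact_report(hits: int) -> int:
    """Report policy A (constructed): publish the exact number of packets the
    sensors saw on a given port during the period."""
    return hits


def coarse_report(hits: int, threshold: int = 8, bucket: int = 8) -> int:
    """Report policy B (constructed): publish nothing below a minimum count and
    round everything else down to a bucket, so small differences are invisible."""
    if hits < threshold:
        return 0
    return (hits // bucket) * bucket


def sensors_hit(lo: int, hi: int) -> int:
    """Simulate one probe round: one packet to every address in [lo, hi).
    Only sensor addresses record it; this count is what the report is built on."""
    return sum(1 for ip in range(lo, hi) if ip in SENSORS)


def recoverable_sensors(report: Callable[[int], int]) -> tuple[set[int], int]:
    """Defender-side check: which sensor addresses could be confirmed from this
    report policy, and how many probe rounds it takes.  A range is only split
    further when the published number shows activity inside it; a single
    address that still shows activity is a confirmed sensor."""
    found: set[int] = set()
    rounds = 0
    pending = [(0, ADDRESS_SPACE)]
    while pending:
        lo, hi = pending.pop()
        rounds += 1
        if report(sensors_hit(lo, hi)) == 0:
            continue                      # nothing visible here: range is pruned
        if hi - lo == 1:
            found.add(lo)                 # a lone address showed up: confirmed
            continue
        mid = (lo + hi) // 2
        pending.append((lo, mid))
        pending.append((mid, hi))
    return found, rounds


if __name__ == "__main__":
    for name, policy in (("exact", exact_report), ("coarse", coarse_report)):
        found, rounds = recoverable_sensors(policy)
        print(f"{name:6s}: {len(found)}/{len(SENSORS)} sensors confirmed in {rounds} rounds")
```

With the exact policy every sensor is confirmed, because each published number answers "did my packets to this range reach a sensor?" precisely. With the thresholded, bucketed policy no single address can ever be confirmed, since a range with fewer than the threshold of sensors reads the same as an empty one. The caveat is that coarsening raises the cost rather than removing the leak: an outsider can still combine counts across ranges or wait for larger periods, which is why the thread's other suggestions (more sensors, churn in membership) matter as well.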

Re:Passive scanning? (0)

Anonymous Coward | more than 9 years ago | (#13262871)

Ah right. I was under the impression that the information that came from them was closed and used by a few people to determine a threat, rather than open and freely available for all. It seems a bit like having criminals freely see transcriptions of their monitored conversations.

Re:Passive scanning? (1)

surprise_audit (575743) | more than 9 years ago | (#13263218)

Maybe I just haven't woken up fully, but I don't see why a passive sensor would be generating any traffic visible to the outside world...

Re:Passive scanning? (1)

fbjon (692006) | more than 9 years ago | (#13263456)

No, the attackers are generating the traffic spikes, the sensors passively pick it up. Then the attackers can lurk on the public stats and logs to find out the locations of the sensors.

Re:Passive scanning? (1)

surprise_audit (575743) | more than 9 years ago | (#13263546)

Yeah, I get that. But why are the sensor owners making the data public?? Trying to puff up their own importance, maybe?? Should we be accusing them of generating the traffic spikes, just as we sometimes accuse anti-virus companies of manufacturing viruses to keep themselves in business??

I wonder if they're reporting all the traffic?? Maybe they're not, in order to funnel attackers into supposedly unwatched areas?? Heh, tinfoil hat time again...:)

Re:Passive scanning? (0)

Anonymous Coward | more than 9 years ago | (#13263631)

if you really care, check out ForeScout ... they have killer passive worm detection technology - the technique is clever and patented and very hard to detect (i.e. for evasion or mapping purposes).

DShield Discussion (3, Informative)

tjohns (657821) | more than 9 years ago | (#13262798)

A similar article was brought up a few days ago on the DShield discussion list. One choice quote is from Johannes Ullrich, a member of the SANS Internet Storm Center and the developer of DShield:

We do receive reports from about 500-700k IP addresses each day. Including the full list would be hard (or make for a very large worm). In addition, many of these IPs are dynamic, so you have to exclude networks rather than individual IPs.

To put it down bluntly: If every IP is a sensor, there is nobody left to attack ;-)

For those of you who don't know, DShield is precisely one of the 'early-warning sensor' networks the article is talking about.

Re:DShield Discussion (1)

MathFox (686808) | more than 9 years ago | (#13263322)

The usual botnet configuration is such that bots get their instructions to scan IP ranges from a central place. It isn't too difficult to add a "sensor database" to the botnet infrastructure.

Dynamic IPs and computers entering and/or leaving sensor networks complicate the case of mapping out the sensor network. Furthermore, in the real world not every probe packet will be reported. Mapping out a subset of the sensor network and polluting it with false data is pretty easy. Mapping out the full network to avoid detection of your next worm attack: close to impossible.

Like in Zulu! (0, Offtopic)

putko (753330) | more than 9 years ago | (#13262812)

If you've seen Zulu!, this attack will make a lot of sense.

In the movie Zulu!, the Zulus first attack, from many different sides. Not too heavy, but from all sides.

The British guy's troops repel them, with guns. Quite a few Zulus get shot and killed.

Quite smug, the British commander asks the Boer what he thinks of it all. The Boer explains that that's a Zulu tactic: attack lightly from the various sides to draw the fire. Then the Zulus know where the guns are, where the defenses are hard, where they are soft. The Zulus aren't going anywhere, this is just the beginning. After this, the Brit looks a lot less smug.

Zulu! is a fantastic movie, by the way.

Re:Like in Zulu! (1)

Baddas (243852) | more than 9 years ago | (#13263057)

I concur, this is actually quite relevant.

One could easily see a worm being released as a probe for a future zero-day worm, leading to a more robust worm archetype in the future.

After all, bagle/beagle went through multiple revisions, presumably each one drawing on the knowledge learned from watching the impact of the last one.

After all, if the "good guys" (white hats) can set up a honeynet, perhaps the "bad guys" (black hats) can send out a honeyworm to find said honeynets.

I can also think of several ways to deal with worm size in terms of exclusionary lists of ~500k+ hosts/subnets. Simply store the actual list out on the internet somewhere (multiple would be good, or perhaps a worm that exploits a torrent?) and query it when propagation begins.

Re:Like in Zulu! (1)

sarasinclair (414156) | more than 9 years ago | (#13263896)

After all, if the "good guys" (white hats) can set up a honeynet, perhaps the "bad guys" (black hats) can send out a honeyworm to find said honeynets.

Sort of like Strider HoneyMonkeys, only working for the Dark Side. (This was a Work In Progress report at USENIX).

Re:Like in Zulu! (1)

sarasinclair (414156) | more than 9 years ago | (#13263926)

(Note, you should grep through this page to find the abstract on HoneyMonkeys. Slides should be up soon, I hear.)

Oh, yay. (1)

West VA Flamer (638423) | more than 9 years ago | (#13262825)

Awesome, another cat and mouse game.

wow (2, Insightful)

eight and a quarter (904629) | more than 9 years ago | (#13262840)

a really good read. i knew it would be a matter of time before something like this can be thwarted, basically attacks are slowly evolving. would it be easy for them to change to different unused IP addresses?

i know an easy fix.. i see in the paper "bandwidth for the fractional T3 attacker and the OC6 attacker could be achieved by using around 250 and 2,500 cable modems".. i wish more cable ISPs were responsive to abuse complaints, or would notice certain bot-like activity like many DDoS attacks coming from their network. hell i've read my sshd logs and was amazed at the amount of US cable/dsl scans. you know that's a bot at work.

Re:wow (1)

troll (593289) | more than 9 years ago | (#13265028)

Bandwidth is a lot cheaper than all the hardware and staff costs to get a system like that working. Why should the ISP have to fork out a ton of money to deal with stupid users?

Re:wow (1)

eight and a quarter (904629) | more than 9 years ago | (#13265096)

ok maybe then they should monitor their abuse@ address when i e-mail them about botnets on IRC. when are ISPs going to start doing their jobs?

U of W; more than Cheese... (1)

wilsoniya (902930) | more than 9 years ago | (#13262843)

Shout out to my boys and girls at the U-Dub. I'm gonna go strap on my kevlar so i survive being shot down for off-topic.

That is to be expected (4, Insightful)

jurt1235 (834677) | more than 9 years ago | (#13262857)

A biological virus adapts to its environment too, a worm too, so why would the digital variant not adapt. And since the main platform clearly suffers from an immune deficiency syndrome, just kept alive by their doctors and creators by means which are always too late to stop the newest infection but just in time to save most patients, it is pretty easy for the viruses to stay alive, and adapt to a point where the immune system will completely fail.

Solution: Needs more sensors. (2, Insightful)

Geeselegs (905363) | more than 9 years ago | (#13262866)

Solution: Needs more sensors.

If the number of sensors is brought to the point where it becomes impractical to map them, voila no more sensor evasion.

This obviously would be harder to implement than spoken. Maybe if a sensor implementation came as an optional standard with server software.

Heh, I can speculate.

Re:Solution: Needs more sensors. (1)

Donny Smith (567043) | more than 9 years ago | (#13263034)

> Maybe if a sensor implementation came as an optional standard with server software.

Sounds good until you consider that with massive deployment of sensors (especially those bundled with OS) it'd be impossible to manage them properly.

We could easily end up with compromised sensor network, hacker-induced fake alerts and god-know-what.

Or alternatively (3, Insightful)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13262870)

Could certain software companies start spewing out secure software, so worms don't have much of a chance to exist in the first place?

The number of companies getting fat over those needless insecurities is just gross...

You would like them to be that advanced (2, Insightful)

pe1chl (90186) | more than 9 years ago | (#13262953)

For a long time I have forwarded all 419 scams to abuse addresses at all their involved mailbox hosters.
In some cases (not always, unfortunately) this causes them to lose their account and thus their way to get replies and possible revenue.

What I would have liked is that they detected "when we send mail to this address we lose our account" and put that address on some blacklist to send no more scams.

But, this has not happened. So, I don't think there is any cleverness behind it, they just scatterbomb and hope they don't hit a whistleblower.

Internet-2 (1)

xcentrics (903559) | more than 9 years ago | (#13263284)

I want to suggest one thing, in my opinion very important..

We're talking all the time about security of the internet, about net-monitoring, packet filtering, and what really irritates me, IPv6 security.
Please note that nobody complains about such solutions; everyone believes that they're (or will be) elegant and helpful.
My question is.. what do you think the government (NSA) will do with such 'security tools', ha?
So we're not talking about security, but we're also talking about Privacy and Freedom of internet-2.

Someday we will wake up with an all-monitored internet-2 .. and it will be too late.


Or maybe I'm just paranoid? ha?

Honeypot@home for distributed detection (1)

G4from128k (686170) | more than 9 years ago | (#13263316)

What about creating an ad hoc distributed network of sensors (versus a fixed network). If thousands or millions of people downloaded a worm monitor application, then the sensor network would be very fluid and span IP space in a less predictable way. An ongoing P2P cross-comparison of the signatures of unsolicited packets could also provide distributed detection of novel worms. When too many sensors see the same anomalous thing, the alert propagates across the network.

Done well, it would create an internet immune system in that sensors that had seen the worm would alert machines that hadn't seen the worm. Those machines would then automatically filter for the new pattern while watching for confirming evidence that a worm was loose. If the download also provided a protective feature, then more people would download it and that the network would become more sensitive and valuable.

The idea may have some minor problems. First, security vulnerabilities could be introduced by the monitoring package itself (e.g., the Witty worm targeted vulnerable firewall software). I'd recommend that if a buffer overflow or malformed command exploit were ever discovered in Honeypot@home code, then all the developers would have to be shot immediately. Second, I see some but no great problem of worm writers trying to subvert the network because it would be hard for them to register enough machines (and replace the code to mute the alert signal triggered by their worm) to swamp the alert signals generated by legitimate nodes of the network.

I'm sure someone is working on this very thing.

Re:Honeypot@home for distributed detection (1)

awkScooby (741257) | more than 9 years ago | (#13264611)

If I wanted to attack such a system, I would flood it with so much false data that you couldn't tell the fake from the real. If people fed the data from such a system into an IPS, where they take actions to block "suspect" packets, it would make for a great DoS tool. Think of it -- use your bot-net to fake reports of attacks from port 80 from
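Here is an added example, not code from the page or from either commenter, of the corroboration step the Honeypot@home post above sketches ("when too many sensors see the same anomalous thing, the alert propagates") together with the two controls a defender would add in response to the flood-it-with-false-reports reply. Both controls are assumptions of this example rather than anything the posts specify: a node's sighting counts once per signature however often it is repeated, and reporters from a single /16 prefix are capped so that one burst from one network cannot reach the threshold by itself. Node addresses, signatures and thresholds are constructed.

```python
"""Toy corroboration for a distributed sensor network (constructed example)."""
from __future__ import annotations

from collections import Counter, defaultdict


class Corroborator:
    """Raise an alert for a signature only when enough independent nodes
    report it.  'Independent' is approximated by two constructed rules: one
    vote per node per signature, and at most `max_per_prefix` votes per /16."""

    def __init__(self, min_reporters: int = 5, max_per_prefix: int = 2) -> None:
        self.min_reporters = min_reporters
        self.max_per_prefix = max_per_prefix
        # signature -> set of (prefix, node_ip); the set absorbs repeats
        self._reporters: dict[str, set[tuple[str, str]]] = defaultdict(set)

    @staticmethod
    def prefix16(ip: str) -> str:
        """Constructed grouping key: the first two octets of a dotted IPv4."""
        return ".".join(ip.split(".")[:2])

    def report(self, node_ip: str, signature: str) -> bool:
        """Record one node's sighting; return True once the signature is corroborated."""
        self._reporters[signature].add((self.prefix16(node_ip), node_ip))
        return self.is_alert(signature)

    def effective_votes(self, signature: str) -> int:
        """Distinct reporters for the signature, each /16 capped at max_per_prefix."""
        per_prefix = Counter(p for p, _ in self._reporters.get(signature, ()))
        return sum(min(n, self.max_per_prefix) for n in per_prefix.values())

    def is_alert(self, signature: str) -> bool:
        return self.effective_votes(signature) >= self.min_reporters

    def active_filters(self) -> set[str]:
        """What a node that has not yet seen the worm would be told to watch for:
        every signature that is currently corroborated."""
        return {sig for sig in list(self._reporters) if self.is_alert(sig)}


def demo() -> dict[str, bool]:
    """Three constructed scenarios: a real outbreak seen from many networks,
    a single chatty node, and a flood of forged reports from one /16."""
    c = Corroborator()
    for i in range(6):                       # outbreak: six different /16s
        c.report(f"10.{i}.0.1", "sig-outbreak")
    for _ in range(20):                      # one node repeating itself
        c.report("10.9.0.1", "sig-chatty")
    for i in range(40):                      # 40 forged reports, all from 192.0/16
        c.report(f"192.0.2.{i}", "sig-forged")
    return {sig: c.is_alert(sig) for sig in ("sig-outbreak", "sig-chatty", "sig-forged")}


if __name__ == "__main__":
    for sig, alerting in demo().items():
        print(f"{sig:13s} alert={alerting}")
```

The prefix cap only raises the cost of the flooding reply; a botnet spread across many networks still clears it, so the threshold should be tuned against how widely dispersed a forger can be, and corroborated signatures are safer feeding a watch list than an automatic block list, since a residual forged alert in front of an IPS becomes exactly the denial-of-service the reply describes.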

Use a Self-Defending Cisco System, a la "24" (0)

Anonymous Coward | more than 9 years ago | (#13263365)

Chloe: How did this happen? Mr. Buchanan, the network security monitor lit up. Someone on the outside is trying to jam our satellite servers.

Buchanan: Could this just be high network load?

Chloe: No, it's definitely a denial of service attempt. What do you want me to do?

Buchanan: Did it do any damage yet?

Chloe: No, the Cisco system is self defending.

Video at []

minus 5, TroVll) (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13263412)

which aalows are the important myself. This isn't benefits of being to keep up as part of GNAA if We strongly urge bombshell hit the numbers. The the most. Look at came as a complete Towel under the dim. If *BSD is Philosophies must

My brain is not working properly... (1)

Kippesoep (712796) | more than 9 years ago | (#13263950)

When I saw the thread title, I only thought of real worms (you know, the squirmy squishy things in that big blue room that has way too few accessible electrical outlets) and fishing nets.

let's hope worm writers will adopt the techniques (1)

cahiha (873942) | more than 9 years ago | (#13264277)

Basically, they are saying that by probing ports in particular patterns, and then looking for mention of their probes in published summary reports, they can determine the identity of systems contributing to the reports. (If a trivial idea like that manages to get the USENIX best paper award, then it's no wonder computer security is so bad.)

I, for one, hope that these kinds of techniques will be widely adopted by worm writers. Why? Because it sets up an incentive system to have systems monitored and contribute to public internet statistics: you contribute monitoring and statistics information, and worms won't attack you.