Tools To Squash the Botnets

Zonk posted more than 6 years ago | from the squish-squish-little-bugs dept.

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

135 comments

SLASHDOT SUX0RZ (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21303427)

_0_
\''\
'=o='
.|!|
.| |
peace, love and goatse [goatse.ch]

Re:SLASHDOT SUX0RZ (0)

Anonymous Coward | more than 6 years ago | (#21304279)

In fact, forget the peace and love.

Tools To Squash the Botnets - Squashed (2, Funny)

wap911 (637820) | more than 6 years ago | (#21303429)

The last line says it "could soon be available commercially". Wonder if I need to start saving pocket change so I can put it on my SimplyMEPIS box? Oh, wait, they must be talking about having it run alongside Redmond-warez. Nothing here - move on...........

Re:Tools To Squash the Botnets - Squashed (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21303483)

This article is junk and provides absolutely no information at all save to make people feel good.

I don't see that. (5, Insightful)

khasim (1285) | more than 6 years ago | (#21303437)

When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

The zombies can simply flood your pipeline. There are that many of them.

Re:I don't see that. (2, Funny)

QuantumG (50515) | more than 6 years ago | (#21303499)

You stop the machines becoming part of the botnet.

You'd know that if you RTFA.

You cannot do that. (1)

khasim (1285) | more than 6 years ago | (#21303677)

That would mean that the ISP's would be BLOCKING traffic based upon his system.

Yeah, like that will go over well.

Not to mention that, AGAIN, the most commonly used protocol in infecting those machines is HTTP (with SMTP being a close second).

Is this prior art? (2, Informative)

khasim (1285) | more than 6 years ago | (#21304107)

http://seclists.org/focus-ids/2003/Feb/0031.html [seclists.org]

And that is with 30 seconds of Google searching. I thought I had heard of that concept before.

Search Google with "worm 'protocol validation'".

Re:I don't see that. (5, Funny)

Anonymous Coward | more than 6 years ago | (#21303815)

I couldn't RTFA. The Slashdot zombie army killed the site.

Stop lying. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21304093)

I couldn't RTFA. The Slashdot zombie army killed the site.
You are a fucking liar. The link works fine. Please go kill yourself, you taco-eating nerd while I go have a social life.

Re:Stop lying. (0)

Anonymous Coward | more than 6 years ago | (#21304295)

Maybe he was trying to RTA FROM the zombie army, and was duly blocked.

Re:I don't see that. (1)

irtza (893217) | more than 6 years ago | (#21306249)

This guy is trying to shut down slashdot?!

Re:I don't see that. (4, Insightful)

feepness (543479) | more than 6 years ago | (#21304887)

hey chef, the tails of shrimp are not food, cut them off.
No, they're not food. They're handles.

Re:I don't see that. (4, Funny)

Penguinshit (591885) | more than 6 years ago | (#21303577)

I thought the easiest way was to link them from a Slashdot article.

Talk about a zombie army...

Re:I don't see that. (0)

ScrewMaster (602015) | more than 6 years ago | (#21304139)

Talk about a zombie army...

Hey! I resemble that remark!

Re:I don't see that. (1)

Wog (58146) | more than 6 years ago | (#21304431)

...brains?

Re:I don't see that. (1, Funny)

Anpheus (908711) | more than 6 years ago | (#21304289)

The irony is that none of us really intend to read the article anyway, we just see the underlined shiny text and click out of habit.

Re:I don't see that. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21303613)

how will any tool identify or protect you from that threat?

You don't know the power of JESUS!

I was praying to JESUS that no aliens would invade my home last night and guess what... none did!

Praise Jesus! Praise JESUS! PRAISE JESUS!

Re:I don't see that. (1, Funny)

Anonymous Coward | more than 6 years ago | (#21305089)

I was praying to JESUS that no aliens would invade my home last night and guess what... none did!
May whoever modded that down, rot in metamoderation hell.

Praying to Jesus isn't any different than praying to the company that wrote your virus scanner, except that praying to Jesus may work sometimes.

Re:I don't see that. (1)

mOdQuArK! (87332) | more than 6 years ago | (#21303833)

Zombies? You nuke them from orbit. It's the only way to be sure.

Re:I don't see that. (4, Interesting)

Sentry21 (8183) | more than 6 years ago | (#21304355)

A friend of mine is getting DoS'ed for some reason (http://whatsmyip.org/), and he couldn't figure out why, or what to do about it. I suggested scanning the apache logs and firewalling off any IPs that make too many requests, dropping the packets so the application never sees it. Looking through his logs, though, I saw something interesting - the vast majority of connections to his site were from a user-agent of 'Java 1.6' (or somesuch). Configuring Apache to ignore requests from that user-agent resulted in his site becoming responsive again - all of the 'bad' clients were Java clients. Go figure.

I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
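The log triage Sentry21 describes, as an added example that is not his code and does not use his friend's logs: a scan of Apache combined-format lines that counts requests per source address and per user-agent, flags sources that burst past a threshold inside a sliding time window, and emits candidate drop rules for an administrator to review. The log lines, addresses and user-agent strings are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (documentation
# address ranges); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2007:10:00:01 -0800] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.7 - - [11/Nov/2007:10:00:02 -0800] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
203.0.113.7 - - [11/Nov/2007:10:00:03 -0800] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
198.51.100.20 - - [11/Nov/2007:10:00:03 -0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
192.0.2.9 - - [11/Nov/2007:10:00:04 -0800] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
192.0.2.9 - - [11/Nov/2007:10:00:05 -0800] "GET / HTTP/1.1" 200 512 "-" "Java/1.6.0_03"
not a log line at all
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per line that matches the combined format.
    Lines that do not parse are skipped instead of aborting the scan."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def requests_per_ip(entries):
    return Counter(e["ip"] for e in entries)


def requests_per_user_agent(entries):
    return Counter(e["ua"] for e in entries)


def parse_ts(ts):
    # Apache's %t, e.g. 11/Nov/2007:10:00:01 -0800
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def burst_ips(entries, window_seconds, threshold):
    """Addresses that made more than `threshold` requests inside any span
    of `window_seconds`: a sliding window over each address's timestamps."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(parse_ts(e["ts"]))
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def drop_rules(ips):
    """Candidate rules that drop packets before Apache sees them, for an
    admin to review before applying."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("per user-agent:", requests_per_user_agent(entries).most_common())
    noisy = burst_ips(entries, window_seconds=60, threshold=2)
    print("\n".join(drop_rules(noisy)))
```

The user-agent tally is what surfaced the 'Java 1.6' clients in the post, but it is a diagnostic rather than a control: a changed client string defeats it, whereas the per-source window keeps working regardless of what the client calls itself. The window and threshold have to be tuned against the site's normal traffic, which is why the rules come out as a review list rather than being applied unattended.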

Re:I don't see that. (1)

DigiShaman (671371) | more than 6 years ago | (#21305007)

Well, the latest Java runtime available is 1.6. So does that mean these botnets are programmed in Java and are executed using this runtime?

Re:I don't see that. (3, Interesting)

sumdumass (711423) | more than 6 years ago | (#21305235)

It probably means that there is some Java app that, as part of its workings, checks against whatismyip to determine an actual IP addressable from the public. That is somewhat of an issue with a useful site like that. People tend to take it for granted and end up writing programs assuming they have the ability to access it and that the site could handle any of the traffic. D-Link and a few of the home router manufacturers were defaulting their NTP clients to one server and in effect DDoS'd that server when those routers started selling like hotcakes.

It could be some request error that instead of checking once a day ends up checking once every five minutes or something of the sort. It is likely something along the lines of the gaming community that is supposed to help gamers connect to each other through firewalls. I have seen a Java app that does this but don't remember the name.

Re:I don't see that. (1)

raddan (519638) | more than 6 years ago | (#21305959)

Yes, I remember that. The worst part is that some researchers had already set up a load-balancer for people to use, to ease the load on the stratum 1 machines: pool.ntp.org. If the people writing the D-Link software had spent a few minutes thinking about the impact of what they were doing, using this address would have been obvious. My personal opinion is that D-Link should have set up their own timeserver, and shared that out, since they should have had a reasonable expectation that any address they put in there would be hammered.

Re:I don't see that. (1)

hendridm (302246) | more than 6 years ago | (#21306403)

I remember NetGear was also guilty [slashdot.org] of this for DDoS'ing the University of Wisconsin.

Re:I don't see that. (1)

cehjohnson (798720) | more than 6 years ago | (#21305611)

If http://whatsmyip.org/ [whatsmyip.org] is his site, as indeed sumdumass thinks, according to his post, then my take on this is a variant of the aforementioned poster: there are tons of clients available for whatismyip, including ones written in Java. I can't imagine your friend is perplexed by this, since it's almost certainly a result of his site providing too good a service, i.e. servicing requests from clients (that are configured too greedily) too often. The solution is not to block Java user-agents, but to configure the site such that too frequent requests from any client are ignored.
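cehjohnson's alternative, ignoring too-frequent requests from any client rather than banning a user-agent, as an added example that is not code from the site or from anyone in the thread: a per-client token-bucket limiter keyed on the source address, with the user-agent playing no part in the decision. The clock is passed in as a parameter so the policy can be replayed deterministically over constructed traffic; the rate and burst values are illustrative, not a recommendation for any particular site.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # credits this client may spend right now
    last: float     # time of the last refill, in seconds


class PerClientRateLimiter:
    """Token bucket per client key (the source address here). Every client
    starts with `burst` credits and earns `rate_per_sec` more each second,
    capped at `burst`. What the client calls itself never matters."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}

    def allow(self, client_key, now):
        """Return (allowed, retry_after_seconds) for one request at `now`."""
        b = self.buckets.get(client_key)
        if b is None:
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[client_key] = b
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.burst), b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        # Time until one whole credit has accrued; usable as a Retry-After.
        return False, (1.0 - b.tokens) / self.rate


def simulate(limiter, requests):
    """Replay (time, client_key) events in time order and return
    {client_key: (served, rejected)}."""
    tally = {}
    for t, key in sorted(requests, key=lambda r: r[0]):
        ok, _ = limiter.allow(key, t)
        served, rejected = tally.get(key, (0, 0))
        tally[key] = (served + 1, rejected) if ok else (served, rejected + 1)
    return tally


# Constructed traffic: one client polls every second for 20 s (the greedy
# whatismyip-style client), another makes three requests in the same period.
# Rate 0.25/s and burst 3 are chosen so the arithmetic is exact in binary
# floating point and the outcome is reproducible.
GREEDY = [(float(t), "203.0.113.7") for t in range(20)]
NORMAL = [(0.0, "198.51.100.20"), (10.0, "198.51.100.20"), (19.0, "198.51.100.20")]


def demo():
    limiter = PerClientRateLimiter(rate_per_sec=0.25, burst=3)
    return simulate(limiter, GREEDY + NORMAL)


if __name__ == "__main__":
    for client, (served, rejected) in demo().items():
        print(f"{client}: {served} served, {rejected} rejected")
```

Under these numbers the polling client gets its first three requests and then one every four seconds, while the normal client is never touched; the rejected requests cost the server a dictionary lookup instead of a page render. The `retry_after` value is the hint a well-behaved client should honour, which is the other half of the fix sumdumass's NTP story points at.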

Re:I don't see that. (1)

syberdave (658106) | more than 6 years ago | (#21305785)

Someone wrote some network program (in Java) that needs to get the computer's external IP. (Probably some P2P app.) And your friend's site is the "perfect" way to get it.

Translation: (4, Insightful)

rtechie (244489) | more than 6 years ago | (#21303455)

"Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.

Re:Translation: (1)

crowbarsarefornerdyg (1021537) | more than 6 years ago | (#21303471)

A politician started this company?!

Not only that, but there are NO details. (4, Interesting)

khasim (1285) | more than 6 years ago | (#21303731)

I can accept an ad that describes the advances. This article says NOTHING.

And the claims he is making do NOT fit with how machines are infected or how the zombies are used.

Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.

They include patterns for known exploits ... but there are an almost infinite number of patterns for exploits.

But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.

Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.

I'm thinking "snake oil" here.

Re:Not only that, but there are NO details. (5, Funny)

skoaldipper (752281) | more than 6 years ago | (#21304301)

A huckster in our midst? Let's see.

"Botnets represent a convergence of all of the other threats that have existed for some time,"
Scared of rickets? You, sir. Step right up here.

One of the most menacing aspects of botnets is that they can go largely undetected by the owner of a personal computer.
Folks, you might not feel sick today, but that's no guarantee you won't feel sick tomorrow.

Nemean is based on four distinct patents that are either filed or are in process with the Wisconsin Alumni Research Foundation (WARF).
No matter what ails ya, Professor Nemean's original, medicinal, remedial, compound elixir is patented and irrevocably guaranteed to...

The innovation with Nemean is a method to automatically generate intrusion signatures, making the detection process faster and more precise.
boost your bends, target your temperature, and positively palliate your particulars. Yes, folks...

"The technology we're developing here really has the potential to transform the face of network security,"
this age-defying, mystifying, wiz bang fandangle will cure everything from flakey skin to original sin.

Only two bits a bottle. Worth a dollar a drop! Step right up! Step right up!

Re:Translation: (2, Insightful)

sumdumass (711423) | more than 6 years ago | (#21305249)

This isn't as much a blatant ad but a cover your own ass thing. The guy supposedly making this product realizes that if he can think of it, anyone can. He thinks that it might not be his superior intellect but the circumstances of the times pointing to an obvious solution.

So he gets the word out that he is on top of this. Going to release a product and Blah Blah Blah. What it does is show that the obviousness was because he pointed it out. This makes it unique that he might obtain a patent and so on. In 5 years when the USPTO gives him a patent and 25 competing companies want prior art, the searches show up that he is his own prior art. That he was working with and on the stuff before anyone else.

So it is basically a CYOA with a little Bragging mixed in.

So in other words... (5, Insightful)

Icarus1919 (802533) | more than 6 years ago | (#21303457)

People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?

Re:So in other words... (1)

QuantumG (50515) | more than 6 years ago | (#21303515)

Nope. It's an IDS. The ISPs would run it and either inform subscribers that their machine is owned or block the attack traffic.

Not that this is a very easy sell.. but it is in the interests of the ISP, as spam and DDoS continue to eat up their bandwidth.

Re:So in other words... (1)

Joebert (946227) | more than 6 years ago | (#21303553)

So we just have to randomize what the attack traffic looks like ? Doesn't sound too hard.

Re:So in other words... (4, Insightful)

QuantumG (50515) | more than 6 years ago | (#21303639)

Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

          220 foo.bar.baz.MIL (Well hello there)
          EHLO so.i.say.mil
          250-foo.bar.baz.MIL offers THREE extensions:
          250-8BITMIME
          250-PIPELINING
          250 DSN
          RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
          # id
          uid=0(root) gid=0(root) groups=0(root)
          # cd /home
          # ls -l
          drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
          drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
          drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
          drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne

pretty obvious that the server didn't reply to the RCPT request correctly isn't it?

Re:So in other words... (3, Insightful)

FooAtWFU (699187) | more than 6 years ago | (#21303773)

Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.
Snooping all your outbound SMTP (+etc) traffic to validate that it's conforming to a certain protocol is somewhat resource-intensive. The protocol validation would need to be very, very, very good, or it would be liable to catch all sorts of garbage: there's no shortage of slightly-wrong products out there. (It's not just Microsoft either). Not all communications that you expect to be a certain protocol actually are - and they may be some extended version of the protocol. (Watch WebDAV over HTTP.) Not all protocols are trivial to validate in this manner. Not all exploits require a breach of a certain protocol. (Watch for some of the PHP exploits that you can send in a perfectly valid HTTP POST). Not all exploits are synchronous like this one. And, finally, privacy can be an issue.

It's not impossible, but it is hard, doubly so if you intend your product to be a good one... and the utility may be rather marginal.

Re:So in other words... (1)

db32 (862117) | more than 6 years ago | (#21306119)

Somewhat resource intensive mattered 10 years ago. When my phone has the same processing power that an F-16 uses to fly...well I think the resource intensive debate is getting silly. Yes it is intensive, but the machines we have today aren't exactly short on the resources to make this extremely capable. In fact Sidewinder firewalls already do a good deal of this type of stuff. To the best of my knowledge they are the only proxy based firewall floating around commercially right now. Packet Inspection took off because it took less resources...and now they just slap more wizbang nonsense features on top of these types of firewalls to make use of the excess resources. Now we have those resources and so many people are still trying to make packet inspection better rather than going back to the better design that we now have the resources to effectively implement.

Re:So in other words... (1)

Joebert (946227) | more than 6 years ago | (#21303787)

Aren't exploits crafted to conform to protocols though? Seems that until the screener knows the application can not handle certain instances of a protocol, it would assume they're safe.

Getting installed on the system isn't the hard part, people willingly listen to Britney Spears for cryin out loud.
Once on the system, multiple communication applications could be used to communicate from zombie to zombie. Why would anyone suspect that the random person sending them an IM was actually a front for zombie communication ?

Let's look at this logically. (3, Insightful)

khasim (1285) | more than 6 years ago | (#21303867)

Someone who isn't going to patch his mail server is going to install this new IDS? Correctly? And keep it patched?

Now, what if the mail server is responding with a "user not found" error in a multi-line format? Does that trigger your IDS?

If not, why? Or are you going to set patterns for EVERY possible, legitimate, response so you'll be able to find the ones that don't match it?

Yeah, good luck with that. You should start working on it now. Maybe in 10 years or so you'll have caught all the possible legit patterns for everything available today.

That is why current IDS's depend so much upon the ADMINS training the IDS's to what is LEGIT traffic for their particular network.

Which yields a LOT of "false positives" in the early stages (and immediately after upgrades). But if I'm running Exim4, why should my IDS be looking for patterns of Exchange responses? Or Sendmail responses? Or anything else?

Despite what that guy claims, there is no easy way to identify the bad without having a person identify what is good.
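The reply-syntax check QuantumG sketches, written as an added example (not code from any poster or from Nemean) so that the cases FooAtWFU and khasim raise are visible in it: a validator over the server side of an SMTP transcript that flags server lines which are not reply lines at all, multi-line replies whose lines disagree on the code, and replies left unfinished, while a legitimate two-line 550 "user not found" passes untouched. It assumes the reply grammar of RFC 5321 section 4.2 (three-digit code, then a space on the final line or a hyphen on continuation lines); the transcripts are constructed, use example.test names, and the RCPT argument in the hijacked case is a placeholder, not a payload.

```python
import re

# A server reply line is a three-digit code followed by a space (final line)
# or a hyphen (more lines of the same reply follow): RFC 5321 section 4.2.
REPLY_LINE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")


def check_smtp_transcript(lines):
    """Check the server side of a transcript for reply-syntax violations.

    `lines` is a list of (side, text) tuples in wire order, side being
    "S" (server) or "C" (client). Returns a list of (line_no, reason).
    Only reply shape is checked: client commands, including extension
    commands the checker has never heard of, are never judged."""
    findings = []
    open_code = None  # code of a multi-line reply still in progress
    for n, (side, text) in enumerate(lines, 1):
        if side == "C":
            if open_code is not None:
                findings.append((n, f"client spoke before reply {open_code} was complete"))
                open_code = None
            continue
        m = REPLY_LINE.match(text)
        if m is None:
            findings.append((n, f"server line is not an SMTP reply: {text[:40]!r}"))
            open_code = None
            continue
        code, sep = m.group("code"), m.group("sep")
        if open_code is not None and code != open_code:
            findings.append((n, f"continuation code {code} differs from {open_code}"))
        open_code = code if sep == "-" else None
    if open_code is not None:
        findings.append((len(lines), f"transcript ended inside reply {open_code}"))
    return findings


def is_conforming(lines):
    return not check_smtp_transcript(lines)


# Constructed: a normal session including khasim's multi-line 550 reply.
LEGIT = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250-8BITMIME"),
    ("S", "250 DSN"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<nobody@example.test>"),
    ("S", "550-5.1.1 The email account that you tried to reach"),
    ("S", "550 5.1.1 does not exist."),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]

# Constructed, in the shape of the thread's example: after RCPT the server
# side stops speaking SMTP and emits shell output. Placeholder argument only.
HIJACKED = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO client.example.test"),
    ("S", "250 mail.example.test"),
    ("C", "RCPT TO:<placeholder-not-a-payload>"),
    ("S", "uid=0(root) gid=0(root) groups=0(root)"),
    ("S", "drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve"),
]

# Constructed: a multi-line reply whose lines disagree on the code.
MIXED_CODES = [
    ("S", "250-mail.example.test"),
    ("S", "550 5.1.1 does not exist."),
]


if __name__ == "__main__":
    for name, t in (("LEGIT", LEGIT), ("HIJACKED", HIJACKED), ("MIXED_CODES", MIXED_CODES)):
        print(name, check_smtp_transcript(t))
```

This answers khasim's multi-line question without enumerating every legitimate response: the grammar, not a list of known replies, is the reference, so the two-line 550 passes and the shell output fails. It also shows the limit FooAtWFU describes. A check this narrow says nothing about an attack that stays inside the grammar, a well-formed HTTP POST carrying a PHP exploit being his example, and a server that is merely sloppy about its reply format will trip it just as the hijacked one does, so in practice the finding is a signal to inspect rather than a reason to drop the connection.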

Re:So in other words... (1)

mcrbids (148650) | more than 6 years ago | (#21305133)

Obvious to us, with our incredibly powerful pattern-matching brains. But while it's easy to write a program to look for this specific example, programming a machine to recognize this without some kind of advance programming/configuration is nothing less than AI.

It will, I'm sure, be done/possible eventually. But based on my understanding of the field, we aren't there, yet.

Re:So in other words... (2, Insightful)

penix1 (722987) | more than 6 years ago | (#21303689)

but it is in the interests of the ISP, as spam and DDoS continues eats up their bandwidth.

You seem to be of the impression that ISPs care about bandwidth. Here's a clue-by-four for you...

They don't.

In fact, they want as much bandwidth being eaten up as possible to support their claims of "teh tubes are clogged!!!111!!! We need to get evil Google (YouTube) to pay more since they are obviously the cause!" to Congress.

Re:So in other words... (1)

cp.tar (871488) | more than 6 years ago | (#21305015)

Besides, even if we got rid of spam, and the bandwidth was freed, we normal users wouldn't see a bit of difference.


Naturally, that's one trip we're really looking forward to.

Re:So in other words... (1)

ILuvRamen (1026668) | more than 6 years ago | (#21304195)

that's exactly why I like my idea better. Get all massive ISPs in the US to get in on this one so no home user has to do much preventative work. You find out what just got attacked by let's say the storm botnet. ISPs check their logs and see who tried to contact the victim IP more than 100 times in a minute. Then send 'em a warning e-mail telling them they're infected and give instructions on what to do to fix it. They could even e-mail them popular removal tools. If they don't do it, disconnect their internet. The only apparent problem is massive fake warning e-mails with virus attachments posing as removal tools but there are ways around that too.

Re:So in other words... (1)

xactuary (746078) | more than 6 years ago | (#21304469)

That brings up a point for me, which I've always wondered about. Couldn't someone release a virus that fixed everybody's PC? Somehow I don't ever expect to hear myself saying "I, for one, welcome my PC-fixing viral overlords!"

All it needs is just one bit. (4, Funny)

140Mandak262Jamuna (970587) | more than 6 years ago | (#21303465)

All packets originating from botnets must set the malicious bit to 1. That is all. Then the system is 100% foolproof.

Talk by Paul Barford (5, Informative)

QuantumG (50515) | more than 6 years ago | (#21303485)

Title: Toward Self-directed Network Intrusion Detection and Prevention

Abstract:

Network attacks and intrusions have been a fact of life in the Internet
for many years and continue to present serious challenges for network
researchers and operators alike. The objective of our work is to develop
tools and systems that automate or otherwise enhance key activities of
network security analysts. In the first part of this talk, I will describe
our malicious traffic assessment activities using our Internet Sink
(iSink) system for dark address space monitoring. iSink is a highly
scalable system that includes both passive packet capture and a set of
stateless active responders that enable details of exploits to be
captured. Our results illustrate the variability in the traffic on dark
address space and the feasibility of efficient classification of attack
types. I will also describe how data from dark address space monitors can
be used to provide near real time network "situational awareness" for
security analysts. iSink data is also the basis for our Nemean system that
automatically synthesizes signatures for intrusion detection. Unlike
standard intrusion signatures, Nemean's signatures are protocol aware
which we show greatly enhances their resilience to false alarms. I will
describe Nemean, and conclude with a brief description of our current
activities in adapting Nemean into a real time intrusion prevention
system.

Where: Grad. Lounge

When: Thursday 27th Oct 2005 11 am.

2 years from lab to startup, not bad dude.
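The abstract's claim that protocol-aware signatures are more resilient to false alarms than byte-pattern ones can be shown concretely. The block below is an added example of mine, not Nemean's code or anything from the talk: the directory-traversal pattern, the minimal HTTP request parser and the four sample requests are all constructed for the illustration. A raw byte signature fires wherever the bytes appear (a forum post body, a search query string) and misses a percent-encoded variant; the protocol-aware check parses the request, decodes the path and judges only the field where traversal means something.

```python
import re
from urllib.parse import unquote, urlsplit

# A conventional byte-pattern signature: fires wherever the bytes occur.
RAW_TRAVERSAL_SIG = re.compile(rb"\.\./\.\./")


def raw_signature_match(payload: bytes) -> bool:
    """Content-agnostic matching over the whole TCP payload."""
    return RAW_TRAVERSAL_SIG.search(payload) is not None


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x request parser; returns a dict, or None if not HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": parts[0].decode("latin-1"),
        "target": parts[1].decode("latin-1"),
        "headers": headers,
        "body": body,
    }


def path_escapes_root(target: str) -> bool:
    """True if the request path, after percent-decoding, climbs above '/'."""
    path = unquote(urlsplit(target).path)  # path component only, query ignored
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def protocol_aware_match(payload: bytes) -> bool:
    """Only judge the field where traversal is meaningful: the URL path."""
    request = parse_http_request(payload)
    if request is None:
        return False
    return path_escapes_root(request["target"])


# Constructed sample requests (not real captures); example.test is a placeholder host.
SAMPLES = {
    "benign_body": (
        b"POST /forum/post HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 30\r\n\r\nsee ../../docs/README for help"
    ),
    "benign_query": b"GET /search?q=../../ HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "attack_plain": b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "attack_encoded": (
        b"GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"
        b"Host: example.test\r\n\r\n"
    ),
}


def compare(samples=SAMPLES):
    """Return {name: (raw_verdict, protocol_aware_verdict)} for each sample."""
    return {name: (raw_signature_match(p), protocol_aware_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (raw, aware) in compare().items():
        print(f"{name:15} raw={raw!s:5} protocol_aware={aware}")
```

The two benign samples are exactly the kind of traffic that inflates a raw signature's false-positive count, and the encoded sample is the kind it misses; the parser-based check gets all four right. The price is that the detector now has to parse every protocol it wants to judge, and a parser that does not match the server's own interpretation (double encoding, backslashes on Windows targets) reopens the gap.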

Re:Talk by Paul Barford (1)

44BSD (701309) | more than 6 years ago | (#21303651)

The article touts Barford, but it looks as though this is one example of similar work that various researchers have been pursuing for years. Folks at CAIDA, Arbor, and Team Cymru have been talking about darknet design, construction, and use for a long time. This project seems to fit into that space quite nicely, but TFA is a damn press release, so naturally it is useless and devoid of context.

Re:Talk by Paul Barford (1)

shmlco (594907) | more than 6 years ago | (#21304595)

Worse, it looks like they formed the spinoff company AFTER doing most of the developmental work while at the University. To quote, "Nemean was developed and tested on the Wisconsin Advanced Internet Laboratory (WAIL), a unique test bed for examining complex behavior on the Internet."

Your public tax dollars at work once again.

Re:Talk by Paul Barford (1, Informative)

Anonymous Coward | more than 6 years ago | (#21305973)

In fact, this behavior is encouraged by UW--Madison, and rightly so.


UW--Madison allows the researcher to own the patents, and in essentially all cases, the licensing proceeds and some profits are voluntarily donated to the Wisconsin Alumni Research Foundation (WARF), a third-party organization founded and maintained by researchers at the university for exactly this purpose.


This attitude can be summarized as "We trust our researchers, and we want to see their research become useful outside the ivory tower."


The WARF generates a huge amount of money which is then donated back to primary research at the university. It is the single reason why UW--Madison is consistently a leader in biotech, especially compared to other big state universities.

Re:Talk by Paul Barford (1)

Harmonious Botch (921977) | more than 6 years ago | (#21303693)

It only took a month of work, but this is the first we've heard from them because they've been DOSed to oblivion by botnets for the last two years.

doomed to failure (0)

Anonymous Coward | more than 6 years ago | (#21304057)

Apple is going to rape them.

It's called... (2, Funny)

Eevee1 (1147279) | more than 6 years ago | (#21303529)

Hello Slashdotters! I have made a new invention as well! It's called "Removing Plug from Wall!" With my new invention, nobody will have to worry about botnets, spammers, trolls and those pop-up ads ever again! Until you plug it back in!

One more thing (3, Funny)

Anonymous Coward | more than 6 years ago | (#21303535)

How about certain thing named Common Sense to be added to the list?

Oh teh irony (1)

Edie O'Teditor (805662) | more than 6 years ago | (#21305183)

Common sense suggested by someone who's reading a Roland article.

Screw that! (0)

Anonymous Coward | more than 6 years ago | (#21303607)

This is the problem with the education system in the US... This guy can use public funds and time at school to come up with something that he will then sell commercially. Bullshit - it should be open-sourced. Why should people at university get the benefit of tax-payer funding and turn it into self-gain? While I hate big government, regulation in this area is a must. Any developments coming out of tax-payer funding should be free and open to all. It disgusts me to see universities patenting things or doing things like this. Just like any government subsidized company (drug industry, transportation, etc) - should all be non-profit, for the good of all, not just the good who can afford it and the exclusion of those who paid for it thru taxes and now cannot afford it.

Re:Screw that! (1)

PopeRatzo (965947) | more than 6 years ago | (#21304257)

I agree with the sentiment, but I don't believe that any idea that someone has while they're in school has to be open source. If the federal government is funding a research project, then yes, it should be open source. But it would be a bit restrictive to force every student who comes up with a bright idea to give his work away.

I wrote a book when I was a grad student. Should I have been forced to give it away? I was in a state grad school at the time and the bulk of the cost of my education was indeed funded by the public, but I did the work.

As far as technical advances go, I have no problem with universities patenting the results of their research. In an age of shrinking public funding for higher ed, it's one way to pay the bills.

Ultimately, it's up to the person who came up with the idea whether or not to release it as open source.

On the other hand, I think patents should be for a much shorter period, non-renewable, and non-transferable to anyone but the person or organization that made the innovation. They'd still have plenty of incentive to create, but important technologies (or IP) don't get locked up forever.

Re:Screw that! (0)

Anonymous Coward | more than 6 years ago | (#21304427)

No, I meant that when the government on any level is funding, in whole or in part, a project of any type, the results should be open and free. Your book is yours unless you did it on governmental paid/sponsored time at university.

And patenting them - not if they are funded by the government. Unless they offer free and unrestricted access to that tech to anyone - private citizens and corporations both pay taxes and should stand to gain equally. I would say in the case of a funded advance, the patent would be more to keep other private entities from patenting it after the fact.

Yes, patents are way too long. But that's another issue that won't be solved in our lifetime.

This whole system is f*cked. If RMS wants to do some good, he'd tackle stuff like this. I wholly believe in capitalism, but this has nothing to do with capitalism - more a broken loophole that the government needs to close for the good of its people - the ones paying for that research and paying again for the results. Like double-dipping taxation. Up for another Boston Tea Party anyone? ;-)

See spot run. Run Spot! Run! (4, Insightful)

buss_error (142273) | more than 6 years ago | (#21303661)

Gee. Lookit this big bad threat.
Boo! Botnet! Boo!
Bad Botnet! Bad! Bad! Bad!

We can save you! We have Patented Technology!
All Hail our most Holy Precious Intellectual Property!
Hail IP! Hail! Botnet! Boo!

OK, can someone 'splain to me Lucy why this obvious and fact-lacking
bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
exactly how technology that allows for 99.9 percent accuracy with zero false
positives actually works? Remember, we're talking millions of infected botnet
systems with ZERO false positives. Make millions of ANYTHING and you're going
to have a few errors here and there.

This is great if it's true, however, I'm highly skeptical without more hard
facts that this is anything other than vaporware and high hopes for an early
buyout. Gee! FOUR patents!

I'll bet I could get four patents on a process to pick my teeth with a toothpick.
Not that I think it honest, you understand...

Re:See spot run. Run Spot! Run! (1)

martin-boundary (547041) | more than 6 years ago | (#21303823)

You should definitely get those four patents on picking your teeth. I think Darl McBride might buy them off you if you tell him they're Linux related.

Re:See spot run. Run Spot! Run! (2, Interesting)

buss_error (142273) | more than 6 years ago | (#21304101)

You should definitely get those four patents on picking your teeth. I think Darl McBride might buy them off you if you tell him they're Linux related.


Well, Darl is a bit short of cash right now, seeing how he's busy transferring a patent to cattleback and all. And, oh, My, we forgot to pay anything for that transfer! Ooops! OUR BAD! Please let us make it right and do it now we've filed for bankruptcy! We'll just move anything of value out of SCOX and leave it with nothing but the bills while we move anything of value out to other subsidiaries.

About as obvious as a cat trying to cover up "business" on a tile floor. Problem is that the cat's business is far more honest than SCOX's "business", and about as transparent. The problem with stupid people is that they think we are dumber than they are.

It's always such a shock to them when they find out others are more intelligent than they are. Why, they are simply INDIGNANT and DEMAND we dumb ourselves down to their level. I'd oblige, but I don't have that nifty little MP3 player on my hip with the endless loop of "Ok, now INHALE......OK, now EXHALE.......INHALE........EXHALE......"

Sadly, this estimation of common IQ really isn't all that far wrong. As evidence, I submit the 2004 "elections".

Re:See spot run. Run Spot! Run! (0)

Anonymous Coward | more than 6 years ago | (#21303943)

Is there anyone that can tell me exactly how technology that allows for 99.9 percent accuracy with zero false positives actually works?

Sure. You start by asserting that it's never wrong, then you arrest anyone that it fingers. Anyone who manages to escape conviction did so because they had an expensive lawyer get them out of it on a technicality. See, no false positives!

Coming soon to a wiretap or grocery store near you!

Re:See spot run. Run Spot! Run! (1)

Alari (181784) | more than 6 years ago | (#21304407)

> is there anyone that can tell me exactly how technology that allows for 99.9 percent accuracy with zero false positives actually works?

As a thought exercise I tried to figure out how. This is what I came up with: Set up a secure monitoring server on some random isolated IP address, no DNS name pointing to it or anything. If something connects it's probably malicious, especially if it tries to get all gay with the various known-to-be-vulnerable ports. Propagate that IP to the ISP/company routers' blacklist.
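Two ISP-side heuristics proposed in this thread, ILuvRamen's "more than 100 contacts to the victim IP in a minute" log check and the dark-address monitor sketched in the comment above, can both be run over ordinary flow records. The block below is an added example of mine, not anything from the article or from the iSink/Nemean work; the `ts,src,dst,dport` record format, the threshold, the addresses (RFC 5737 documentation ranges) and the "dark" /25 that is assumed to host nothing are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: float      # seconds since epoch
    src: str
    dst: str
    dport: int


def parse_flows(lines: Iterable[str]):
    """Parse 'ts,src,dst,dport' records (the constructed format used below)."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        yield Flow(float(ts), src, dst, int(dport))


def hammering_sources(flows, victim: str, threshold: int = 100, window: float = 60.0):
    """Sources that hit `victim` more than `threshold` times inside any
    `window`-second sliding interval. Returns {src: peak_count}."""
    times_by_src = defaultdict(list)
    for f in flows:
        if f.dst == victim:
            times_by_src[f.src].append(f.ts)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] >= window:   # slide the window start forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def darknet_hits(flows, dark_prefix: str):
    """Sources that sent anything into an address block known to host
    nothing. Returns {src: sorted destination ports touched}."""
    dark = ipaddress.ip_network(dark_prefix)
    hits = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f.dst) in dark:
            hits[f.src].add(f.dport)
    return {src: sorted(ports) for src, ports in hits.items()}


# Constructed flow log (RFC 5737 documentation addresses, not real traffic).
VICTIM = "198.51.100.10"
DARK_PREFIX = "198.51.100.128/25"   # assumed unused half of the same /24
BOT, CLIENT = "203.0.113.7", "192.0.2.20"

SAMPLE_LOG = ["# ts,src,dst,dport"]
SAMPLE_LOG += [f"{1000 + i * 0.3:.1f},{BOT},{VICTIM},80" for i in range(150)]   # 150 hits in 45 s
SAMPLE_LOG += [f"{1000 + i * 9.0:.1f},{CLIENT},{VICTIM},443" for i in range(5)]  # normal browsing
SAMPLE_LOG += [f"{1100 + i:.1f},{BOT},198.51.100.200,{p}"                        # probes into dark space
               for i, p in enumerate((135, 445, 1433))]


def analyse(lines=SAMPLE_LOG):
    flows = list(parse_flows(lines))
    return {
        "hammering": hammering_sources(flows, VICTIM),
        "darknet": darknet_hits(flows, DARK_PREFIX),
    }


if __name__ == "__main__":
    print(analyse())
```

Two practical points the thread glosses over: a flagged source address has to be mapped back to a subscriber using DHCP or RADIUS records for that timestamp, not whoever holds the address today; and dark-space hits are high-confidence only because nothing legitimate should be there, yet typos and stale DNS do produce a trickle, so the set of ports touched (135/445/1433 above) is what separates a scanner from a misconfigured client.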

commercially. (3, Interesting)

memnock (466995) | more than 6 years ago | (#21303675)

if the botnet thing is that serious, wouldn't it be a better solution if it was free?

i'm not trying to say it HAS TO be free. hell, most of the people that have compromised machines won't know they need the software and where to get it, free or commercial or whatever. just kind of wondering out loud is all.

Snort! (1)

khasim (1285) | more than 6 years ago | (#21303783)

I use Snort on our company network and I have absolutely no problems with it. I don't see how anything else could be better.

But then ... I also do things like block out-bound SMTP from anything other than my mail server and check the logs to see if anything is happening.

There's not enough info in that "article" ("ad") to say whether his work is even as good as Snort. Let alone better.

Re:commercially. (1)

PrinceOfStorms (568367) | more than 6 years ago | (#21304605)

Not necessarily. If the solution was free, some (and I'm not saying all) users/managers wouldn't take it seriously. Charge them for it, and they'll want it, install it, run it, update it, whatever in order to justify spending money on it. Make it free and for some of them they'll consider installing it, and if they get that far, forget about ever running or updating it. For these people, free=worthless.

Re:commercially. (1)

memnock (466995) | more than 6 years ago | (#21306071)

i see your point.

Just install VISTA! (1)

The Bandit (17525) | more than 6 years ago | (#21303705)

I thought some of the hype Micro$oft was chattering about was how secure Vista was. Shouldn't the maker of the operating system take some steps to secure their product before calling it secure? Or maybe the real problem is in the routing. Can't routers become more smart to know what packets are real vs packets from botnets?

Life just seemed so much simpler back in the good old Commodore days.

Let me see if I've got this straight. (1)

rindeee (530084) | more than 6 years ago | (#21303711)

I buy Windows AND this new stuff (developed at a publicly funded U.), and THEN I'll have a safe PC that I can utterly neglect and still feel responsible? Great...fantastic.

I have an idea! (4, Insightful)

jhfry (829244) | more than 6 years ago | (#21303719)

Why don't ISPs implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user.

It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

Obviously, the user could disable all filtering if they so desired.

This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

In addition, why don't ISPs notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on their customers' machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.
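The "unusual port or protocol" notification in the comment above amounts to a per-subscriber baseline of destination ports with an alert the first day a new one shows up in volume. The block below is an added example of mine, not something any ISP or the article describes; the day-indexed flow format, the service-name table, the three-connection minimum, the two subscribers and their history are all constructed assumptions.

```python
from collections import Counter, defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    day: int          # day index within the constructed log
    subscriber: str   # ISP account, already resolved from the address
    dport: int


# Assumed names for the notification text; not an exhaustive table.
SERVICE_NAMES = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 6667: "IRC", 993: "IMAPS"}


def parse_flows(lines: Iterable[str]):
    """Parse 'day,subscriber,dport' records (the constructed format used below)."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            day, sub, dport = line.split(",")
            yield Flow(int(day), sub, int(dport))


def build_baseline(flows, upto_day: int):
    """Ports each subscriber used on any day before `upto_day`."""
    seen = defaultdict(set)
    for f in flows:
        if f.day < upto_day:
            seen[f.subscriber].add(f.dport)
    return seen


def novel_services(flows, day: int, min_flows: int = 3):
    """Ports a subscriber used on `day` that never appeared in their
    baseline, ignoring one-off connections below `min_flows`.
    Subscribers with no history yet are skipped (learning period).
    Returns {subscriber: {port: flow_count}}."""
    baseline = build_baseline(flows, day)
    today = Counter((f.subscriber, f.dport) for f in flows if f.day == day)
    alerts = defaultdict(dict)
    for (sub, port), n in today.items():
        if sub not in baseline:
            continue
        if port not in baseline[sub] and n >= min_flows:
            alerts[sub][port] = n
    return dict(alerts)


def notification(subscriber: str, port: int, count: int) -> str:
    """Plain-language text in the spirit of the parent comment's proposal."""
    name = SERVICE_NAMES.get(port, f"port {port}")
    return (f"To {subscriber}: we are seeing {name} traffic ({count} connections today) "
            f"from your connection; you have not used {name} before. Some malicious "
            f"software communicates this way. Please read the linked article if you "
            f"would like to know more.")


# Constructed history: sub-A only browses; sub-B has always used IRC.
SAMPLE_LOG = ["# day,subscriber,dport"]
for _day in range(7):
    SAMPLE_LOG += [f"{_day},sub-A,80", f"{_day},sub-A,443",
                   f"{_day},sub-B,80", f"{_day},sub-B,6667"]
SAMPLE_LOG += ["7,sub-A,80"] + ["7,sub-A,6667"] * 12   # sub-A suddenly talks IRC
SAMPLE_LOG += ["7,sub-A,993"]                           # one IMAPS connection: below minimum
SAMPLE_LOG += ["7,sub-B,6667"] * 12                     # sub-B's IRC is normal for them
SAMPLE_LOG += ["7,sub-C,6667"] * 12                     # brand-new subscriber: no baseline yet


def analyse(lines=SAMPLE_LOG, day=7):
    flows = list(parse_flows(lines))
    alerts = novel_services(flows, day)
    messages = [notification(sub, port, n)
                for sub, ports in alerts.items() for port, n in ports.items()]
    return alerts, messages


if __name__ == "__main__":
    for msg in analyse()[1]:
        print(msg)
```

Only sub-A is notified: sub-B has IRC in their history and sub-C has no history at all. The detector catches only the naive case; control traffic tunnelled over 80 or 443 never appears as a new port, and the per-subscriber port history the scheme requires is itself a sensitive record of what each customer does online, which has to be retained for the baseline to exist.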

Re:I have an idea! (4, Insightful)

fireboy1919 (257783) | more than 6 years ago | (#21303819)

Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).

They could up the bandwidth and do it that way.

The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

I wonder why they don't do that?

Re:I have an idea! (1)

feepness (543479) | more than 6 years ago | (#21303893)

The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

Cheaper for who? You gonna take the tech support calls? ;)

Seriously, have them change the default password first and put it on a sticker on the box.

Re:I have an idea! (1)

fireboy1919 (257783) | more than 6 years ago | (#21303999)

I will be more explicit. It is much cheaper to put per-user routing restrictions into the DSL or cable modem than it is to put it in the neighborhood level or higher level routers.

Whether that saves enough bandwidth to be cheaper TCO, I'm not sure, but that's not really what we were discussing. I get the feeling you were talking about implementing versus not rather than the type of implementation, since the support calls would be about the same whether you went to a website that's actually running on your router to do the admin or one that's actually on the local network router.

Re:I have an idea! (2, Insightful)

140Mandak262Jamuna (970587) | more than 6 years ago | (#21303895)

The compromised computers are running malicious code installed by the bot boss. Anything doable by the user is doable by the bot boss. They probably run cron jobs to reset the router settings to disable all filtering and exposing all the ports etc. Most users of the compromised computers don't know, or they don't care their computer is running malicious software.

Re:I have an idea! (1)

fireboy1919 (257783) | more than 6 years ago | (#21303981)

Anything doable by the user is doable by the bot boss.

Not reading a sheet of paper. You know...the one that will come with the installation that has the randomly generated key for the password to access the router?

There isn't one now, but if you're going to be doing this to stop hackers, then you'd (obviously, as you point out) want to do this.

Re:I have an idea! (1)

patrikor_007 (1094491) | more than 6 years ago | (#21304189)

nah, i don't need my isp to tell me how much porn i look at ;)

Re:I have an idea! (1)

VENONA (902751) | more than 6 years ago | (#21304825)

"Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user."

At ISP scale, the vast majority of common ports are used for legitimate traffic by someone. That's what makes them common ports. :)

"It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself."

Why would you want to move this functionality from equipment under your control to something under the ISP's control? This is available on tons of broadband routers now, either cable modem, or DSL.

If you've never seen this, perhaps you have older gear, and you might want to call your ISP. I know some of them are always trying to get customers to upgrade, because the newer gear gives them more of an opportunity to sell more expensive services, whether that be higher speed, or whatever. Who knows, you might be able to upgrade at no cost. It can't hurt to check.

Re:I have an idea! (1)

jhfry (829244) | more than 6 years ago | (#21304875)

I am not thinking of myself but the neighbour who has no firewall running (unless you count XP's software firewall), no method of monitoring/restricting outgoing traffic, and wouldn't have the faintest idea what to look for to determine if her machine had been compromised.

I am more concerned about outbound traffic as it relates to the article in question... if the ISP prevented everything but http(s) traffic by default and you had to manually enable other forms of traffic by visiting a website and selecting the protocol/application in question, they could prevent your machine from sending anything OUT as well as blocking incoming garbage.

I don't know the best solution... only that ISPs COULD and probably SHOULD look at ways of making it safer to connect to their service.

As long as they don't restrict what a knowledgeable user can do of course!

Re:I have an idea! (1)

Xenoflargactian (883930) | more than 6 years ago | (#21304927)

The protocol filtering won't fix a thing, unfortunately. The bad guys will then just switch to using common ports (80, 443, 21, etc) to control their botnets. It would also create a usability problem for lay users. Imagine "I bought this just-released game, but I can't connect to the multiplayer system." Most users would be clueless.

I like the unusual traffic notifications. It reminds me of the credit card companies' notifications about odd purchases, except the volume of traffic to monitor would be several orders of magnitude greater than those of the CC companies. A drawback of this approach is that the ISPs would then need to keep track of which protocols each of their users used, when they used them, how often, etc. This information would be ripe for subpoena by law enforcement, effectively defenestrating [answers.com] privacy.

Ahoy! Press release! (4, Interesting)

martin-boundary (547041) | more than 6 years ago | (#21303797)

Where does Roland Piquepaille find all these contentless press releases? No facts, no explanations, pie-in-the-sky false positive claims, unnamed competitor systems...

Does he think slashdot readers don't read the article or something?

Re:Ahoy! Press release! (1)

Brian Gordon (987471) | more than 6 years ago | (#21303909)

Apparently you didn't..

it has zero false positives when commercial systems have high numbers

Heh

Mod parent up! (1)

martin-boundary (547041) | more than 6 years ago | (#21303965)

I'd mod you up myself, but I've already commented today!

Re:Mod parent up! (2, Insightful)

martin-boundary (547041) | more than 6 years ago | (#21304273)

(for the humour-impaired, the comment immediately above is meant to be ironic [wikipedia.org].) There actually are no verifiable facts in the linked-to article. The quoted statement

it has zero false positives when commercial systems have high numbers

is meaningless drivel, since the commercial systems aren't named and the supposed testing procedure and experimental data are not described and certainly not controllable by others.

Instead this is a content-less advertising press release (as can be easily seen by noticing that the source is the UW-Madison "news" page, which is meant to give alumni and other potential cash donors a warm fuzzy feeling about the achievements of the university). Such press releases rarely have anything concrete in them, because that would allow competitors and critics to point out flaws and wild claims, thereby ruining the effect.

BotHunter, anyone? (4, Informative)

AgentPhunk (571249) | more than 6 years ago | (#21303949)

A free/open-source tool called BotHunter has been available for a while now. Sounds like maybe the guy in TFA is just going to copy and sell their ideas.

http://www.cyber-ta.org/releases/botHunter/ [cyber-ta.org]

From the site: BotHunter™ is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunter™ is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

There's also a great PDF available showing a full dissection of a Storm variant.
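The dialog correlation the BotHunter description talks about, tying inbound intrusion alarms to the outbound patterns of a successful infection, can be sketched in a few dozen lines. This is an added example of mine, not BotHunter's code: the five stage labels borrow the E1..E5 naming of the BotHunter work, but the infection rule used here (an inbound exploit alert followed by any outbound stage, or two distinct outbound stages, inside a five-minute window), the event format and the sample events are my own simplification and constructed data.

```python
from collections import defaultdict
from typing import Iterable, NamedTuple


class Event(NamedTuple):
    ts: float     # seconds since epoch
    host: str     # the internal host the dialog is about
    kind: str     # one of the dialog stages below
    detail: str   # free text from the sensor that raised it


# Dialog stages. The rule combining them is this example's assumption.
INBOUND_SCAN, INBOUND_EXPLOIT = "E1_inbound_scan", "E2_inbound_exploit"
EGG_DOWNLOAD, CNC_TRAFFIC, OUTBOUND_SCAN = "E3_egg_download", "E4_cnc", "E5_outbound_scan"
OUTBOUND = {EGG_DOWNLOAD, CNC_TRAFFIC, OUTBOUND_SCAN}


def correlate(events: Iterable[Event], window: float = 300.0):
    """Declare a host infected when, inside `window` seconds, either
    (a) an inbound exploit alert is followed by any outbound stage, or
    (b) two distinct outbound stages occur (the infection may have
        arrived by a path the perimeter sensors never saw).
    Returns {host: [events forming the dialog trail]}."""
    by_host = defaultdict(list)
    for e in sorted(events):
        by_host[e.host].append(e)
    reports = {}
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            trail = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            outbound_kinds = {e.kind for e in trail} & OUTBOUND
            exploit_ts = min((e.ts for e in trail if e.kind == INBOUND_EXPLOIT), default=None)
            exploited = exploit_ts is not None and any(
                e.kind in OUTBOUND and e.ts >= exploit_ts for e in trail)
            if exploited or len(outbound_kinds) >= 2:
                reports[host] = trail
                break   # one consolidated report per host
    return reports


# Constructed sensor events (documentation addresses; not a real capture).
SAMPLE_EVENTS = [
    # a full infection dialog: scanned, exploited, fetched its payload, joined C&C
    Event(0.0,    "10.0.0.5",  INBOUND_SCAN,    "203.0.113.7 -> tcp/445 sweep"),
    Event(5.0,    "10.0.0.5",  INBOUND_EXPLOIT, "IDS alert on tcp/445 from 203.0.113.7"),
    Event(40.0,   "10.0.0.5",  EGG_DOWNLOAD,    "GET /x.exe from 203.0.113.7:8080"),
    Event(120.0,  "10.0.0.5",  CNC_TRAFFIC,     "tcp/6667 NICK/JOIN to 198.51.100.9"),
    # scanned but not exploited; a person using IRC afterwards is not evidence
    Event(0.0,    "10.0.0.9",  INBOUND_SCAN,    "203.0.113.7 -> tcp/445 sweep"),
    Event(50.0,   "10.0.0.9",  CNC_TRAFFIC,     "tcp/6667 to 198.51.100.9"),
    # exploit alert with no outbound follow-up: probably failed, or a false alarm
    Event(1000.0, "10.0.0.12", INBOUND_EXPLOIT, "IDS alert on tcp/445 from 203.0.113.7"),
]


def summarise(events=SAMPLE_EVENTS):
    """{host: ordered list of stage labels in the reported trail}."""
    return {host: [e.kind for e in trail] for host, trail in correlate(events).items()}


if __name__ == "__main__":
    for host, stages in summarise().items():
        print(host, "->", " ; ".join(stages))
```

The value of the correlation is in what it does not report: 10.0.0.9 was scanned and then talked IRC, 10.0.0.12 tripped an exploit signature, and neither alone is an infection. The same structure is also why the comment's "warning after you've been cracked" objection applies: the report is produced once the outbound stages have already happened.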

Free to use, NOT open source (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21305763)

The source is nowhere to be found. Unfortunately.

false positives (3, Insightful)

1u3hr (530656) | more than 6 years ago | (#21303955)

FTFAdvertisement:

Hackers have become so adept at disguising malicious traffic to look benign that security systems now generate literally thousands of false positives, which Nemean virtually eliminates. In a test comparing Nemean against a current technology on the market, both had a high detection rate of malicious signatures: 99.9 percent for Nemean and 99.7 for the comparison technology. However, Nemean had zero false positives, compared to 88,000 generated by the other technology.

Sure, but if his system went into use, the "hackers" would quickly adapt and it would not be any better than current systems. Lots of anti-spam ideas work fine for the originator, but when they become common enough to bother the spammers, they target them.

That's the fault of the developers. (1)

khasim (1285) | more than 6 years ago | (#21304155)

They tend to test against a VERY limited set of threats.

And since their product is based upon defeating that very limited set of threats ... it does amazingly well against that very limited set of threats. Mostly because the set of "good" is also very limited.

The concept of protocol validation is good. But not for an IDS. It is better as part of the firewall protecting that server running that service. BUT! That also means that it needs to be able to shut off access to that server when it sees ANYTHING it doesn't understand.

Can you say DoS?

Otherwise, it's nothing more than a warning AFTER you've been cracked. Because it is possible to crack with one machine and control with a different one.

Unworthy article (4, Insightful)

flyingfsck (986395) | more than 6 years ago | (#21304029)

Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?

Great (2, Insightful)

causality (777677) | more than 6 years ago | (#21304235)

I love the way we keep coming up with all these band-aid solutions that attack symptoms without addressing the root cause, just because the root cause is non-trivial.

There are really only two reasons why botnets and their associated malware have become so prevalent. All other apparent causes stem from these two reasons:
  • The Windows monoculture. When this accounts for over 90% of all desktop installations, it's much easier to write a single worm/trojan/virus/etc that can single-handedly infect many thousands of hosts. This greatly reduces the number of vulnerabilities that need to be targeted and the knowledge necessary to exploit them on a large scale, which is a situation that favors the blackhats tremendously. If nature handled genetics this way, then the first lethal contagious disease to come along would destroy civilization. There are good reasons other than their business practices why the Microsoft monopoly is a bad idea. No matter how hard they work to improve security, there will be vulnerabilities, and due to this monopoly any single vulnerability will instantly affect millions of hosts. If you want the Internet overall to be a more secure place, this is not a good start. I believe this would be the case with any single vendor controlling this much of the market. Consider also that security is not the only selling point of Windows; convenience and "easier to use than EVER!" are also major factors and (especially convenience) are not compatible with security. The boilerplate nature of most commercial software is also a factor here.
  • The lack of education of the average user. I don't really know whether this is more or less difficult to address than the first item. The fact is that most users don't give a damn about security, at least not until their identity gets stolen or their data gets deleted or $AUTHORITY_FIGURE knocks on their door asking why their machine is attacking other machines. This appears to be because they don't see their security as their responsibility; they feel that this is entirely $VENDOR's problem. That they would feel this way is a foreseeable consequence of widespread "more convenient and easier to use than ever!" marketing, since this sets up the expectation that it will Just Work with no effort. While it would be easy to blame this on Microsoft since they have profited handsomely from it, I personally believe that this is an aspect of our general instant-gratification culture that effectively says nothing is worth putting any time and effort into; Microsoft merely had the business sense to realize that catering to it is the path to profit. It's difficult to seriously blame a company for doing something when nearly everyone is rewarding them for it. Because of this, if you try to educate people regarding things like system security, what you will find is that not only are most users ignorant, they don't WANT to learn. They see "all that technobabble" as an inconvenience, yet they insist on using equipment that requires some technical skill to properly maintain. This is something of a Catch-22 because Microsoft would build a much more secure Windows if no one would buy Windows otherwise, but average users with little technical skill are not going to create this kind of market.
Just like after-the-infection virus and spyware removal tools, this botnet detector is NOT a real solution, it's a form of damage control and should only be represented as such.

What I really want to see is a long-term plan for dealing with those two points. Until these factors change, we are going to keep having the same kind of problems again and again as the arms race between blackhats and whitehats continues. You are never going to have perfect security, but the current situation where one piece of malware can do tremendous damage on a massive scale is a situation that many people have worked very hard to bring about. Too bad that in a superficial society like ours, we have a huge phobia of actually addressing the roots of our problems because we keep hoping to find some form of an "easy way out" of situations that took a long time to become what they are.

Don't forget lousy design... (1)

argent (18001) | more than 6 years ago | (#21306205)

It's not the Windows monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar class action suit over it yet. This is like Ford building autos that kick the owners out and follow you home if you wave a yellow hanky at them.

What the hell is wrong with people that anyone, for one minute, could think this is a good idea? It's not. It's so lousy an idea that it makes only moderately lousy ideas like Java's security model look good by comparison, even to people like me who know better. It's so lousy it'd still be scratching after a week in pyrethrin. It's so lousy... gah... there's not an analogy corny enough to do justice to how lousy it is.

ISPs won't implement it anyway. (1)

fluffy99 (870997) | more than 6 years ago | (#21304335)

The major ISPs do not want to implement any kind of IDS or traffic monitoring. Why? Because they really enjoy their status as common-carriers. It absolves them of any blame for how the end users use the internet. If they start examining and filtering traffic even for legitimate reasons like detecting malicious traffic, they put that distinction in jeopardy. People and potentially the civil courts would assign the Telco the responsibility of policing their traffic. People would start suing the Telcos because they didn't detect that joe-blow had his computer compromised or they didn't detect and squash the DDOS attack directed against some company. Next step is forcing the Telcos to listen to all phone calls for the words 'bomb' or "Allah is great". After all, that's the NSA's job. :}

Re:ISPs won't implement it anyway. (3, Insightful)

geminidomino (614729) | more than 6 years ago | (#21304551)

Why does this get posted in every story involving TCP/IP manipulation? ISPs do not and never have had common carrier status.

99.9% detection... until the botnet makers adjust (1)

noidentity (188756) | more than 6 years ago | (#21304571)

His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers.

Similarly, you can eliminate SPAM in the lab, but the moment you release it, the SPAM makers will adjust their strategy. That's how arms races work. So get back with us once your solution is still working 6 months from now.

Missing Tools! (0, Offtopic)

psychicsword (1036852) | more than 6 years ago | (#21305239)

I know this isn't a slashdot survey but there is a very good tool to use (no, not that tool, you pervert).
LINUX!

Why boycott? (1)

magnus_1986 (841154) | more than 6 years ago | (#21305303)

Seeing that I was one of those who made inflammatory comments against Roland, I want to say some things.

You should notice that he stopped hiding links to his blogs in there and his topics are now about stuff a bit more, shall we say, concrete. I say we let him post (Not that I'm in a place that allows me that authority but still) and not flame his better posts.

Let the flames against Roland stop...

Re:Why boycott? (1)

cralewyth (934970) | more than 6 years ago | (#21305459)

hah, what a sig! :P

Thank you, thank you, I'll be here all week. Do try the fish.

Simple solution... (1)

Gordonjcp (186804) | more than 6 years ago | (#21305453)

Set your routers up to do OS fingerprinting. Drop all traffic from Windows boxes. This will have the handy side-effect of killing 99% of the spam that's out there too.
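What "OS fingerprinting at the router" amounts to in practice, as an added example that is not part of the original thread: a passive, p0f-style classifier over the fields of a TCP SYN (TTL class, DF bit, window size, option order), plus the proposed "drop Windows" decision on top of it. The signature table is an assumed, simplified approximation of commonly documented stack defaults, not a real tool's signature set.

```python
"""Passive OS fingerprinting from the fields of a TCP SYN, p0f-style.

Added example, not part of the original thread. The signature table is an
assumed, simplified approximation of commonly documented stack defaults;
real tools (p0f, nmap) carry far larger signature sets, and any stack can
be tuned to look like another, so treat the result as a hint.
"""
from dataclasses import dataclass

COMMON_INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class SynFeatures:
    ttl: int            # IP TTL as seen at the router
    window: int         # TCP window size advertised in the SYN
    df: bool            # IP "don't fragment" flag
    options: tuple      # TCP option kinds in the order they appear


# label -> (initial TTL, DF, accepted window sizes, option order). Assumed values.
SIGNATURES = {
    "Windows XP/2003 (assumed)": (128, True, {16384, 64240, 65535},
                                  ("mss", "nop", "ws", "nop", "nop", "sack")),
    "Windows 7 (assumed)":       (128, True, {8192},
                                  ("mss", "nop", "ws", "nop", "nop", "sack")),
    "Linux 2.6 (assumed)":       (64, True, {5840},
                                  ("mss", "sack", "ts", "nop", "ws")),
    "FreeBSD/macOS (assumed)":   (64, True, {65535},
                                  ("mss", "nop", "ws", "nop", "nop", "ts", "sack", "eol")),
}


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for init in COMMON_INITIAL_TTLS:
        if observed <= init:
            return init
    return COMMON_INITIAL_TTLS[-1]


def hop_distance(f: SynFeatures) -> int:
    """Hops the packet has travelled, inferred from how far the TTL has been decremented."""
    return initial_ttl(f.ttl) - f.ttl


def fingerprint(f: SynFeatures) -> str:
    """Return the first signature whose TTL class, DF bit, window and option order all match."""
    for label, (ttl0, df, windows, opts) in SIGNATURES.items():
        if (initial_ttl(f.ttl) == ttl0 and f.df == df
                and f.window in windows and f.options == opts):
            return label
    return "unknown"


def policy(f: SynFeatures) -> str:
    """The comment's rule, 'drop all traffic from Windows boxes', as a filter decision."""
    return "drop" if fingerprint(f).startswith("Windows") else "allow"


if __name__ == "__main__":
    # Constructed SYNs: a Windows XP host ten hops away, a Linux host, and the same
    # Linux stack with its default TTL raised to 128, which no longer matches anything.
    for syn in (
        SynFeatures(118, 65535, True, ("mss", "nop", "ws", "nop", "nop", "sack")),
        SynFeatures(57, 5840, True, ("mss", "sack", "ts", "nop", "ws")),
        SynFeatures(120, 5840, True, ("mss", "sack", "ts", "nop", "ws")),
    ):
        print(fingerprint(syn), hop_distance(syn), policy(syn))
```

Anything that does not match a signature falls through to "unknown", which the policy allows: a host whose default TTL or window has been changed, or a NAT that rewrites those fields, slips past the filter. That evadability is the technical reason, beyond the customer problem the reply raises, that the rule would not hold up for long.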

Re:Simple solution... (1)

Macthorpe (960048) | more than 6 years ago | (#21305897)

This will have the handy side-effect of killing 99% of the spam that's out there too.
And the even handier side-effect of driving away about 90% of your customers.

It must be nice to cling to an ideology so tightly that you can ignore practical concerns in order to follow it.

Zero false positives? hahahahahahahaha (1)

hal9000(jr) (316943) | more than 6 years ago | (#21306135)

Every intrusion detection vendor has hawked ways to reduce or eliminate false positives that have met with marginal success. Put that puppy in a live network and see what the false positives are.

Now there are certain behaviors that bots exhibit even when they are quiet waiting for commands. So looking at network traffic alone, if you have a bunch of hosts all talking to the same server for a long, long time (days, weeks, hours), that seem to move in unison, you probably have a botnet. This is different from traffic where a bunch of users are hitting a popular site like Youtube or Facebook where the traffic pattern looks more like web traffic (port 80, lots of small packets to the server, lots of bigger packets coming back, interactive behavior, etc).

Don't believe the zero false positives until you see it.
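The heuristic in the comment above, turned into detection logic over flow records, as an added example that is not part of the original thread or of the system the story describes. It scores each (server, port) by how many sources keep talking to it for a long time, how regular their contact gaps are, how closely they move in unison, and whether the byte counts look like beacons rather than downloads. The flow records and all thresholds are constructed and assumed.

```python
"""Spotting bots from flow records by the behaviour the comment above describes:
many hosts talking to the same server for a long time, at regular intervals,
in near lock-step, without the download-heavy shape of web browsing.

Added example, not part of the original thread. Records are constructed below;
thresholds are assumed starting points and need tuning on a real network.
"""
import random
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


MIN_HOSTS = 3              # how many sources must share the pattern
MIN_DURATION = 24 * 3600   # each source must keep talking at least this long
MAX_GAP_CV = 0.25          # coefficient of variation of inter-contact gaps (regularity)
SYNC_WINDOW = 60           # seconds; contacts in the same window count as "in unison"
MIN_SYNC = 0.8             # fraction of active windows in which every candidate appears
MAX_ASYMMETRY = 5.0        # bytes_in / bytes_out above this looks like downloads, not beacons


def source_stats(flows):
    """Duration, gap regularity and byte asymmetry of one source's flows to one server."""
    ts = sorted(f.ts for f in flows)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean_gap = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
    out = sum(f.bytes_out for f in flows) or 1
    return {"duration": ts[-1] - ts[0], "cv": cv,
            "asymmetry": sum(f.bytes_in for f in flows) / out}


def synchrony(per_src_ts):
    """Fraction of active time windows in which every source shows up."""
    windows = defaultdict(set)
    for src, ts in per_src_ts.items():
        for t in ts:
            windows[t // SYNC_WINDOW].add(src)
    full = sum(1 for present in windows.values() if len(present) == len(per_src_ts))
    return full / len(windows) if windows else 0.0


def find_botnets(flows):
    """Map (dst, dport) -> {hosts, sync} for servers that look like C2 rendezvous points."""
    by_server = defaultdict(lambda: defaultdict(list))
    for f in flows:
        by_server[(f.dst, f.dport)][f.src].append(f)
    suspects = {}
    for server, by_src in by_server.items():
        candidates = {}
        for src, fl in by_src.items():
            st = source_stats(fl)
            if (st and st["duration"] >= MIN_DURATION
                    and st["cv"] <= MAX_GAP_CV and st["asymmetry"] <= MAX_ASYMMETRY):
                candidates[src] = sorted(f.ts for f in fl)
        if len(candidates) >= MIN_HOSTS:
            sync = synchrony(candidates)
            if sync >= MIN_SYNC:
                suspects[server] = {"hosts": sorted(candidates), "sync": round(sync, 2)}
    return suspects


def constructed_flows():
    """Two days of made-up traffic: three bots beaconing to a C2 server every five
    minutes with a few seconds of jitter, and five users browsing a popular site."""
    rng = random.Random(7)
    t0 = 1_700_000_000
    flows = []
    for src in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for k in range(2 * 24 * 12):
            flows.append(Flow(t0 + k * 300 + rng.randint(0, 15), src,
                              "203.0.113.5", 6667, 64, 96))
    for src in ("10.0.0.21", "10.0.0.22", "10.0.0.23", "10.0.0.24", "10.0.0.25"):
        t = t0 + rng.randint(0, 3600)
        for _ in range(40):
            t += rng.randint(30, 7200)          # irregular, user-driven gaps
            flows.append(Flow(t, src, "198.51.100.10", 443,
                              rng.randint(300, 900), rng.randint(20_000, 200_000)))
    return flows


if __name__ == "__main__":
    for server, info in find_botnets(constructed_flows()).items():
        print(server, info)
```

The browsing hosts fail two independent tests (their gaps are irregular and their traffic is heavily inbound), so no single threshold carries the decision; that is what keeps the false positive rate down on the popular-site case the comment raises. What it does not handle is a bot that randomizes its beacon interval or pads its traffic, which is exactly the adjustment an earlier comment predicts once any detector ships.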