Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
News

Internet Providers Band Together to Fight Evil 116

A user writes "A group of prominent Internet providers are teaming up with a security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of Arbor Networks Peakflow SP internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?"
This discussion has been archived. No new comments can be posted.

Internet Providers Band Together to Fight Evil

Comments Filter:
  • by Moskie ( 620227 ) on Wednesday March 30, 2005 @07:52AM (#12087588)
    How about: "It sounds a bit like SkyNet, doesn't it?"
  • Yeah, great, because we all know that AOL, MSN and Google are pure in heart epitomies of goodness.
  • "Evil"? (Score:5, Insightful)

    by Markus Persson ( 709555 ) on Wednesday March 30, 2005 @07:54AM (#12087604) Homepage
    DDOS attacks? BitTorrent traffic? Spam email? Slashdotting? Seems a bit too vague to be good.
    • Re:"Evil"? (Score:5, Insightful)

      by KiloByte ( 825081 ) on Wednesday March 30, 2005 @08:35AM (#12087770)
      Uh oh.
      If I read this correctly, if you take part in a DDOS attack also known as "Slashdotting", it takes just a single trigger-happy sysadmin somewhere on the way to knock you and the rest of us from the participating networks.

      The article is pretty vague, and if I read correctly, there _is_ a human factor involved. Of course, humans are better from machines from telling apart a bone-fide Slashdotting (beh, a "bona-fide" DDOS attack :p ) from something that's meant just to destroy.

      However, our bona-fide attack just took their server down. We're entering a gray area here: is it still a legitimate flash crowd? It's often hard to tell. The problem is, until today, the one who used to lose was the affected server. If enough backbone ISPs will join this alliance, it will be us getting hurt by the collateral damage.
      • Re:"Evil"? (Score:5, Informative)

        by hal9000(jr) ( 316943 ) on Wednesday March 30, 2005 @08:55AM (#12087918)
        If I read this correctly, if you take part in a DDOS attack also known as "Slashdotting",

        No, a denial of service against a web server such as a syn flood or a resource attack doesn't look like /.ing. When a /. event occurs, the clients actually try to complete the TCP connections and HTTP transactions. The flow of data is two way. Think about what HTTP looks like from a packet perspective. From client to server, the initiation of the HTTP session, small packets to the server signifying GETs and POSTs or TCP ACK, and more data from server to client returning pages, images, etc. It's a pretty well known behavior.

        In a denial of service like a syn flood, there are a bunch of incomplete TCP handshakes, often from the reserved address space. In a resource starvation attack, the TCP may complete, but the client doesn't actually send any traffic to the host, in the case of an HTTP transation, would be a GET or a POST--so you get a TCP set-up and then nothing else.

        In a /. event, what Peakflow will is a a spike in traffic but it will also see that clients are attempting transactions and they are coming from valid addresses (non reserved). That looks different.

        See?
        • I can make a DDOS attack will full TCP handshakes, too.
          • Yes, but if you read the whole post, you would have seen that I addressed that. But to be really clear, the product only provides an indication of something abnormal happening. It takes an admin to determine of the event is malicous or not. I am going to assume that flash traffic is not generally malicious.
        • Having multiple providers aggregating traffic info in real time would also allow for *much* better use of predictive caching, so an obscure but interesting site wouldn't be killed (or the owner bankrupted by the bandwidth bill!) when a link to their work gets posted.
        • You sound much more knowledgable than I on this subject, so I'll ask you this question: If it can be discerned by a server, then it should be dicernable further up the chain as well. Why haven't backbone providers implemented countermeasures?

          Could you set up a network where only 2 incomplete TCP handshakes per minute are allowed, all other packets from that IP ignored for the remainder of the minute? Same basic idea with a starvation attack - if you don't receive traffic within a given timeframe, that
      • Re:"Evil"? (Score:2, Insightful)

        by Woy ( 606550 )
        How long until "evil" means usage of p2p protocols? Legal, illegal, that'll be too much work to figure out. Any central point from which everyone's connectivity depends is a potential point of failure, and it will be compromised, either technically or legally and turned against, well, us. If we come to depend on it, it will be a matter of when, not if.

    • They will resque people from collapsing bridges, stop vulcano eruptions and help getting kittens out of trees even though they might get scratched.
  • Interesting Idea (Score:2, Interesting)

    by xtracto ( 837672 )
    From TFA: Arbor Networks added the Fingerprint sharing capability to Peakflow SP to allow companies to share attack fingerprints automatically without revealing any competitive information.

    The notion of "Fingerprints" is interesting, I wonder if this will really stop the spammers and other cyber-criminals.

    As for the revealing competitive information I dont care revealing anything these bastards could have, you know, they keep pissing people so, why have any consideration ??
    • As for the revealing competitive information I dont care revealing anything these bastards could have, you know, they keep pissing people so, why have any consideration ??

      Keeping the information non-specific protects ISPs sharing fingerprints from any privacy concerns or laws and also from giving out too much information about their own network to possible competitors. Think traffic jump X on ports Y and Z, through border router Q, with additional criteria A, B, C. It describes a type of traffic and c

  • I've always thought that seeing the world after the nuclear apocalypse done by Skynet would be cool. Post-nuclear winter. Here I come!
    • I thonk that they should start and end the entire nuclear war near the end of winter. Then we get post-nuclear spring, which is much more enjoyable.
  • hmm (Score:5, Interesting)

    by Sv-Manowar ( 772313 ) on Wednesday March 30, 2005 @07:58AM (#12087615) Homepage Journal
    This all seems to vague to work, a box that could be exploitable reporting "evil" acts to others, there's something missing here

    I can't see this working unless they make it more secure, and define what "evil" is
  • Fight evil? (Score:2, Funny)

    by Anonymous Coward
    Will they all be wearing spandex bodysuits and flowing capes to work?
    • Will they all be wearing spandex bodysuits and flowing capes to work?

      Oh god, please... NO. I have this delicate image of a 300 pound sysadmin with greasy hair and beard wearing what you described. For some reason, I have now completely lost my appetite...
  • MSIE Deletion squad (Score:5, Interesting)

    by FidelCatsro ( 861135 ) <fidelcatsro AT gmail DOT com> on Wednesday March 30, 2005 @08:02AM (#12087638) Journal
    Ok when i first read this , i had images of a bunch of guys in orange suits bursting into peoples houses and Instaling firefox and anti spyware software on windows machines, then just before diving out the window shouting "All in a days work Ma'am"

    After reading the story though , i must say "About fragleing time " .
    As the submitter mention razor ,which has been around for a good while i have been amazed how many ISPs are actualy doing very little about it , I have my theorys why some do so little (pay per bandwidth is becoming rather popular these days) though most are not like this.
    The sooner ISPs take a proactive(shudder jargon word) stand against offenders and start to disalow the traffic or manage problems (im aware many people are victums , but this gives them an alert that they have an infected PC ), the sooner we can start to enjoy our times online without fear of Spam or fear that our servers will be DDoS'ed into the ground.,
    • by Anonymous Coward
      90% of the DDoS problem would be dealt with if ISPs used competent edge filtering on their networks. If traffic is leaving your florida-based network addressed from China, just drop it already. That'd stop most of the script kiddies with their stupid scripts that spoof from random IPs. Likewise, don't let pings come into your network to your broadcast address. These are simple things that don't even involve examining the contents of packets or throttling bittorrent/voip/yourfavoriteapp, yet across the w
      • 90% of the DDoS problem would be dealt with if ISPs used competent edge filtering on their networks.

        Even better would be filtering as close to the customer as possible - if your DSL connection has been allocated the network 1.2.3.4/29 then all traffic from your DSL *not* coming from 1.2.3.4/29 can be filtered at the ISP end of the DSL pipe - i.e. it's filtered before it even enters the ISP network. This prevents spoofing of other users on the same ISP - any unblocked traffic would easilly be traced back
        • I thought DSL (and dialup) already had that, and that was only an issue with cable modem.
          • I thought DSL (and dialup) already had that, and that was only an issue with cable modem.

            Not from what I've seen - some ISPs filter spoofed traffic with a source address outside the ISP's network, others appear to do no filtering at all. I'm not sure if any bother to filter based on a customer's allocated network.
    • IF there's somethign strange , in your network group Who You Gonna Call .. DDOS butsters If your packets are strange , and your email slow Who You Gonna Call .. DDOS busters
    • The sooner ISPs take a proactive(shudder jargon word) stand against offenders and start to disalow the traffic or manage problems (im aware many people are victums , but this gives them an alert that they have an infected PC )

      I doubt that the fingerprint sharing alliance will have much direct effect upon this problem. It will help ISPs better manage traffic generated by DoS attacks launched by infected home computers, but most of the ISPs have had a list of infected hosts for a while now (one is provided

    • You cleave to the muzzle of a bunch of fat enveloping whales.

      The ankle is the time to kill. Dont forget to stab you in your general direction. I dislike it because you have any cocane?

      What the fuck are you fucking talking about but cannot recall what i have a very easy job. The kind robots will be ddos'ed into the ground.
  • "members of the alliance can share internet threat information with each other in real time"

    That and some sweet downloads.
  • Looks great (Score:1, Funny)

    by Anonymous Coward
    Looks great and all, but according to one of those screenshots, alot of the ICMP packets are coming from 172.x.x.x addresses. I asked my ISP if they could dish me out a few of these once awhile back, but they kept on declining everytime I asked. What gives?

    Also, they say this bad boy runs on OpenBSD. Where can I download my copy?
  • Barracuda Networks (Score:5, Informative)

    by p0 ( 740290 ) on Wednesday March 30, 2005 @08:04AM (#12087644)
    The best example for collaborative evil fighting is www.barracudanetworks.com
  • ... they implement the evil bit?
  • by mwdmeyer ( 803276 ) on Wednesday March 30, 2005 @08:07AM (#12087659) Homepage
    A group of prominent Internet providers
    Not after we slashdotted them :\

    Shouldn't these so called "Internet providers" cope with a small increase in traffic?
  • by Anonymous Coward
    RIAA and MPAA Team Together to Create Kryptonite would be my guess.
  • by TheSpeedoBeast ( 863070 ) on Wednesday March 30, 2005 @08:18AM (#12087704)
    This could be the greatest comic book. Ever.
  • by G4from128k ( 686170 ) on Wednesday March 30, 2005 @08:28AM (#12087739)
    Initiatives such as this one are part of a move toward an internet immune system -- active systems that watch for and halt undesirable activities. But like the mammalian immune system, it will doubtless be subject to false positives. This raises the potential for auto-immune diseases such as when someone's IP is inappropriately blacklisted.

    The core of the problem will be a disconnect between the fast response time required for properly halting fast-spreading malware (e.g., a compact worm that attacks even just 1% of hosts will probably double its infected base every second and saturate the entire net within a minute) and the slower response times of human-mediated due-process procedures. The need to quickly halt infections will lead to a hair-trigger system that may shutdown innocent hosts or kill legitimate activity.

    Internet auto-immune diseases are potentially quite serious as that actually create a serious new vulnerability. Criminals could try to trigger an immune response on a target and trigger an immunity-DOS response on the target by using the system against itself.
  • from the razor [sourceforge.net] home page, top right corner. "spam should not be propagated beyond necessity"

    Is just engrish [engrish.com] or something? What amount of spam propagation is necessary? Can't the last two words there just be dropped?

  • Finally the evil bit is going to be used! They start on Friday.
  • by sTeF ( 8952 )
    Since they are the ones providing the pipes, they could really give a boost to the RFC 3514 [rfc-editor.org] a.k.a. Evil Bit for filtering out the unwanted packets ...
  • by pklong ( 323451 )
    "Internet Providers Band Together to Fight Evil"

    I wonder what their special powers will be. I know BT's agreement with ET will enable it to fly bicycles and heal sick things with a glowing finger, but what about the others?

    (Sorry American people etc. You probably haven't seen the adverts.)
  • How it works (Score:5, Informative)

    by hal9000(jr) ( 316943 ) on Wednesday March 30, 2005 @08:45AM (#12087845)
    Ok, Peakflow SP tracks and reports on network flows and the associated data gleaned from a flow such as src/dst IP addresses and ports, bytes transferred, duration of flow, etc. It does't capture packet data (though you can do that on a limited basis). A flow is a unique network transaction that starts with the first packet from a source to a destination and ends with either a time-out(no packet sent) or in the case of TCP, a close sequence (RST, FIN).

    What is interesting about this is that traffic like DoS/DDoS attacks port scans have unique network fingerprints. For example, a DDoS attack is a large amount of traffic to a single source, often without any return traffic. That is unusual. Sure, the /. effect might trigger a DoS alert, but someone has to go investigate the cause. Besides, how many sites get /.ed on a daily basis? But in general, flash traffic would be seen.

    What this means for service providers, hopefully, is that they can more quickly respond to attacks and improve the general health of the networks they manage by locating the source of the malicious traffic more quickly.
  • by NoMercy ( 105420 ) on Wednesday March 30, 2005 @09:14AM (#12088040)
    Subject says it all, and it's pretty much all I want, a automated system where by if I say I don't want to recieve ICMP messages for the next hour, my ISP firewalls them off.

    A similar system could be employed by the ISP to inform the backbone to stop sending them specific types of packet for a while, and mabie evolved so that backbones can tell large ISPs to filter some of there customers from sending packets at a specific target.
    • Subject says it all, and it's pretty much all I want, a automated system where by if I say I don't want to recieve ICMP messages for the next hour, my ISP firewalls them off.

      This seems fine if it is only done at your request. But with the system in place, isn't there a central authority that can turn things on and off at their own whim? When I first read about this, it seemed more like a "Great Firewall of China" controlled by American corporations. I hope I am mistaken.

      • The User-ISP one is pretty solid. The only diference to the current system is where the filtering takes place. Instead of you filtering out incoming pings (for example) the filtering would be done on the other side of the Cable/ADSL line, thus freeing the limited-bandwidth link for valid trafic.

        It could be abused in some situations, but for the most part, some simple rules to remove filters which arn't in use anymore, and to ensure only sensible requests are made would probably make it very dificult for a
  • Maybe they should change the name of the organization to the Civic Minded-18. Of course their battle cry [rose-hulman.edu] is going to have to be, "Let's Make A Difference!"
  • Blunt Marketing? (Score:2, Informative)

    by Anonymous Coward
    First of all, some more details about this project can be found here. [arbor.net]

    There is nothing new about the idea, in fact, it's long overdue. There is however something new in the idea having a practical implementation. The problem so far was that various network operators use very different hardware and software to monitor their networks (if at all..), thus, the idea of a 'fingerprint' may vary. Sharing becomes difficult.

    By standarlizing on one platform (Arbor Networks PeakFlow SP), this becomes possible. All o
    • In fact, it's all not much more than clever marketing for overpriced Arbor devices; without the initiative, you can easily look toward other products (Cisco GuardXT, ex-Riverhead, many others).

      A system like this relies upon two factors; intelligence and filtering horsepower. One nice benefit to Arbor's offering (as opposed to riverhead/cisco) is that while Arbor provides the intelligent part of the system, they will interoperate with any vendor's filtering horsepower. If Cisco's system ever actually st

  • by mwilliamson ( 672411 ) on Wednesday March 30, 2005 @09:42AM (#12088274) Homepage Journal
    Texas A&M University has put together an open source tool called NetSquid which can be put inline with your evil users (dorms). It then automagically identifies viral outbreaks (via snort rule matching) and cuts their access (using iptables) to everything except an internal Webserver to notify them of their infection. If they stop spewing viral traffic for a pre-set time, it allows them back on without IT staff intervention.

    http://netsquid.tamu.edu/ [tamu.edu]

  • I notice no AOL on this list. The single largest provider of drone machines for botnets. You'd think they'd want in on something like this.
  • by Jesus_666 ( 702802 ) on Wednesday March 30, 2005 @10:16AM (#12088577)
    When I read "Internet Providers Band Together to Fight Evil" for some reason I had the mental image of a bunch of kids with the names of major ISPs written on their T-shirts running around with rings containing the power of broadband, low latency etc.
    Whenever the evil Doctor Congestion and Señor Spam try to take over the 'Net they come together to summon Captain Internet who saves the day and educates us about how to use up less bandwidth.
  • by minas-beede ( 561803 ) on Wednesday March 30, 2005 @10:26AM (#12088678)
    If they would but do it this coalition could expand their concern to the detection and prevention of zombie spam (that is, abuse of systems within each provider's IP space as zombies) they could begin the process of eliminating spam. Not dealing with spam, eliminating spam. It's long past time for that.

    The great unexploited opportunity for eliminting spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.

    The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intemediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.

    All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philospohy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is bieng intercepted. It's always good to make life harder for the spammers, to add to their burden.)
    • The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intemediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.

      Spam currently follows a pretty recognizable pattern on the internet. That does not mean zombies could not be programmed to send spam in a less recognizabl

      • "Spam currently follows a pretty recognizable pattern on the internet. That does not mean zombies could not be programmed to send spam in a less recognizable way, or in a way that mimics normal e-mail usage. This could slow down spam, but I doubt it is a good long term solution."

        It's always going to be packets in to some IP address, always going to be packets out to port 25 at some other IP address. The nastiest technique would be to have a local network of zombies so that the incoming packets go to a di
        • The article talks of sharing the "fingerprints" of the abuse, which seems to indicate that one of the design goals is to anticipate and provide for a constantly-changing pattern of abuse rather than assume a fixed pattern.

          It is true that you can fingerprint traffic on a variety of criteria, and recognize particular types of use. The problem is that their are only a limited number of traffic characteristics that can be easily gathered an analyzed on a macroscopic scale. You can evaluate the ports, packet

          • If a host begins talking on port 25 did a worm just start spamming or did the user sign up for a new e-mail account?

            What's the destination of the port 25 packets? In general I don't wish to examine packet contents, only size and ports and IP addresses. For abuse packets my feeling is that the ISP has a complete right to fully examine them - the ISP is acting to protect itself and is not intercepting valid traffic.

            The easiest traffic to spot is the worm propagation traffic that compromises machines in
  • Obligatory (Score:3, Funny)

    by TractorBarry ( 788340 ) on Wednesday March 30, 2005 @10:30AM (#12088713) Homepage
    (goofy tech looking at LAN Monitor) What's that on the LAN ?

    Is it a torrent packet ?

    Is it a ping ?

    No... it's ISP man !!!!

    I just hope they wear good tights. Superheros need good tights.
  • I wish it sounded more like DCC, which is vastly superior.
  • ... I thought for a minute maybe everyone was going to gang up on SCO.
  • Until every provider (or at least a significant number of them) starts using new standards, and particularly for e-mail. Spam via e-mail is one of the biggest problems today, and it is all because of an extremely inadequate e-mail standard. In my opinion, this where it should all begin. Is that one of the goals clearly stated by this "alliance"?

  • http://www.forescout.com/activescout.html

It is clear that the individual who persecutes a man, his brother, because he is not of the same opinion, is a monster. - Voltaire

Working...