Internet Providers Band Together to Fight Evil
A user writes "A group of prominent Internet providers is teaming up with security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of the Arbor Networks Peakflow SP internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?"
"It sounds a bit like Razor, doesn't it?" (Score:5, Funny)
Re:"It sounds a bit like Razor, doesn't it?" (Score:3, Insightful)
Since it is run by humans it must be totally innocent and for the benefit of the human race in general, right?
Re:"It sounds a bit like Razor, doesn't it?" (Score:1)
Fighting evil!? (Score:1)
Re:Fighting evil!? (Score:4, Insightful)
Re:Fighting evil!? (Score:1)
Re:Fighting evil!? (Score:2)
It's the drug-induced hallucinations. Google isn't an Internet provider. Rumors abounded when Google was looking for people experienced in fiber, but they want to start mapping and reselling dark fiber. It is just sitting there.
"Evil"? (Score:5, Insightful)
Re:"Evil"? (Score:5, Insightful)
If I read this correctly, if you take part in a DDOS attack also known as "Slashdotting", it takes just a single trigger-happy sysadmin somewhere on the way to knock you and the rest of us from the participating networks.
The article is pretty vague, and if I read correctly, there _is_ a human factor involved. Of course, humans are better than machines at telling apart a bona-fide Slashdotting (beh, a "bona-fide" DDOS attack
However, our bona-fide attack just took their server down. We're entering a gray area here: is it still a legitimate flash crowd? It's often hard to tell. The problem is, until today, the one who used to lose was the affected server. If enough backbone ISPs join this alliance, it will be us getting hurt by the collateral damage.
Re:"Evil"? (Score:5, Informative)
No, a denial of service against a web server such as a syn flood or a resource attack doesn't look like
In a denial of service like a syn flood, there are a bunch of incomplete TCP handshakes, often from the reserved address space. In a resource starvation attack, the TCP may complete, but the client doesn't actually send any traffic to the host, which in the case of an HTTP transaction would be a GET or a POST--so you get a TCP set-up and then nothing else.
In a
See?
Re:"Evil"? (Score:1)
Re:"Evil"? (Score:1)
Re:"Evil"? (Score:2)
Re:"Evil"? (Score:2)
Could you set up a network where only 2 incomplete TCP handshakes per minute are allowed, all other packets from that IP ignored for the remainder of the minute? Same basic idea with a starvation attack - if you don't receive traffic within a given timeframe, that
Re:"Evil"? (Score:2, Insightful)
Re:"Evil"? (Score:1)
Interesting Idea (Score:2, Interesting)
The notion of "Fingerprints" is interesting, I wonder if this will really stop the spammers and other cyber-criminals.
As for revealing competitive information, I don't care about revealing anything these bastards could have, you know, they keep pissing people off, so why have any consideration??
Re:Interesting Idea (Score:3, Insightful)
As for revealing competitive information, I don't care about revealing anything these bastards could have, you know, they keep pissing people off, so why have any consideration??
Keeping the information non-specific protects ISPs sharing fingerprints from any privacy concerns or laws and also from giving out too much information about their own network to possible competitors. Think traffic jump X on ports Y and Z, through border router Q, with additional criteria A, B, C. It describes a type of traffic and c
Well... (Score:1)
Re:Well... (Score:2)
hmm (Score:5, Interesting)
I can't see this working unless they make it more secure, and define what "evil" is
Re:hmm (Score:1, Funny)
IP packet with Evil Bit set?
Re:hmm (Score:1, Funny)
Re:hmm (Score:1)
They'll be fighting the enemies of democracy.
I know its like 2 days early, but.... (Score:4, Informative)
Re:hmm (Score:1)
http://www.faqs.org/rfcs/rfc3514.html [faqs.org]
Fight evil? (Score:2, Funny)
Are you kidding? (Score:2, Funny)
Oh god, please... NO. I have this delicate image of a 300 pound sysadmin with greasy hair and beard wearing what you described. For some reason, I have now completely lost my appetite...
MSIE Deletion squad (Score:5, Interesting)
After reading the story though , i must say "About fragleing time "
As the submitter mentioned Razor
The sooner ISPs take a proactive (shudder, jargon word) stand against offenders and start to disallow the traffic or manage problems (I'm aware many people are victims, but this gives them an alert that they have an infected PC), the sooner we can start to enjoy our time online without fear of spam or fear that our servers will be DDoS'ed into the ground.
Re:MSIE Deletion squad (Score:3, Informative)
Re:MSIE Deletion squad (Score:2)
Even better would be filtering as close to the customer as possible - if your DSL connection has been allocated the network 1.2.3.4/29 then all traffic from your DSL *not* coming from 1.2.3.4/29 can be filtered at the ISP end of the DSL pipe - i.e. it's filtered before it even enters the ISP network. This prevents spoofing of other users on the same ISP - any unblocked traffic would easily be traced back
Re:MSIE Deletion squad (Score:2)
Re:MSIE Deletion squad (Score:2)
Not from what I've seen - some ISPs filter spoofed traffic with a source address outside the ISP's network, others appear to do no filtering at all. I'm not sure if any bother to filter based on a customer's allocated network.
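The two filtering policies the comments above contrast, as an added example (not code from the thread or from any ISP): a "loose" filter that only checks the source against the ISP's whole aggregate, versus a strict per-access-port filter that checks the source against the prefix allocated to that customer. The port table, aggregate and packets are constructed; note that `ipaddress` needs `strict=False` to accept the commenter's `1.2.3.4/29` spelling, which it normalises to the network `1.2.3.0/29`.

```python
"""Loose (ISP-aggregate) versus strict (per-customer-port) ingress filtering.

Added example; the aggregate, port table and packets are constructed.
"""
import ipaddress

# Hypothetical ISP aggregate: a loose filter only asks "is the source ours?"
ISP_AGGREGATE = ipaddress.ip_network("1.2.0.0/16")

# Hypothetical access-port table: port -> prefix allocated to that customer.
# strict=False lets the prefix be written with host bits set (1.2.3.4/29)
# and stores the network address (1.2.3.0/29).
ACCESS_PORTS = {
    "dsl-0/1": ipaddress.ip_network("1.2.3.4/29", strict=False),
    "dsl-0/2": ipaddress.ip_network("1.2.3.8/29", strict=False),
}


def loose_verdict(port, src):
    """Filter at the network edge: accept any source inside the ISP aggregate."""
    return "accept" if ipaddress.ip_address(src) in ISP_AGGREGATE else "drop"


def strict_verdict(port, src):
    """Filter at the customer port: accept only the prefix allocated to it."""
    prefix = ACCESS_PORTS.get(port)
    if prefix is None:
        return "drop"  # unknown port: fail closed
    return "accept" if ipaddress.ip_address(src) in prefix else "drop"


def compare(packets):
    """packets: iterable of (port, src). Returns (port, src, loose, strict) rows."""
    return [(port, src, loose_verdict(port, src), strict_verdict(port, src))
            for port, src in packets]


def sample_packets():
    """Constructed packets arriving on customer port dsl-0/1."""
    return [
        ("dsl-0/1", "1.2.3.5"),       # the customer's own address
        ("dsl-0/1", "1.2.3.9"),       # spoofing the neighbour on dsl-0/2
        ("dsl-0/1", "203.0.113.1"),   # spoofing an address outside the ISP
        ("dsl-9/9", "1.2.3.5"),       # port with no allocation on record
    ]


if __name__ == "__main__":
    for row in compare(sample_packets()):
        print("%-8s %-12s loose=%-6s strict=%s" % row)
```

The second row is the one the comment is about: a source spoofed from another customer of the same ISP passes the aggregate-only check and is stopped only by the per-port filter.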
Re:MSIE Deletion squad (Score:3, Funny)
Re:MSIE Deletion squad (Score:2)
The sooner ISPs take a proactive (shudder, jargon word) stand against offenders and start to disallow the traffic or manage problems (I'm aware many people are victims, but this gives them an alert that they have an infected PC)
I doubt that the fingerprint sharing alliance will have much direct effect upon this problem. It will help ISPs better manage traffic generated by DoS attacks launched by infected home computers, but most of the ISPs have had a list of infected hosts for a while now (one is provided
Re:MSIE Deletion squad [winhat] (Score:1)
The ankle is the time to kill. Dont forget to stab you in your general direction. I dislike it because you have any cocane?
What the fuck are you fucking talking about but cannot recall what i have a very easy job. The kind robots will be ddos'ed into the ground.
Re:MSIE Deletion squad [winhat] (Score:2)
What's REALLY going on... (Score:1)
That and some sweet downloads.
Looks great (Score:1, Funny)
Also, they say this bad boy runs on OpenBSD. Where can I download my copy?
Barracuda Networks (Score:5, Informative)
Re:Barracuda Networks (Score:1)
So finally ... (Score:1)
prominent...... (Score:4, Funny)
Not after we slashdotted them
Shouldn't these so called "Internet providers" cope with a small increase in traffic?
Re:prominent...... (Score:1)
We're Slashdot - the world's friendliest dDOS attack! Few servers have stood alone against our might and kept running . . . . .
I just wonder what the next headline will be (Score:1, Funny)
"Internet Providers Band Together to Fight Evil" (Score:4, Funny)
Re: (Score:1)
Internet automimmune diseases (Score:5, Informative)
The core of the problem will be a disconnect between the fast response time required for properly halting fast-spreading malware (e.g., a compact worm that attacks even just 1% of hosts will probably double its infected base every second and saturate the entire net within a minute) and the slower response times of human-mediated due-process procedures. The need to quickly halt infections will lead to a hair-trigger system that may shutdown innocent hosts or kill legitimate activity.
Internet auto-immune diseases are potentially quite serious as they actually create a serious new vulnerability. Criminals could try to trigger an immune response on a target and trigger an immunity-DOS response on the target by using the system against itself.
what is this supposed to mean? (Score:1)
Is it just engrish [engrish.com] or something? What amount of spam propagation is necessary? Can't the last two words there just be dropped?
Re:what is this supposed to mean? (Score:1)
I don't know that answer, but I know "beyond necessity" is 1.
Evil bit (Score:2)
RFC 3514 (Score:2)
Special Powers (Score:2, Funny)
I wonder what their special powers will be. I know BT's agreement with ET will enable it to fly bicycles and heal sick things with a glowing finger, but what about the others?
(Sorry American people etc. You probably haven't seen the adverts.)
How it works (Score:5, Informative)
What is interesting about this is that traffic like DoS/DDoS attacks and port scans has unique network fingerprints. For example, a DDoS attack is a large amount of traffic to a single source, often without any return traffic. That is unusual. Sure, the
What this means for service providers, hopefully, is that they can more quickly respond to attacks and improve the general health of the networks they manage by locating the source of the malicious traffic more quickly.
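The fingerprints described in the two "Informative" comments above (half-open handshakes from a syn flood, sources in reserved address space, handshakes that complete but never send a request, and a flood of one-sided traffic toward one destination) turned into detection logic over flow records, as an added example that is not part of the thread or of any vendor's product. The flow records, thresholds and the bogon list are constructed for the example.

```python
"""Fingerprint DoS-style traffic from per-connection flow records.

Added example; the records and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Reserved/unroutable source space a syn flood often borrows (constructed list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    handshake: bool   # three-way handshake completed
    payload: int      # client bytes sent after the handshake
    reply_bytes: int  # bytes the destination sent back


def is_bogon(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in BOGONS)


def fingerprint(flows, half_open_threshold=20, empty_threshold=20,
                min_flows=50, quiet_fraction=0.9):
    half_open = defaultdict(int)   # SYNs that never completed, per source
    empty = defaultdict(int)       # completed handshakes with no payload, per source
    bogons = set()
    per_dst = defaultdict(lambda: [0, 0])  # dst -> [flows, flows with no reply]
    for f in flows:
        if is_bogon(f.src):
            bogons.add(f.src)
        if not f.handshake:
            half_open[f.src] += 1
        elif f.payload == 0:
            empty[f.src] += 1
        per_dst[f.dst][0] += 1
        if f.reply_bytes == 0:
            per_dst[f.dst][1] += 1
    return {
        "syn_flood_sources": sorted(
            s for s, n in half_open.items() if n >= half_open_threshold),
        "bogon_sources": sorted(bogons),
        "starvation_sources": sorted(
            s for s, n in empty.items() if n >= empty_threshold),
        # one-sided traffic: lots of flows at a destination, almost none answered
        "one_sided_destinations": sorted(
            d for d, (total, quiet) in per_dst.items()
            if total >= min_flows and quiet / total >= quiet_fraction),
    }


def sample_flows():
    """Constructed records standing in for one collection interval."""
    dst = "198.51.100.10"
    flows = []
    # 25 half-open connections from one routable source: syn flood
    flows += [Flow("203.0.113.7", dst, 80, False, 0, 0) for _ in range(25)]
    # a few SYNs carrying a private (bogon) source address
    flows += [Flow("10.9.9.9", dst, 80, False, 0, 0) for _ in range(5)]
    # 30 completed handshakes that never send a GET/POST: resource starvation
    flows += [Flow("192.0.2.44", dst, 80, True, 0, 0) for _ in range(30)]
    # two normal HTTP sessions with request and response bytes
    flows += [Flow("203.0.113.200", dst, 80, True, 300, 5000) for _ in range(2)]
    return flows


if __name__ == "__main__":
    for name, hits in fingerprint(sample_flows()).items():
        print(name, hits)
```

Only addresses, ports, handshake state and byte counts are consulted, which is the level of detail the thread expects a shared fingerprint to carry; the thresholds are the tuning knobs an operator would set per link.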
Automatic upstream firewalling (Score:4, Insightful)
A similar system could be employed by the ISP to inform the backbone to stop sending them specific types of packet for a while, and maybe evolved so that backbones can tell large ISPs to filter some of their customers from sending packets at a specific target.
Great Firewall of China? (Score:2)
This seems fine if it is only done at your request. But with the system in place, isn't there a central authority that can turn things on and off at their own whim? When I first read about this, it seemed more like a "Great Firewall of China" controlled by American corporations. I hope I am mistaken.
Re:Great Firewall of China? (Score:2)
It could be abused in some situations, but for the most part, some simple rules to remove filters which aren't in use anymore, and to ensure only sensible requests are made would probably make it very difficult for a
Fighting Evil-Doers? (Score:1)
Blunt Marketing? (Score:2, Informative)
There is nothing new about the idea, in fact, it's long overdue. There is however something new in the idea having a practical implementation. The problem so far was that various network operators use very different hardware and software to monitor their networks (if at all..), thus, the idea of a 'fingerprint' may vary. Sharing becomes difficult.
By standardizing on one platform (Arbor Networks PeakFlow SP), this becomes possible. All o
Re:Blunt Marketing? (Score:2)
In fact, it's all not much more than clever marketing for overpriced Arbor devices; without the initiative, you can easily look toward other products (Cisco GuardXT, ex-Riverhead, many others).
A system like this relies upon two factors; intelligence and filtering horsepower. One nice benefit to Arbor's offering (as opposed to riverhead/cisco) is that while Arbor provides the intelligent part of the system, they will interoperate with any vendor's filtering horsepower. If Cisco's system ever actually st
Open Source "Appliance" using Snort + IPtables (Score:4, Interesting)
http://netsquid.tamu.edu/ [tamu.edu]
Re:Open Source "Appliance" using Snort + IPtables (Score:3, Insightful)
An additional point - the internal web server should really provide the tools to clean the infection, otherwise someone's gonna be screwed when their access to the clean up tools has been blocked. Even smarter would be to identify the infection and redirect them to a page that contains the tools and instructions for cleaning that specific infection. (Hell, for people using IE the internal webs
Re:Open Source "Appliance" using Snort + IPtables (Score:1)
One of the only tools that allows a box with no IP to be hacked. Fantastic.
Re:Open Source "Appliance" using Snort + IPtables (Score:2)
This is great and all but, (Score:1)
Captain Internet? (Score:3, Funny)
Whenever the evil Doctor Congestion and Señor Spam try to take over the 'Net they come together to summon Captain Internet who saves the day and educates us about how to use up less bandwidth.
This could be perfect for fighting zombie spam (Score:5, Insightful)
The great unexploited opportunity for eliminating spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.
The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intermediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.
All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philosophy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is being intercepted. It's always good to make life harder for the spammers, to add to their burden.)
Re:This could be perfect for fighting zombie spam (Score:2)
The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intermediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.
Spam currently follows a pretty recognizable pattern on the internet. That does not mean zombies could not be programmed to send spam in a less recognizabl
Re:This could be perfect for fighting zombie spam (Score:3, Insightful)
It's always going to be packets in to some IP address, always going to be packets out to port 25 at some other IP address. The nastiest technique would be to have a local network of zombies so that the incoming packets go to a di
Re:This could be perfect for fighting zombie spam (Score:2)
The article talks of sharing the "fingerprints" of the abuse, which seems to indicate that one of the design goals is to anticipate and provide for a constantly-changing pattern of abuse rather than assume a fixed pattern.
It is true that you can fingerprint traffic on a variety of criteria, and recognize particular types of use. The problem is that there are only a limited number of traffic characteristics that can be easily gathered and analyzed on a macroscopic scale. You can evaluate the ports, packet
Re:This could be perfect for fighting zombie spam (Score:3, Insightful)
What's the destination of the port 25 packets? In general I don't wish to examine packet contents, only size and ports and IP addresses. For abuse packets my feeling is that the ISP has a complete right to fully examine them - the ISP is acting to protect itself and is not intercepting valid traffic.
The easiest traffic to spot is the worm propagation traffic that compromises machines in
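The pattern the two comments above rely on ("packets out to port 25 at some other IP address", judged from "only size and ports and IP addresses") as a zombie detector, added here as an example that is not from the thread or from any ISP's tooling: a customer host that opens outbound TCP/25 sessions to many distinct remote hosts inside a short window, and is not a registered mail relay, is flagged. The allow-list of known relays, the window, the threshold and the flow records are constructed.

```python
"""Flag spam-sending zombies from flow metadata: outbound TCP/25 fan-out.

Added example; the relay allow-list and flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allow-list: hosts that are supposed to talk SMTP to the world.
KNOWN_MTAS = {"198.51.100.25"}


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of the collection interval
    src: str
    dst: str
    dport: int
    bytes_out: int


def smtp_fanout(flows, window=300):
    """Per source: the most distinct TCP/25 destinations seen in any window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 25:
            by_src[f.src].append((f.ts, f.dst))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        result[src] = best
    return result


def find_zombies(flows, window=300, threshold=20):
    """Sources whose SMTP fan-out exceeds the threshold and are not known relays."""
    return sorted(src for src, n in smtp_fanout(flows, window).items()
                  if n >= threshold and src not in KNOWN_MTAS)


def sample_flows():
    """Constructed interval: one zombie, one real relay, two ordinary hosts."""
    flows = []
    # zombie: 40 distinct remote MTAs in 40 seconds
    flows += [Flow(1000 + i, "192.0.2.77", "203.0.113.%d" % (i + 1), 25, 900)
              for i in range(40)]
    # the customer's legitimate relay: high fan-out, but allow-listed
    flows += [Flow(i * 4, "198.51.100.25", "203.0.113.%d" % (100 + i), 25, 2000)
              for i in range(60)]
    # a chatty but normal host: 25 messages, all to the same relay
    flows += [Flow(2000 + i, "192.0.2.9", "198.51.100.25", 25, 1500)
              for i in range(25)]
    # a host that never talks SMTP at all
    flows += [Flow(2500, "192.0.2.5", "203.0.113.99", 443, 700)]
    return flows


if __name__ == "__main__":
    print(smtp_fanout(sample_flows()))
    print("zombies:", find_zombies(sample_flows()))
```

Counting distinct destinations rather than raw message count is what separates the zombie from the host that simply sends a lot of mail through its ISP's relay; no packet contents are inspected.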
Re:This could be perfect for fighting zombie spam (Score:2)
Sigh.
Re:This could be perfect for fighting zombie spam (Score:2)
Obligatory (Score:3, Funny)
Is it a torrent packet ?
Is it a ping ?
No... it's ISP man !!!!
I just hope they wear good tights. Superheros need good tights.
"Sounds a bit like razor, doesn't it?" (Score:2)
From the title... (Score:1)
None of this will ever work (Score:1)
Check This (Score:1)
http://www.forescout.com/activescout.html
Re:got it! (Score:3, Insightful)
Would that I could mod this +10 Insightful and put it up in 40-point flashing type.
Re:fighting evil (Score:1)