The Internet

Distributed Computing for Tracking Net Problems?

Osrin asks: "A software firewall package that came with a recent computer purchase is using a site called MyNetWatchman to track, catalog and escalate firewall incidents back to ISPs. I was wondering what Slashdot readers think of this type of solution and which other Internet problems it would lend itself to helping resolve?"
  • Dshield too (Score:5, Interesting)

    by isn't my name ( 514234 ) <slash&threenorth,com> on Tuesday January 06, 2004 @11:50PM (#7899697)
    Dshield [dshield.org] also performs a similar service. Between it and mynetwatchman, they do seem to perform a valid service. With the fast-acting worms, they may not be able to do anything on new worms before it is too late, but they are in an excellent position to track trends and they are going to see some of the preliminary scans that go on as someone is testing an early exploit.

    I'm waiting for the time that data from those two sources is actually used to track down someone who releases an exploit. I really think it is only a matter of time.
    • Re:Dshield too (Score:2, Interesting)

      Note that Dshield has a number of prepackaged clients to submit data, including both ipchains & iptables (Linux) log analyzers, as well as a host of others.

      Even with the spoofing of IP addresses available easily via nmap, it still seems like contributing to the database is a Good Thing[TM]....
    • Re:Dshield too (Score:3, Insightful)

      by phorm ( 591458 )
      track down someone who releases an exploit.

      Really, this is more the case of "track somebody who releases a virus using an exploit." The problem with this is that crackers can and often will seed the virus through more conventional methods (kazaa, hijacked email, etc), and allow others to infect themselves and thus continue on with the trend.
      • The problem with this is that crackers can and often will seed the virus through more conventional methods (kazaa, hijacked email, etc), and allow others to infect themselves and thus continue on with the trend.

        Oh, I completely agree. However, before they have the virus totally debugged, if you are talking about a new exploit, there have to be some small probes and packets sent out into the wild to test things. Of course, these are probably going to go through zombie computers, but I still think that one day i
  • This has been going on for a while and you may not have known it. Earthlink and many other ISPs have been using Visual Network's IP Insight [visualnetworks.com] in your branded dialers for many years to track QOS and connection statistics under your nose...
  • Too much greed... (Score:4, Insightful)

    by wal ( 56225 ) on Wednesday January 07, 2004 @12:21AM (#7899923) Homepage Journal
    The internet is too saturated with greed to allow any kind of distributed application to be viable on the internet.

    As soon as any type of app becomes widely used enough to make it worthwhile, it is either bought up and ruined by any number of corporations, or sued and shut down for some kind of obscure copyright violation in order to allow for a bigger and better solution from the copyright holder, which will in turn be so ridden with spyware that it will never get used.

    Not that I am a pessimist or anything...
    • Yeah! Like... WinAmp! AOL really ruined that!

      Oh, wait, no, that's wrong... Winamp 3 may have been stupid, but that wasn't AOL's fault.

      Anyway, that's the only counterexample I could come up with, so take that as you will.

      --
      lds
  • Spoofed addresses (Score:5, Informative)

    by Anonymous Coward on Wednesday January 07, 2004 @12:27AM (#7899965)
    When blocking a TCP connection most firewalls will just drop the SYN packet and log it. Since the 3-way handshake has not been completed, it is impossible to verify the source address and silly to notify the "sending" ISP. If you actually ran a service on that port which accepted, logged, and closed the connection, then it would be OK (but there's no trick like this to detect spoofed UDP packets).

    nmap has an option ("-S") to spoof the source address. Here's the documentation from the man page:
    Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! This is not a supported usage (or the main purpose) of this flag. I just think it raises an interesting possibility that people should be aware of before they go accusing others of port scanning them. -e would generally be required for this sort of usage.
    You could also combine this with the -D (decoy) option, which accepts a list of addresses to spoof. More text from the same man page:
    The real moral of the story is that detectors of spoofable port scans should not take action against the machine that seems like it is port scanning them. It could just be a decoy!
    • Yes, but. . . (Score:3, Insightful)

      All valid points, but the bulk of the worm infestations out there aren't spoofing because then they can't spread the infection. Given the number of IP addresses that mynetwatchman.com or dshield.org has reporting to them and the fact that they both require independent reports from multiple sources on ports with known exploits before making any type of report, the overwhelming majority of those reports are going to be for infected machines.
      • Re:Yes, but. . . (Score:3, Informative)

        by Anonymous Coward
        All valid points, but the bulk of the worm infestations out there aren't spoofing because then they can't spread the infection.

        Worms that spread over UDP (like Blaster) could spread using spoofed packets since they don't require two-way communication. That would probably force a lot of ISPs to install egress filters.

        Even worms that spread using TCP could send some spoofed packets occasionally, just to screw with these distributed tracking systems.

        Given the number of ip addresses that mynetwatchman.com
        • Worms that spread over UDP (like Blaster) could spread using spoofed packets since they don't require two-way communication. That would probably force a lot of ISPs to install egress filters.

          IIRC, Slammer DID spoof. Fortunately, it was easy for the backbone carriers to drop the port it used, as it wasn't port 80 or any other critical port.

          With a port 80 worm, you can't block it easily.
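The two rules argued over in this subthread, that a dropped SYN or any UDP datagram proves nothing about who sent it while a completed TCP handshake does, and that an aggregator should escalate a source only when several independent reporters saw it on a port with a known exploit, can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from DShield or from myNetWatchman. It assumes iptables-style LOG lines in which the syslog hostname identifies the reporting sensor, a made-up watch list of ports, and a handful of constructed sample lines; all of those are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumption: the "ports with known exploits" a sensor would escalate on.
# This list is illustrative only, not DShield's or myNetWatchman's.
WATCHED_PORTS = {135, 445, 1434}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Assumed log shape: "<timestamp> <sensor-host> kernel: <log-prefix> KEY=VALUE ... FLAGS"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one iptables-style LOG line; return None for anything that does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    proto = fields.get("PROTO")
    if proto not in ("TCP", "UDP") or "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "reporter": m.group("host"),
        "verdict": m.group("prefix"),
        "src": fields["SRC"],
        "proto": proto,
        "dpt": int(fields["DPT"]),
        "flags": flags,
    }


def aggregate(lines, min_reporters=2, watched_ports=WATCHED_PORTS):
    """Group events by (src, proto, dpt); escalate only with enough independent reporters."""
    reporters_by_key = defaultdict(set)
    handshake_seen = defaultdict(bool)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["proto"], ev["dpt"])
        reporters_by_key[key].add(ev["reporter"])
        # A bare ACK (no SYN) from src to our port can only arrive if src received
        # our SYN-ACK, so that source address is real. A lone dropped SYN, or any
        # UDP datagram, could carry a forged source (nmap -S / -D).
        if ev["proto"] == "TCP" and "ACK" in ev["flags"] and "SYN" not in ev["flags"]:
            handshake_seen[key] = True
    report = {}
    for key, reporters in reporters_by_key.items():
        _src, _proto, dpt = key
        report[key] = {
            "reporters": sorted(reporters),
            "handshake_verified": handshake_seen[key],
            "escalate": dpt in watched_ports and len(reporters) >= min_reporters,
        }
    return report


def escalations(report):
    """Keys that passed the corroboration rule, in sorted order."""
    return sorted(key for key, info in report.items() if info["escalate"])


# Constructed sample lines from three imaginary sensors (fw-a, fw-b, fw-c).
SAMPLE_LOG = [
    # 203.0.113.5 probes TCP/135: two sensors drop the SYN ...
    "Jan  7 00:27:01 fw-a kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=4567 DPT=135 WINDOW=65535 SYN",
    "Jan  7 00:27:03 fw-b kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.8 LEN=48 PROTO=TCP SPT=4568 DPT=135 WINDOW=65535 SYN",
    # ... while fw-c runs a listener that accepts, so the handshake's third packet is logged.
    "Jan  7 00:27:05 fw-c kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=4569 DPT=135 WINDOW=65535 SYN",
    "Jan  7 00:27:05 fw-c kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.9 LEN=40 PROTO=TCP SPT=4569 DPT=135 WINDOW=65535 ACK",
    # UDP/1434 from two sensors: corroborated, but the source can never be verified.
    "Jan  7 00:28:10 fw-a kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.7 LEN=404 PROTO=UDP SPT=1234 DPT=1434",
    "Jan  7 00:28:11 fw-b kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.8 LEN=404 PROTO=UDP SPT=1234 DPT=1434",
    # One sensor alone sees 192.0.2.9 on TCP/135: could be a decoy, not escalated.
    "Jan  7 00:29:00 fw-a kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=9999 DPT=135 WINDOW=65535 SYN",
    # Two sensors see 192.0.2.77 on TCP/22, which is not on the watch list.
    "Jan  7 00:30:00 fw-a kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=5000 DPT=22 WINDOW=65535 SYN",
    "Jan  7 00:30:01 fw-b kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.8 LEN=48 PROTO=TCP SPT=5001 DPT=22 WINDOW=65535 SYN",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for key, info in sorted(aggregate(SAMPLE_LOG).items()):
        print(key, info)
```

Run stand-alone it prints one record per (source, protocol, port); only the corroborated TCP/135 and UDP/1434 sources are marked for escalation, and only the TCP one carries a verified handshake. Lowering `min_reporters` to 1 escalates the single-sensor 192.0.2.9 sighting as well, which is exactly the decoy exposure the man page excerpt warns about.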

  • Could the feedback loop be closed so that the "service" would corelate an attack and then update the firewall filters on each host? Clearly there are trust issues to overcome, but for the sake of this discussion, let's assume the trust issue can be solved.
    • I think that is a way of the future, and probably will be right before the internet becomes self aware. Everything that happens causes changes, those changes propagate out, and it becomes an environment where each node is intelligent and responsive, not merely passive.

      A worm appears, it affects the first few boxes and they report out what is happening and then the network adapts. Isn't that how the Borg developed? MmM, Borg vs SkyNet. This could get interesting.

I program, therefore I am.