Colleges and universities have come under attack by Storm Worm botnets following attempts to detect infections through vulnerability scanning, a response centre for academic networks stated last week. The Research and Education Networking Information Sharing and Analysis Centre (REN-ISAC) sent out the warning last Thursday …
This is a brilliant security feature...
Why don't legitimate security applications do this?
This is brilliant.
Think how effective this would be in the protection of home and corporate machines.
Let's say I released a firewall or security application with this feature and it was installed by millions of people around the world... Anyone trying to hijack my machine would get seriously DDoS'd into submission.
Hackers would get fed up pretty quickly having to reboot their machines all the time. :-)
Presumably the botnet can easily be provoked into attacking willing targets, either to waste its resources, or to allow the participating machines to be easily identified?
Some kind of vigilante botnet, or something else controlled by the 'good guys', is a bit of a tricky tool to use properly. You'd have to ensure that you never got spoofed, and attacked the wrong person. You'd have to ensure that your counterattacks didn't affect legitimate users sharing a network with a machine triggering the attack. There are so many lawsuits waiting to happen here, I wouldn't even want to consider implementing such a thing.
And as for trying to use up a botnet's resources, that's a tricky one. A big net would have a colossal amount of bandwidth available, and triggering it without affecting other non-honeypot machines and networks would be similarly tricky, no?
Careful, and take Lots of Care
"and triggering it without affecting other non-honeypot machines and networks would be similarly tricky, no?"
Challenging and rewarding when it is done though.... for then Everything Runs Beta and Better.
Honeypots to capture DDoS bots?
That's actually not a bad idea.
Essentially you'd have to catch each machine, assuming that the IP address from the attack isn't being spoofed, and add them to your "infected" list as you add them to your filters to drop any packets from those machines.
The nice thing is that you can be 99% sure that legitimate e-mail isn't coming from these machines so you can add them to a blocklist that others could use.
It would be better than SORBS and probably easier to manage.
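The comment above sketches the honeypot-to-blocklist loop: count hits per source, keep the repeat offenders, emit filter rules. The script below is an added example, not code from this thread or from REN-ISAC; the log format and field names are made up for it, and the allowlisted prefix stands in for "your own network and upstream". The allowlist is the practical answer to the spoofing worry raised earlier: a single forged packet must never be able to make you drop traffic from a network you depend on.

```python
"""Turn honeypot hit logs into a packet-filter drop list.

Added example, not code from the thread or from REN-ISAC. The log lines
and the src/dst/dport field names are constructed for this example.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed honeypot log: one line per inbound SYN seen by a honeypot.
SAMPLE_LOG = """\
2007-09-13T10:00:01Z SYN src=198.51.100.7 dst=203.0.113.10 dport=80
2007-09-13T10:00:01Z SYN src=198.51.100.7 dst=203.0.113.10 dport=80
2007-09-13T10:00:02Z SYN src=198.51.100.7 dst=203.0.113.10 dport=443
2007-09-13T10:00:02Z SYN src=198.51.100.9 dst=203.0.113.10 dport=80
2007-09-13T10:00:03Z SYN src=192.0.2.44 dst=203.0.113.10 dport=80
2007-09-13T10:00:03Z SYN src=192.0.2.44 dst=203.0.113.10 dport=80
2007-09-13T10:00:03Z SYN src=192.0.2.44 dst=203.0.113.10 dport=80
2007-09-13T10:00:04Z SYN src=203.0.113.254 dst=203.0.113.10 dport=80
2007-09-13T10:00:04Z SYN src=203.0.113.254 dst=203.0.113.10 dport=80
2007-09-13T10:00:04Z SYN src=203.0.113.254 dst=203.0.113.10 dport=80
2007-09-13T10:00:05Z SYN src=bogus dst=203.0.113.10 dport=80
"""

LINE_RE = re.compile(r"^(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)$")

# Prefixes that must never be blocked even if they show up as a source:
# a spoofed packet claiming to come from our own network or our upstream
# would otherwise let an attacker cut us off from them. (Assumed value.)
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Yield (src_ip, dport) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:  # unparsable address: ignore rather than block
            continue
        yield src, int(m.group(4))


def offenders(text, min_hits=2):
    """Sources with at least min_hits honeypot hits, minus allowlisted nets.

    A threshold above 1 keeps a single stray or spoofed packet from
    landing an address on the drop list.
    """
    hits = defaultdict(int)
    for src, _port in parse_log(text):
        hits[src] += 1
    return sorted(
        str(ip)
        for ip, n in hits.items()
        if n >= min_hits and not any(ip in net for net in ALLOWLIST)
    )


def drop_rules(ips):
    """Render one iptables DROP rule per address (use ipset for big lists)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

Run as-is it prints two DROP rules: 198.51.100.7 and 192.0.2.44 are repeat hitters, 198.51.100.9 falls under the threshold, 203.0.113.254 is inside the allowlisted prefix, and the malformed line is discarded by the parser. Publishing the resulting list for others to consume, as the comment suggests, carries the same caveat: consumers inherit every spoofed or shared-NAT address you failed to filter out.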
Because any halfway decent hacker doesn't use his own machine to originate attacks, you'd be taking down innocents left and right. It's like gunning down a large group of protesters just because their leader (who's sitting at home watching TV) once threw a rock at you.
People who are swamping the net with the filth that is the end result of their carelessness, naivete, and incompetence are anything but innocent. Just because the end luser is some old granny who wants to share photos of her grandchildren doesn't mean she's magically entitled to flood the internet with malicious packets because she doesn't know how to keep Windows updated.
I'd of course rather not see those machines DDoSed offline, I wish that ISPs would simply kick them off their networks if they exhibit the hallmarks of being compromised until the user can demonstrate their computer has been cleaned and secured.
Vigilante policing of the internet is fun to think about, but realistically would just add to the problem. The only sort of vigilantism that I approve of are those rare instances of someone who, say, rewrites a worm that spreads itself like the original version, but actually has the worm patch the hole without the knowledge or consent of the owner a few days after it's infected the machine and attempted to propagate across the network to other vulnerable machines in need of repair.
"The only sort of vigilantism that I approve of are those rare instances of someone who, say, rewrites a worm that spreads itself like the original version, but actually has the worm patch the hole without the knowledge or consent of the owner a few days after it's infected the machine and attempted to propagate across the network to other vulnerable machines in need of repair."
AI VXXXXine.... Binary Medicine?
Good Plan. Proper Preparation for Planning Prevents Piss Poor Performance... an Astute NEUKlearer Wisdom.
There is a passive scanning technique that uses another server which is not busy to bounce packets off of (that's a gross oversimplification, but it'll have to do). The outcome would be that you would nuke some poor schlub's lazy server, and of course the scanner would know, but he'd not be affected. So yes, of course this isn't something you would want to do yourself. Oh, another thing: the Storm worm is now the Porn worm for some reason, according to ISC SANS. I think this might be its last incarnation.
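What the comment above describes matches the idle (zombie) scan, the technique behind Nmap's -sI: the scanner never sends the target a packet carrying its own address; it reads a third party's predictable IP ID counter before and after a spoofed SYN and infers the port state from how much the counter moved. The simulation below is an added example, not code from this thread; the Host class is a deliberately minimal stand-in for an old-style IP stack with a single global incrementing IP ID, and the host names are invented. It exists to show the point the commenter makes: the target only ever sees the zombie's address, so any automated retaliation lands on the zombie.

```python
"""Idle (zombie) scan, simulated offline.

Added example, not code from the thread. Models a scanner, a "zombie" with a
globally incrementing IP ID, and a target with a port table. Hostnames and
port numbers are constructed for this example.
"""


class Host:
    """Minimal IP stack: one global incrementing IP ID plus a port table."""

    def __init__(self, name, open_ports=(), ip_id=1000):
        self.name = name
        self.ip_id = ip_id              # predictable counter: the side channel
        self.open_ports = set(open_ports)
        self.seen_sources = []          # source addresses this host observed

    def _emit(self):
        """Every packet this host sends consumes one IP ID."""
        self.ip_id += 1
        return self.ip_id

    def syn_ack_probe(self, src):
        """Unsolicited SYN/ACK arrives: answer with a RST, burning one IP ID.

        The scanner uses this on the zombie to read the counter.
        """
        self.seen_sources.append(src)
        return self._emit()

    def syn(self, src, port, network):
        """SYN arrives claiming to come from src (possibly spoofed).

        Open port: SYN/ACK goes to src, who did not ask for it and answers
        with a RST (one IP ID spent on src's side).
        Closed port: RST goes to src, who silently ignores it.
        """
        self.seen_sources.append(src)
        self._emit()
        if port in self.open_ports:
            network[src].syn_ack_probe(self.name)


def idle_scan(scanner, zombie, target, port, network):
    """Infer target's port state using only the zombie's IP ID movement."""
    before = zombie.syn_ack_probe(scanner)     # 1. read zombie's counter
    target.syn(zombie.name, port, network)     # 2. SYN spoofed as the zombie
    after = zombie.syn_ack_probe(scanner)      # 3. read the counter again
    # Our own two probes account for 1; an extra 1 means the zombie had to
    # RST a SYN/ACK, i.e. the target's port is open.
    return "open" if after - before == 2 else "closed"


if __name__ == "__main__":
    zombie = Host("zombie", ip_id=5000)
    target = Host("target", open_ports={80}, ip_id=100)
    net = {"zombie": zombie, "target": target}
    for p in (80, 22):
        print(p, idle_scan("scanner", zombie, target, p, net))
    print("target saw:", sorted(set(target.seen_sources)))
```

Modern stacks randomise or zero the IP ID, and a zombie that is actually busy adds noise to the counter, which is why the commenter specifies a server that is "not busy". The second print line is the part relevant to this thread: the target's view of the scan contains the zombie's name only, never the scanner's.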