By Tim Greene
Some of the best Internet minds in the world met Thursday to discuss a
wide range of methods to rid the Web of malicious traffic.
The Usenix invitation-only workshop, called Steps to Reducing Unwanted
Traffic on the Internet (SRUTI), brought together more than 50
academics from all over the world as well as technical staff from
equipment vendors and ISPs to develop methods to cut down on spam,
viruses, worms and distributed denial-of-service (DDoS) attacks -
methods that are practical at an operational level. (=93Sruti,=94 by the
way, is a Sanskrit word meaning "that which is heard.")
Participants exposed fresh ideas to expert criticism, sometimes
resulting in helpful suggestions and sometimes pointing out
One promising proposal would help wipe out the bulk of DDoS attacks
near their sources, but not those attacks in which the aggressor
machines use spoofed IP addresses. Even though the proposal wouldn't
block all attacks, it was still considered feasible because it would
mitigate the bulk of DDoS exploits that rely on networks of unspoofed
zombie machines - botnets - to fire off the attacks.
On the flip side, another presentation advanced a relatively simple
method of encrypting e-mail that would also authenticate the sender
and receiver. But this was pretty much shot down when one attendee
pointed out that encrypting e-mail would render useless spam filters
that search content and subject lines for key words. "You have just
proposed an excellent tool for spammers," he said. The author didn't
have an answer for that.
Practicality seemed the watchword for the day. The author of the
presentation on blocking DDoS attacks said there have been proposals
that would be extremely effective if there were separate IP address
spaces for servers and clients. "This has real possibilities if only
we were redesigning the Internet from scratch," said Mark Handley, a
researcher from University College London in the U.K.
Instead, Handley=92s proposal would introduce devices near Internet
servers and at the edge routers of ISPs to mark and monitor traffic to
the servers. When a DDoS attack was detected, these devices would shut
down at the edge router traffic from addresses identified as the
source of the attack. These devices could effectively reduce DDoS
traffic within a single ISP's network, Handley said. This enforcement
could be extended to other ISPs and block attacks even closer to the
source if the ISPs involved could develop enough trust to share
knowledge about their networks, he said.
While DDoS drew much attention, SRUTI presenters also focused much of
their time on spam, which accounts for the vast majority of e-mail
crossing the Internet.
Dealing with spam
One researcher described a way to analyze the senders and recipients
of e-mail in conjunction with a traditional spam filter to boost the
overall effectiveness of spam protection. The algorithm reduces the
amount of good e-mail that is identified as spam by about 20%,
according to Jussara Almeida, a researcher at Universidade Federal de
Minas Gerais in Brazil. "This is important since the cost of false
positives is usually believed higher than the cost of false
negatives," she said.
The study by her team divided senders and recipients into groups based
on who routinely receives legitimate e-mail from whom. The memberships
of these groups - essentially contact lists - are more stable than
criteria used for other screening methods such as looking for
keywords, Almeida said. Spammers can change the words selected for
spam to duck keyword filters, but establishing themselves as members
of trusted groups is more difficult, she said.
The algorithm weighs the probability that any message sent from a
certain group of senders to a specific group of recipients is spam. It
is effective at sorting a certain percentage as definitely spam and
definitely not spam, with a gray area in between. The researchers are
working to tweak the algorithm to reduce the size of the gray area,
A similar method of sorting IP voice-mail spam - spam over IP
telephony, or SPIT - also relies on senders and receivers. This is key
in filtering SPIT because the point is to get rid of the unwanted
messages without having to waste time listening to them, which would
be required if the content were examined. "You don't have to look at
content to get a pretty good idea of what is going on," said Steve
Bellovin, a professor at Columbia University and a moderator at SRUTI.
"This has been useful in the intelligence community for years."
Researchers from University of North Texas, Denton, have come up with
a voice spam detection server they say can identify a spitter after
just three calls to users in a group, such as a corporation. The
server analyzes where calls are from and whether those sources are
likely to be spam based on the experience users have had with calls
from the same source, said Ram Dantu, a researcher at the university.
Other ideas floated at the workshop ranged from setting up honeypots
to lure in spammers and then tie up their resources, to simulating
network congestion to see how suspicious traffic streams respond as a
way to determine whether a person is behind the session or a zombie
machine sending automated responses. In aggregate the 13 papers
presented last week represent a springboard for producing a faster
Internet, said Dina Katabi, co-chairman of the workshop. "I think the
talks have proposed promising solutions that address important
problems," she said.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.