Wednesday, 10 December 2008

Le Monde (the translated version here) reports that the web site of the French Embassy in China has been inaccessible for a few days. The cause is apparently a DDoS. The attack seems to be a consequence of the political tensions between China and France as a result of the meeting of the French president Sarkozy with the Dalai Lama in Poland.

This is another case of the infamous cyber-war.


Tuesday, 4 November 2008

New DoS and DDoS coming?

The SANS Internet Storm Center reports that some worms exploiting the new Microsoft RPC vulnerability (MS08-067) have been seen in the wild. As I wrote before (here for the automatic translation by Google), this is a critical vulnerability from the same family that brought us worms such as Blaster.

Fortunately, as mentioned by Steve Gibson in Security Now, the Internet has changed a lot since those past experiences. Today most Windows XP (with SP2) and Windows Vista hosts have the firewall on by default, which minimizes the risk of infection. However, many Windows 2000, 98 and 95 computers, most of them forgotten in some computer room, are still at high risk. I wonder if this will be another endemic disease living in the Internet, like its cousins.

Here is the report from F-Secure for those interested. And expect at least some minor disruptions generated by compromised machines.

Monday, 8 September 2008

TCP monitoring in NS

Today I was wondering how to monitor TCP connections in NS-2, so I decided to blog about the topic.

First you need a TCP agent, possibly with an FTP or some other application on top (I assume that you already have some nodes):

#Setup a TCP connection
set tcp1 [new Agent/TCP]
$tcp1 set class_ 2

#Attach tcp to node n0
$ns attach-agent $n0 $tcp1
set sink [new Agent/TCPSink]
#Attach a sink to node n1
$ns attach-agent $n1 $sink
$ns connect $tcp1 $sink
$tcp1 set fid_ 1

#Setup a FTP over TCP connection
set ftp0 [new Application/FTP]
#Link tcp agent with FTP application
$ftp0 attach-agent $tcp1
$ftp0 set type_ FTP

Now, create a procedure that prints some TCP information (the agent is $tcp1 from the previous step, so it has to be declared global inside the procedure):

proc update_tcpinfo {} {
    global ns tcp1 file_out time_step
    set now [$ns now]

    #Congestion window
    set window [$tcp1 set cwnd_]

    #Averaged congestion window
    set avgwind [$tcp1 set awnd_]

    #RTT estimate
    set rtt [$tcp1 set rtt_]

    #Highest ACK received
    set acks [$tcp1 set ack_]

Then you have window, avgwind, rtt and acks, which you can print to the screen or to a file (a separate output file, or maybe the trace file; I would recommend a separate trace file):

    puts $file_out "$now $window $avgwind $rtt $acks"

And schedule the procedure again every time_step (then close the procedure):

    $ns at [expr $now + $time_step] "update_tcpinfo"
}

To declare your output file, do it the same way the trace and nam files are normally opened:

#Open flow file
set file_out [open flow_trace.txt w]

And do not forget to close it:

#Define a 'finish' procedure
proc finish {} {
    global ns nf tf file_out
    $ns flush-trace
    #Close the NAM trace file
    close $nf
    #Close the Trace file
    close $tf
    #Close output file
    close $file_out
    #Execute NAM on the trace file, uncomment the next line to exec NAM automatically
    #exec nam out.nam &
    exit 0
}

Call the procedure and run the simulation:

$ns at 0.5 "update_tcpinfo"
#Call the finish procedure after 5 seconds of simulation time
$ns at 5 "finish"
#Run the simulation
$ns run

This is only pseudo-code and it could have some errors. I prepared a working file that can be found here:
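The fragments above assembled into one complete NS-2 script, as an added example that is not the post's own working file: it builds a two-node topology, attaches TCP/FTP, samples the agent's cwnd_, awnd_, rtt_ and ack_ every time_step into a separate file and closes everything in finish. The node names, link parameters, file names and the 0.1 s sampling interval are assumptions chosen for this example; it assumes a standard NS-2 installation and is run as `ns tcp_monitor.tcl`.

```tcl
# Added example (not from the original post): complete NS-2 script that logs
# cwnd_, awnd_, rtt_ and ack_ of one TCP agent to flow_trace.txt.
# Assumptions: NS-2 is installed (run with: ns tcp_monitor.tcl); node, link
# and file names below are chosen for this example.
set ns [new Simulator]

# Sampling interval (simulation seconds) for the TCP monitor
set time_step 0.1

# Trace files: packet trace, NAM trace and the separate TCP-monitor file
set tf [open out.tr w]
$ns trace-all $tf
set nf [open out.nam w]
$ns namtrace-all $nf
set file_out [open flow_trace.txt w]

# Topology: n0 --(1Mb, 10ms)--> n1 with a small queue so cwnd_ actually varies
set n0 [$ns node]
set n1 [$ns node]
$ns duplex-link $n0 $n1 1Mb 10ms DropTail
$ns queue-limit $n0 $n1 10

# TCP source on n0, sink on n1
set tcp1 [new Agent/TCP]
$tcp1 set class_ 2
$tcp1 set fid_ 1
$ns attach-agent $n0 $tcp1
set sink [new Agent/TCPSink]
$ns attach-agent $n1 $sink
$ns connect $tcp1 $sink

# FTP traffic generator on top of the TCP agent
set ftp0 [new Application/FTP]
$ftp0 attach-agent $tcp1
$ftp0 set type_ FTP

# Sample the TCP agent's state, write one line, and reschedule itself
proc update_tcpinfo {} {
    global ns tcp1 file_out time_step
    set now [$ns now]
    set window  [$tcp1 set cwnd_]   ;# congestion window (packets)
    set avgwind [$tcp1 set awnd_]   ;# averaged congestion window
    set rtt     [$tcp1 set rtt_]    ;# RTT estimate kept by the agent
    set acks    [$tcp1 set ack_]    ;# highest ACK number received
    puts $file_out "$now $window $avgwind $rtt $acks"
    $ns at [expr $now + $time_step] "update_tcpinfo"
}

# Flush and close every file before leaving the simulator
proc finish {} {
    global ns nf tf file_out
    $ns flush-trace
    close $nf
    close $tf
    close $file_out
    # exec nam out.nam &   ;# uncomment to launch NAM automatically
    exit 0
}

# Start the transfer and the monitor together, stop before finish
$ns at 0.5 "$ftp0 start"
$ns at 0.5 "update_tcpinfo"
$ns at 4.5 "$ftp0 stop"
$ns at 5.0 "finish"
$ns run
```

Each line of flow_trace.txt is "time cwnd awnd rtt ack", so the file can be plotted directly (for example with gnuplot, column 1 against column 2) to see the slow-start and congestion-avoidance phases of the flow. Note that the FTP source has to be started explicitly; the fragments above create it but never call `$ftp0 start`, in which case every sampled line shows a constant window and ack_ stays at 0.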

Wednesday, 4 June 2008

DoS video with captions

Well, I started to play with the new YouTube feature for adding captions to your videos. I think that my video of the DoS attack simulation is better explained with captions. This is the same video that I have used in some of my research work and paper presentations.

I do not know why, but the embedded video did not show the captions, so the link is here.

Friday, 30 May 2008

Revision 3 Under DDoS by ... MediaDefender

This has been going around the Twitter world, and it is both funny and serious. Some days ago Revision 3, a new media company that distributes its content via the Internet, was under a DDoS attack. They just revealed in their blog that the attack came from none other than MediaDefender. MediaDefender is a dark company paid by content distributors to disrupt, hack and carry out other unethical activities under the flag of "anti-piracy". It turns out that Revision 3 uses BitTorrent, a very common P2P tool, to distribute ITS OWN content.

Many questions arise from these actions. What was MediaDefender doing against Revision 3? Are their actions legal? What are MediaDefender's criteria to "disrupt" torrent sources?

I honestly hope that Revision 3 takes legal action over this attack. I think the danger that website owners face today from botnet attacks is enough; it is not good to add more attack sources such as this type of company.

New Updates in my research page

I just realized that my research page is a little bit difficult to manage and that I was using my wiki like a blog. So I will make some changes. Among them, I plan to integrate and use more web 2.0 technologies, e.g. I will add my papers to CiteULike, I will manage my links with tags, I will post some news using Twitter and Yahoo Pipes, and so on. Probably I will even start using Google Sites to host the pages instead of the university infrastructure.

Thursday, 1 May 2008

DDoS attacks in the Olympics?

According to Jean-Michel Louboutin, Executive Director of Interpol Police, the main security risk in the Olympic Games is the physical security of the visitors (and of Chinese people as well). I agree with that; however, I think that in the interview with PCWorld he underestimates the effect of a DDoS attack. The Chinese Internet infrastructure might be stronger against a DDoS than Estonia's, but in a synchronized attack some services such as news reports or the Internet communications of visitors may be compromised. It is true that according to MessageLabs the infamous botnet "Storm" seems to be shrinking; although this is good news (and fewer DoS attacks could be launched), we are not sure whether the small size of Storm is due to better security practices or simply to another group of hackers having taken control of the botnet.

I read a comment on Bruce Schneier's blog about security: never say "never", "this is impossible", "this will not happen". I honestly wish to be wrong, but I am sure that there will be more than one attack against the Olympic infrastructure and at least one will succeed.

This post in Spanish

Friday, 25 April 2008

NS-2 Memory exhaustion


I recently started to run a big simulation (68 agents and nodes) in NS-2 to test my intrusion detection algorithm using reinforcement learning. When I ran the simulation for more than x time, it started freezing the host and ended up killing the process. I looked for errors in the code and found nothing. I freed some disk space, thinking that the log files might be using all the available space. It worked a little, until I ran the configuration for x + y time.

I suspected memory use, so I increased the memory of the host machine (I was using VMware, so it was easy) with good results. However, as I increased the simulation time the solution became an endless cycle (one that would end with no memory left in the machine hosting VMware). I started looking for problems in how I was using memory in my code. I found some links about how to debug memory allocations in NS. I must say that I could not make them work; anyway, the links are here:

NS-2 debugging tips

Of course I sent an e-mail to the ns-users mailing list, and as always it was useless (it seems that nobody likes to answer smart questions, and newbies always post dumb ones, which nobody replies to either). After reading the ns manual again, I found that I could (or must, I am not sure) free the packets that I used. The thing is that I developed a new type of agent. The interaction and information shared between agents is of course through special packets that I define.

So, the call is:


I call it in the method that receives the packet, just after reading the packet data that I need:

void RL_MAgent::recv(Packet* pkt, Handler*)
{
    // Access the IP header of the received packet
    hdr_ip *iph = hdr_ip::access(pkt);
    // Access the RL header for the received packet:
    hdr_rl* hdr = hdr_rl::access(pkt);
    // Copy out the fields needed before the packet is released
    double stime = hdr->send_time_;
    int ptype_ = hdr->p_type_;
    int nodeid_ = hdr->node_id_;
    int src = iph->saddr();
    int dest = iph->daddr();
    int srcport = iph->sport();
    float now_ = Scheduler::instance().clock();

    if (ptype_ == T_START)
    { ...

As a result, my simulation only needs a steady 10MB or so of memory to run.

Friday, 22 February 2008

Multi-Agent Reinforcement Learning for Intrusion Detection: A case study and evaluation

I gave this seminar on Feb 22nd.
Artificial Intelligence Group. Computer Sciences, University of York

In this seminar I will present an architecture of distributed sensor and decision agents that learn how to identify normal and abnormal states of the network using Reinforcement Learning (RL). Sensor agents extract network state information using tile-coding as a function approximation technique and send communication signals in the form of actions to decision agents. These in turn generate actions in the form of alarms to the network operator. By means of an on-line process, sensor and decision agents learn the semantics of the communication actions without any previous knowledge. In this presentation I will describe the learning process, the operation of the agent architecture and the evaluation results of our research work.

The presentation is here:

And a video of a Denial of Service attack. Disclaimer: it may be disturbing for certain audiences (it contains cheesy music from ABBA).