tag:blogger.com,1999:blog-81620221719166809192024-03-05T13:24:17.160-08:00AS research public blogThis blog is dedicated to posting information about my research work.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.comBlogger31125tag:blogger.com,1999:blog-8162022171916680919.post-70253635514935235852010-09-18T21:10:00.000-07:002010-09-18T21:19:38.816-07:00IPv6 in any given dayThis is a preliminary result of some research that I am doing on IPv6 usage.<br /><br />From the IPv6 accesses received by lacnic.net (www only), this is the distribution of OSs and browsers for a random day that I selected in September:<br /><br />{'Googlebot': 170, 'Windows': 2878, 'Unknown': 772, 'Linux': 3933, 'Macintosh': 2214}<br />{'Konqueror': 99, 'Firefox': 5732, 'Microsoft Internet Explorer': 1174, 'Chrome': 844, 'Opera': 383, 'Safari': 729}<br /><br />Errata: it's not a day, it's a week.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-41707295689709063312010-05-30T05:09:00.000-07:002010-05-30T05:11:36.513-07:00Need a botnet, only $9.00 the hour<div>Adding a bit of salt to the problem of botnets and the topic of "Attack as a Service (AaaS)" (not sure if the term really exists), this note is interesting:</div><div><br /></div><div>Study finds the average price for renting a botnet</div><div>http://www.zdnet.com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528</div><div>"Based on an experiment conducted by researchers from VeriSign’s iDefense Intelligence Operations Team, involving 25 different "rent a botnet" underground marketplace propositions, they were able to conclude that the average price for renting a botnet is $67 for 24 hours, and $9 for hourly access."</div><div><br /></div><div><br /></div><div>Some other articles about botnets:</div><div>The attack of the opt-in 
botnets</div><div>http://www.zdnet.com/blog/security/attack-of-the-opt-in-botnets/6268</div><div><br /></div><div>The biggest cloud on the planet is owned by ... the crooks</div><div>http://www.networkworld.com/community/node/58829</div><div><br /></div>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-10860279772860218622009-12-01T05:13:00.000-08:002009-12-01T05:21:20.760-08:00The Cloud of real time for London 2012<div><br /></div><div>I just read an article about a "Cloud of real time information for London 2012". I wrote a bit about it in my blog in Spanish; <a href="http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http://arturo-servin.blogspot.com/2009/12/la-nube-de-informacion-de-tiempo-real.html&sl=es&tl=en">there is an automatic translation here</a>.</div><div><br /></div><br /><a href="http://www.youtube.com/watch?v=NmEBFWXMImM">Video: The Cloud (YouTube)</a><br /><div><br /></div><br /><br /><div>I won't write too much about it; I would rather you went to the <a href="http://www.raisethecloud.org/">Cloud</a> website or to <a href="http://www.techcrunch.com/2009/11/30/realtime-cloud-m-i-t-olympics-2012/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Techcrunch+(TechCrunch)&utm_content=Google+Reader">the original article from TechCrunch</a>. 
However, I would say that the project seems quite a challenge and I am looking forward to hearing more about it in the near future.</div><div><br /></div>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-19638318992373347102009-08-08T06:56:00.000-07:002009-08-08T07:01:25.211-07:00DoS/DDoS news resourcesConsidering the hype about DoS and DDoS in recent days as a consequence of the attacks on Twitter, Facebook and LiveJournal, I decided to include some of my information sources in this blog. I did some redesign of the right bar and included some DoS and DDoS news; they are a set of news items manually selected by me. I take the news from different sources, apply some basic filtering and data mining, and come up with them. They can also be <a href="http://www.google.com/reader/shared/user%2F11229999151764544287%2Flabel%2Fdosnews?hl=en">accessed here</a> if you want to include them in your RSS reader.<br /><br />"Security news from Twitter" are posts about DoS/DDoS attacks collected from Twitter. This is a little bit noisy, with around 30-50 posts per day. Some of the posts are repeated or uninteresting (from my perspective), but it works as a source for my tools that extract some information from them. The raw feeds are <a href="http://www.google.com/reader/shared/user%2F11229999151764544287%2Flabel%2FDDOS%20feed?hl=en">here</a> and <a href="http://pipes.yahoo.com/pipes/pipe.run?_id=e4b09ed0b6d894029fcafa7eea564d95&_render=rss">here</a>.<br /><br />Finally, I included some general IT security news from twittsecurity. <a href="http://twitter.com/twittsecurity">Twittsecurity</a> is a bot that shares security news on Twitter. It searches for and selects IT security news using a hybrid method (automatic and human assisted). 
Feel free to <a href="http://twitter.com/twittsecurity">follow it</a>.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com1tag:blogger.com,1999:blog-8162022171916680919.post-45085709205010502792009-07-27T16:29:00.000-07:002009-07-27T16:44:36.731-07:00Some Machine Learning LibrariesI've been doing some experiments using "machine learning" on several projects and I would like to talk a bit about them. For now all my coding is in Python, but I'll also comment on some Java and C++ libraries.<br /><br />A simple one to use is <a href="http://leenissen.dk/fann/">FANN</a> (Fast Artificial Neural Network). It also has bindings for Python and other languages (PHP, Java, Perl, etc.), although the Python binding did not work for me for some reason.<br /><br />For Support Vector Machines I used <a href="http://www.csie.ntu.edu.tw/~cjlin/libsvm/">LIBSVM</a> (A Library for Support Vector Machines). On the website you can even find a number of recommendations for using SVMs. Other libraries supporting SVM are <a href="http://pyml.sourceforge.net/">PyML</a> and <a href="https://mlpy.fbk.eu/">MLPy</a> (but for some reason the compilation did not work on my machine, so I used LIBSVM).<br /><br />A very interesting library implementing a Naive Bayes Classifier is <a href="http://www.ailab.si/orange/doc/ofb/">Orange</a>. I have not tested it, but it looks good; plus, it has good documentation and links to various datasets.<br /><br />If you are interested in <a href="http://www.cs.ualberta.ca/~sutton/book/the-book.html">Reinforcement Learning</a>, <a href="http://www.cs.ualberta.ca/~sutton/tiles2.html">Tiles</a> is a library in Python (also in C++ and Lisp) that allows you to "transform" the inputs to a value function represented by an array of tiles. 
In general, to represent a state at high resolution, tiles are better than plain discrete states.<br /><br />If you want a "decision tree" you can use <a href="http://examples.oreilly.com/9780596529321/">this one</a>, which is included and explained in the book "Programming Collective Intelligence". I think that the algorithm used is based on ID3.<br /><br />And finally, <a href="http://lucene.apache.org/mahout/">Mahout</a>. This is an Apache Foundation project. For now it is out of my reach to test it: I do not have the infrastructure or the need to use it. It is based on <a href="http://hadoop.apache.org/">Hadoop</a> and the <a href="http://labs.google.com/papers/mapreduce.html">MapReduce</a> concepts. Very interesting.<br /><br /><br />PS: If you want more resources about machine learning, these are <a href="http://delicious.com/the_real_r2d2/machine_learning">my delicious bookmarks on the topic.</a>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com3tag:blogger.com,1999:blog-8162022171916680919.post-39506703290592523372009-04-30T08:08:00.000-07:002009-04-30T08:12:15.620-07:00Some NS-2 code to simulate DoS and DDoS attacksThis is some basic Tcl code that I used for some simulations. This code works on the <a href="http://nsnam.isi.edu/nsnam/index.php/Main_Page">NS-2 network simulator</a>.<br /><br /><a target="_blank" title="External link to http://www-users.cs.york.ac.uk/~aservin/code/monitor_one_int.tcl" href="http://www-users.cs.york.ac.uk/%7Easervin/code/monitor_one_int.tcl" class="externalLink">Simple simulation with flow monitors</a>. It creates 4 nodes: 1 UDP source, 1 TCP source (FTP), 1 destination node and 1 transit node. It monitors the flows coming in and out of the queue on the link between the transit and destination nodes. 
It dumps the trace data to a flow file.<br /><br /><a target="_blank" title="External link to http://www-users.cs.york.ac.uk/~aservin/code/pingflood.tcl" href="http://www-users.cs.york.ac.uk/%7Easervin/code/pingflood.tcl" class="externalLink">Ping Flood</a>. It creates two nodes. Node 1 floods ping packets to Node 2. It could be useful to simulate Denial of Service attacks.<br /><br /><a target="_blank" title="External link to http://www-users.cs.york.ac.uk/~aservin/code/tflow01.tcl" href="http://www-users.cs.york.ac.uk/%7Easervin/code/tflow01.tcl" class="externalLink">Simple DoS Attack</a>. It creates a topology of 7 nodes. Two nodes generate valid traffic (one UDP and another TCP in the form of FTP). Another node generates a UDP DoS.<br /><br /><br />Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com10tag:blogger.com,1999:blog-8162022171916680919.post-4223292784751500512009-04-28T04:07:00.000-07:002009-04-28T04:16:17.424-07:00SPAM and the commerce of fearA few days ago <a href="http://twitter.com/the_real_r2d2/statuses/1627934906">I commented</a> that spammers would soon begin sending mails about medication against the swine flu, replacing the old Viagra SPAM. 
Shortly after, <a href="http://www.us-cert.gov/current/index.html#swine_flu_phishing_attacks_and">US-CERT warned</a> of phishing attacks using this new vector for social engineering, and <a href="http://isc.sans.org/diary.html?storyid=6271&rss">SANS published a list of sites</a> that could generate malware/phishing/scams (according to the particular domain names selected).<br /><br />Well, today <a href="http://twitter.com/the_real_r2d2/statuses/1637767048">I received my first flu-related SPAM</a>. Also, visiting a news site <a href="http://the-real-r2d2.tumblr.com/post/101017582/google-ads-pand-mico-y-el-comercio-del-miedo">I found this ad from Google Ads</a>. The ads are not malware sites (at least these three do not appear to be, but try them at your own risk), but they certainly plan to profit from people's fear.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNgiAaDdHS-Vi4D9zmIrc3lipGDoCk66ygbOUz0-VTQsrDR3fApYgdpUfUJi3QcgVybcMn89xFT-jF4KwI2lmeOMawHa6Gp2EHqTQC53w5kY_25gI1nEKcuf5jCsrrlYyoWnRusEe_bBU/s1600-h/Picture+1.png"><img style="display:block; margin:0px auto 10px; text-align:center; width: 315px; height: 279px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNgiAaDdHS-Vi4D9zmIrc3lipGDoCk66ygbOUz0-VTQsrDR3fApYgdpUfUJi3QcgVybcMn89xFT-jF4KwI2lmeOMawHa6Gp2EHqTQC53w5kY_25gI1nEKcuf5jCsrrlYyoWnRusEe_bBU/s320/Picture+1.png" border="0" alt="Google Ads screenshot" /></a><br /><br />Well, I think that we humans are quite predictable.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-69250436182968675212009-04-01T02:42:00.000-07:002009-04-01T02:49:30.881-07:00The big news today about Conficker ... is that there is no newsFor the moment everything looks calm. 
Although it is already April 1 almost everywhere in the world, there is not yet any news about the end of the world. Today the media expected big problems as a result of the spreading of the worm <a href="http://www.us-cert.gov/cas/techalerts/TA09-088A.html">Conficker</a> and the new "payload" that would be activated.<br /><br />More than the result of a large patching campaign, I think that the famous worm exploited a large media campaign that exaggerated and overestimated its effects. I expect this to be just another day in the life of a security researcher. Anyway, if something happens, I will be updating <a href="http://twitter.com/the_real_r2d2">my twitter</a> and my <a href="http://the-real-r2d2.tumblr.com/">tumblr</a> (this one is Spanish only). In case of infection, or for proactive measures against the worm, <a href="http://www.readwriteweb.com/archives/7_resources_to_help_you_prepare_for_confickers_d-d.php">here are some resources</a>.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-76504206650661228552009-03-16T09:51:00.000-07:002009-03-16T10:01:39.236-07:00The BBC, the botnet and other DDoS attacks<div><br /></div>No doubt the most commented DDoS news of the week was related to <a href="http://blogs.zdnet.com/security/?p=2868">the botnet that the BBC hired</a>. In fact it was the staff of <a href="http://news.bbc.co.uk/1/hi/programmes/click_online/">one of its programmes, Click</a>. The programme's goal was to demonstrate how easy it is to hire a botnet to perform criminal activities. The botnet was used to send SPAM to an account set up specially for the purpose and to launch a DDoS attack on a security company's website set up specifically for this purpose. 
Although the ethics of the action has been criticised, the fact is that they have demonstrated how easy and cheap it is to hire such services.<br /><br />In other news, Jose Nazario of <a href="http://www.arbornetworks.com/">Arbor Networks</a>, in his presentation at SOURCE Boston, commented on the <a href="http://blogs.zdnet.com/security/?p=2859">new "trends" in cyber crime</a>. Nazario said that cyber criminals are not just selling kits for running malicious software on unprotected computers. Now they sell services for script-kiddies and criminals who are just not good enough to use the malware by themselves. The <a href="http://asert.arbornetworks.com/2009/03/jose-nazario-on-botnets-cyberwarfare/">audio of the presentation is here</a>.<br /><br />The DDoS attack on the torrent site Mininova continued during this week. <a href="http://royal.pingdom.com/2009/03/10/the-anatomy-of-a-ddos-attack/">Here you can see</a> some trends in the traffic that the attacks have generated.<div><br /></div><div>The <a href="http://arturo-servin.blogspot.com/2009/03/la-bbc-su-botnet-y-otras-noticias-de.html">Spanish version of this post is here</a>.</div>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-82063207476485257022009-03-08T05:23:00.000-07:002009-03-08T05:28:44.703-07:00DDoS in MarchTo the <a href="http://search.twitter.com/search?q=&ands=who+pirate+bay&phrase=&ors=dos+ddos&nots=&tag=&lang=all&from=&to=&ref=&near=&within=15&units=mi&since=&until=&source=&rpp=50">surprise of some</a>, the <a href="http://ykvz.com/pirate-bay-under-attack-ddos-style-pirate-wars/">Pirate Bay website was under a DDoS attack</a> earlier this week. Still no news about the intellectual authors. 
The site is stable for now.<br /><br />According to an analysis by the anti-virus firm Sophos, the worm <a href="http://www.f-secure.com/weblog/archives/00001576.html">Conficker</a> could end up launching a DDoS attack on some sites, including Southwest Airlines, as collateral damage from the spread of the worm. The <a href="http://blogs.techrepublic.com.com/security/?p=997">note on TechRepublic</a>.<br /><br />And the torrent site Mininova has been hit by a DDoS. <a href="http://torrentfreak.com/mininova-hit-by-massive-ddos-attack-090307/">According to TorrentFreak</a> the attack has reached a 2 Gbps peak. It seems to come from bot networks that appear to be in Germany and Argentina.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-69796690971607352512009-02-10T01:18:00.000-08:002009-02-10T01:30:55.220-08:00Feed AnalysisWell, this post is more a plea for help than a real post.<br /><br />I need to analyse an RSS feed that I have been generating by searching for tweets related to DoS and DDoS attacks. In order to do it soon and without much effort I would like to avoid programming something (maybe using <a href="http://www.feedparser.org/">feedparser</a> or <a href="http://pear.php.net/package/XML_RSS">XML_RSS</a>). What I would like to do is:<br /><br /><ol><li>Get the average posts per day, week and month</li><li>Get the average for a specific week and month</li><li>Get all the items for a specific date</li><li>If possible, graph the number of items by day, week and month</li></ol><br />If somebody knows a web service to do that, please let me know by e-mail, by a comment here or just send me a <a href="http://twitter.com/the_real_r2d2">tweet</a>. 
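<br /><br />As an added example (not code from the original post or from the author's tools), the following Python script does the four things listed above offline, using only the standard library, so no feedparser or XML_RSS dependency is needed. It assumes an RSS 2.0 feed whose items carry RFC 822 <code>pubDate</code> elements; the sample feed embedded in it is constructed for the demonstration and is not real data. It buckets items by day, ISO week and month, computes averages over the calendar span (so days or weeks with no posts count as zero), returns the items published on a given date, and draws a text bar chart.

```python
"""Offline statistics over an RSS feed of DoS/DDoS-related posts.

Added example, not code from the original post. Assumes an RSS 2.0 feed
with RFC 822 pubDate elements (what feedparser-style tools consume).
"""
import calendar
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample feed for the demonstration; not real data.
SAMPLE_RSS = """<rss version="2.0"><channel><title>DDoS feed</title>
<item><title>DDoS hits tracker A</title><pubDate>Sat, 07 Mar 2009 10:00:00 +0000</pubDate></item>
<item><title>DDoS hits tracker B</title><pubDate>Sat, 07 Mar 2009 18:30:00 +0000</pubDate></item>
<item><title>Worm may launch DoS</title><pubDate>Sun, 08 Mar 2009 09:15:00 +0000</pubDate></item>
<item><title>Site back online</title><pubDate>Tue, 10 Mar 2009 12:00:00 +0000</pubDate></item>
<item><title>No date, skipped</title></item>
<item><title>New botnet for hire</title><pubDate>Wed, 01 Apr 2009 08:00:00 +0000</pubDate></item>
</channel></rss>"""


def parse_items(xml_text):
    """Return a list of (date, title) tuples from an RSS 2.0 document.

    Items without a parseable pubDate are skipped; timestamps are converted
    to UTC before taking the date so that mixed time zones bucket consistently.
    """
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        raw = item.findtext("pubDate")
        if not raw:
            continue
        try:
            when = parsedate_to_datetime(raw)
        except (TypeError, ValueError):
            continue
        if when.tzinfo is not None:
            when = when.astimezone(timezone.utc)
        items.append((when.date(), item.findtext("title", "")))
    return items


def period_key(d, period):
    """Label a date by 'day' (ISO date), 'week' (ISO year-week) or 'month'."""
    if period == "day":
        return d.isoformat()
    if period == "week":
        year, week, _ = d.isocalendar()
        return f"{year}-W{week:02d}"
    if period == "month":
        return f"{d.year}-{d.month:02d}"
    raise ValueError(f"unknown period {period!r}")


def counts_by_period(items, period):
    """Number of items per day/week/month, as a Counter keyed by period label."""
    return Counter(period_key(d, period) for d, _ in items)


def periods_spanned(items, period):
    """Calendar periods between the first and last item, inclusive (empty ones count)."""
    if not items:
        return 0
    first, last = min(d for d, _ in items), max(d for d, _ in items)
    if period == "day":
        return (last - first).days + 1
    if period == "week":
        monday = first - timedelta(days=first.weekday())
        return (last - monday).days // 7 + 1
    if period == "month":
        return (last.year - first.year) * 12 + (last.month - first.month) + 1
    raise ValueError(f"unknown period {period!r}")


def average_per_period(items, period):
    """Average items per calendar day/week/month over the feed's whole span."""
    n = periods_spanned(items, period)
    return len(items) / n if n else 0.0


def average_per_day_in(items, label):
    """Average items per day inside one week ('2009-W10') or month ('2009-03')."""
    if "-W" in label:
        period, days = "week", 7
    else:
        period = "month"
        year, month = (int(x) for x in label.split("-"))
        days = calendar.monthrange(year, month)[1]
    return counts_by_period(items, period)[label] / days


def items_on(items, day):
    """Titles of all items published on a given date, in feed order."""
    return [title for d, title in items if d == day]


def bar_chart(counts, width=40):
    """Text bar chart (one line per period label) for eyeballing spikes."""
    peak = max(counts.values(), default=1)
    return [f"{label} {'#' * (n * width // peak)} {n}" for label, n in sorted(counts.items())]


if __name__ == "__main__":
    feed = parse_items(SAMPLE_RSS)
    for period in ("day", "week", "month"):
        print(period, dict(counts_by_period(feed, period)), round(average_per_period(feed, period), 3))
    print("\n".join(bar_chart(counts_by_period(feed, "day"))))
```

The denominator for the averages is a choice: dividing by the calendar periods spanned, as above, is the number you want when looking for a quiet week; dividing by the periods that actually had posts hides the zeros and inflates the average.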
I would really appreciate it!Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-47919491225867698482009-01-23T01:47:00.000-08:002009-01-23T02:04:03.742-08:00Practical Artificial Intelligence and Machine LearningI gave this presentation yesterday at Ignite <a href="http://www.meetup.com/Ignite-UK-North/calendar/9017862/">UK North in Leeds</a>. It is about Artificial Intelligence and Machine Learning; it contains a little bit of theory, practical examples and some resources to dig a little more into the topic. It does not go very deep into details though.<br /><br /><iframe src='http://docs.google.com/EmbedSlideshow?docid=df35nn32_66hk7tnsfd' frameborder='0' width='410' height='342'></iframe>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com3tag:blogger.com,1999:blog-8162022171916680919.post-51392458635587941682008-12-10T01:36:00.000-08:002008-12-10T01:41:24.529-08:00<a href="http://www.lemonde.fr/web/depeches/0,14-0,39-37848051@7-37,0.html">Le Monde</a> (<a href="http://translate.google.com/translate?hl=en&u=http%3A%2F%2Fwww.lemonde.fr%2Fweb%2Fdepeches%2F0%2C14-0%2C39-37848051%407-37%2C0.html&sl=fr&tl=en">the translated version here</a>) reports that the web site of the French Embassy in China has been inaccessible for a few days. The cause is apparently a DDoS. 
The attack seems to be a consequence of the political tensions between China and France as a result of the meeting of the French president Sarkozy with the Dalai Lama in Poland.<div><br /></div><div>This is another case of the infamous cyber-war.</div><div><br /></div><div> </div>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-82545683691363074372008-11-04T01:28:00.001-08:002008-11-04T01:41:22.861-08:00New DoS and DDoS coming?<div><br /></div><div>The <a href="http://isc.sans.org/diary.html?storyid=5275&rss">SANS Internet Storm Center reports</a> that some worms exploiting the <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx">new Microsoft RPC vulnerability (MS08-067)</a> are being seen in the wild. As <a href="http://arturo-servin.blogspot.com/2008/10/nueva-vulnerabilidad-rcp-de-microsoft.html">I wrote before</a> (<a href="http://translate.google.com/translate?client=tmpg&hl=en&u=http%3A%2F%2Farturo-servin.blogspot.com%2F2008%2F10%2Fnueva-vulnerabilidad-rcp-de-microsoft.html&langpair=es|en">here for the automatic translation by Google</a>), this is a critical vulnerability from the same family that brought us worms such as <a href="http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci917276,00.html">Blaster</a>. </div><div><br /></div><div>Fortunately, as mentioned by <a href="http://www.grc.com/sn/sn-168.htm">Steve Gibson</a> on <a href="http://www.grc.com/securitynow.htm">Security Now</a>, the Internet has changed a lot since those past experiences. Today most Windows XP (with SP2) and Windows Vista hosts have the firewall on by default, which minimises the risk of infection. However, many Windows 2000, 98 and 95 computers, most of them forgotten in some computer room, are still at high risk. 
I wonder if this will be another endemic disease living on the Internet like its cousins.</div><div><br /></div><div>Here is the <a href="http://www.f-secure.com/weblog/archives/00001526.html">report from F-Secure</a> for those interested. And expect at least some minor disruptions generated by compromised machines.</div>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-31592215674771250142008-09-08T08:55:00.000-07:002008-09-08T10:28:59.741-07:00TCP monitoring in NSToday I was looking into how to monitor TCP connections in NS-2, so I decided to blog about the topic.<br /><br />First you need a TCP agent, and probably an FTP or some other application on top of it (I assume that you already have some nodes, here <span style="font-family:courier new;">$n0</span> and <span style="font-family:courier new;">$n1</span>):<br /><br /><pre>
# Setup a TCP connection
set tcp1 [new Agent/TCP]
$tcp1 set class_ 2
# Attach the TCP agent to node n0
$ns attach-agent $n0 $tcp1
# Attach a sink to node n1
set sink [new Agent/TCPSink]
$ns attach-agent $n1 $sink
$ns connect $tcp1 $sink
$tcp1 set fid_ 1
# Setup an FTP application over the TCP connection
set ftp0 [new Application/FTP]
# Link the TCP agent with the FTP application
$ftp0 attach-agent $tcp1
$ftp0 set type_ FTP
</pre><br />Now, create a procedure that reads some TCP state from the agent. The agent must be declared as <span style="font-family:courier new;">global</span> inside the procedure and referenced by the same name used above (<span style="font-family:courier new;">tcp1</span>), otherwise Tcl will complain about an undefined variable. The procedure prints the congestion window, the averaged window, the RTT estimate and the highest ACK seen, to screen or to a file (an output file or maybe the trace file; I would recommend a separate trace file), and then re-schedules itself every <span style="font-family:courier new;">time_step</span>:<br /><br /><pre>
# Sampling interval in seconds; update_tcpinfo uses it to re-schedule itself
set time_step 0.1

proc update_tcpinfo {} {
    global ns tcp1 file_out time_step
    set now [$ns now]
    # Congestion window, averaged window, estimated RTT and highest ACK seen
    set window [$tcp1 set cwnd_]
    set avgwind [$tcp1 set awnd_]
    set rtt [$tcp1 set rtt_]
    set acks [$tcp1 set ack_]
    # Write one sample per line to the separate output file
    puts $file_out "$now $window $avgwind $rtt $acks"
    # Call this procedure again after time_step seconds of simulation time
    $ns at [expr $now + $time_step] "update_tcpinfo"
}
</pre><br />To declare your output file, do it as the trace and NAM files are normally initiated (<span style="font-family:courier new;">$tf</span> and <span style="font-family:courier new;">$nf</span> below are the handles opened for <span style="font-family:courier new;">$ns trace-all</span> and <span style="font-family:courier new;">$ns namtrace-all</span>):<br /><br /><pre>
# Open the output file for the TCP samples
set file_out [open flow_trace.txt w]
</pre><br />And do not forget to close it:<br /><br /><pre>
# Define a 'finish' procedure
proc finish {} {
    global ns nf tf file_out
    $ns flush-trace
    # Close the NAM trace file
    close $nf
    # Close the trace file
    close $tf
    # Close the output file
    close $file_out
    # Execute NAM on the trace file; uncomment the next line to run NAM automatically
    #exec nam out.nam &amp;
    exit 0
}
</pre><br />Start the FTP traffic, schedule the first call of the procedure (it re-schedules itself afterwards) and run the simulation:<br /><br /><pre>
# Start the FTP traffic; without it the TCP agent never sends anything
$ns at 0.1 "$ftp0 start"
# Take the first sample at 0.5 s
$ns at 0.5 "update_tcpinfo"
# Call the finish procedure after 5 seconds of simulation time
$ns at 5 "finish"
# Run the simulation
$ns run
</pre><br />The snippets above are only a sketch and could still have some errors. I prepared a working file that can be <a href="http://www.laneta.net/arturoservin/files/7">found here</a>.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com2tag:blogger.com,1999:blog-8162022171916680919.post-55168639105933025372008-06-04T06:39:00.000-07:002008-06-04T06:46:01.253-07:00DoS video with captionsWell, I started to play with the <a href="http://googlesystem.blogspot.com/2008/06/youtube-annotations.html">new YouTube feature to add captions to your video</a>. I think that my video of the DoS attack simulation is better explained with captions. 
This is the same video that I have used in some of <a href="http://www-users.cs.york.ac.uk/%7Easervin/">my research</a> work and <a href="http://ki.informatik.uni-wuerzburg.de/%7Ekluegl/ALAMAS.ALAg/#program">paper</a> presentations.<br /><br />I do not know why, but the embedded video did not show the captions, <a href="http://uk.youtube.com/watch?v=X8Gumjf80Ig">so the link is here</a>.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-68019473989182571142008-05-30T12:34:00.001-07:002008-05-30T13:39:50.329-07:00Revision 3 Under DDoS by ... MediaDefenderThis has been going around the Twitter world and it is both funny and serious. Some days ago Revision 3, a new media company that distributes its content via the Internet, was under a DDoS attack. They just revealed <a href="http://revision3.com/blog/2008/05/29/inside-the-attack-that-crippled-revision3">in their blog</a> that the attack came from none other than <a href="http://www.mediadefender.com/">MediaDefender</a>. MediaDefender <a href="http://en.wikipedia.org/wiki/MediaDefender">is a shady company paid by content distributors to disrupt, hack and carry out other unethical activities</a> under the flag of "anti-piracy". It turns out that Revision 3 uses BitTorrent, a very common P2P tool, to distribute ITS OWN content.<br /><br />Many questions arise from these actions. What was MediaDefender doing against Revision3? Are their actions legal? What are MediaDefender's criteria to "disrupt" torrent sources?<br /><br />I honestly hope that Revision 3 takes some legal action over this attack. 
I think that the danger website owners face today from botnet attacks is enough; it is not good to add more attack sources such as this type of company.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-65865767982362714122008-05-30T12:17:00.000-07:002008-05-30T12:27:57.109-07:00New Updates in my research pageI just realised that my <a href="http://www-users.cs.york.ac.uk/%7Easervin/">research page</a> is a little bit difficult to manage and that I was using my <a href="http://www-users.cs.york.ac.uk/%7Easervin/myWiki.html">wiki</a> like a blog. So I will make some changes. Among them, I plan to integrate and use more Web 2.0 technologies, e.g. I will add my papers to <a href="http://www.citeulike.org/user/arturo_servin">CiteULike</a>, I will manage my links in <a href="http://del.icio.us/the_real_r2d2">del.icio.us</a> with tags, I will post some news using <a href="http://twitter.com/the_real_r2d2">Twitter</a> and <a href="http://pipes.yahoo.com/pipes/person.info?eyuid=4D6.S5gyundXA3d.viFasOtIEi7z">Yahoo Pipes</a>, and so on. 
I may even start using Google Sites to host the pages instead of the university infrastructure.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com1tag:blogger.com,1999:blog-8162022171916680919.post-13682598937045310072008-05-01T13:04:00.000-07:002008-05-01T13:30:31.043-07:00DDoS attacks in the Olympics?According to Jean-Michel Louboutin, Executive Director of Police Services at Interpol, the main security risk at the Olympic Games is the physical security of the visitors (and of the Chinese people as well). I agree with that; however, I think that in the <a href="http://www.pcworld.com/article/id,145349-c,businesscenter/article.html">interview with PCWorld</a> he underestimates the effect of a DDoS attack. The Chinese Internet infrastructure might be stronger against a <a href="http://news.zdnet.co.uk/security/0,1000000189,39408158,00.htm">DDoS than Estonia's</a>, but in a synchronised attack some services such as news reports or the Internet communications of visitors may be compromised. It is true that according to MessageLabs the infamous "Storm" botnet seems to have shrunk; although this is good news (and fewer DoS attacks could be launched), we are not sure whether the small size of Storm is due to better security practices or just to another group of hackers having taken control of the botnet.<br /><br />I read a comment on <a href="http://www.schneier.com/blog">Bruce Schneier's blog</a> about security: never say "never", "this is impossible", "this will not happen". 
I honestly wish to be wrong, but I am sure that there will be more than one attack against the Olympic infrastructure and at least one will succeed.<br /><br /><a href="http://arturo-servin.blogspot.com/">This post in Spanish</a>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-67157709554682310052008-04-25T06:09:00.001-07:002008-05-01T08:47:12.500-07:00NS-2 Memory exhaustion<br /><br />I recently started to run a big simulation (68 agents and nodes) in <a href="http://nsnam.isi.edu/nsnam/index.php/Main_Page">NS-2</a> to test my <a href="http://www-users.cs.york.ac.uk/~aservin/myWiki.html">intrusion detection algorithm</a> using <a href="http://www.cs.ualberta.ca/~sutton/book/the-book.html">reinforcement learning</a>. When I ran the simulation for more than <span class="Apple-style-span" style="FONT-STYLE: italic">x</span> time, it started freezing the host and ended up killing the process. I looked for errors in the code and found nothing. I freed some disk space, thinking that the log files could be using all the available space. It worked a little, until I ran the configuration for <span class="Apple-style-span" style="FONT-STYLE: italic">x + y</span> time.<br /><br /><br />I suspected memory use, and I increased the memory in the host machine (I was using <a href="http://www.vmware.com/">VMware</a>, so it was easy) with good results. However, as I increased the simulation time the solution became an endless cycle (which would end with no memory left in the machine hosting VMware). I started looking for problems in how I was using memory in my code. I found some links about how to debug memory allocations in NS. 
I must say that I could not make them work; anyway, the links are here:<br /><br /><br /><a href="http://www.isi.edu/nsnam/ns/ns-debugging.html">NS-2 debugging tips</a><br /><a href="http://www.dmalloc.com/">dmalloc</a><br /><br /><br />Of course I sent an e-mail to the ns-users mailing list and, as always, it was useless (it seems that nobody likes to answer smart questions, and newbies always post dumb ones that nobody replies to either). After reading the <a href="http://www.isi.edu/nsnam/ns/ns-documentation.html">ns-manual</a> again, I found that I could (or must, I am not sure) free the packets that I used. The thing is that I developed a new type of agent. The interaction and information shared between agents is, of course, through special packets that I define.<br /><br /><br />So, the call is:<br /><br /><br />Packet::free(pkt);<br /><br />I call it in the method that receives the packet, just after reading the packet data that I need. Note the order: every header field is copied into a local variable first, so nothing dereferences the packet after it has been freed:<br /><br /><span style="font-size:85%;">void RL_MAgent::recv(Packet* pkt, Handler*)<br />{<br /><span style="COLOR: rgb(51,102,255)">// Access the IP packet</span><br />hdr_ip *iph = hdr_ip::access(pkt);<br /><span style="COLOR: rgb(51,102,255)">// Access the RL header for the received packet:</span><br />hdr_rl* hdr = hdr_rl::access(pkt);<br /><span style="COLOR: rgb(51,102,255)">// Copy every field we need into locals before the packet is released</span><br />double stime = hdr->send_time_;<br />int ptype_ = hdr->p_type_;<br />int nodeid_ = hdr->node_id_;<br />int src = iph->saddr();<br />int dest = iph->daddr();<br />int srcport = iph->sport();<br />float now_ = Scheduler::instance().clock();<br /><span style="COLOR: rgb(51,102,255)">// Release the packet; pkt, iph and hdr must not be used after this line</span><br />Packet::free(pkt);<br /><br />if (ptype_ == T_START)<br />{ ...</span><br /><br />As a result, my simulation only needs a steady 10MB or so of memory to run.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com2tag:blogger.com,1999:blog-8162022171916680919.post-18182010863124766332008-02-22T06:54:00.000-08:002008-02-22T14:56:32.636-08:00Multi-Agent Reinforcement Learning for Intrusion Detection: A case study and 
evaluation<div> </div><div> I gave this seminar on Feb 22nd at the <a href="http://www.cs.york.ac.uk/aig/">Artificial Intelligence Group</a>, <a href="http://www.cs.york.ac.uk/">Computer Science</a>, University of York.<br /></div><div> </div><div> Abstract:<br /><br />In this seminar I will present an architecture of distributed sensor and decision agents that learn how to identify normal and abnormal states of the network using Reinforcement Learning (RL). Sensor agents extract network state information using tile coding as a function approximation technique and send communication signals, in the form of actions, to decision agents. These in turn generate actions in the form of alarms to the network operator. By means of an on-line process, sensor and decision agents learn the semantics of the communication actions without any previous knowledge. In this presentation I will describe the learning process, the operation of the agent architecture and the evaluation results of our research work.<br /><br />The presentation is here:<br /><br /><iframe src="http://docs.google.com/EmbedSlideshow?docid=df35nn32_2249qtc2gc" frameborder="0" height="342" width="410"></iframe><br /><br /><br />And a video of a Denial of Service attack. Disclaimer: it may be disturbing for certain audiences (it contains cheesy music from ABBA).<br /><br /><object height="355" width="425"><param name="movie" value="http://www.youtube.com/v/X8Gumjf80Ig&rel=1"><param name="wmode" value="transparent"><embed src="http://www.youtube.com/v/X8Gumjf80Ig&rel=1" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"></embed></object><br /><br /></div>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com1tag:blogger.com,1999:blog-8162022171916680919.post-1399686841589437812007-08-23T02:51:00.000-07:002007-08-23T02:53:26.227-07:00Gnuwin32This is an alternative to get some <a href="http://gnuwin32.sourceforge.net/packages.html">GNU applications</a> (e.g. 
grep, gawk, ls, wget, etc.) on your Windows machine without installing Cygwin. It is not as powerful as Cygwin, but it does the trick for installing a few applications to run some scripts. For me it has been useful to run some scripts with gawk and wget.<br />To get it, download it from <a href="http://getgnuwin32.sourceforge.net/">http://getgnuwin32.sourceforge.net/</a>. It will probably redirect you to the SourceForge download page. I suggest downloading and installing all the packages instead of just the application that you need (e.g. wget). The package manager will then take care of any updates that your applications will need in the future.<br />After downloading and running the executable, it will ask for a destination in which to decompress the files. You can choose whatever you want. You will need to move it somewhere else later, so a good place may be “My Documents”. To install, follow the instructions. This is just a summary; if you want details you can check the readme file in the package.<br />1) Configure wget if you are behind a proxy (use bin\wget.ini).<br />2) Edit download.bat and select your mirror.<br />3) If 1 and 2 worked, it will start to download stuff (all the application packages).<br />4) After the download finishes, run install.bat. It will start to decompress the packages.<br />5) The following steps are optional, but I suggest doing them because it will be easier to work with the programs in gnuwin32.<br />6) You will now see a folder “gnuwin32”. You can move the entire directory to “C:\Program Files”.<br />7) After moving the entire gnuwin32 directory, run “update-links.bat” to update any orphaned links.<br />8) Copy the folder “Start Menu” inside gnuwin32 to the Start Menu of your Windows desktop. When executed, the shortcuts inside will automatically start a cmd in the gnuwin32 path.<br />9) That’s all. Enjoy.<br /><br />There are some more optional things that you can do. 
Because I do not use them, and because they can “mix up” some original Windows applications with programs of the same name in the GNU package, I will not explain them here. If you want to do it, check the readme file.<br /><br /><a href="http://gnuwin32.sourceforge.net/packages.html">Packages in GNUWin32</a>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-47670944203322496122007-08-17T02:06:00.000-07:002007-08-17T02:14:48.989-07:00A worm that strikes backOn August 9th the <a href="http://lists.sans.org/pipermail/unisog/2007-August/027405.html">REN-ISAC at Indiana University warned</a> the academic community about machines infected with the Storm worm. After being scanned, infected machines strike back with a flood DoS attack against the source of the scanning. According to the note, the process seems to be automated.<br /><br />Although the warning was issued to universities in the U.S., I am sure that it will also affect other universities and enterprises that have host scanning as one of their security policies.<br /><br />More notes:<br /><a href="http://www.informationweek.com/software/showArticle.jhtml?articleID=201800635&cid=RSSfeed_IWK_News">Information Week</a><br /><a href="http://www.theregister.co.uk/2007/08/17/storm_worm_attacks/">The Register</a>Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-88643984154080383022007-08-10T03:50:00.000-07:002007-08-10T03:56:40.608-07:00Spock or SpookyThis has nothing to do with my research, but anyway it was a little bit amusing, and worrisome, to do some research about this topic. A few weeks ago I learned about <a href="http://www.spock.com/">Spock</a>, a site for searching for people. 
I was eager to jump in and test what it was about (I did something similar for <a href="http://www.linkedin.com/">LinkedIn</a>, <a href="http://www.facebook.com/">Facebook</a>, <a href="http://www.myspace.com/">Myspace</a>, etc. some time ago), but then I thought about it. Even though someone offered me an invitation, I stopped and wondered: do I really want all my personal data to be in just one place?<br /><br />I mean, my data is out there in my blogs, my website, my profile in I do not know how many places. You just need to do some <a href="http://www.google.com/">Google</a> research to find my contact details and some information about me. So, is there any difference between “googling” me and searching for me in Spock? Well, there is. I am not in Spock. Nice, isn’t it?<br /><br />Well, but someday for sure I will be, so will there be any difference then? I think so. While searching for people with <a href="http://www.yahoo.com/">Yahoo</a>, Google or any other search engine you have to go through several pages to get all the data, in Spock you get it with just one or two clicks (depending on how common the name you are looking for is). The implications are so great (I am being sarcastic, if you haven’t noticed): you can have everything you need to run some online frauds, crack passwords, steal identities, etc. The possibilities are unlimited. I am being paranoid, yeah, maybe. On the other side, maybe hackers will not use it anyway; today it is a little bit slow, and online scammers rely on better applications than Spock to profile people (just <a href="http://www.newsfactor.com/news/Social-Networking-Sites-Are-Vulnerable/story.xhtml?story_id=012000EW8420">read this</a>). So, in the end I think that it will be very helpful to track down some of your old friends, colleagues and classmates. And why not, to amuse you a little bit finding curious details about people that share the same name as your friends or, better, to learn details that you did not know about your friends. 
Just to mention it, I learned zodiac signs, weird hobbies, sexual interests, trips, past relationships, etc. Every bit of information is there even though they did not share it with you; you just need to dig a little to find it.<br /> For now, if you are trying to find some friends to get in touch with, better use other methods such as Google. The Spock database is still very small. Finally, the concept is not new. There are other sites that do the same. The thing with Spock is that marketing played an important role in bringing it into the spotlight.Arturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0tag:blogger.com,1999:blog-8162022171916680919.post-91859281562949163992007-07-28T03:52:00.000-07:002007-07-28T04:01:47.267-07:00Digg and MicrosoftThis is not about my research, but I found it interesting to comment on.<br /><br />A few days ago Digg and Microsoft <a href="http://www.microsoft.com/Presspass/press/2007/jul07/07-25DiggPR.mspx">signed an agreement where Microsoft will be the provider of contextual advertising</a>.<br /><br />I predict some changes in Digg during the next six months:<br /><br />- You won't be able to criticize Microsoft; if you do, you will be banned<br />- You will need to use IE with DRM<br />- If you comment about Linux, you could be sued for infringement of bogus MS patents<br />- You could get infected by a worm just by clicking on posts<br />- You won't be allowed to submit news about Linux, Apple or Google<br />- The site will sometimes display a blue screenArturo Servinhttp://www.blogger.com/profile/13746081813770295985noreply@blogger.com0