Some of the best Internet minds in the world met for the first time last week to brainstorm new ways to defend against 'Net-clogging threats.

The Usenix invitation-only workshop, called Steps to Reducing Unwanted Traffic on the Internet (SRUTI), brought together more than 50 technical staff from equipment vendors and ISPs, as well as academics from all over the world, to develop practical methods to cut down on spam, viruses, worms and denial-of-service attacks. Sruti, by the way, is a Sanskrit word meaning "that which is heard".

Participants exposed fresh ideas to expert criticism, sometimes resulting in helpful suggestions and sometimes pointing out significant problems.

One promising proposal would help wipe out the bulk of distributed DoS attacks near their sources, but not those attacks in which the aggressor machines use spoofed IP addresses. Even though the proposal wouldn't block all attacks, it was still considered feasible because it would mitigate the bulk of distributed DoS exploits that rely on networks of unspoofed zombie machines - botnets - to fire off the attacks.

On the flip side, another presentation advanced a relatively simple method of encrypting e-mail that would also authenticate the sender and receiver. But this was pretty much shot down when one attendee pointed out that encrypting e-mail would render useless spam filters that search content and subject lines for key words. "You have just proposed an excellent tool for spammers," he said. The author didn't have an answer for that.

Practicality seemed the watchword for the day. The author of the presentation on blocking distributed DoS attacks said there have been proposals that would be extremely effective if there were separate IP address spaces for servers and clients. "This has real possibilities if only we were redesigning the Internet from scratch," says Mark Handley, the researcher from University College London who presented the proposal.

Instead, his proposal would introduce devices near Internet servers and at the edge routers of ISPs to mark and monitor traffic to the servers. When a distributed DoS attack was detected, these devices would block at the edge routers traffic from addresses identified as the source of the attack. These devices could effectively reduce distributed DoS traffic within a single ISP's network, Handley says. This enforcement could be extended to other ISPs and block attacks even closer to the source if the ISPs involved could develop enough trust to share knowledge about their networks, he says.

Dealing with spam
While distributed DoS drew much attention, SRUTI presenters also focused on spam, which accounts for the vast majority of email crossing the Internet.

One researcher described a way to analyse the senders and recipients of emails in conjunction with a traditional spam filter to boost the overall effectiveness of spam protection. The algorithm reduces the amount of good email that is identified as spam by about 20 percent, according to Jussara Almeida, a researcher at Universidade Federal de Minas Gerais in Brazil. "This is important since the cost of false positives is usually believed higher than the cost of false negatives," she said.

The study by her team divided senders and recipients into groups based on who routinely receives legitimate email from whom. The memberships of these groups - essentially contact lists - are more stable than criteria used for other screening methods such as looking for keywords, Almeida said. Spammers can change the words selected for spam to duck keyword filters, but establishing themselves as members of trusted groups is more difficult, she said.

The algorithm weighs the probability that any message sent from a certain group of senders to a specific group of recipients is spam. It is effective at sorting a certain percentage as definitely spam and definitely not spam, with a grey area in between. The researchers are working to tweak the algorithm to reduce the size of the grey area, she said.

And now they're Spitting too
A similar method of sorting IP voice mail spam - spam over IP telephony (SPIT) - also relies on senders and receivers. This is key in filtering SPIT because the point is to get rid of the unwanted messages without having to waste time listening to them, which would be required if the content were examined.

"You don't have to look at content to get a pretty good idea of what is going on," says Steve Bellovin, a professor at Columbia University and a moderator at SRUTI. "This has been useful in the intelligence community for years."

Researchers from the University of North Texas, Denton, have created a voice spam detection server they say can identify a "spitter" after just three calls to users in a given group, such as a corporation. The server analyses where calls are from and whether messages left by those sources are likely to be SPIT based on the experience users have had with calls from the same sources, said Ram Dantu, a researcher at the university.

While this particular defence would be the same all the time, some of the proposals called for dynamic defence systems that change as the nature of threats change. Based on the severity of a detected attack and other network conditions, an adaptive defence can adjust its response to minimise the amount of false positives and false negatives, says Cliff Zou, a researcher at the University of Massachusetts, Amherst. False positives and negatives can both prove costly to users, either by blocking important legitimate traffic or failing to block an attack.

One possible downside to this idea of measured response is that attackers might lull such defence systems into less restrictive modes and then hit with sudden, intense barrages that could have devastating effect before an adequate defence could be mounted, according to reactions to the talk.

Other ideas floated at the workshop ranged from setting up honeypots to lure spammers and then tie up their resources, to simulating network congestion to see how suspicious traffic streams respond as a way to determine whether a person is behind the session or a zombie machine sending automated responses.

In aggregate the 13 papers presented last week represent a springboard for producing a faster Internet, said Dina Katabi, an MIT professor and co-chairman of the workshop. "The talks have proposed promising solutions that address important problems," she said.