Slashdot Mirror


CNN Asks "Can You Hack Back?"

dboothe writes: "CNN.COM has a somewhat interesting article on whether or not it is okay to fight back when being hacked. In the scenario they bring up with the WTO website, it seems pretty clear that they likely should have steered clear, working on the probable assumption that the IP address used was just a dummy machine that had been cracked previously. But what about other situations where it's more of a grey area?"

17 of 207 comments

  1. Moot by ViceClown · · Score: 3

    This is a moot point. Any cracker worth their salt is going to be behind so many machines that attacking back will be impossible without some for-real research and tracking. Just my $0.02.

    --
    Have a Happy.
    1. Re:Moot by josh_freeman · · Score: 3

      I am a system admin for a lab in an educational institution, and I can say that I'm pretty certain I would be nailed to a tree if I tried this. First, it is probably illegal. Fun, but still illegal. Second, since I am on a subnet, everyone else in my institution would be bogged down because of the increased traffic. Lastly, the previous poster is certainly right that in almost all cases a cracker won't be as daft as to use one IP address to launch a DOS attack. But it's fun to contemplate. . . .

  2. What's the point? by Grexnix · · Score: 3

    Somebody who's running a DDOS attack - unlike the hapless electrohippies - is going to be IP spoofing and using a multitude of machines. If you bounce all the attacking packets back, all you're likely to hit is a large number of machines belonging to innocent people with bad security.

    --
    Wait a minute, this sounds like rock and/or roll. - Rev. Lovejoy
  3. I am Reminded of a Proverb... by Tim+C · · Score: 5

    "Two wrongs don't make a right"

    As tempting as it may be to give them "a taste of their own medicine", the chances are that you're just going to be attacking an innocent bystander whose machine has been cracked, and is being used to launch the attack on yours.

    Even if you do hit back at the actual cracker, so what? So you trash his PC and some files; it's not like it's going to put him out of business, or cost him thousands of pounds to restore it.

    IMHO, the best thing to do is just find out as much as you can, co-operate with the authorities, and let them deal out any punishment.

    Cheers,

    Tim

  4. not a good idea by wrenling · · Score: 3

    Attacking back is just going to give the government and industries a reason to try and pass more controlling legislation. It's too close to them being able to create a "Wild West" analogy, where they would have to protect the "innocent women and children."

    There have long been accepted channels for handling these situations, such as contacting the sysadmins for the ISPs, *cough* the FBI & local police (Okay, I know, they are often clueless, but they aren't going to get MORE clueful if we keep going AROUND them!), etc.

    --
    Check out Magic Firesheep!
    1. Re:not a good idea by Michael+Spencer+Jr. · · Score: 3

      The FBI isn't always clueless.

      I just finished working with two FBI case agents out of Omaha Nebraska (*cough* SiliCorn Valley) regarding tracking down a UDP packet-storm DCA and a simple web site defacement of our 'honey-pot' machine.

      Generally, the FBI is clueless only when you throw your hands up in the air and say "I've been hacked!" and expect them to do all the work. If you can do the major investigation yourself (looking up ISPs with 'dig -x ###.###.###.### soa' and 'whois ###.###.###.###@whois.arin.net' and of course 'whois domainname.com' and 'nslookup ###.###.###.###') and draw them a picture, they follow along and understand very well.

      It was fun watching a tense meeting with two 'G-men' melt into laughing and joking. They seemed to understand the 'hacker scene' pretty well: the arms-race, the script-kiddies, and the major web sites you get exploits from. And they were visibly excited when they saw that I had done their footwork for them.

      Even if the local FBI agents are somewhat clueless (which these weren't) they have someplace full of very clueful people who can analyze your logs for you. If you come across as knowledgeable, they'll recommend you to the analysis people, and they'll work with you.

      (And remember: When you're getting DCA'ed, 'tcpdump -n -i eth# | gzip > capture.log.gz' is very very useful evidence. When you get your upstream ISP to filter out the flood traffic, sometimes the originator of the attack will ping you to see how your connection is doing. Those little innocent probes in between major shifts in attack activity make for great evidence.)
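An added example, not part of the thread: this Python script reads `tcpdump -n` text output like the capture recommended in the comment above and lists ICMP echo requests that reached the flooded host during quiet seconds, the between-phases probes that comment describes as evidence. The capture lines are constructed, and the victim address 192.0.2.10, the destination port and the `flood_pps` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed capture text in `tcpdump -n` format; all addresses are from
# documentation ranges and 192.0.2.10 stands in for the flooded host.
SAMPLE = """\
12:00:00.100000 IP 203.0.113.7.4242 > 192.0.2.10.7777: UDP, length 512
12:00:00.200000 IP 203.0.113.8.4243 > 192.0.2.10.7777: UDP, length 512
12:00:00.300000 IP 203.0.113.9.4244 > 192.0.2.10.7777: UDP, length 512
12:00:00.400000 IP 198.51.100.77 > 192.0.2.10: ICMP echo request, id 9, seq 1, length 64
12:00:01.100000 IP 203.0.113.7.4242 > 192.0.2.10.7777: UDP, length 512
12:00:01.200000 IP 203.0.113.8.4243 > 192.0.2.10.7777: UDP, length 512
12:00:01.300000 IP 203.0.113.9.4244 > 192.0.2.10.7777: UDP, length 512
12:00:31.500000 IP 198.51.100.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:31.500400 IP 192.0.2.10 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
12:01:40.000000 IP 198.51.100.9 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+) > (\S+): (.*)$")

def ip_only(endpoint):
    """Drop the trailing .port that tcpdump appends to UDP/TCP endpoints."""
    return ".".join(endpoint.split(".")[:4])

def parse(text):
    """Yield (second_of_day, src_ip, dst_ip, is_echo_request) per IPv4 line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, dst, rest = m.groups()
            yield (int(h) * 3600 + int(mi) * 60 + int(s), ip_only(src),
                   ip_only(dst), rest.startswith("ICMP echo request"))

def quiet_probes(text, victim, flood_pps=3):
    """Map source IP -> timestamps of echo requests sent to `victim` during
    seconds in which inbound traffic stayed below `flood_pps` packets."""
    inbound = [p for p in parse(text) if p[2] == victim]
    per_second = Counter(t for t, *_ in inbound)
    probes = defaultdict(list)
    for t, src, _, is_echo in inbound:
        if is_echo and per_second[t] < flood_pps:
            probes[src].append(t)
    return dict(probes)

if __name__ == "__main__":
    for src, seen in quiet_probes(SAMPLE, "192.0.2.10").items():
        print(src, [f"{t//3600:02}:{t%3600//60:02}:{t%60:02}" for t in seen])
```

The decompressed text of a capture saved as in the comment above can be passed as `text` in place of `SAMPLE`; echo requests that arrive during a flood second are deliberately left out because they cannot be told apart from the flood itself.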

  5. I wouldn't. by Booker · · Score: 5
    There's generally no good reason to hack back, I think. (Unless identifying and reporting the hacker constitutes hacking back...)

    I use PortSentry as one line of defense, and if someone scans the box, they just get dropped into a black hole. (Actually, them and their subnet, in case it's a dynamic IP on a dialup.)

    PortSentry allows you to run any arbitrary command when a scan is detected, but he warns against retaliatory action:

    I NEVER RECOMMEND PUTTING IN RETALIATORY ACTION AGAINST AN ATTACKING HOST. Virtually every time you are port scanned the host doing the scanning has been compromised itself. Therefore, if you retaliate you are probably attacking an innocent(?) party. Also the goal of security is to make the person GO AWAY. You don't want to irritate them into making a personal vendetta against you. Remember, even a 13 year old can run a [insert favorite D.O.S. program here] attack against you from their Windows box to make your life miserable.

    Sounds reasonable to me...

  6. Another Age-Old Debate. by Alarmist · · Score: 3
    Really, this is not much different from the arguments regarding the use of force in defending one's home against a burglar. True, the stakes are different (lives versus property), but the story is the same, as are the concerns:

    • There is the danger of injuring innocent bystanders (shooting through the wall and hitting someone else/destroying a hapless innocent's machine).
    • The use of force may deter the individual offender, but won't necessarily stop potential offenders.

    The difference here is that in cracking attempts, one can easily find oneself enmired in a situation where attempts escalate as the cracker and defender each try to outdo the other. This isn't the case with breaking and entering, as it usually only happens once, and if someone is killed, they cannot continue the escalation.

    What recourse do system administrators have? They can build the best defenses possible, but any system built to connect to another can be compromised. The law may or may not be on their side should they decide to retaliate, but law enforcement is notoriously slow to respond in cases of electronic intrusion.

    Perhaps the only viable alternative at this time is to strike back. Who can say?

  7. Some informed opinion on the subject... by mav[LAG] · · Score: 5
    can be found at Attrition's page on the subject. In a nutshell, it's much harder than it looks, legally questionable and more often than not ends up screwing around with innocent third parties.

    --
    --- Hot Shot City is particularly good.
  8. NWFusion has a feature on this this week... by bemis · · Score: 3

    NetworkWorld Fusion (idg.net subsidiary) has a pretty good feature on this this week, and from what i gathered from it most netadmins/sysengineers *wanted* to go back after people in the process of penetrating their systems, but the overwhelming majority *wouldn't* ... they opted for setting up 'honeypots' and the like to lure the criminals in and monitor them (presumably) long enough to confirm identity/ensure enuf info is gathered for conviction... check it out ... good article.

  9. Doing the attacker's dirty work by Phaid · · Score: 3

    The problem with even having this discussion is that it assumes that the victim of the initial attack, and the attacker, are operating in a vacuum -- or at least that they both have direct connections to internet backbones. Most times this is not the case; both parties have upstream ISPs that carry their outbound and inbound traffic to the rest of the world. In the unlikely event that the victim can locate the true source of the attack, and not just an owned machine, retaliating against the attacker will constitute an even greater load on the victim's ISP and probably create a DOS condition at the attacker's ISP.

    Let's do the math: we retaliate, and twice as many people (or more) are subjected to a DOS. Hmm, doesn't sound like a good strategy.

  10. Crack Backs and Spam by Gorbie · · Score: 5

    I do not like crack backs or spam

    I would not try it from my box,
    I would not try it in my sox,

    I wouldn't use your subnet,
    I despise the cracks and spam and yet,

    you ask would I do it if I thought I could,
    you ask would I do it whether I thought I should,

    The 'puter in the middle is just a little pawn,
    They don't like it either, the damage that is spawned.

    they are witless, a helpless little lamb,
    and so I do not like crack backs and spam!

  11. Re:Legality of fighting back by Legolas-Greenleaf · · Score: 3
    Hmph... i actually consulted the RCMP computer crimes division on this matter, since i was getting attempted DoS/portscan attempts on my home machine for an entire weekend. (attempted. ipchains and portsentry makes me happy).

    Anywho, apparently, in Canada, portscans and the type are not illegal. It isn't even illegal to *attempt* to break in... you haven't broken the law until you actually access the machine. The RCMP officer type I spoke with (who was quite accustomed to Linux - I was impressed) likened it to Girl Guides knocking on your door, which isn't illegal (I argued that if they started checking every door and window for days straight, it would be different, but that's another story entirely).

    My point? Oh yes... in Canada, unlike other countries, it isn't illegal to portscan or pingflood. So, i guess, that would make the automatic response legal in Canadian airspace too. Just for anyone who is interested. I guess the attitude is that it is *impossible* for the law to go after every single attempt, and that being portscanned/pingflooded/etc. is just a risk you take going on the Internet, and it is up to the end user to set up the appropriate defenses (which was, incidentally, what the ISP that hosts both me and my *active* attacker told me.)

    I hope somebody gets something out of that. ;^)
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

  12. Re:There is nothing wrong with Self-Defense by Tim+C · · Score: 3

    In the case of defending yourself physically, you can be pretty certain that you're hitting the right person. Your life may also be in danger if you don't fight back.

    When your machine is under attack, and you strike back, you can not be certain that you're toasting the right machine.

    Whatever you may think of a person whose machine is so open to attack that someone can successfully use it to launch an attack against yours, they do not deserve to have their machine toasted for it. If you do that, you're little better than the cracker you're trying to hit back at.

    I can perfectly understand the desire to attack, but the likelihood of hitting the wrong person is just too high for my liking.

    We all have a duty to be responsible netizens, after all.

    Cheers,

    Tim

  13. Automated reactions could be looped by gotan · · Score: 4

    It's a bad idea to set up something that 'automatically hacks back' e.g. launches an attack back at the attacker. The reason is, that now the hacker doesn't even need to launch his own attack, he only needs to tickle a system in the right way to provoke a reaction, if that reaction acts against another host with the same system installed: wonderful, we have a loop.

    It gets even better if the mail, seeing that one mailer is overburdened, gets redirected to an alternative host (or something similar for other services) ... now all we need is the routers in between reacting to the enhanced network traffic for a nice chain reaction (did you ever see the video with the room full of table tennis balls on mousetraps).

    Just try to imagine that you are the sysadmin who later should sort out the mess, maybe it was even started by some accident or some rampant virus.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  14. Re:Not Really Hacking Back by technos · · Score: 3

    I have to admit, I have been known to retaliate. But I draw the line at actual harm; If they've portscanned me or played funny with my mailserver, I'll send them the compliment of malformed packets likely to halt their Windows box. If I see NT on the other end, they get a nice popup 'Touch the box and die' courtesy of Windows Messaging and SMB. If they've ICQ spammed me more than once, they get a few hundred spoofed messages, randomly sent on a crontab.

    Annoying at worst, and a deterrent to 98% of the skript kiddies. The other 2% are the determined ones, and I just change IP. They'll spend all night looking for me again, bent on revenge they can't get.

    And what if I get the wrong person/box? Whoop. A Windows box froze, or they got an odd popup message. Like that never happens in the course of normal operation...

    --
    .sig: Now legally binding!
  15. McDonald's coffee (WAY, WAY OT) by dillon_rinker · · Score: 3

    If I spill hot coffee on myself at McDonalds and burn my lap
    Two facts:
    1. The coffee was around 200 degrees.
    2. The lady was in the drive-through

    Two questions:
    1. Why would you serve coffee that is hot enough to cause third-degree burns?
    2. Where do you put your drink when you go through the drive through?

    I don't believe McDonald's was found guilty of any wrongdoing; rather, they were found guilty of negligence - a legal term that means "They should have known better." McDonald's should have known that many (if not most) of their customers put their drinks in their laps, and that their coffee would cause third degree burns. Given those two undisputed facts, it is a statistical certainty that someone's crotch would get burned badly.

    Keep in mind also that all the woman wanted initially was for McDonald's to pay part of her medical bills. If they had said "We're so sorry" and written a small (to them) check, it would have been over and done with. Instead they said "You STUPID woman! You should have known better!" and promptly launched a propaganda campaign that has clearly had its intended effect, as evidenced by that note in your post. So the woman sued for millions and won.

    It's funny, as anti-corporate as the typical /.er seems to be, they sure buy the corporate propaganda, hook, line, and sinker.