Slashdot Mirror


Using Honeypots to Fight Worms

scubacuda writes "Laurent Oudot, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"

229 comments

  1. Honeypot for lawyers by rot26 · · Score: 4, Insightful

    Sounds like a lawsuit waiting to happen, unfortunately.

    --

    To ensure perfect aim, shoot first and call whatever you hit the target
    1. Re:Honeypot for lawyers by zasos · · Score: 0

      what's honeypot?

      --

      Just because I don't care, it doesn't mean I don't understand. Homer J. Simpson
    2. Re:Honeypot for lawyers by Anonymous Coward · · Score: 0

      what's honeypot?

      About $100 for a quarter-ounce.

    3. Re:Honeypot for lawyers by zasos · · Score: 3, Informative

      Never mind... RTFA :) Here's what it says in the article: Honeypots are computer elements helping to delude aggressors. On a production network, evil hackers will attack some kind of fake system, losing time in doing so and giving information about themselves and their methods [ref 4]. When a honeypot is a dedicated host uniquely used to delude aggressors, it is supposed to play no role linked to systems in production. This implies that every request directed to the honeypot is suspect. While honeypots are often thought to be used for passive analysis, they can also play an interactive role to deal with worms. Two kinds of honeypots are often used: high interaction: a kind of real host is usually almost sacrificed (called a "sacrificial lamb") on a network while waiting for any aggressor; low interaction: services and/or hosts are simulated (for example, Honeyd by Niels Provos).

      --

      Just because I don't care, it doesn't mean I don't understand. Homer J. Simpson
    4. Re:Honeypot for lawyers by scubacuda · · Score: 1
      I totally agree.

      Imagine one or more of the following shit-uations:

      • Hacker is smarter than those who created honeypot.
      • Honeypots set up poorly.
      • The lawyer of this 12 yro arguing that it was an "attractive nuisance" (anyone know how much water this argument could hold?)


    5. Re:Honeypot for lawyers by nate1138 · · Score: 1

      Could you argue self-defense? If somebody is hitting me over the head with a bat, and I shoot them in the arm to make them drop the bat, that is self defense. This seems to me to be very much the digital equivalent of the bat scenario. It would be interesting to watch it play out, anyway.

      --
      Where's my lobbyist? Right here.
    6. Re:Honeypot for lawyers by SirLantos · · Score: 3, Informative

      A honeypot is a server that is intentionally left insecure to lure a cracker into trying to break into it.
      It is kind of like leaving your car doors unlocked in the middle of NYC and pointing a video camera at it to see who tries to steal it.

      --
      The flying hamster of DOOM rains coconuts on your pitiful city.
    7. Re:Honeypot for lawyers by ePhil_One · · Score: 2, Informative
      If somebody is hitting me over the head with a bat, and I shoot them in the arm to make them drop the bat, that is self defense. This seems to me to be very much the digital equivalent of the bat scenario.

      1) Shooting is only justified if you feel your life is in danger and you are incapable of running away. Pretty arguable point when the attacker is only wielding a bat.

      2) Unless your Iron Lung is hooked to the internet, no internet attack is an attack on your life. If I steal your laptop from your trunk, you are not conferred the right to break into my car. So it's a pretty different situation.

      --
      You are in a maze of twisted little posts, all alike.
    8. Re:Honeypot for lawyers by Anonymous Coward · · Score: 0

      I don't know about you people, but even if I was infected by a worm, I'd rather not be hacked "just to clean up the infection".

      While I can understand the frustration that an infected system can cause, I still think there are other, less drastic measures that could be taken against an end user.

      Oh well, maybe I don't understand the situation as well as I would like to, but that's my .02 cents. (or sense, as some would say)

    9. Re:Honeypot for lawyers by nate1138 · · Score: 2, Insightful

      Yeah, but if I do break into your trunk, what the hell are you going to do about it? Go tell the police that somebody stole your stolen laptop?

      In addition, that scenario is flawed. In the theft scenario, the crime is already complete, and what is being done is revenge (which is wrong). I think both of us have flawed analogies. A more accurate representation would be if somebody was breaking into my house, and I hit them with a fucking brick to make them stop.

      --
      Where's my lobbyist? Right here.
    10. Re:Honeypot for lawyers by Anonymous Coward · · Score: 1, Funny

      My girlfriend has worms in her honeypot. Thank goodness for vaginal creams!

    11. Re:Honeypot for lawyers by DarkZero · · Score: 1

      I believe he was referring to "launching counter attacks to clean infected hosts", which sounds less like a honey pot and more like an automated hacking script. At the very least, the description of it would be reason enough for someone to TRY a lawsuit against them if one of their honeypots makes contact with their machine.

    12. Re:Honeypot for lawyers by Anonymous Coward · · Score: 0

      You bastard! Leave that donkey alone!

    13. Re:Honeypot for lawyers by Smidge204 · · Score: 1

      An interesting (and fairly accurate) analogy, especially since that's a fairly common trap used by the police.

      Leave a car on the street, put a tiny camera in it to catch the faces of anyone sitting in it, and as an added bonus put in a remote control device to kill the engine and lock the doors/windows to make it easier to catch the guys. (Obviously the cops have to wait until the thief starts to drive off, then it's a little hard to claim they weren't trying to steal it!)
      =Smidge=

    14. Re:Honeypot for lawyers by dollar70 · · Score: 2, Insightful
      I don't know about you people, but even if I was infected by a worm, I'd rather not be hacked "just to clean up the infection"

      Get a clue! If the honeypot system is trying to knock out your computer, you've already been hacked!!! Your computer has gone rogue! In fact, it's almost as bad as the dog jumping the fence and mauling people!

      And don't give that sorry excuse: "so two wrongs make a right, eh?" That's no way to run the internet! The internet is supposed to attempt to fix itself when things break. If that means taking out the noise generated by a mad dog computer, then so be it!

      Hey, it's not like your "infected" computer was doing you or your company much good at that point anyway, so the counter attack is irrelevant.

    15. Re:Honeypot for lawyers by jon3k · · Score: 1

      They've been doing exactly that for several years. Makes for some pretty good video footage :)

    16. Re:Honeypot for lawyers by Anonymous Coward · · Score: 0

      I need to move to Texas.

      Where I live (Maryland) you can shoot someone in self defense, if you feel your life is in danger.

      However if they are there to steal stuff, you have to sit there and watch them carry out your entertainment center while you wait for the police, who may or may not show up.

      If you feel your life is in danger and you cannot escape, you may shoot. However, then you are subject to be sued by the thief's wife for lost income (even if this income is from crime). I can point you at cases in the news.

      What a sad fscking world we live in. I am gonna start looking for a job in Texas.

      l8,
      AC

    17. Re:Honeypot for lawyers by Anonymous Coward · · Score: 0

      yep... there is always some opportunistic attorney that will create hell for anyone that tries to do good for the majority of people and somehow impedes criminals.

      Attorneys suck ass. Maybe I should become one.

      Ahh that's right, screwing innocent people by helping criminals walk all over them isn't in my nature.

      l8,
      AC

    18. Re:Honeypot for lawyers by Anonymous Coward · · Score: 0

      Florida is OK too, although the "I felt my life was in danger" defense may or may not work, depending on the judge/jury. You are allowed to use deadly force to prevent a FELONY, however, just being beaten up doesn't qualify as a felony unless they cause "grievous bodily harm", which is essentially defined as a broken bone or loss of consciousness.

    19. Re:Honeypot for lawyers by Archfeld · · Score: 1

      So you hacking a computer that is infected is OK?

      Sorry, that is just as wrong and illegal. Getting the infected comp yanked off the net is one thing, but making unauthorized changes, whatever your intent, is just as bad as the original person who spread the virus. Now if say your ISP were to have you sign an agreement giving them the right to preserve the network stability by making local host changes, you would be covered, and MORE POWER TO YA, but as it stands now most ISPs have only one recourse and that is drop you off-line...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    20. Re:Honeypot for lawyers by Joe+U · · Score: 1

      You are right. I recommend an automated system that unroutes the infected system's entire netblock until it's fixed.

      Convince the core routers they don't exist, that should solve the problem fast. (Might speed up the Internet as a whole too)

      (Unroutes? Is that a word? Deroutes? Removes network routing entry from router.)

    21. Re:Honeypot for lawyers by chimpo13 · · Score: 1

      That depends on what state you're in in the US. Say we're both in Louisiana and you come up trick-or-treating. I open the door and shoot you. That's legal in Louisiana. Or maybe that's only legal if I'm white and you're not. Although that sounds like I'm race baiting, I'm not.

    22. Re:Honeypot for lawyers by reverius · · Score: 1

      I read that article. It made me sick.

      How exactly was Rodney Peairs acquitted? The article doesn't even begin to address that (or the utter immorality of it IMHO), and focuses instead on an entirely non-sequitur issue.

      As far as I can tell, the issue of that case is -not- gun control. The issue is that a white American killed a Japanese man and got away with it.

    23. Re:Honeypot for lawyers by dollar70 · · Score: 1
      Sorry, that is just as wrong and illegal.

      So by that logic an infected computer attacking your computer and attempting to infect it with malicious code should be considered legal?

      I agree that installing a security patch on the infected computer is probably not the best approach. I prefer the idea of blasting them off the internet with such a devastating counter attack that it will take the administrator(s) of the infected system days or even weeks to recover.

    24. Re:Honeypot for lawyers by chimpo13 · · Score: 1

      From what I've read about that case, the Japanese kid showed up thinking that was the house where the Halloween party he was going to was at. The guy freaked out and told the kid to freeze. The kid, being Japanese and all, didn't understand the slang of "freeze". So the crackpot ended up shooting the kid to death.

      Try googling on the guy's name. Or Louisiana halloween shooting japanese

    25. Re:Honeypot for lawyers by Gorignak · · Score: 1

      These are perfectly legal tactics and systems. The honeypots I've heard about were more like systems intentionally and obviously left open for hackers, viruses, and worms. It's more of a tactic of using a gill net to catch fish rather than a fishing pole. They want to see what's out there for research purposes, not entrapment ones. Although, I would support using them for entrapment.

    26. Re:Honeypot for lawyers by Flamerule · · Score: 2, Informative
      Shooting is only justified if you feel your life is in danger and you are incapable of running away. Pretty arguable point when the attacker is only wielding a bat.
      Mostly wrong. For example, in the jurisdiction of New York, see this page, or Google yourself. Quote:
      When one believes that the use of deadly force is justified, one has a duty to retreat before using such force if one knows one can do so with complete safety.
      Running away from a guy beating you with a bat is not "complete safety". You would be entirely justified in defending yourself in this situation, and as far as the degree of that defense:
      ... one may justifiably use "deadly physical force" to defend herself from what she "reasonably believes to be the use or imminent use of unlawful physical force."
      The question isn't even the deadliness of the assault, just its unlawfulness.

      The page I linked also listed the relevant law in other jurisdictions. Of the states they list there, Delaware seems to have the most onerous requirement for the victim, in that he must retreat if he can do so "safely". All the other states either use the term "complete safety", or don't have a requirement for flight to be considered at all. That means that a victim in those states is never required to run away before wounding/killing his attacker.

    27. Re:Honeypot for lawyers by devilspgd · · Score: 1

      Is this any different than setting up an HTTP system that returns a chunk of code?

      As long as the system only responds to requests, in a bandwidth reasonable way (not a DoS of any sort), then are you really breaking any law?

      I doubt this would get far in civil court either, since the "victim"'s computer initiated a hack attempt first.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    28. Re:Honeypot for lawyers by devilspgd · · Score: 1

      "ROUTE DELETE *" should do the trick.

      Drop all routes, or drop the default gateway... ?

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    29. Re:Honeypot for lawyers by devilspgd · · Score: 1

      If you hit me with your fists, I am 100% justified to hit you back with my fists.

      If you hit me with a bat, I am 100% justified in removing the bat from your possession.

      I wouldn't suggest making an "attack" damage the machine, just stop the active attack in progress.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    30. Re:Honeypot for lawyers by devilspgd · · Score: 1

      And regrettably, you're probably unable to shoot their ass if you're unconscious.

      However, how about to prevent a felony? "I thought he was going to break my arm"?

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    31. Re:Honeypot for lawyers by devilspgd · · Score: 1

      You like sucking ass?

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    32. Re:Honeypot for lawyers by Brendan+Byrd · · Score: 1

      Lawsuits? Definitely.

      launching counter attacks to clean infected hosts

      Oh, you mean like Nachi? Yeah, good idea. My ISP is STILL trying to clean that shit out! Damn "cleaner" virus is worse than the thing it's trying to clean. CodeGreen might have been a good idea, but it's easy to create a monster that you can't contain.

    33. Re:Honeypot for lawyers by Yottabyte84 · · Score: 1

      Fsck, I hate that damn thing. Had firewall rules in place to protect our lusers from it, but the laptop monkeys got infected at the university and it got on the LAN. Damn thing kept popping up.

    34. Re:Honeypot for lawyers by Strog · · Score: 1

      Better be careful who you blast off the network. The more sophisticated these worms get, the harder they are to track. You could be blasting the wrong machine and now who's in the wrong?

      Even if you find the right target, most blasting techniques affect routers and other users along the way.

      Vigilantism is just asking for trouble.

  2. Counter attacks don't work by bobbabemagnet · · Score: 4, Insightful

    We are all well aware of Welchia and the fact that it caused nearly as much nuisance as Blaster. Let us learn from this and never again release a worm for good purposes.

    1. Re:Counter attacks don't work by Neon+Spiral+Injector · · Score: 1

      Or at least one that isn't so enthusiastic about finding hosts to clean.

      I'm still waiting for Jan. 1st, 2004.

    2. Re:Counter attacks don't work by IncarnadineConor · · Score: 5, Interesting

      That was proactive, the solution described here is reactive. Rather than using network resources searching for infected computers, it would only respond to infected computers that attempt to infect it. Seems somewhat reasonable to me.

    3. Re:Counter attacks don't work by gorfie · · Score: 5, Interesting

      There's a difference between Welchia and this concept though. Welchia *SEEKS OUT* infected hosts, which is why it was so damaging. The honeypot would only attempt to fix machines that are already infected, it wouldn't probe and spread like Welchia.

      However, as another poster said, it's a lawsuit waiting to happen. Even if the project were technically successful, some schmoe out there would try to abuse it somehow.

    4. Re:Counter attacks don't work by David+McBride · · Score: 2, Insightful

      The advantage here is that the server would *only* counter-attack a box with a fix if it was attacked first.

      Although decidedly risky legally-speaking, it would mean that only vulnerable hosts would get contacted and have fixes forcibly deployed on them -- meaning that as the original infection dies down then so too will the number of forced deployments.

      The key problem with the Welchia worm is that it simply didn't go away. It continues to actively probe and scan for vulnerable machines indefinitely -- and enumerating IP addresses and attempting connections to each one generates a lot of traffic.

      No, technically speaking this could be a far better solution than a self-propagating worm. Although not necessarily suitable for the 'net at large, it's definitely viable for, say, a deployment within an organisation which would therefore -- by definition -- own and be permitted to patch all the machines on the local network.

      You still have to be very careful that the forced patch deployment doesn't break something else -- but that's not a new problem.

      I'm going to go read the article now...

    5. Re:Counter attacks don't work by Charlie+Bill · · Score: 1

      Honestly -- I knew there were worms like this, but I hadn't heard of Welchia...

      Clearly what we need is a worm to clean the worm that cleans the worm. And a worm to patch the worm to clean the worm to clean the worm. Etc.

    6. Re:Counter attacks don't work by AndIWonderIfIWonder · · Score: 2, Informative
      In fact the article even infers that it should be used in a department or organisation and not on the net, and mentions the ethics of such a procedure.

      This script, given strictly as an example, can be improved upon by using evolved programming languages such as VBS. A longer example [ref 13] has been tested on a research network, cleaning our infected hosts in a few minutes.

      Some SysAdmins were recently polled to determine if it is ethical to take active defense measures in such a targeted, counter offensive way, within a network their organization owns. The results can be seen here [ref 14, page 29 & 32] (76 respondents).

    7. Re:Counter attacks don't work by pebs · · Score: 2, Insightful

      I think a honeypot such as this (or any honeypot) would be useful within an internal network. So set it up in your LAN, so that you can find out about a potential worm or intruder earlier. Launching a counterattack would be fine within an internal network, but it would be very foolish to do this on the internet -- that would get you in legal trouble.

      --
      #!/
    8. Re:Counter attacks don't work by psychofox · · Score: 1

      Whilst I agree with you in principle, it is hardly logical to argue 'some guy tried once and it didn't work, so it should never be attempted again...'

    9. Re:Counter attacks don't work by silicon+not+in+the+v · · Score: 2, Insightful

      Yeah, unless the worms spoof IP addresses. That is going to open up the legal trouble when the "counter" action starts hitting wrong machines.

      --
      We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
    10. Re:Counter attacks don't work by Tim+C · · Score: 2, Interesting

      Seems somewhat reasonable to me.

      Unfortunately, what is reasonable and what is legal are not always the same thing. Anyone considering embarking on such a project would be very well advised to consult with a lawyer before getting too far into it.

    11. Re:Counter attacks don't work by t0ny · · Score: 2, Interesting
      It seems perfectly obvious (to me, anyway) that eventually we will reach a point where all this will have to be done by machines; in that light, this is a step in the right direction.

      When you have hackers using automated systems, remote controlled computers, etc, to do their hacking for them, we will eventually reach a point where we, too, will need to use automation to fight them.

      This is the exact same pattern you see in every other area where automation is now being used: nuclear power, jet aircraft, etc. Of course, just as with those fields, people should still be required to know how to do the job manually, but the automation will be an eventual happening in networking. I'm surprised it's taking as long as it has.

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

    12. Re:Counter attacks don't work by PhilHibbs · · Score: 1
      Unfortunately, what is reasonable and what is legal are not always the same thing.
      Then the law needs to be revised - a definition of "an active, compromised machine" worked out, and a provision for designated organisations to be empowered to react to attacks from such compromised machines in such a way as to prevent the attacks. Whether this is patching the machine or crashing it, I really don't mind. Do IP blocks have email contact info associated with them in a similar way to domains?
    13. Re:Counter attacks don't work by ctr2sprt · · Score: 1
      No. It is never acceptable for anyone to do anything on my computer without my express prior permission, end of story. It's not "somewhat reasonable," it's not reasonable at all. We need to clamp down on this hard before people start acting on their "good wishes." It only takes one or two people to cripple the entire Internet nowadays; we need to make it perfectly clear that this sort of thing is simply not acceptable and never will be.

      I will cheer just as loudly when the makers of "benevolent worms" are sent to prison as when makers of destructive worms are, because they are exactly the same thing in every way.

    14. Re:Counter attacks don't work by zangdesign · · Score: 1

      Seems somewhat resonable[sic] to me.

      Completely overlooking the fact that the response is to alter a system that is not under your control without the owner's permission. You can block at the router if you want, thereby denying traffic from the host, but I would argue that making alterations to another's system without permission is exactly as unethical (and probably illegal, depending on jurisdiction) as the original worm.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    15. Re:Counter attacks don't work by gorfie · · Score: 1

      So... just as you would have the owners of the honeypot be accountable for doing something to your computer, shouldn't they be able to hold you accountable for doing something to their computers? Seems to be a washout in the end... although for their single attack on your computer, you will have attacked at least one of theirs as well as those of many other people/organizations.

      I think we're defining the line between vigilantism and self-defense. Welchia is a kind of vigilante worm... the honeypot is more like self-defense.

    16. Re:Counter attacks don't work by shaitand · · Score: 1

      Actually, although your point is unchanged by it, the Welchia fallout was far, far worse than Blaster ever was. The simple reason is Welchia clogged the bandwidth pipes in a way Blaster never dreamed. Effectively cutting off most of the net... at least for the state of IL where I work on these issues for users spread all over the state.

    17. Re:Counter attacks don't work by herrvinny · · Score: 1

      As long as the "wrong" computers are patched correctly, no problem.

    18. Re:Counter attacks don't work by davburns · · Score: 2, Insightful
      I look at the life-cycle of a worm as follows:

      • Infancy: The worm starts from one computer, and begins to spread.
      • Adult: The worm has tried all 2^32 addresses in the IPv4 internet. The worm continues to spread, however, as machines come and go, and may "leak" into networks not directly connected to the Internet.
      • Lingering: Patches are available and national news covers the story, so everyone knows they need to update their machines, and almost everyone does. A few leftover machines (unadministered, presumably?) keep the worm alive, though. It continues to infect forever, unless the worm suicides (and the suicide works) as long-dormant machines re-connect to the internet, or are re-installed from media of old OSes.
      Counterattacks are generally not developed fast enough to deploy in the infancy phase, when they might actually be useful in giving admins a little more time to patch. Slowing the spread of a worm might be done just as effectively with standard tar-pit/sticky honey-pot methods.

      Once the worm reaches the adult phase (which could be literally minutes) then all the systems on the Internet that can be infected are already infected. What point could the counterattack have? Sure, it's fun. But it's not a defensive measure (You're either immune, or already infected.) It uses more bandwidth than it saves. Dealing with counterattacks will divert the time and attention of admins from patching -- which is what they need to be doing.

      Counterattacks in the lingering stage may seem tempting, especially as one looks at logs and sees evidence of year-old worms, still in the wild. Surely, no machine should be connected to the Internet while being unmaintained this long, right? I suggest, however, that the cost of these attempts is pretty small, and the potential cost of an attack is pretty big (and a self-replicating attack, even bigger!) If you really want to help, email or telephone some domain or netblock contacts, and/or their upstream ISP.

      So, I don't see any real benefit from counterattacks, no matter how well intentioned. The "patch treadmill" is a terrible way of securing our Internet infrastructure. Unfortunately, it's also the only way we have, right now.
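The life-cycle argument above (infancy, adult, lingering) can be worked through numerically. The following is an added example, not code from the article or from the poster: the classic SI model of a worm that scans uniformly random IPv4 addresses, where each infected host sends a fixed number of probes per second and a probe infects a still-clean vulnerable host with probability (vulnerable - infected) / 2^32. The vulnerable population of 360,000 hosts and the 10 and 100 probes-per-second rates are constructed figures for illustration, not measurements of any real worm. Besides the time to saturation, it computes when a honeypot expects to see its first probe, which is what decides whether a honeypot can react during the infancy phase at all.

```python
"""Random-scanning worm spread model (added illustration, not the article's code).

Classic SI (susceptible/infected) model of a worm that probes uniformly random
IPv4 addresses: each infected host sends `scan_rate` probes per second, and a
probe infects a still-clean vulnerable host with probability
(vulnerable - infected) / 2**32. All host counts and scan rates used below are
constructed for illustration.
"""

ADDRESS_SPACE = 2 ** 32  # flat IPv4 space a random-scanning worm enumerates


def simulate(vulnerable, scan_rate, seed_infected=1, step=1.0, max_seconds=7 * 86400):
    """Euler-step the expected infected count once per `step` seconds.

    Returns a list of (t_seconds, infected) samples, stopping once 99.9% of the
    vulnerable population is infected or `max_seconds` is reached.
    """
    infected = float(seed_infected)
    t = 0.0
    samples = [(t, infected)]
    while infected < 0.999 * vulnerable and t < max_seconds:
        # probes sent this step, times the chance each lands on a clean vulnerable host
        new_infections = infected * scan_rate * step * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_infections)
        t += step
        samples.append((t, infected))
    return samples


def time_to_fraction(samples, fraction, vulnerable):
    """Seconds until `fraction` of the vulnerable hosts are infected (None if never reached)."""
    for t, infected in samples:
        if infected >= fraction * vulnerable:
            return t
    return None


def expected_first_probe(samples, scan_rate, honeypot_addresses):
    """Seconds until a honeypot owning `honeypot_addresses` IPs expects its first worm probe.

    The expected number of probes that have landed on the honeypot range is
    (cumulative probes so far) * honeypot_addresses / 2**32; this returns the
    time at which that expectation first reaches 1.
    """
    cumulative_probes = 0.0
    for (t_prev, infected_prev), (t, _) in zip(samples, samples[1:]):
        cumulative_probes += infected_prev * scan_rate * (t - t_prev)
        if cumulative_probes * honeypot_addresses >= ADDRESS_SPACE:
            return t
    return None


if __name__ == "__main__":
    N = 360_000  # constructed vulnerable population
    for rate in (10, 100):
        s = simulate(N, rate)
        print(f"scan rate {rate}/s: 90% infected after {time_to_fraction(s, 0.9, N) / 3600:.1f} h; "
              f"one honeypot IP expects its first probe at {expected_first_probe(s, rate, 1) / 3600:.1f} h, "
              f"a /16 of honeypot IPs at {expected_first_probe(s, rate, 65536) / 60:.1f} min")
```

Two things fall out of the model. A single honeypot address expects its first probe only once the cumulative probe count equals the size of the address space, which in this model is when roughly 63% (1 - 1/e) of the vulnerable hosts are already infected, so a lone honeypot never gets a chance to act in the infancy phase. A honeypot that answers for an unused /16, by contrast, expects its first probe while only a handful of hosts are infected; early warning comes from the width of the monitored address range, not from any ability to counterattack.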

    19. Re:Counter attacks don't work by platipusrc · · Score: 1

      At least for worms that request a file and pass too much info, like nimda and code red (root.exe, default.ida), what would the legal response be to putting a file by that name on your server and having that file terminate a code red or nimda-infected computer? It seems to me that there wouldn't really be anything illegal about doing something like that.

      --
      And the muscular cyborg German dudes dance with sexy French Canadians
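A defender's version of the idea above that stays on the right side of the legal line drawn elsewhere in the thread (block at the router, don't touch the other machine): recognise the worm's tell-tale requests in the honeypot's web log and turn them into time-limited block rules. This is an added example, not the article's or the poster's code. The log lines are constructed in Apache combined-log format; the default.ida and root.exe request signatures are the ones named in the thread, and the cmd.exe traversal probe is a further Nimda indicator from general knowledge. The rule text is an illustrative format, not the syntax of any particular firewall.

```python
"""Triage worm probes seen by a honeypot web server and emit expiring block rules.

Added example, not code from the article or the thread. Every request to a
honeypot is suspect; the signatures below name the two worms the thread
mentions (Code Red's default.ida overflow, Nimda's root.exe and cmd.exe
probes) so the block list carries a reason. Log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: two infected sources, one ordinary visitor, one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Sep/2003:10:01:12 +0000] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 0 "-" "-"',
    '198.51.100.23 - - [19/Sep/2003:10:02:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 "-" "-"',
    '198.51.100.23 - - [19/Sep/2003:10:02:06 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"',
    '192.0.2.44 - - [19/Sep/2003:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    'garbage line that is not a log record',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# (pattern matched against the request path, label recorded in the block list)
WORM_SIGNATURES = [
    (re.compile(r"/default\.ida", re.I), "Code Red family (default.ida overflow probe)"),
    (re.compile(r"/root\.exe", re.I), "Nimda (root.exe backdoor probe)"),
    (re.compile(r"/cmd\.exe", re.I), "Nimda (cmd.exe traversal probe)"),
]


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def classify(path):
    """Name the worm a request path matches, or None for an unremarkable request."""
    for pattern, label in WORM_SIGNATURES:
        if pattern.search(path):
            return label
    return None


def triage(lines):
    """Group worm probes by source address: which worms, how many hits, first and last seen."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the triage run
        label = classify(rec["path"])
        if label is None:
            continue
        entry = findings.setdefault(
            rec["src"], {"worms": set(), "hits": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        entry["worms"].add(label)
        entry["hits"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return findings


def block_rules(findings, ttl_hours=24):
    """Render one deny rule per infected source, expiring `ttl_hours` after its last probe.

    The expiry is the answer to "when is it safe to unblock?": a source that keeps
    probing keeps renewing its block, one that has been cleaned quietly ages out.
    """
    rules = []
    for src, entry in sorted(findings.items()):
        expires = entry["last"] + timedelta(hours=ttl_hours)
        reasons = ", ".join(sorted(entry["worms"]))
        rules.append(f"deny from {src} until {expires.isoformat()}  # {reasons}")
    return rules


if __name__ == "__main__":
    for rule in block_rules(triage(SAMPLE_LOG)):
        print(rule)
```

Run against the constructed sample, this flags the two probing sources and ignores both the ordinary visitor and the malformed line; feeding it a real honeypot access log is a matter of replacing SAMPLE_LOG with the file's lines.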
    20. Re:Counter attacks don't work by platipusrc · · Score: 1

      If I pay for bandwidth, do I get to send the people I block a bill? Wouldn't it be better for me to just terminate their computer rather than having collection agencies hounding them about it after I start metering bandwidth from IPs that I have to block? Do I get to bill them for me having to take the time to either block them manually or write/buy a program to do it for me? Also, when do I know that it's safe to unblock an IP address, or do I eventually just wall myself off from the Internet by blocking all IP addresses that attack me? It doesn't seem fair to me that they get to cause all the destruction they want without repercussion, but I'm not allowed to defend my own property and services.

      --
      And the muscular cyborg German dudes dance with sexy French Canadians
    21. Re:Counter attacks don't work by jrumney · · Score: 1
      No. It is never acceptable for anyone to do anything on my computer without my express prior permission, end of story.

      Nor is it acceptable for your computer to try to infect a server with a worm, which is the only circumstance in which this honeypot will kick in. If your computer is spreading worms around the internet and some server tries to defend itself (and the rest of the world) against that using reasonable force to disable the worm, then I know who the jury are going to be siding with.

      PS: This is not a "benevolent worm", it does not spread.

    22. Re:Counter attacks don't work by menscher · · Score: 1
      If your computer is spreading worms around the internet and some server tries to defend itself (and the rest of the world) against that using reasonable force to disable the worm

      Wow... sounds exactly like how you're allowed to respond with deadly force if attacked with deadly force. Or how you're allowed to respond with deadly force if you see another attacked with deadly force. The precedent is already there in human relations, so I don't see a legal problem extending it to computer interactions.

      I, for one, am looking forward to the time when people are free to defend themselves (and the rest of the internet) against attacks. Attacked by a worm? Sent spam through an open relay? Take them out! Places that are a threat to the infrastructure do not have the right to exist, and should be destroyed.

      (Note I'm not addressing the question of how you determine who should be killed....)

  3. Counterstrike by pheared · · Score: 1, Insightful

    Will these counterattacks get better QA testing than MS patches?

  4. Illegal by axehind · · Score: 1, Redundant

    and launching counter attacks to clean infected hosts Sounds illegal.... Unauthorized access to someone else's computer comes to mind. axehind

    1. Re:Illegal by One+More+Troll · · Score: 0

      And how much different is this from you sending me a virus from your PC? True, you didn't do it deliberately, but by not providing protection, you allowed your PC to alter mine without my authorization. All this system seems to be doing is returning the favour, but by doing some good in the process.

    2. Re:Illegal by Anonymous Coward · · Score: 0

      It's a service the "aggressive" honeypot provides, and that the infected host requested. Just like you request information and/or files from websites.

      If I ran a business called "punch you in the face" and had a process where people had to make the request directly, and it was hard to fake the identity of the requestor, where I get to "punch them in the face", and I in no way made an attempt to beat around the bush that I would punch you in the face, would it be illegal?

      (hmm... slogan? "better than what's on cable tv right now")

    3. Re:Illegal by axehind · · Score: 1

      So you're saying 2 wrongs make a right?

    4. Re:Illegal by axehind · · Score: 1

      There is a difference. The person with the virus doesn't know they are infected. It's pretty cut and dry. If I remember right Maxvision did something like this years ago and was convicted and served time for it. axehind

    5. Re:Illegal by Anonymous Coward · · Score: 0

      Did you hear about the two chinese mad scientists that reanimated the dead body of the inventor of the airplane?

      Two Wongs did make a Wright.

    6. Re:Illegal by Trigun · · Score: 1

      No, Maxvision did not do exactly this. He did repair an exploit on machines (the exploit that he used to access the machine in the first place), but he backdoored the machines as well. That's what got him the jail time.

    7. Re:Illegal by One+More+Troll · · Score: 0

      If it prevents you from "wronging" other systems, then yes, I do think it's right.

      If you were a carrier of some biological disease (say, Typhoid Mary) should the state have the right to separate you from the rest of the populace and force you to receive treatment? Yes, because, to quote a line from a movie I saw once, "The needs of the many outweigh the needs of the few, or the one."

      If you don't want anyone mucking with your PC, put it behind a firewall. If people don't have the knowledge of how to do this, or how to install anti-virus software, then they also probably would not notice this anyway.

    8. Re:Illegal by axehind · · Score: 1

      I just don't believe this is the solution. I mean it's not going to teach the people that leave their systems vulnerable anything. You have to educate them.

    9. Re:Illegal by Anonymous Coward · · Score: 0

      what we need is a 'don't fucking open this email' virus. i've seen jokes for it often, but if someone made it a reality and had a message about "i opened this attachment that was sent to you, and found it to be educational, you should open it too."

      and the attachment named "don't fucking open this attachment stupid.exe"

      have it go through a little lesson about don't open attachments even from friends, and that it is a worm that has forwarded itself to everyone on your address list.

      but this only would help email worms.

      maybe another one like it that on bootup has the user go through different steps to educate them that their system has been exploited and that they need to take defensive measures to prevent such things. and something about "and i'm using all your bandwidth to find other computers that are just as weak as yours... xxx machines infected using your computer to infect them from so far. in some countries since you know about this, it would make you a hacker/cracker/asshole."

  5. Worms too?! by MeanE · · Score: 4, Funny

    And here I thought they only caught bears named Poo.

    1. Re:Worms too?! by Anonymous Coward · · Score: 0

      I gave my dog some honey... but it didn't help get rid of her worms.

    2. Re:Worms too?! by vpetersen · · Score: 1

      In the Soviet Russia, bears catch worms...
      Intestinal ones, that is.

      Here goes my karma.. not that I have any to lose cause I'm not a moderator. :)

    3. Re:Worms too?! by Anonymous Coward · · Score: 0

      Honey on your balls for your dog only helps you not the dog. Duh.

    4. Re:Worms too?! by BenitoM · · Score: 1
    5. Re:Worms too?! by Anonymous Coward · · Score: 0

      Please do not confuse Poo with Pooh. To wit

      Pooh : brown, furry, portly, cuddly = teddy bear

      Poo : brown, smelly, squishy, slimy = steaming pile of excrement

    6. Re:Worms too?! by aonifer · · Score: 1

      Honey pots and poo. Slashdot's turning into a really iffy porn site.

    7. Re:Worms too?! by Anonymous Coward · · Score: 0

      It's POOH, you jackass.

  6. Clean infected hosts? by DrEldarion · · Score: 3, Interesting

    Launching counter attacks to clean infected hosts? I see how this could be useful for internal networks where you actually have permission to clean machines, but it had better be restricted to that network, otherwise this could cause some major legal problems...

    1. Re:Clean infected hosts? by Tom · · Score: 1

      otherwise this could cause some major legal problems...

      I assert my right to self-defense. You attack me, I'll attack you in exactly the same way (you see, I already know you're vulnerable to that exploit), and shut you down so you can't continue to attack. I won't wipe you or patch you or do any permanent damage.

      "you" and "me" can be either we as persons or our respective servers. It doesn't matter technically, so I fail to see why it should matter legally.

      That said, I practice what I preach. I've had a "give me code red and I'll shut you down" script on my webserver for half a year now. There have been zero complaints or legal actions.

      # zgrep default.ida access.log* | wc -l
      1475

      --
      Assorted stuff I do sometimes: Lemuria.org
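      The zgrep above counts Code Red probes by their /default.ida request. The following is an added detection example, not the poster's script: it parses constructed Apache combined-format log lines (sample data, not real traffic), tallies default.ida probes per source address, and flags sources that exceed a threshold so an admin can block or report them.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Code Red probes request /default.ida with a long padded query string (the N and X
# padding mirrors Code Red I and II); the two benign lines show what is not counted.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2003:10:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [01/Nov/2003:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2003:10:01:09 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 287 "-" "-"
203.0.113.44 - - [01/Nov/2003:10:02:11 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [01/Nov/2003:10:02:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [01/Nov/2003:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (src, timestamp, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("ts"), m.group("path"), int(m.group("status"))


def is_code_red_probe(path):
    """Code Red's signature: a request for /default.ida carrying a query string.
    Matched case-insensitively because IIS paths are not case-sensitive."""
    return path.lower().startswith("/default.ida?")


def code_red_report(log_text, threshold=2):
    """Count default.ida probes per source address and flag sources at or above threshold.
    Returns (total_probes, per_source_counts, flagged_sources)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined format
        src, _ts, path, _status = parsed
        if is_code_red_probe(path):
            counts[src] += 1
    flagged = sorted(s for s, n in counts.items() if n >= threshold)
    return sum(counts.values()), dict(counts), flagged


if __name__ == "__main__":
    total, per_src, flagged = code_red_report(SAMPLE_LOG)
    print(f"default.ida probes: {total}")  # same figure 'zgrep default.ida ... | wc -l' gives
    for src, n in sorted(per_src.items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n}")
    print("sources to block/report:", flagged)
```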
    2. Re:Clean infected hosts? by Anonymous Coward · · Score: 0

      I assert my right to self-defense. You attack me, I'll attack you in exactly the same way

      In many jurisdictions, that is not allowed even for physical attacks - i.e. you can't purposefully kill someone even if they're trying to kill you. Sometimes you can only do the minimum required to defend yourself (maybe knocking them out and calling the police).

      In the case of an electronic attack, your machine just has to ignore the attacker to survive. So it would be difficult to justify a counter-attack, even ignoring the fact that physical and electronic attacks have completely different laws.

    3. Re:Clean infected hosts? by phorm · · Score: 1

      But you could, perhaps, make it do an automatic but thorough lookup of the infected domain, attempt to determine the associated admin email, and fire off an email to said admin.

      If attacks persist from a host after a month, then perhaps a flag for an automatic response would be appropriate

    4. Re:Clean infected hosts? by herrvinny · · Score: 1

      Then hackers might figure out that your system was a honeypot and DOS it off the net

    5. Re:Clean infected hosts? by unixdad · · Score: 1

      But you could, perhaps, make it do an automatic but thorough lookup of the infected domain, attempt to determine the associated admin email, and fire off an email to said admin.

      I think that this sort of thing has already proven to be too difficult to do in the case of spam. Why do you think it will be easier to do with viruses?

      I can't even find out how to contact my "cable modem neighbors" to notify them of problems.

    6. Re:Clean infected hosts? by Tom · · Score: 1

      Thank you for confirming my argument.

      If shutting your machine down is the minimum required to prevent future attacks on me and others (yes, almost all self-defense laws do include not only defending yourself, but also defending others), then that is exactly my point.

      I could firewall myself. But that wouldn't prevent you from attacking others. It also wouldn't stop further attacks on me - it'd just make them inconsequential. However, they are still occurring. Just because your blows don't hurt me doesn't mean I have to put up with them.

      --
      Assorted stuff I do sometimes: Lemuria.org
  7. Even better by Anemomenous+Cowherd · · Score: 2, Interesting

    What about a P2P honeypot network? I'd think that would greatly increase the overall effectiveness.

    1. Re:Even better by 00RUSS · · Score: 0

      You mean something like a Distributed Firewall. http://www.research.att.com/~smb/papers/distfw.html

      --
      +-+-+-The following statement is true. The previous statement is false.-+-+-+
  8. Yeah, that'll work by Illbay · · Score: 1

    And it won't EVER be subverted for nefarious purposes, will it?

    --
    Any technology distinguishable from magic is insufficiently advanced.
  9. Skynet! by scovetta · · Score: 2, Funny

    Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts
    Yeah, the honeypot could proactively install patches to systems that it deemed infected, all around the world!
    Sounds like Skynet. Run for the hills!

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
    1. Re:Skynet! by Anonymous Coward · · Score: 0

      "Run for the hills!"

      Unless you live in the southern part of the Governator's state...where the hills are on fire.

  10. Reminds me of what AOL did by DaneelGiskard · · Score: 5, Interesting

    Personally I don't like the "launching counter-attacks to clean infected hosts". It reminds me of what AOL did.

    Still what can one do against users who do not care if they have a worm or not? Should we invent a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

    Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

    Oh well, babbled enough, back to work ;)

    1. Re:Reminds me of what AOL did by sirReal.83. · · Score: 0

      you didn't read The Digital Imprimatur did you? do it now, but keep in mind it's a worst-case-scenario model. i really don't think restricted access is the solution. honeypots either. let's just write good code in the first place, and not keep it behind locked doors so that in the event something bad does happen, we can fix it as quickly as possible.

    2. Re:Reminds me of what AOL did by NotAnotherReboot · · Score: 1

      A nice concept, "internet driving license," but all it will do is:
      a) discourage new users
      b) make people afraid to try new things online
      c) create some kind of institution with an incredible amount of unwarranted power

    3. Re:Reminds me of what AOL did by ekephart · · Score: 2, Insightful

      You may get into legal trouble for FIXING an attacker's computer. You can bet though if they don't patch, then they don't turn off unnecessary services either. Enter Windows Messaging Service. Just send them a quick note stating that their machine is infected and they would be best served to patch it.

      --
      sig
    4. Re:Reminds me of what AOL did by DaneelGiskard · · Score: 1

      Well, you are of course right. It would definitely reduce some of the "freedom" of the internet users. But to keep the driving-license analogy, what would happen if no driving license were needed and driving were generally without any rules? It would be a similar situation to the one we have now on the internet: there would be some/many people who are rational and intelligent enough to do things right intuitively, but there would also be people who just do not care.

      It has not been much of a problem in the past, but with the swamp of worms we have lately, it does become a problem. What if a user (and I'm sure many do) just does not care if his computer is infected or not and his computer keeps sending all the spam and spreads the worm? At some time his internet service provider might take action, but what if not? How _do_ you want to stop this without rules?

      I'm not for taking away freedom, but the freedom we have now in the internet also has many bad sides. Of course, how do you want to regulate something without taking away freedom? It's pretty much impossible I'd guess.

    5. Re:Reminds me of what AOL did by DaneelGiskard · · Score: 1

      I've not read it, but I've bookmarked it and will read it tonight when I got more time. Thanks for the link, certainly looks interesting :)

    6. Re:Reminds me of what AOL did by grasshoppa · · Score: 1

      Still what can one do against users who do not care if they have a worm or not? Should we invent a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

      Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

      Nice idea, but I was thinking of something more along the lines of a bat. You could put big letters on the side "CLUE" if you wish. Then, every time you find a relative ( remember folks, it starts at home ) doing something computer stupid, you use the bat.

      We could break the back of this virus problem, literally.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    7. Re:Reminds me of what AOL did by DarkZero · · Score: 1
      Well, you are of course right. It would definitely reduce some of the "freedom" of the internet users. But to keep the driving-license analogy, what would happen if no driving license were needed and driving were generally without any rules? It would be a similar situation to the one we have now on the internet: there would be some/many people who are rational and intelligent enough to do things right intuitively, but there would also be people who just do not care.

      Yeah, they're perfectly similar, except for that pitiful little detail about large numbers of people dying on one side of the comparison and absolutely no one dying on the other. But really... does the fact that worms can't kill anyone and cars do so on a daily basis make them ANY different? I think not. That's just, y'know, semantics. The semantics of people dying.

      This is the most foolish idea I've heard in my life. It makes training geriatric space penguins to fly to Mars for us look like a brilliant idea. And space penguins don't even exist.

      A more reasonable idea would be to handle worms, which only damage property, in the same manner that we deal with things that, well... damage property. You don't need a license to use matches, but when you start a forest fire because you're too fucking stupid to figure out the arcane science of USING MATCHES, you have to pay for the damage that your forest fire did to the surrounding property and probably incur criminal damages if the fire is serious enough. You also don't need a license to use a baseball or a bat, but when you carelessly make a home run through your neighbor's window and into their China closet, you have to pay for the damages to that, too. So if someone's carelessness causes them to be infected by a worm, why not just have them pay a fine for it, or possibly pay the users that they damaged directly? The RIAA has proven how easy it is to track people down on the internet and sue them, so I don't see why the federal government or a civil lawyer couldn't do the same.

    8. Re:Reminds me of what AOL did by gurps_npc · · Score: 1
      While the idea of an internet driving license seems OK at first, it would end up being the ultimate person tracker.

      To make it worthwhile, people would be required to type in their I.D.L. # to use a computer, destroying the entire concept of privacy.

      --
      excitingthingstodo.blogspot.com
    9. Re:Reminds me of what AOL did by Anonymous Coward · · Score: 0
      A nice concept, "internet driving license," but all it will do is:
      a) discourage new users
      b) make people afraid to try new things online
      c) create some kind of institution with an incredible amount of unwarranted power

      Where did you get this? From the pull-it-out-of-my-ass-dept. ?
      Seriously you make it sound like you've done an intensive study on the subject when you probably just thought it up while scraping jelly off of your t-shirt.

    10. Re:Reminds me of what AOL did by Anonymous Coward · · Score: 0

      you just went and ruined the best rant ever with a perfectly sensible closing paragraph.

    11. Re:Reminds me of what AOL did by Tokerat · · Score: 1

      Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.
      Excuse me, but I already pay $50 a month for broadband, that's enough, thanks. I don't need to pay more for some stupid competency license. I know what I'm doing just fine, and to put it mildly, "..we don't need no stinkin' licences!"

      The counter-attacks to patch infected machines are a bad idea, most certainly illegal.
      --
      CAn'T CompreHend SARcaSm?
    12. Re:Reminds me of what AOL did by back_pages · · Score: 2, Insightful
      I'm not sure a license to use the internet is the right solution, but there IS a huge issue of accountability these days.

      I'm all for privacy and anonymity, but when 1 anonymous person has the potential to introduce a virus that can bring down a corporation's network (or neighborhood's broadband access) through sheer negligence, I very strongly start to question the limits of that privacy.

      Of course, a fantastic solution to the problem would be software that doesn't have 59,000 exploits and so many features designed to "Help You Out" that actually "Screw You Sideways"; with that, we probably wouldn't be having this discussion. I can't wait for the days when operating systems are bundled 1.) for clueless home users, 2.) for clueful home users, and 3.) for geeks/programmers/sysadmins/et cetera. Then Grandma, 13 year old file sharers, and non-technical corporate workers can be given plastic flatware for software rather than chainsaws and electric knives.

      Anyway, something should be done. 5 years ago I would have been vehemently against any type of internet license but these days I'm beginning to think that the solution will be that or an operating system that functions under the assumption that the end user will have no idea if his computer is hacked, hijacked, trojaned, or back doored.

    13. Re:Reminds me of what AOL did by Anonymous Coward · · Score: 0

      That's what we did at the library with infected user laptops on the wireless network. Popup message saying you have a worm.

      Of course, if they came back unfixed, we'd ping flood them off the network and block them at the firewall (we have an authenticating firewall and registered users).

    14. Re:Reminds me of what AOL did by Spl0it · · Score: 2, Informative

      What AOL did was not wrong, they used their software to patch a bug. It wasn't like they opened up Excel and downloaded your files. Mind you, AOL could have told the users what they were planning/doing. Back to this discussion... If I'm running a network of 5000 computers, and 500 of them are DSL, or cable or dialup connections, I have every right to patch those computers on MY network, so long as I divulge this information in the Terms of the contract!!!

      --

      No, this is
    15. Re:Reminds me of what AOL did by Anonymous Coward · · Score: 0

      They did not patch a bug. They turned off a service of the operating system.

    16. Re:Reminds me of what AOL did by the_mad_poster · · Score: 1

      Yea, because people who can't handle a simple patch procedure are going to understand the subtle stupidity of Windows Messenger. I can see my e-mail now...

      OMG! I'VE BEEN HACKED! lol!!! OM!G JIT SAYS SOMETHIGN ABOUT WORMS YOU HAVE TO COME FIX MY COMPUTER I DONT KNOW WHAT'S WRONG! LOL!!!!

      Attachment: "Latest Windows Security Update.exe"

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    17. Re:Reminds me of what AOL did by the_mad_poster · · Score: 1

      Uh.. yea... because it's not like we have anything that can be used to track us now. Like IP addresses cross referenced to logfiles. Nope, nothing like that around anywhere.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    18. Re:Reminds me of what AOL did by Jester99 · · Score: 1

      At my university, if the router detects you launching traffic known to be a worm propagating, etc, it disables your wall jack. Clean. Simple. Effective. You go to a friend's computer and download the necessary cleaning tools onto a CD, fix your machine, and call the computer center, and up you are again.

    19. Re:Reminds me of what AOL did by gurps_npc · · Score: 1
      You are correct, it is NOT like we have anything that can be used to track down a person right now. Those things you mentioned are not directly connected to your identity, and can EASILY be negated.

      Simple method #1: Go to an internet cafe, pay cash, and no one can possibly back track that stuff directly to you.

      Simple method #2: Go to a library, use their computer for free, and no one can possibly back track that stuff directly to you.

      More risky Method: Use an anonymizer site to surf and trust that they will in fact keep your info secret.

      But yes, it is possible for a fool/moron to give away their identity on the internet without knowing they have done it.

      --
      excitingthingstodo.blogspot.com
  11. Go back to work by boatboy · · Score: 1

    There's nothing there about French Honeys.

  12. idiocy by RMH101 · · Score: 5, Insightful
    so you have loads of honeypots out there waiting for worms to exploit them, then you redirect these to "fake services". Whoop-de-hoop.
    I don't think worm writers are going to care very much. If they're spammers, then some more of their spam will go in the bin - but it's not costing them, so who cares?

    On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

    1. Re:idiocy by Afty0r · · Score: 3, Interesting
      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.
      I understand where you're coming from, but let's take an analogy : in any other walk of life, if you are attacked you are allowed to take reasonable actions to defend yourself.

      If someone comes at you and other people in the street with a knife, you are allowed to wrestle the knife from him. Things such as punching him, pinning him or even breaking his arm might be viewed as perfectly reasonable by a judge - in order to prevent harm.

      In the same vein, we're talking about disarming the offensive person (host) without causing any collateral damage... So why might this not be considered legal by an enlightened society?
    2. Re:idiocy by Anonymous Coward · · Score: 0

      i don't think it is up to the virus writers. all you need to do is set the internet at the organization to forward all non standard ports to the honeypot. this also is only going to catch certain types of worms and most likely be most effective on the internal network versus the "internet". anyways it lets the admins know there is a problem before there actually becomes a larger one that requires immediate attention.

    3. Re:idiocy by Anonymous Coward · · Score: 0

      Because you're neglecting the oh so important difference between defending your person and your property. You are allowed to assault someone coming at you with a knife. You are _not_ allowed to assault someone who just keyed your car.

    4. Re:idiocy by Reblet · · Score: 1, Informative

      Actually, there's some good sense in these honeypots. By redirecting the worm to fake services you make the worm waste time, which stops it from propagating, and perhaps just as important, congest network traffic (the honeypot can use vhosts to accomplish this). As an additional bonus, you'll be able to study the behaviour of the worm without actually compromising a machine. The point is not so much to find the original culprit, but preventing it from doing more damage.
      Also, on the subject of counter-attacks, it should be noted that the article quite clearly mentions that this should only be done where the infected host is under the legal control of the administrator of the honeypot. Although this won't really help for your home computer, it may prevent spreading of the worm on business or school networks, for example.

    5. Re:idiocy by Tim+C · · Score: 1

      You are _not_ allowed to assault someone who just keyed your car.

      More accurately, you're not allowed to key the car of someone who just keyed your car, which is what attacking an attacking computer would be more like.

      It seems to me that the main problem with most worms that we've seen so far is the havoc they wreak on the network as a whole, chewing up bandwidth as they propagate, rather than what they do to the machines in question. How would a "good" worm be any different? It has to propagate by the same means, after all. At best, the author may be a little more careful of bandwidth usage, but chances are it'll still cause a problem.

    6. Re:idiocy by unixdad · · Score: 2, Funny

      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

      What if it's a tool that you have deployed in your network, and it just so happens that the honeypot is a little bit misconfigured, allowing it to respond to all hosts that attempt to infect it?

      How is this then different from desktops that are poorly written/designed or misconfigured allowing them to spread viruses on the internet?

      The purpose of the tool (virus prone desktop vs. honeypot) is a bit different, but the end result is the same (a 3rd party's computer is modified without their permission). What makes the user of the desktop more defensible than the user of the honeypot?

    7. Re:idiocy by Anonymous Coward · · Score: 0

      You are allowed to assault someone coming at you with a knife. You are _not_ allowed to assault someone who just keyed your car.

      No, but this is more like taking his keys.

    8. Re:idiocy by Fluid+Truth · · Score: 1

      So why might this not be considered legal by an enlightened society?

      In what country are you living? Anymore, there aren't too many enlightened societies.

      --
      Apparently, of the rich, by the rich, for the rich.
    9. Re:idiocy by Afty0r · · Score: 1
      You are _not_ allowed to assault someone who just keyed your car.
      You are however allowed to use physical force to stop someone who is currently attempting to key your car...
  13. Smokey the Bear says... by Anonymous Coward · · Score: 3, Funny

    When using your honeypot at the campgrounds, always practice safety.
    Surround your honeypot with rocks to keep the fire from spreading. Be sure when
    you're done with your honeypot to put it out with a bucket of water and make
    sure it has stopped smoking before you leave the area.

    Remember what Smokey the Bear says. Only you can prevent your honeypot from starting a forest fire.

    1. Re:Smokey the Bear says... by Nom+du+Keyboard · · Score: 1
      Surround your honeypot with rocks to keep the fire from spreading.

      Yes, build a firewall.

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    2. Re:Smokey the Bear says... by Anonymous Coward · · Score: 0

      moron, fire pit. sorry. i live in michigan and i remember these, at state parks, and other state outdoor events. you mean hang them in the tree to prevent bears from eating your food stuffs.

  14. Bad Idea by Mortanius · · Score: 4, Insightful

    ...launching counter attacks to clean infected hosts!

    They're just that, 'attacks.' Unauthorized access to users' machines with the intent of installing software without the users' knowledge (even with, it makes no difference.)

    It's a nice idea in spirit, the Community (I hate that term) working to automatically protect those who can't help themselves (sounds rather elitist, doesn't it). But in the end, it's no better than your average hacker / skript kiddie futzing around with your machines.

    1. Re:Bad Idea by Anonymous Coward · · Score: 0

      If the ISPs were more responsible/interested, they could selectively shut off ports of infected customers, or direct all of their web traffic to their own local page that describes how to fix it.

      They haven't done so, and they continue to let the menaces plague the Internet.

      A two-pronged approach seems best. One prong tries to convince ISPs to take action, the other prong (probably in a foreign country) issues shutdown commands to infected computers. Everybody wins.

    2. Re:Bad Idea by kavau · · Score: 1
      For the method of counter attack described here, you might as well say it's self-defense. An infected computer tries to exploit vulnerabilities to install itself on one of your systems. Of course the most important thing is always to make sure your machine is secure. But why should it be considered unethical to make sure the offending computer can't infect other, less secure, systems?

      If someone is randomly assaulting people in the street, should you just run away and lock yourself up at home, or should you knock that guy out to prevent him from harming other innocent people?

      Of course you're taking the law into your own hands with this approach, and the legal situation is certainly difficult. Maybe one should have some sort of "internet police" that is entitled to launch counterattacks on infected systems, maybe as an automated system, in order to achieve good response times? Then you could forward any logs from attacks on your honeypot to the internet police, which does the rest. The question is then, of course, who controls the internet police?

    3. Re:Bad Idea by Anonymous Coward · · Score: 0

      Even though the whole idea of the counter attack is definitely unethical, and probably illegal, it does sound good from the perspective of a systems administrator who had a user being bombarded by an infected cable modem user over the period of an entire month.

      Contacting the cable company ( comcast cable ) did absolutely nothing to resolve the issue - they were waiting for the user to change ip addresses for some reason, and wanted me to call when the ip address of the attack changed.

      Of course, I was sitting on 3 DS3s... the only thing that came to my mind at the time was ping -f... but I resisted. After fighting the cable support morons, I finally got them to get off their asses and call the user to let them know they were infected.

      ONLY when the actual ISPs start to be held accountable for their users' actions, will crap like this stop happening. It's pretty easy to sniff your own network traffic to find well known worms which are trying to propagate. Find them, cut the user off until they get a clue and patch. That's the only way.

  15. Legalities by PPGMD_PDA · · Score: 1

    Now one has to ask if it is legal to launch a counter worm?

    Now as for using a honeypot to analyze a worm, is that the whole purpose of a honeypot?

    1. Re:Legalities by ViolentGreen · · Score: 2

      I would think and hope that it is not. It is still an intrusive attack on another machine and an invasion of privacy.

      Even if this eventually is used (and I hope to God it's not) there would have to be all kinds of legislation defining "good" worms and "bad" worms.

      Can you imagine the government sitting around trying to do this?

      Also, who decides what is removed? What's to keep someone from saying, "downloading mp3s is illegal, we are going to write a "good" worm to remove mp3s without drm?" Sure that is a bit extreme but this would cause more problems than it's worth.

      --
      Not everything is analogous to cars. Car analogies rarely work.
    2. Re:Legalities by ViolentGreen · · Score: 1

      In that last part about deciding what's removed, I was just illustrating how going into machines and removing worms can escalate to removing other bits of data.

      --
      Not everything is analogous to cars. Car analogies rarely work.
    3. Re:Legalities by harlows_monkeys · · Score: 1
      Now one has to ask if it is legal to launch a counter worm?

      Launching a counter-worm is obviously a bad idea, but I see nothing wrong with disabling the original worm on any system that tries to infect the honeypot.

      I did some experiments along those lines, with Apache set up to redirect various common worm-generated requests to a CGI which tried to do a "dir" on the remote system using the same hole that it was using to try to get my system, and a large fraction of the time, that worked.

      On some of these systems, I then created a "C:\YOU_ARE_INFECTED.TXT" file that told them they were infected. Don't know how well that worked.

      I don't have the time nor inclination to get sufficiently into Windows hacking to go farther than that, so I stopped.

    4. Re:Legalities by topsoil · · Score: 1

      How about %SYSTEMDIR%\Desktop\YOU_ARE_INFECTED.TXT ? I would expect that to be more visible than just C:\

      However, with profiles, etc. the Desktop does change for each user. Maybe C:\Documents and Settings\Administrator\Desktop\YOU_ARE_INFECTED.TXT

  16. Nice try by Tom · · Score: 1, Redundant

    It is a nice attempt at active worm defense.

    Unfortunately for him, I have just published a paper that shows that and how future worms will be much too fast for his - or anyone else's - manual defense methods.

    In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

    As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

    Sorry.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Nice try by Anonymous Coward · · Score: 0
      Unfortunately for him, I have just published a paper [dead link]
      If your paper-writing skills are on par with your linking skills, he probably doesn't have much to worry about :p
    2. Re:Nice try by GMFTatsujin · · Score: 1

      Lookie here, if you can't figure it out from the malformed URL: http://web.lemuria.org/security/WormPropagation.pdf

  17. legal way to have internet connection shutoff by Dark+Fire · · Score: 5, Insightful

    Welchia proved that good intentions can be disastrous. Even well-intentioned actions could damage someone's livelihood or equipment and open up the vigilante to criminal/civil penalties. A better approach would be a quick legal remedy that would permit one party to obtain a court order ordering the ISP of another party to cut off their internet access until they complied with the remedy (fixing the issue). The ISP is given 10 business days to notify the customer of the court order. An ISP could then try and verify the claim and file a response themselves if they find the claim unsubstantiated, or they could pass on the claim to the customer, who would then be responsible for replying. If the customer or ISP replied without properly addressing the claim or fixing the issue, they would be liable for criminal penalties and fines under the law. Wow, this whole idea ended up sounding kind of draconian, which is not at all what I was going for. Any thoughts?

    1. Re:legal way to have internet connection shutoff by Anonymous Coward · · Score: 0

      In 10 days, the entire Internet is infected.

    2. Re:legal way to have internet connection shutoff by mystik · · Score: 1

      This happened to me. (well, no court order or what not). My ISP monitors for network anomalies, and thought that I had Welchia (I had actually run a portscan against one of my servers). They put a flag on my account, and disconnected me, and waited for me to call them to find out what happened.

      What would be a good solution is some kind of 'secure' winpopup (i.e., maybe an ISP gives you a public key that your machine will accept messages from). ISPs could then give their users notice of suspected activity, then if no action is taken, pull the plug.

      --
      Why aren't you encrypting your e-mail?
    3. Re:legal way to have internet connection shutoff by BuckaBooBob · · Score: 1

      You have a sniff of an idea.... have ISPs working together and add a phrase in their EULA to authorize patching of their systems to stop worm attacks.

      There would have to be an opt-out for people that wouldn't trust others messing with their machines... but then they could be on a 24 hour notice to clean and remedy or lose connection until it has been dealt with... 24 hours should be enough to remedy .. if not maybe some other time frame might be appropriate.

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
    4. Re:legal way to have internet connection shutoff by Dark+Fire · · Score: 1

      Without an approved legal remedy, in 100 days the internet is still infected. In 300 days, in 600 days, ... and so on. Old exploit attempts show up in my web logs every 15 minutes. Sometimes the people you contact either won't listen or the contact information you have for them isn't correct or they are just hard to get a hold of via it. If it takes two weeks of your effort just to contact each individual, the internet will be affected forever. But if they receive a court notice from their ISP indicating that they have 10 days to comply or the ISP will be forced to shut them down, someone will pay attention, especially when the site quits working. The idea was for a legal course of action that requires minimal involvement for the party seeking corrective action from the offending party.

    5. Re:legal way to have internet connection shutoff by owlstead · · Score: 1

      quick legal remedy

      Those three words should not be used at the same time.

      The ISP is given 10 business days to notify the customer of the court order.

      Ten minutes in slow time (time when you're not online, for the non-cyberpunks out there) is years in time you spend in the matrix (the ... oh bugger it, this is /.).

      An ISP could then try and verify the claim and file a response themselves

      LOL. Insightful. Right.

      sounding kind of draconian

      No, just bloody unlikely to happen. Besides, the justice dept. over here (NL) is busy enough already. The US justice dept. ? Settle it!

  18. Automatic firewall definition update by Goodbyte · · Score: 2

    It is obvious that 'attacks' can only be made inside a corporate network or similar, or else one would probably face legal consequences.

    Apart from that, I think this is a great idea. You could use honeypots to automatically update firewall filters and block further infection attempts!

    1. Re:Automatic firewall definition update by David+McBride · · Score: 1

      Yes, but you have to be very, very careful. Otherwise, someone could deliberately (manually) attack your honeypot on a critical service port and trigger a firewall update... that knocks all of your critical systems offline.

    2. Re:Automatic firewall definition update by fuzzybunny · · Score: 2, Insightful


      Good luck. Name me one product you'd trust to automatically adjust your perimeter security.

      I nearly wet myself laughing when I first saw ISS present their ideas of reactive firewall configuration based on IDS alerts. There are a number of serious issues with this school of thinking, understandable though the initial logic may be.

      First off, there is currently no single piece of software in existence smart enough to intelligently distinguish malicious traffic with a high enough degree of reliability to trust it not to fuck up legitimate business operations.

      Second, there are good tools out there (e.g. Snort & co.), but they're very often misconfigured--IDS are often "alibi" exercises, to allow a company to check a tick-box on an audit report ("yeah, we have an IDS. NEXT?")

      Third, the moment you find someone using such a tool, assuming it existed, consider the possibilities to DoS a large corporation or network by just making it think it's under attack. You wouldn't even actually need to hit it particularly hard. You'd just make their super-duper IDS Black ICE Skynet AI shit its pants and think it's getting hammered, and decide to close down. Bang, objective achieved without even having to write a working exploit.

      --
      Cole's Law: Thinly sliced cabbage
    3. Re:Automatic firewall definition update by lamj · · Score: 1

      Not really, an IPS (Intrusion Prevention System) is better for that purpose. Getting your firewall signatures tuned by a honeypot would cause too many false alarms. Also, for a honeypot (or IDS for that matter) to tune the firewall (to shun a source host) is not exactly effective. In a UDP attack, sometimes one packet is all that is required to own the boxen (port 1434 UDP anyone?); by the time your IDS has chatted with the firewall, all the other packets are already in your infrastructure.
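The thread above (honeypot-driven firewall updates, and the objections that a spoofed hit could knock critical hosts offline or that flooding the honeypot could make the firewall shut the network down) is the kind of thing that only works with guard rails. The following is an added example, not code from the paper or from any product named here; the hit lines, the protected-host list and the thresholds are constructed assumptions.

```python
"""Honeypot-driven firewall blocking with guard rails.

Added example, not code from the paper or from any product named in the
thread.  The hit records, the protected-host list and the thresholds are
constructed assumptions.
"""
from collections import defaultdict
from datetime import timedelta, datetime

# Never auto-block these, whatever the honeypot reports: gateway, DNS,
# monitoring station.  A (possibly spoofed) hit from one of them goes to a human.
PROTECTED = {"10.0.0.1", "10.0.0.53", "10.0.0.250"}

WINDOW = timedelta(minutes=5)      # hits older than this are ignored
MIN_HITS = 3                       # one packet is not evidence of scanning
BLOCK_TTL = timedelta(hours=1)     # blocks expire, so a mistake is not permanent
MAX_NEW_BLOCKS = 20                # more candidates than this in one batch: escalate


def parse_hit(line):
    """Parse one honeypot hit line: '<iso-timestamp> <src-ip> <dst-port>'."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


def decide_blocks(lines, active_blocks, now):
    """Return (new_blocks, escalations) for a batch of honeypot hit lines.

    active_blocks maps src -> expiry time and is updated in place: expired
    entries are dropped, new blocks are added.  escalations lists
    (src, reason) pairs that are left for an operator instead of acted on.
    """
    for src in [s for s, exp in active_blocks.items() if exp <= now]:
        del active_blocks[src]

    hits = defaultdict(list)                  # src -> [(ts, port), ...]
    for line in lines:
        ts, src, port = parse_hit(line)
        if now - ts <= WINDOW:
            hits[src].append((ts, port))

    candidates, escalations = [], []
    for src, events in hits.items():
        if src in PROTECTED:
            escalations.append((src, "protected host hit honeypot"))
        elif src in active_blocks:
            continue                           # already blocked
        elif len(events) >= MIN_HITS:
            candidates.append(src)

    # Many distinct "attackers" at once is what an attempt to make the
    # firewall shut the network down looks like: suspend automatic action.
    if len(candidates) > MAX_NEW_BLOCKS:
        escalations.extend((s, "mass trigger, auto-block suspended") for s in candidates)
        return [], escalations

    for src in candidates:
        active_blocks[src] = now + BLOCK_TTL
    return candidates, escalations


def iptables_rules(new_blocks):
    """Render block decisions as iptables commands (strings, not executed)."""
    return [f"iptables -I FORWARD -s {src} -j DROP" for src in new_blocks]


# Constructed sample: a worm-like scanner (three hits, two ports), three hits
# apparently from the DNS server (spoofed or not, never auto-block it), and a
# single stray packet on the Slammer port.
SAMPLE_HITS = [
    "2003-10-23T10:00:01 192.0.2.10 135",
    "2003-10-23T10:00:02 192.0.2.10 135",
    "2003-10-23T10:00:03 192.0.2.10 4444",
    "2003-10-23T10:00:05 10.0.0.53 135",
    "2003-10-23T10:00:05 10.0.0.53 135",
    "2003-10-23T10:00:06 10.0.0.53 135",
    "2003-10-23T10:00:07 198.51.100.7 1434",
]

if __name__ == "__main__":
    blocks = {}
    new, esc = decide_blocks(SAMPLE_HITS, blocks, datetime(2003, 10, 23, 10, 1))
    print(iptables_rules(new))   # ['iptables -I FORWARD -s 192.0.2.10 -j DROP']
    print(esc)                   # [('10.0.0.53', 'protected host hit honeypot')]
```

The single 1434/UDP packet is deliberately not blocked: as lamj notes, by the time the firewall hears about it the damage is done, so one packet earns nothing but a log line.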

  19. Know your enemy by Twillerror · · Score: 3, Insightful

    Half the time we don't know our network is infected until it is too late, or someone complains the internet is slow.

    Just having a honeypot that can alarm us to what boxes are infected is a big plus. We can take it from there.

    Somehow taking the computer off the network would be a bonus as well. I wish our firewall had this functionality.

    1. Re:Know your enemy by Anonymous Coward · · Score: 0

      Get a good intrusion detection system. Update the signatures and it will alert you if you have an infected host. Set up a response mechanism and it can lock out that PC from the network as well. We use Cisco's IDS and it does that. I know Snort can be set up to do it as well.

      I use our IDS to monitor internal systems more than I do external threats.

    2. Re:Know your enemy by Short+Circuit · · Score: 1

      Run a Linux firewall, and talk to your boss about developing a userland netfilter queue processor.

  20. Re:Sun Cobalt an m$ windoze by GNUALMAFUERTE · · Score: 0, Offtopic

    May be, but you are the anonymouse coward.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  21. Nice try (with fixed link) by Tom · · Score: 5, Insightful

    It is a nice attempt at active worm defense.

    Unfortunately for him, I have just published a paper that shows that and how future worms will be much too fast for his - or anyone else's - manual defense methods.

    In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

    As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

    Sorry.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Nice try (with fixed link) by fuzzybunny · · Score: 1


      You might want to have a look at Nick Weaver's Homepage--How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.

      Frankly, you're correct in your assumption. However, the author makes a good start in terms of preventing that initial spread. I agree that if you focus too much on 'reaction', dependent on identification of a worm, you're screwed to start out with. But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.

      I'll gladly dig out some of our info on this if you're interested, as we're pretty closely involved with exactly this topic right now, but alas, short of time due to having to prepare a presentation on, you guessed it, worm spread in corporate networks :)

      --
      Cole's Law: Thinly sliced cabbage
    2. Re:Nice try (with fixed link) by Tom · · Score: 2, Interesting

      How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.

      I've read that one, and it is referenced in my paper. :)

      However, the author makes a good start in terms of preventing that initial spread.

      Chapter 4.5.1 of my paper shows how to circumvent that questionable protection.

      But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.

      That is the correct approach. Until worms earn polymorphic capabilities, of course. Unless you are ready to risk a fairly large false positives quota.
      Remember, most of the recent worms spread as web-traffic.

      having to prepare a presentation on, you guessed it, worm spread in corporate networks

      You might want to check out chapter 8.2 of my paper. There I show how to wipe out a corporate LAN in under 60 seconds.

      Yes, I am serious.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:Nice try (with fixed link) by slim+hades · · Score: 0

      Very well written paper. Wish I had something amusing or demeaning to say, but I don't. Just wanted to say that.

    4. Re:Nice try (with fixed link) by fuzzybunny · · Score: 1

      I honestly had just scanned over your paper, but I will read it in detail asap.

      You might want to check out chapter 8.2 of my paper. There I show how to wipe out a corporate LAN in under 60 seconds.

      I don't doubt you at all. In fact, I am happy for yet another legitimate-looking piece of work which says this. In fact, this statement is one of the cornerstones of all the security incident response mechanisms and structures we've been putting together in my current project. You're preaching to the choir, so to say--it's what we've been yelling for weeks and months. In fact, it was our conclusion that if someone had translated the recent MS Messenger bug (MS03-043) into a successful remote code execution exploit, using sample code released with the DoS exploit for that vulnerability, along with a semi-reasonable hitlist generator, a ca. 60,000 station corporate LAN would be down in 10-15 seconds. Flat.
      Until worms earn polymorphic capabilities, of course. Unless you are ready to risk a fairly large false positives quota.
      Remember, most of the recent worms spread as web-traffic.

      Not entirely--Nimda and Code Red were both multi-vector worms; SQLSlammer was just that (MSSQL port 1434), and Blaster spread via RPC. What I'm waiting for is not really a polymorphic worm which mutates autonomously (you'd need a fairly horrendous AI capability for that) but rather one which exhibits the covert channel new exploit uploads and cell-based hitlist exchange and breakdown that Nick and others postulate.

      We've divided worms into two general categories (this is from the corporate point of view.) These are: worms that primarily affect unpatched private machines, and worms which may not be so damaging on the internet per se, but which will wreak havoc on company infrastructures (your less-than-60-second example) once it penetrates the 'eggshell' or 'maginot line' approach most large corps take to perimeter security.

      I would love to get into more of a discussion about this offline--it fits exactly into what we're working on. Assuming you get hit by something against which there's really no defence in existence yet, the really interesting topic is how to recover very quickly, without serious business impact. And there are definitely ways of doing that.
      --
      Cole's Law: Thinly sliced cabbage
    5. Re:Nice try (with fixed link) by owlstead · · Score: 1

      Simulating and optimising worm propagation algorithms

      I dunno if I like this title too much. I do not think coding skills are required. The design is way more important. Furthermore, MS is going to do one patch pack per month. Whaddaya think that will do to fast worms?

    6. Re:Nice try (with fixed link) by Tom · · Score: 1

      MS is going to do one patch pack per month. Whaddaya think that will do to fast worms?

      Nothing. By definition, fast worms live on a timescale of minutes, not months.

      --
      Assorted stuff I do sometimes: Lemuria.org
  22. Imagine... by sheck · · Score: 1
    Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!

    Yes. Just imagine.

  23. Yes, imagine that.. by kcm · · Score: 5, Informative

    wait, here it is.

  24. Ethics mentioned? by AndIWonderIfIWonder · · Score: 1
    I've already posted about this on this article, but it seemed relevant here...

    The article even infers (to me anyway) that it should be used in a department or organisation and not on the net, and mentions the ethics of such a procedure.

    This script, given strictly as an example, can be improved upon by using evolved programming languages such as VBS. A longer example [ref 13] has been tested on a research network, cleaning our infected hosts in a few minutes.

    Some SysAdmins were recently polled to determine if it is ethical to take active defense measures in such a targeted, counter offensive way, within a network their organization owns. The results can be seen here [ref 14, page 29 & 32] (76 respondents).

  25. fascinating article.. by herrvinny · · Score: 3, Interesting

    This honeypot can either be a "sacrificial lamb" (a normal host without the very latest updates applied on, sacrificed in expectation of an attack), or just a simulation of services.

    If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out? I think it would be better to have a small network of 6-8 computers (wouldn't have to be much, just get a rack off Ebay and a few of those mini-itx components, load em in, don't need a fan, case, etc) and have each computer at varying levels of patches. One computer is patched every day, one patched every two weeks, etc. There isn't enough time to customize a computer to be infected by the worm; by the time you hear about it, the worm has already infested millions of computers.

    They also should look more into that counterstrike idea. Seriously, if you attack my computer, even if you didn't know about the virus, then I have the right to self defense. I'll gladly install some of that counterstrike software when I set up a honeypot. You're PO'ed because I attacked your computer? You attacked me first. I'm only exploiting the same vulnerability the worm did. If you were a SMART web citizen, you would have gotten a firewall to protect yourself from the worm in the first place.

    1. Re:fascinating article.. by mr_z_beeblebrox · · Score: 1

      If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out?

      Assuming that MS the infallible (random quote..."No one would ever need more than 640K") identifies EVERY flaw BEFORE worm writers do, then yes, patching makes perfection. Please, do not assume that.

    2. Re:fascinating article.. by HermanZA · · Score: 1

      Well, responding to a computer attack is not self defence - you are not under personal attack - even though it may feel like that. It is merely an effort to protect your own property and as such is probably allowed in most jurisdictions.

  26. Silly old bear! by scumbucket · · Score: 0
    Remember Winnie the Pooh has a fondness for honeypots and keeps getting his head stuck in them!

    Winnie the Pooh, Winnie the Pooh,
    Chubby little buddy, all stuffed with fluff
    it's Winnie the Pooh, Winnie the Pooh
    little bitty silly ole' bear!

    --
    CMDRTACO CHECK YOUR EMAIL!
  27. Re:Bad Idea? not so by Anonymous Coward · · Score: 0

    Personally, if someone is too dumb to patch his/her computer, enabling a worm to spread, wasting bandwidth, possibly provoking network slowdowns, I really see no problem "fixing" his/her computer or getting it offline using the same vulnerability as the worm.

  28. French Honeypots... by Anonymous Coward · · Score: 0

    ...use IIS so webservers quickly surrender to worms.

    1. Re:French Honeypots... by Tonytheloony · · Score: 0, Offtopic

      Coming from an anonymous coward! Oh the irony! ;)

      --
      The quickest way to become an atheist is to study the Bible thoroughly.
  29. Attractive Nuisance by supersmike · · Score: 2, Insightful

    The Internet in general is an attractive nuisance to script kiddies.

  30. the Counterstrike phase will nullify your paper... by herrvinny · · Score: 1

    Because, think about it. All those computers that have been infected will still be scanning for computers to infect, even if the internet is saturated with virii. So when the worm attacks a honeypot, the honeypot can then erase the worm. As long as the honeypots clean faster than the worm spreads (which would take a very big honeypot network indeed) then the worm infestation will slowly go down.

  31. How about using honeypots to attack back?! by pair-a-noyd · · Score: 1

    I think that the worms and viruses should be dissected and once the origin is known, launch an all-out assault on the author. DDoS the SOB into oblivion.

    Or, for virus writers, how about giving them a good dose of SARS or AIDS?? That'll teach them to play games..

  32. not really by autopr0n · · Score: 1

    All virus writers have to do is 'secure' the system they just compromised. This could be as easy as shutting down a service.

    --
    autopr0n is like, down and stuff.
  33. Umm...how about.. by Demerol · · Score: 0, Flamebait

    "Using Linux to Fight Worms"

    Sounds easier to me.

  34. Honeypot by Anonymous Coward · · Score: 5, Interesting

    I work for a large UK ISP and we have had honeypots in use since the blaster outbreak - they work well.

    If a user is infected and randomly attacks IPs within our network, they eventually hit one of the honeypots. The honeypots flag their account and when they next reconnect they are sent to a 'walled garden' - a dummy DNS RADIUS community where they can only get one webpage, that advises them that they have a virus and provides a download section for removal tools. When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

    There's no legal issues involved with us - we are a residential ISP and stuff like this is covered in T&Cs.

    1. Re:Honeypot by Raptor+CK · · Score: 1

      While I can't moderate (I choose not to,) I can comment.

      WOW. I like that. I like that a lot. This should be standard practice. It's not invasive at all, and it forces the schmucks who never paid attention when they got their massively powerful infection node^W^Wcomputer to finally get up to date.

      Let's face it, as long as we have uneducated users, these problems will continue to crop up. If we can keep them offline until they learn the simplest parts of system maintenance, then maybe these problems won't crop up anymore.

      Now I want one of these to try to stop mail worms. I don't suppose that's as cut-and-dry, though...

      --
      Raptor
      "Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
    2. Re:Honeypot by mbklein · · Score: 2, Insightful

      When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

      So as long as I get my prescription filled, you'll let me out of quarantine? Great! I don't actually have to take my antibiotics, as long as they're nearby.

    3. Re:Honeypot by VertigoAce · · Score: 2, Insightful

      I assume that they can get themselves quarantined again if they continue to disrupt the network. And I'd imagine that your account would be flagged so that an administrator would know it's been taken off more than once.

    4. Re:Honeypot by SteelRat · · Score: 1

      would mister anonymous like to post a redirect (tinyurl or whatever) to an implementation guide for this?

      I know I would be quite appreciative :)
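The walled-garden scheme in the Honeypot post above, together with the two objections raised in the replies (a download is not a cure, and repeat offenders should be noticed), as an added example that is not the ISP's own code. Account names, the removal-tool file names and the strike limit are constructed assumptions.

```python
"""Walled-garden quarantine driven by honeypot hits.

Added example, not the ISP's code from the post above.  Tool file names and
the strike limit are constructed assumptions.
"""
from dataclasses import dataclass, field

REQUIRED_TOOLS = {"patch-ms03-026.exe", "blaster-removal.exe"}   # constructed names
MAX_AUTO_RELEASES = 2   # quarantined more often than this: a human must release

CLEAN, QUARANTINED, REVIEW = "clean", "quarantined", "manual-review"


@dataclass
class Account:
    name: str
    state: str = CLEAN
    strikes: int = 0                                   # how often we caught it
    downloaded: set = field(default_factory=set)       # tools fetched this round
    hits: list = field(default_factory=list)           # (src_ip, dst_port) evidence


class WalledGarden:
    def __init__(self):
        self.accounts = {}

    def account(self, name):
        return self.accounts.setdefault(name, Account(name))

    def honeypot_hit(self, name, src_ip, dst_port):
        """A honeypot saw this account's address probing it: flag the account.

        Hits while already quarantined are recorded but do not add strikes;
        a new infection after a release does, and a fresh round of downloads
        is required (downloading a tool is not the same as running it).
        """
        acct = self.account(name)
        acct.hits.append((src_ip, dst_port))
        if acct.state == CLEAN:
            acct.strikes += 1
            acct.downloaded.clear()
            acct.state = REVIEW if acct.strikes > MAX_AUTO_RELEASES else QUARANTINED
        return acct.state

    def radius_policy(self, name):
        """Policy applied at the next reconnect: 'internet' or 'walled-garden'."""
        return "internet" if self.account(name).state == CLEAN else "walled-garden"

    def tool_downloaded(self, name, filename):
        """Called from the garden's web log once the download is tied to an account.

        Release only when every required tool has been fetched, and never
        automatically for an account under manual review.
        """
        acct = self.account(name)
        if filename in REQUIRED_TOOLS:
            acct.downloaded.add(filename)
        if acct.state == QUARANTINED and acct.downloaded >= REQUIRED_TOOLS:
            acct.state = CLEAN
        return acct.state

    def admin_release(self, name):
        """Manual release after an administrator has looked at the machine."""
        acct = self.account(name)
        acct.state = CLEAN
        acct.strikes = 0
        return acct.state


if __name__ == "__main__":
    garden = WalledGarden()
    garden.honeypot_hit("alice", "192.0.2.5", 135)          # constructed hit
    print(garden.radius_policy("alice"))                    # walled-garden
    for tool in sorted(REQUIRED_TOOLS):
        garden.tool_downloaded("alice", tool)
    print(garden.radius_policy("alice"))                    # internet
```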

  35. Good article by lamj · · Score: 4, Informative

    Overall a very good article. The article could have touched upon the ability of honeypots to help create IDS signatures. At the current technology level, IDS are mostly still signature-based, and early detection with a honeypot to help with creating IDS signatures is very important.

    For active countermeasures (or attack), this has to be done VERY carefully. Remember Max Vision? It's good to fix your own machines, and make sure you only attack and fix yours. Access to unauthorized machines is almost always illegal. If one of your boxes got hacked, the incident response team should get involved and do their investigation; auto-patching without investigation can be a risky thing because you just don't know the extent of the problem. When you fix it, the hacker could have a backdoor installed on your box.

  36. Now imagine... by Anonymous Coward · · Score: 0


    ...a beowulf cluster of these!

  37. Hey get MS to fund it by baggins2002 · · Score: 1

    They have told me over and over again that 95% of the computers out there are MS. So most of the problems are coming from computers with their operating system. So maybe they should help pay for some of these solutions.
    Oh yeah, it's because they want us to pay them for the solution.

    1. Re:Hey get MS to fund it by BuckaBooBob · · Score: 1

      But it's the end users 90% of the time that don't patch their systems or have their systems configured insecurely.

      So going back to what you said... End users should have to pay? or just uneducated people that lack the understanding to secure their home PC? If it's just the people getting infected, how would you qualify people that should pay for these solutions?

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
  38. How about we forget this nonsense... by Anonymous Coward · · Score: 0

    What a ridiculous waste of time and money. Honeypots and viruses and worms and trojans. WTF. Computers are just friggin computational tools. And whiny little bedwetter nerds want to wage inane little wars against each other with them.

    How about we start making harsh examples out of the virus writers that do get caught? And I mean *harsh*. No this will not deter all from creating more of this crap, but it will deter many. And no it will not stop it coming from backward countries with slack laws, but at least it's a start.

    How about we start taking this shit seriously like we would if someone was attacking any other piece of our telecommunications infrastructure?

    Let's quit fooling around trying to play cat and mouse footsie with these scumbags by using our friggin "honeypots".

    1. Re:How about we forget this nonsense... by BuckaBooBob · · Score: 1

      They are very hard to track for starters.. secondly from what I have seen and read the ultimate majority of these writers that are in North America are underage teens... So what would you propose would be a harsh example for an underage teen that would get parents en masse to speak up and block these measures to protect their intelligent kids?

      Also the mentality of this group of youngsters is usually that they are indestructible and cannot be caught cause they know more than the next guy :) So the people that got caught are stupid unlike them :)

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
    2. Re:How about we forget this nonsense... by Anonymous Coward · · Score: 0

      Actually, most of these virus writers are in E. Europe like Bulgaria, Romania, Ukraine, and Russia.

  39. Don't they mean honeybuckets? by Anonymous Coward · · Score: 0

    ...because as we all know, shit attracts flies or lawyers.

  40. Yeah... by inertia187 · · Score: 2, Interesting

    I wrote about that too. Mine is implemented using a simple Servlet.

    --
    A programmer is a machine for converting coffee into code.
  41. Important Question by Anonymous Coward · · Score: 0

    Hey can you make Honey pots for SCO stuff??

    1. Re:Important Question by mr_z_beeblebrox · · Score: 1

      Hey can you make Honey pots for SCO stuff??

      Sort of. Same basic concept. Write a program and use some of their secret copyrighted comments. Here is a good example of a way to cause SCO to own you (C Code excerpt):
      \\This is broke. Fix it later
      That comment is obviously part of Sys V Unix

    2. Re:Important Question by Anonymous Coward · · Score: 0

      Ouch man you've been microsoft-whipped to using backslashes.
      i.e. //This is broke. Fix it later.

      Also that's a C++ style comment which you'd think wouldn't be in code from the 70s/80s.
      i.e. /*This is broke. Fix it later.*/

      On a somewhat related note, am I the only one who gets smacked by websites that use the backslash in the URL b/c IE accepts that?

  42. Imagine! by Anonymous Coward · · Score: 0

    Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!

    Imagine discussing this in 1988 when the first internet worm was released! There is nothing new in that paper.

  43. Legal implications of counter-attack? NOT! by Not_Wiggins · · Score: 2, Insightful

    To be perfectly honest, there's no legislation to go after the "Joe Average Infected Computer User" for spreading the original worm. What makes you think they'd be all set to jump on (supposed) "White Hats" with systems that only respond to attacks in an effort to stem them (technically "illegal" or not)?

    Before I had a webserver up-n-running doing useful stuff, I had Code Red Vigilante running on port 80; it felt good knowing that machines that had tried to infect me were being warned that they were infected... you know, trying to be a good netizen and enlighten my fellow surfer.

    Of course, I was able to do that because I could look through the Java code I was installing and determine exactly what that code was doing (i.e., not fall victim to a socially engineered attack where I mistakenly INSTALL someone's worm code on my computer!)

    No... the real question won't be how this all gets sorted out legally; we'll figure out how to use technology to stop this crap before any law gets passed to "protect me."

    The real question will be how do we protect the average person in the interim without making them easily exploitable targets for malicious anti-worm code that is, in essence, a socially-engineered worm attack in its own right.

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    1. Re:Legal implications of counter-attack? NOT! by axehind · · Score: 1

      "Joe Average Infected Computer User" doesn't know he has an infected computer and that it's accessing someone else's. Whereas the honeypot administrator would know that his computer is accessing someone else's without that person's permission.

    2. Re:Legal implications of counter-attack? NOT! by ratfynk · · Score: 1

      The last thing that Sarc and Symantec want is effective OSS pro active worm and virus software. It might cut into their bullshit AV security pie too much! There is nothing wrong in notifying users that they are infected, it is the one thing that might help stop worms. I have had to tell my Aunt that I keep getting silly .exe's in mail from her. If there was an automated way to tell her I would do it. What is really a hoot is to wine ./ the crap binary and watch it smoke my X session. If it doesn't smoke my X session then I check to see what the hell it is trying to do with eth0 down.

      --
      OH THE SHAME I fell off the wagon and use sigs again!
  44. Nice try indeed - an internet immune system! :-) by Juggler · · Score: 2, Interesting
    Actually, that's only assuming that you have a relatively passive system.

    If you actively update the "defense boxes" with all the latest exploits and then configure it to use its full arsenal to take down any attacking hosts (e.g. by making all exploits simply turn off networking on the target machine), then you'll have a very high success rate indeed. Then only worms exploiting previously unknown holes on otherwise fully patched machines will be able to run unchecked. This raises the bar for worm writers by an order of magnitude... or two.

    Note that I'm suggesting that the "counter attack" would simply be to disable networking on the infected host. This is easier to get right than any sort of complex cleanup, thus lowering the odds that you'll break the infected machine. Also, a machine which keeps dropping off the network will eventually get attended to by a technician, who will hopefully disinfect and patch it properly.

    This would also have the beneficial side-effect that worm authors would be forced to close the holes they exploit in order for their worms to live. This would suddenly mean that worms and viruses would be competing against each other instead of coexisting peacefully.

    Frankly I hope someone writes such a thing and a government body or group of white hats simply deploys it. Or both. Then the internet will finally have an immune system.

  45. The Solution is IPv6 by Nom+du+Keyboard · · Score: 1
    The solution may be IPv6. These days scanning the 4 billion-odd IPv4 addresses is not beyond the capability of a few machines on broadband. Yeah, it won't reach NATed networks easily, though it only has to get inside via one machine.

    But the problem of scanning the IPv6 space is non-trivial. Not only is it easier to hide somewhere inside this much larger space, but seriously folks, why don't we start from the beginning by having routers identify obvious scanning attempts (i.e. requests to a whole lot of different IP addresses over a short period of time) and work to locate and isolate those machines while raising an alarm? There's more that could be done to halt obvious misuse of the Internet than is being done now.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:The Solution is IPv6 by Gwala · · Score: 1

      However, IPv6 is still very structured, like IPv4 before everything was loosened up. Which means things will still be constricted to bands for a while, so the effect won't be as great as you think, but it will help.

      As for your suggestion about routers - as soon as routers become powerful enough to process and examine what they are passing in real time, it will be feasible (try doing this on a backbone). However, currently it would produce far too much lag to counter the benefit of doing so. But on the upside, it would help with things like spam, which always originates from a single source and spams the crap out of a massive selection of hosts ... Considering that spam is estimated at 30% of traffic passing through the backbones, eliminating it this way could offer a performance boost ...

      -Gwala

      --
      #!/bin/csh cat $0
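    The scan heuristic proposed in comment 45 (one source contacting a great many distinct addresses in a short time) and debated in the reply above, as an added example that is not code from either poster. It runs over flow summaries rather than packets, which is the cheaper of the two things the reply weighs; the flows, addresses and thresholds are constructed for the example.

```python
"""Scan-detection heuristic from the thread: flag a source that contacts too many distinct
destinations inside a short window. Added example; all flows below are constructed."""
from collections import defaultdict, deque


def constructed_flows():
    """Constructed flow summaries (ts_seconds, src_ip, dst_ip, dst_port); not captured traffic."""
    flows = []
    # an ordinary client: five destinations spread over a minute
    for n, ts in enumerate([0.0, 12.0, 25.0, 40.0, 58.0]):
        flows.append((ts, "10.0.0.5", f"10.0.1.{n + 1}", 80))
    # a host behaving like a worm: 40 distinct destinations on TCP/135 in under four seconds
    for n in range(40):
        flows.append((5.0 + n * 0.1, "10.0.0.9", f"10.0.2.{n + 1}", 135))
    return flows


def detect_scanners(flows, window_s=10.0, max_distinct_dsts=16):
    """Sliding window per source: once a source has contacted >= max_distinct_dsts distinct
    destination IPs within window_s seconds it is flagged. Returns {src: (ts_flagged, distinct)}.
    The thresholds are assumptions for the example; tune them to the network's normal fan-out."""
    recent = defaultdict(deque)           # src -> deque of (ts, dst) still inside the window
    flagged = {}
    for ts, src, dst, _port in sorted(flows):
        window = recent[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > window_s:
            window.popleft()              # drop contacts that fell out of the window
        distinct = len({d for _, d in window})
        if distinct >= max_distinct_dsts and src not in flagged:
            flagged[src] = (ts, distinct)
    return flagged


if __name__ == "__main__":
    for src, (ts, n) in detect_scanners(constructed_flows()).items():
        print(f"{src}: {n} distinct destinations by t={ts:.1f}s -> raise alarm, isolate, investigate")
```

    The detector never sees payload, only (time, source, destination) tuples of the kind a router already exports as flow records, so the per-packet inspection cost the reply objects to does not arise; the response is the one comment 45 asks for, an alarm and isolation of the source, not a counter-attack.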
  46. Re:the Counterstrike phase will nullify your paper by Anonymous Coward · · Score: 0

    You only need one honeypot in your theory. You don't have to clean faster than it spreads. Once it's saturated, it can't spread.

  47. Sounds AWFUL by mr_z_beeblebrox · · Score: 1

    (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)

    As a matter of fact it sounds an awful lot like the anti-blast worm some jackass wrote. That bit of well-meaning cyber-carpentry got on my network despite being prepared for blast and it did very similar damage. The honey pot project should look for useful things to the community not to an individual.

  48. How I dealt with Welchia by skinfitz · · Score: 2, Informative

    We got caught out by Welchia by someone kindly connecting an infected laptop directly into the network behind the firewalling. Ironically this was possible due to a mistake in SMS package deployment (was done hastily - my fault).

    My solution was to deploy honeypot Windows machines running snort which reported into a central SQL server database.

    Using Windows Scripting Host, I then wrote a script that ran periodically on a network management workstation which queried the database, creamed off the last machine that was an infector and, using the wonderful free PS Tools from Sysinternals, automatically determined what OS the machine was running (PSInfo), updated its antivirus signatures (PSExec), de-wormed the machine using the Symantec "FixWelch" utility (again using PSExec), decided if the machine was up to service pack spec (data from PSInfo) and if not service packed it (PSExec), then applied the patches to prevent re-infection (PSExec).

    All worked a treat.

    I'm kind of glad we got hit because as a result I can now insist machines get patched (previously people would complain about a "box on the screen" (SMS installer)) while also being able to remove machine admin rights across the board and ban any machines that are not ours from being connected on pain of a disciplinary offence.

    A lot of work but ultimately, I WIN. MOO HAR HAR!!
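    The "cream off the last infector" step of the workflow above, as an added example and not skinfitz's script: a query against a Snort-style alert table that picks the most recent source to hit a honeypot on the worm's port, a parser for PsInfo-style key/value output, and the decision of whether the service-pack step applies. The table layout, alert rows, honeypot addresses, PsInfo text and the required service-pack level are all constructed for the example; the step list only records which tools run, it does not invoke them.

```python
"""Select the latest infector from a Snort-style alert table and decide remediation steps.
Added example; table layout, alerts, addresses and PsInfo-like output are constructed."""
import re
import sqlite3

HONEYPOT_IPS = {"10.1.1.200", "10.1.1.201"}   # constructed addresses of the honeypot boxes

# Constructed alert rows (ts, src_ip, dst_ip, dst_port, signature); not real sensor output
SAMPLE_ALERTS = [
    ("2003-09-01 10:00:01", "10.1.1.20", "10.1.1.200", 135, "constructed: RPC DCOM exploit attempt"),
    ("2003-09-01 10:00:09", "10.1.1.20", "10.1.1.201", 135, "constructed: RPC DCOM exploit attempt"),
    ("2003-09-01 10:02:30", "10.1.1.31", "10.1.1.200", 135, "constructed: RPC DCOM exploit attempt"),
    ("2003-09-01 10:03:00", "10.1.1.45", "10.1.1.200", 80, "constructed: web probe, not the worm"),
]

# Constructed text in the shape of PsInfo output; field names are assumptions for the example
PSINFO_SAMPLE = r"""System information for \\WS-0031:
Uptime:                    2 days 4 hours 11 minutes 2 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              3
"""


def load_alerts(alerts=SAMPLE_ALERTS):
    """In-memory stand-in for the central SQL server the honeypots report into."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (ts TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER, sig TEXT)")
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?)", alerts)
    return conn


def last_infector(conn, worm_port=135, honeypot_ips=HONEYPOT_IPS):
    """Most recent source that hit any honeypot on the worm's port.
    Every request to a honeypot is suspect, so the filter is just destination + port.
    Returns (src_ip, honeypots_hit, last_seen) or None."""
    marks = ",".join("?" * len(honeypot_ips))
    return conn.execute(
        f"SELECT src_ip, COUNT(DISTINCT dst_ip) AS hit, MAX(ts) AS last_seen FROM alerts "
        f"WHERE dst_port = ? AND dst_ip IN ({marks}) "
        f"GROUP BY src_ip ORDER BY last_seen DESC LIMIT 1",
        (worm_port, *sorted(honeypot_ips)),
    ).fetchone()


def parse_psinfo(text):
    """Turn 'Key:   value' lines into a dict; the banner line has no such shape and is skipped."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def remediation_plan(host, psinfo, required_sp):
    """Steps in the order the post describes; the service-pack step only if the host is below spec.
    Each step is (tool, action); running the tools is outside this example."""
    current_sp = int(psinfo.get("Service pack", "0") or 0)
    steps = [("PsExec", "update antivirus signatures"),
             ("PsExec", "run the vendor worm removal tool")]
    if current_sp < required_sp:
        steps.append(("PsExec", f"install service pack {required_sp} (host {host} is at SP{current_sp})"))
    steps.append(("PsExec", "apply the RPC/DCOM patch so the host is not reinfected"))
    return steps


if __name__ == "__main__":
    src, hit, seen = last_infector(load_alerts())
    print(f"latest infector {src} touched {hit} honeypot(s), last seen {seen}")
    for tool, action in remediation_plan(src, parse_psinfo(PSINFO_SAMPLE), required_sp=4):
        print(f"  {tool}: {action}")
```

    The query groups by source so a host that touched several honeypots is reported once, with the count available as a confidence signal; because the honeypots serve nothing real, any hit on the worm's port is enough to put the source on the remediation list, which is the property of honeypots the article relies on.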

  49. Re:Honeypots by mr_z_beeblebrox · · Score: 0, Offtopic

    Throughout Asia, honeypots are used to store 'nightsoil'.

    I thought you made a good point.

  50. use HoneyD to fight worms. by 00RUSS · · Score: 0

    Apparently HoneyD has been doing this for a while; looks like they pretty much copied HoneyD's work. http://www.citi.umich.edu/u/provos/honeyd/msblast.html

    --
    +-+-+-The following statement is true. The previous statement is false.-+-+-+
  51. Honeybuckets? by SA3Steve · · Score: 1

    I would think that Honeybuckets and Johnny-on-the-Spots attract a lot of worms...don't worms thrive in human waste?

    Ohhh...Honeypots! Sorry...wrong item :-)

  52. "a normal host WITHOUT the very latest updates..." by Anonymous Coward · · Score: 0

    Read whatever you're quoting twice before commenting on it. It's easy to overlook things on the first pass.

    As for the counterstrike idea, it isn't a bad thing in and of itself. The problem is that it would set a precedent for retaliation, something a few media associations would certainly like to see allowed.

    Such measures could be restricted to internet access providers concerning their own networks. But I have a feeling there's probably a loophole in there to be abused by doing that.

  53. LaBrea by rixstep · · Score: 1

    http://hackbusters.net
    Has there ever been a better way to fight them?

  54. yeah, this is a waste. by twitter · · Score: 1
    You think this is a bad idea. I have to agree, but for different reasons.

    There's nothing wrong with trying to clean up your own network. These boxes would be a great idea on a corporate network. When some new M$ transmitted disease comes springing out of LookOut of Internet Exploder, a central box could fix the problem.

    For all that, I still think projects like this are a waste of time. Why should people spend their time fixing Windoze? The best you can hope for is the RAV fate, a buyout. Microsoft, more than likely, will give you the shaft some other way. Look how they treat the SAMBA people who have done fantastic work fixing M$ flaws and omissions. People who use Windoze should just be left to their fate. The Fanboys who still want to use Windoze are simply going to blame this service when things go wrong. Microsoft is shit; all you get when you fool with it is dirty.

    --

    Friends don't help friends install M$ junk.

  55. Your TeX has a few typos by fizbin · · Score: 1

    In the "theoretical limits" section, several times you have too much in the superscript in your calculations. (This looks like a pure TeX typesetting error, not an error in your calculations) Also, for the final result I believe you meant:

    t = \log_{(r+1)} n_t - \log_{(r+1)} i

    Not, as you have there,

    t = log_{(r+1)} n_t

  56. LaBrea extended by tliston · · Score: 2, Informative

    I have recently begun beta testing of an extended-functionality version of my original Open Source application, LaBrea, mentioned in the article. The new software, known as LaBrea Sentry, uses the same methods of trapping and holding connection attempts by worms and scanners. It also proactively defends real machines from attack from those same worms and scanners as well as communicating all log information to a central server which provides updated "Bad Guy" lists to the entire network of Sentry boxes. Scanning IPs that make it onto the "Bad Guy" list are blocked from access to all monitored networks while they continue to scan. (And before you even ask, yes, there are many safeguards on the system to prevent spoofing...)

    In initial tests, the system knocked down 94.7% of the scripted, scanning attacks against a live webserver, BEFORE those attacks ever made it to the server or IDS logs. That's what it's designed for: not to replace firewalls or IDS systems, but to simply cut down on all of the crap that they see...

    Note: There seems to be a great deal of confusion about the "countermeasures" mentioned in the article. In the case of both LaBrea and LaBrea Sentry, these are "passive" countermeasures, consisting of trapping or tarpitting connection attempts. I agree that the idea of "actively" attempting to patch a machine is fraught with legal issues.

    More information on LaBrea Sentry can be found here.

  57. Vigilantes or Revolutionaries? by Angram · · Score: 1

    Vigilante justice may be bad, but when there is no police force, it's all that stands between people and anarchy.

    This may be a bad precedent (and illegal), but without any effective legal methods to stop the 'bad guys', it's essentially all we've got. This is a full assault - hackers, crackers, script-kiddies, scammers, spammers, etc. are not holding back, they're not stopping, and they've got little resistance. Legal methods (anti-viral programs, patches) aren't doing much to stop them - it's not a war, it's a slaughter. The vigilante white-hats aren't the best thing to have by any means, but I don't see much help in other corners. They may make things worse, but they may also be the big guns that can level the playing field (or win). Show me an effective legal army, and I'll be against this, too. Until then, someone has to fight back, no?

    --

    GL
  58. Actually, this does slightly modify your results by fizbin · · Score: 1

    In section 5.1.1 you use your theoretical limit, but you forget that you started with 10 infected hosts. This leads to a theoretical best time-to-saturation of 29.499 seconds, not 36.506 seconds.

    I will concede that this point isn't crucial, however. It still makes a worm that hits saturation in under a minute very close to ideal.
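    Both corrections in this thread (the missing \log_{(r+1)} i term in comment 55 and the ten initial hosts in comment 58) concern the same closed form, n_t = i (r+1)^t solved for t. The following is an added example, not code from the paper or from either commenter: it evaluates the corrected closed form with the thread's symbols, computes how much ignoring the initial hosts overstates t, and checks the result against a step-by-step spread simulation. The numeric inputs are constructed; the paper's own parameters are not on this page.

```python
"""Worm time-to-saturation: the thread's closed form, checked against a discrete simulation.
Added example; the parameter values used in __main__ are constructed, not the paper's."""
import math


def time_to_saturation(n_t, r, i=1):
    """Closed form  t = log_{(r+1)} n_t - log_{(r+1)} i  for the growth law n_t = i * (r+1)^t.
    n_t: population at saturation, r: new infections per infected host per time unit,
    i: hosts infected at t = 0 (the term comment 55 says is missing)."""
    if n_t <= 0 or i <= 0 or r <= 0:
        raise ValueError("n_t, r and i must be positive")
    base = r + 1
    return math.log(n_t, base) - math.log(i, base)


def initial_host_correction(r, i):
    """How far the time-to-saturation drops when the i initial hosts are counted: log_{(r+1)} i.
    This is the gap between the two figures quoted in comment 58, whatever the actual n_t and r."""
    return math.log(i, r + 1)


def simulate_rounds(n_t, r, i=1):
    """Discrete check of the closed form: in each time unit every infected host infects r more
    hosts; returns the number of whole units until the population reaches n_t."""
    infected, t = i, 0
    while infected < n_t:
        infected += infected * r
        t += 1
    return t


if __name__ == "__main__":
    n_t, r, i = 1000, 1.0, 10          # constructed values: 1000 hosts, each infects one per unit
    naive = time_to_saturation(n_t, r)        # as if the worm started from a single host
    corrected = time_to_saturation(n_t, r, i)
    print(f"naive t = {naive:.3f}, corrected t = {corrected:.3f}, "
          f"difference = {initial_host_correction(r, i):.3f} = log_(r+1)(i)")
    print(f"simulation needs {simulate_rounds(n_t, r, i)} whole time units "
          f"(ceil of the closed form is {math.ceil(corrected)})")
```

    The simulation rounds up to whole time units, so it agrees with the ceiling of the closed form; the difference between the naive and corrected values depends only on r and i, which is why comment 58 can state the size of the correction without re-deriving anything else.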

  59. You know You've been reading too much /. when... by Mr.+Moose · · Score: 0, Offtopic

    You see
    Imagine a well-constructed honeypot framework...

    and read it as
    Imagine a Beowulf cluster...

  60. ... and then watch worm ... by torpor · · Score: 1

    ... writers use the technology to counter-counter-attack with honeypott'ed 'virtual cells' constructed on infected hosts for double-service as a DDOS distraction ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  61. Contrast "passive" honeypot vs "active" scanner by Nonesuch · · Score: 1
    As a matter of fact it sounds an awful lot like the anti-blast worm some jackass wrote. That bit of well-meaning cyber-carpentry got on my network despite being prepared for blast and it did very similar damage. The honey pot project should look for useful things to the community not to an individual.

    The key difference here is that the honeypot is passive, it does not go out looking for vulnerable hosts, it waits until after the three-way TCP handshake on TCP/135 is complete, and only then does it react.

    Spoofing complete TCP sessions is non-trivial, making false-positives (especially for a two-stage worm like Blaster and Nachia, using two different sessions to complete the infection) highly unlikely.

    Secondly, while I agree that vigilante entrapment on the wild Internet is a dangerous direction, the basic concept is a sound approach to handling worm propagation within an ISP, corporate WAN, or other "private" (Internet-connected or otherwise) network where the honeypot operator has the legal and moral right to act.
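    The distinction Nonesuch draws above, as an added example that is not code from the poster or the paper: a session tracker that credits a source only after the full three-way handshake to the honeypot is observed, and a two-stage rule that only reports a source once it has completed sessions on both service ports. The packet events, the honeypot address (from TEST-NET-1) and the two stage ports are constructed for the example; the port numbers are parameters, not a claim about any particular worm.

```python
"""Passive honeypot session tracking over constructed packet events.
Added example: a source counts only after a complete handshake, and is reported only after
completing sessions on every stage port. Addresses, ports and events are constructed."""
from collections import defaultdict

HONEYPOT_IP = "192.0.2.100"        # constructed honeypot address (TEST-NET-1)
STAGE_PORTS = (135, 4444)          # assumed stage ports for the example; parameters, not a claim

# Events as the honeypot's sensor would see them: (ts, src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE_EVENTS = [
    # 192.0.2.10 sends bare SYNs and never answers the SYN/ACK (spoofed source or half-open scan)
    (1.0, "192.0.2.10", 40000, HONEYPOT_IP, 135, {"SYN"}),
    (1.0, HONEYPOT_IP, 135, "192.0.2.10", 40000, {"SYN", "ACK"}),
    (1.5, "192.0.2.10", 40001, HONEYPOT_IP, 135, {"SYN"}),
    (1.5, HONEYPOT_IP, 135, "192.0.2.10", 40001, {"SYN", "ACK"}),
    # 192.0.2.20 completes a handshake on 135, then another on 4444
    (2.0, "192.0.2.20", 50000, HONEYPOT_IP, 135, {"SYN"}),
    (2.0, HONEYPOT_IP, 135, "192.0.2.20", 50000, {"SYN", "ACK"}),
    (2.1, "192.0.2.20", 50000, HONEYPOT_IP, 135, {"ACK"}),
    (2.1, "192.0.2.20", 50000, HONEYPOT_IP, 135, {"ACK", "PSH"}),
    (3.0, "192.0.2.20", 50001, HONEYPOT_IP, 4444, {"SYN"}),
    (3.0, HONEYPOT_IP, 4444, "192.0.2.20", 50001, {"SYN", "ACK"}),
    (3.1, "192.0.2.20", 50001, HONEYPOT_IP, 4444, {"ACK"}),
    # 192.0.2.30 completes a handshake on 135 only
    (4.0, "192.0.2.30", 60000, HONEYPOT_IP, 135, {"SYN"}),
    (4.0, HONEYPOT_IP, 135, "192.0.2.30", 60000, {"SYN", "ACK"}),
    (4.1, "192.0.2.30", 60000, HONEYPOT_IP, 135, {"ACK"}),
]


def track_sessions(events, honeypot_ip=HONEYPOT_IP):
    """Return {(client_ip, client_port, service_port): state} for sessions aimed at the honeypot.
    State advances SYN_RCVD -> SYN_ACK_SENT -> ESTABLISHED only in that order, so a source that
    cannot see the honeypot's SYN/ACK (a spoofed address) never reaches ESTABLISHED."""
    state = {}
    for _ts, src, sport, dst, dport, flags in events:
        if dst == honeypot_ip and "SYN" in flags and "ACK" not in flags:
            state[(src, sport, dport)] = "SYN_RCVD"
        elif src == honeypot_ip and {"SYN", "ACK"} <= flags:
            key = (dst, dport, sport)                   # reply: dst is the client, sport the service
            if state.get(key) == "SYN_RCVD":
                state[key] = "SYN_ACK_SENT"
        elif dst == honeypot_ip and "ACK" in flags and "SYN" not in flags:
            key = (src, sport, dport)
            if state.get(key) == "SYN_ACK_SENT":
                state[key] = "ESTABLISHED"
    return state


def classify_sources(events, stage_ports=STAGE_PORTS, honeypot_ip=HONEYPOT_IP):
    """Return (confirmed, partial). Confirmed sources completed a handshake on every stage port;
    partial sources completed at least one. Sources that only sent SYNs appear in neither."""
    established = defaultdict(set)
    for (client, _cport, service_port), st in track_sessions(events, honeypot_ip).items():
        if st == "ESTABLISHED":
            established[client].add(service_port)
    confirmed = sorted(c for c, ports in established.items() if set(stage_ports) <= ports)
    partial = sorted(c for c in established if c not in confirmed)
    return confirmed, partial


if __name__ == "__main__":
    confirmed, partial = classify_sources(SAMPLE_EVENTS)
    print("confirmed (report to the network owner):", confirmed)
    print("partial (watch, do not act yet):", partial)
```

    Nothing in the tracker sends a packet toward the source: it only consumes what the honeypot already received and answered, which is the "passive" half of the contrast, and the two-stage requirement is what makes a stray single connection insufficient to land a host on the report. What happens to a confirmed source is then a decision for whoever owns the network the honeypot sits on, as the last paragraph of the post says.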

  62. Re:Actually, this does slightly modify your result by Tom · · Score: 1

    Thanks for this correction (also for the other, which yes is a typo and was pointed out to me already).

    There has been much feedback from the community ever since I posted it, and I will update it soon (have a conference talk to do that takes priority right now).

    --
    Assorted stuff I do sometimes: Lemuria.org
  63. Re:the Counterstrike phase will nullify your paper by Tom · · Score: 1

    Not if I have a destructive worm as outlined in chapter 8.1 of my paper. :)

    --
    Assorted stuff I do sometimes: Lemuria.org
  64. The owner of a computer by Archfeld · · Score: 1

    needs to be notified in some way. As to legal or illegal, while I agree emotionally with you :) the 'proper' method would be to contact the ISP and let them deal with the infected user/node. At some point though you are correct, the negligence has to transfer; even the dumbest driver is responsible for air in the tires and gas in the tank, and either they learn to deal with it or they hire a service to handle it for them. Maybe we need a driver's license for the Net? As silly as it sounds, it would ensure some basic level of knowledge and responsibility.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  65. Misses the point by djembe2k · · Score: 1
    I'm just not impressed by this at all. Set aside the "counterattack" issue that all of the /.ers are reacting to, and look at the meat of the article.

    At the beginning of the article, he discusses this as a perimeter defense. MSBlaster was only directly penetrating the perimeter of networks that had inbound TCP 135 open. Anybody who is going to take security seriously enough to set up honeypots as a defense against worms is going to close inbound TCP 135. Everybody I know that saw MSBlaster on their network (and I have a bunch of customers that got it) was infected in some other way, either by an infected laptop plugging in internally, or an infected host coming in via VPN. (BTW, I'd love to see a good solution for intrusion detection that works at the point of entry for VPN connections.)

    But then he starts talking about counterattacks as if this is something you are going to use to protect your uninfected hosts from your infected hosts internally. Even assuming you don't have a switched network, I still can't imagine the IDS that will analyze all internal network traffic and respond in a timely way, especially under the conditions of a worm attack, which typically involves flooding the network.

    And all of those are really details. It all depends on being able to detect and respond to worm traffic faster than worm traffic can infect you. If anybody could find a way to do that, they'd integrate it into a firewall product and use it to just cut off this traffic, and everybody would run out and buy it. Rerouting the traffic instead of cutting it off would be just a curiosity that pretty much nobody would care about.