Slashdot Mirror


An Anti-DoS Tool That Returns Fire

An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will avoid being fooled by hijacked PCs and spoofed IP addresses..."

33 of 407 comments

  1. Friendly fire. by Jaywalk · · Score: 5, Insightful
    For a company that makes a big deal about "thousands of years" of experience, they clearly have not thought this through. A distributed denial of service counter-attack to a distributed denial of service attack? If both sides have massive numbers of machines engaged in sending bogus messages you can be assured of two things: 1) there won't be enough traffic brought to bear on the offending machines to shut them down. 2) It's going to suck down massive amounts of bandwidth.

    Can you see the tech guy trying to explain that their company was knocked off, not by the attack, but by the counter attack?

    "It's okay, sir. It was friendly fire."

    --
    ===== Murphy's Law is recursive. =====
    1. Re:Friendly fire. by abandonment · · Score: 5, Insightful

      This is the stupidest idea I've heard of in a long time - if you have the network infrastructure to try and launch a DDOS attack, then you probably have the ability to survive and/or defend from DDOS attacks without resorting to insanity like this. Of course, companies in the US will probably love this, it fits well with their government's 'first strike' foreign policy directives as pushed by Mr Shrub etc

    2. Re:Friendly fire. by koh · · Score: 4, Insightful

      Hmmm just a thought, but the DOS counter-attack would be issued only from the original target's subnet, so it does make it easier to block...

      However, it sure looks like a really bad idea. Someone is getting overpaid out there...

      --
      Karma cannot be described by words alone.
    3. Re:Friendly fire. by jamshid42 · · Score: 5, Insightful

      Actually, could you see if two different companies had an automatic DDoS system like this and someone spoofed their DDoS to attack Company A and made it look like it was coming from Company B? Company A's auto-attack would then attack Company B, which would, in turn, attack Company A. Not only would the continual volleys take out both companies, there would also be a huge impact on the network paths between them.

      --
      /. - Proof that Sturgeon's Law is true...
    4. Re:Friendly fire. by robslimo · · Score: 5, Insightful

      Agreed.

      From the article: According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike".

      Given that blacklist maintainers have gotten such an unfriendly response from some quarter that they're starting to operate anonymously (google SPEWS for more), launching your own DDoS would put you in deep doo-doo, no matter how white you think your hat is.

      -RatOmeter

    5. Re:Friendly fire. by Znork · · Score: 4, Insightful

      "Effictive? Maybe. Probably more than current methods."

      It would be even worse if it was effective. Imagine the first time some joined corps get hit by a distributed reflection DOS attack and their little vigilante group of automated systems take out CNN, AOL, Yahoo, Google, etc in the counterstrike.

    6. Re:Friendly fire. by timmarhy · · Score: 3, Insightful

      This is just corp. rubbish. I can think of 2 reasons this thing will either prove to be embarrassingly useless or most probably vapourware. 1: they aren't giving details on HOW they DOS the zombie PCs, which makes me think it's designed to impress investors and clueless gov officials and that's it. 2: The very nature of a DDoS means the attacker will have more bandwidth than you. What's it going to do, in the middle of a slashdot style swamping start sending out MORE data?!?!?

      --
      If you mod me down, I will become more powerful than you can imagine....
  2. Get ready for more attacks by poptix_work · · Score: 5, Insightful

    This has already been discussed on the NANOG mailing list, the general consensus is that _this_ will be the next source of attacks against systems as people spoof attacks at it. (Much like smurf attacks)

    Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.

    --
    Just because you disagree doesn't make it offtopic or flamebait.
    1. Re:Get ready for more attacks by malraid · · Score: 3, Insightful

      Right, it should be easy (if not trivial) to create an attack to someone, and spoof the real target's address. Then you can have cross-fire between two innocent parties. Microsoft and SCO anyone? ...kind of pointless.

      --
      please excuse my apathy
    2. Re:Get ready for more attacks by tessaiga · · Score: 4, Insightful
      Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.
      This is the obvious solution (after all, no zombies = no DDoS-nets), but the problem is there's no practical way to achieve it. As things stand today, there's no incentive pushing owners of compromised machines to react quickly to remove them from the net -- there's no financial cost for many home users if they don't do so, and they're shielded from liability by the "I didn't know I was infected" defense.

      A second problem is that for the average computer user, it can be very difficult to tell casually if your computer's been infected and is packeting someone else. The fraction of the computer population that checks their firewall to measure their traffic, or goes over the processes running in memory every once in a while, is probably fairly small. This means that infected computers tend to stay infected for a long time. There's also no real, efficient way for a DDoS target to notify thousands of machines about the problem, much less expect a significant proportion of them to respond in any short amount of time.

      I think the goal of this approach was to try to make it inconvenient for the compromised machines by taking down their net connection, and thus push the owners to investigate what the problem was. A friend of mine recently discovered that her brother's laptop was riddled with trojans and spyware, after he brought it to her complaining that it was "running slow". Turned out he was oblivious to the problem for a long time until so many processes had loaded down his machine that it was running at 100% utilization even when it was "idle". In the meantime, it was potentially available to be a participant in DDoS attacks. It wasn't until it was inconvenient for him that he took any steps to figure out what was wrong with it.

      Of course, many of the other posts have already explained why this particular approach is bad -- everything from spoofing causing innocent victims to be hit with counter-attacks, to the problem of having enough bandwidth to DOS a distributed attack in the first place. The challenge is going to be to develop a practical way of creating incentives for people with compromised machines to fix them quickly.

      --
      The bold print giveth, and the fine print taketh away ...
  3. Endless Loop by dcocos · · Score: 4, Insightful

    What happens when someone gets smart and creates one that looks for other Symbiot boxes and basically has them fighting each other?

  4. Pointless by frenetic3 · · Score: 4, Insightful

    Great. So DDoS victims, in addition to having all of their incoming bandwidth wasted, can now spend all their outgoing bandwidth to strike back at their cunning, ruthless assailants -- you know, like all those clever "Dear friends" who "use this Internet Explorer patch now!".

    "More than 500.000 already infected!"

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
  5. What a great idea! by slash-tard · · Score: 2, Insightful

    Technically it's useless but I'm sure plenty of ignorant CEOs and CTOs will sign up for it right away.

  6. Simbiot or Some Idiot? by b0r0din · · Score: 5, Insightful

    Yes, let's protect ourselves from attacks by attacking the offenders and wreaking even more havoc. That'll go over well. I don't even want to go into how stupid a proposal this is. Let's start with the first detail: it's probably illegal.

    I imagine it'll have some sort of military function, though.

  7. Still a useful idea... by tekiegreg · · Score: 3, Insightful

    Proposed idea:

    1) Subject receives DOS attack from Zombie machine
    2) Subject returns fire to zombie machine, perhaps with some sort of encoded "you're attacking me so I'm attacking you" script.
    3) From here the following happens: either somebody notices the machine is being attacked, investigates and reacts, leading the original victim to shut off its counter-attack. Or an automated script in the Zombie machine packet sniffs the retaliatory attack and shuts itself down and/or notifies admin for further action.

    This seems like a good idea, while the ethics of a counter-DoS attack are not sound, this could be a way to limit attacks. However Zombies spoofing other addresses could lead to issues as well...again though it's well known that DoS's are a pain in the butt to stop so what could work? Dunno...

    --
    ...in bed
  8. March 31 + 1 by dclydew · · Score: 5, Insightful

    Hrmmm, they go live on March 31 and this sounds too silly to be serious. I vote April Fools Joke.

    --
    Get a life, not a lifestyle. - Hikem Bey
  9. This is what happens... by Anonymous Coward · · Score: 4, Insightful

    ...when stupid people get venture capital money.

  10. Useless... by LostCluster · · Score: 2, Insightful

    This has no way of working, it can only make a DDoS worse.

    A basic denial of service attack is simply nothing more than somebody using all of their available bandwidth to send meaningless information to the victim host. If such an attack is greater than the available incoming bandwidth the victim has, then their legitimate incoming traffic gets delayed or dropped after being timed out.

    However, even if the IP addresses are being spoofed, it's pretty easy to trace back through the routers where these packets are coming from, and that'll lead you to the point where the attack is coming from. That doesn't tell you who the hacker was per se, but it at least ends the attack.

    A DDoS is nothing more than the result of hundreds or thousands of machines all directing a DoS at the same place. Now it's not so easy to trace back... effectively, they're coming from everywhere! The DDoS victim has nothing they can do for themselves other than order enough bandwidth to have more incoming bandwidth than the attackers have to throw at them, and that's not a cheap or fast solution. They're more or less waiting for whatever virus or worm touched off the storm to be cleaned up by the antivirus vendors.

    Hacking back your attackers is only going to cause other people to start wondering why you're scanning and hacking them... it isn't going to do much towards stopping the useless data that's streaming at you. The worst case situation is where two of these hacking systems meet each other... and therefore an automated hacking war between identical systems goes on forever while never disabling a real hacker.

    Seems like all this product does is appeal to over-aggressive personalities who are in IT positions and hate the concept of there being an attack that there's no possible way to defend against. It doesn't have to work, it just has to separate dumb people from their money.

  11. Re:Dumbest. Idea. Ever. by the_mad_poster · · Score: 2, Insightful

    How in the hell do ideas like this make it long enough to be publicly announced?

    Good marketing. Marketing makes decisions independent of intelligence, feasibility, or any of the other things that people with a normal IQ would consider important aspects of the plan. Managers know that if the plan somehow succeeds (they're managers, they have no way of gauging the feasibility or intelligence of anything more technical than simple addition) they can take credit for lending muscle and support to it. If it fails, they can shift the blame to the engineers for poorly implementing such a "promising" idea.

    The engineers pretty much either take it in the end for the stupidity of marketing and management or, if it somehow succeeds, get ignored (this is the best case scenario for any engineer - being ignored).

    This concludes your MBA training. You can pick your diploma up from a nearby printer after you've created it in Paint and sent it there.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  12. Not just hosts. by pheared · · Score: 2, Insightful

    Don't forget that there are plenty of ISPs at fault too. They neglect to implement egress and ingress filtering to sanitize the traffic that flows through their network. Easy example: CPE routers should not allow traffic inbound (outbound from customer) that does not belong to the customer's range of IPs.

  13. DoD views by An-Unnecessarily-Lon · · Score: 2, Insightful

    When we get a DDoS attack, NSA steps in and does what's called a strikeback. In fact they killed an ISP a few years ago, causing a few million in lost service and broken equipment. Hahah, don't mess with a .mil address

  14. What's really scary about this.. by humankind · · Score: 5, Insightful

    To me, what's really scary about this isn't that the idea is counterproductive, bone-headed, and probably illegal. It's that any company would propose something like this... which leads me to think that this is the type of story that is promoted just to get a rise out of people and we've taken the bait.

    The company is obviously trying to jump on the media-whore bandwagon by proposing such an idea, but look who they are and where they're from. Texans' historical idea of security hasn't been impressive.

    Shame on ZDNet for creating this troll in the first place. Shame on Slashdot for referencing this troll. Shame on us for being so outraged by it and taking the bait.

    We know this idea will never fly. But now we've given this loser company 15 minutes of fame. This story belongs on a Darwin Business Awards list or Fark.com, not here.

  15. Re:anti-spam tool - no attack advertisers by SirLanse · · Score: 2, Insightful

    Remember, follow the money.
    Who cares who sent the email/ddos.
    Who is benefiting? DDOS them!
    Attack the advertisers.

  16. April first by The-Pheon · · Score: 1, Insightful

    April fools!

    Cheers!

  17. Best way to stop DOS attacks by PPGMD · · Score: 2, Insightful
    IMO the best way to stop DOS attacks is to stop the zombies. And the best way to do that is to convince hosting companies and ISPs to configure their routers to reject packets with impossible return addresses.

    Example: RR not allowing their users to send packets with a return address that is not a RR IP for the area.

    That won't stop DOS attacks from happening, but it will make it easier to track the zombies, and maybe even get the perp.

  18. This is flawed by vk2tds · · Score: 2, Insightful

    This is totally flawed... Most DOS attacks are DDOS - distributed. That is MANY users attacking one user. Now, each of these many is often using their entire bandwidth to attack the single user.

    So to stop the DDOS attack, you need to take down every DOS user. And to do that you need to send enough data back to flood their bandwidth or kill their computer.

    The problem is that it is hard for one user to DOS another user, but is doable. Having one user DOS many users is very hard. Doing this whilst under a DOS attack is almost impossible.

    Sure, we all like revenge, and like to be doing something, but I can find better ways of fighting back than this. I like to win, and you cannot win like this.

    Darryl

  19. Self defense != vigilantism by Beryllium+Sphere(tm) · · Score: 3, Insightful

    A mob lynches a "witch" -- vigilantism.

    A woman carries out a devastating martial arts move on someone about to rape her -- self defense.

    Self defense is immediate, and it's aimed at stopping an attack in progress. Self defense doesn't excuse harming innocent third parties: if you use a hand grenade to stop a mugger, the law will rightly punish you.

    There's plenty of room for argument about this, but remote patching of the machines that are DDoSing you might be self defense. Any counterattack that is based on military principles, like the product under discussion here, is vigilantism.

    Notice that everything Schneier says is based on the assumption that regulated police and courts of law exist. Before those are set up on a lawless frontier, experience shows that citizens will set up a Committee of Vigilance.

  20. Re:Maybe there's one legit use for this hunk of cr by Frennzy · · Score: 2, Insightful

    Ideally, inside your own network, you have enough insight and control to track down the source of the Bad Things(TM) and shut them down. Not to flame or anything, but if you or your IT team can't accomplish that, get a new IT Team.

    Seriously, it's easy enough to backtrack the source of heavy data streams or malformed packets. Once you isolate the subnet, it's easy enough to track down a MAC address. As far as building a version to go after RFC 1918 addresses (which you mentioned), that's pretty much irrelevant, since this type of thing would simply go after addresses (manually defined or automatically generated in response to the source IP of incoming attacks) of any kind...RFC 1918 or not.

  21. Um the first to note by tomstdenis · · Score: 2, Insightful

    that DDOS attacks are asymmetric? [e.g. many to one] So what? Customers of this company will have hordes of zombie computers at their control?

    I don't quite get it.

    Though you can tell this is an American idea. The concept of collateral damage [e.g. people with the same ISP or host being tossed offline] isn't relatively important to them...

    Why not make a tool that can find who started the DDOS and then accidentally send them to 20 years in a pound-me-in-the-ass prison? That would be worth money.

    Tom

    --
    Someday, I'll have a real sig.
  22. Most interesting part: the techniques. by FooAtWFU · · Score: 4, Insightful
    I found the following the most interesting, for it described how they would respond with "asymmetric responses":

    "In these cases, the operations center may call for a variety of efforts, including (1) escalated multilateral profiling and blacklisting of upstream providers; (2) distributed denial of service counterstrikes; (3) special operations experts applying invasive techniques; and (4) combined operations which apply financial derivatives, publicity disinformation, and other techniques of psychological operations."

    Now how exactly this will help when you have a few hundred to a few thousand virused zombie machines running a DDoS against you and you have no clue who's behind it... is beyond me.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  23. Counterattack Vs Countermeasures by phorm · · Score: 3, Insightful

    Unfortunately it's not currently legal, but really what would be a better idea is to react to compromised machines based on their infection behavior. I know that when Code Red first came out (and still now, even) my Apache logs were full of attempts to access CMD.EXE or other Windows stuff.

    The obvious solution would be to respond to the attacking machine by using the same exploit by which it was initially infected, and cause it to go to sleep or attempt to clean itself. Obvious problems arise if the machine is doing something important, but the question arises: when are you allowed to protect your own property in response to somebody who hasn't properly fixed their own?

    Conceptually, the best way to do this would be to log attackers, note how they are infected based on heuristics of common infections, and then wait until the attack has been going on for a certain period of time. If the machine is still coming out strong after a day, one should be justified in taking measures to put it offline...

    It's time to stop pandering to sysadmins that don't do their jobs. We have some machines that aren't $1000/minute mission critical, but if one were infected I wouldn't feel overtly upset if somebody put it to sleep for me (so long as the machine itself wasn't damaged). For those that do run $$$$/minute machines, they should be well secured so such things don't happen, or at least not for prolonged periods of time.

    It's accountability time for sysadmins... you're not unjustified in shooting somebody who invades your house, so why can't you take out the computer that's attacking your network?
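    A defender's version of the "log, classify, wait, then act" scheme above, as an added example (not code from the poster or from Symbiot): it parses Apache combined-format lines for the Code Red and cmd.exe-style probes mentioned in the post and reports only sources whose probing persists past a time and count threshold, so the output is a list for the source's abuse contact rather than a counterstrike. The log lines, host addresses and signature table are constructed, and the thresholds are assumptions.

```python
"""Flagging persistently probing hosts from Apache access logs.

Added example; not code from any poster. It implements the measured part of
phorm's idea: log the attackers, classify the infection from the request
signature (Code Red's default.ida probe, the cmd.exe/root.exe requests of
Nimda-type worms) and report a source only once its probing has persisted past
a threshold. The result is a list for the source's abuse contact, not a
counter-attack. Log lines and the signature table are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request signatures of the worm probes phorm mentions (constructed table).
SIGNATURES = {
    "code-red": re.compile(r"/default\.ida\?", re.I),
    "cmd-probe": re.compile(r"/(?:cmd|root)\.exe", re.I),
}

def classify(request):
    """Name of the first matching worm signature, or None for normal traffic."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None

def parse_line(line):
    """(host, timestamp, request) from one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("time"), TIME_FMT), m.group("request")

def persistent_probers(lines, min_duration=timedelta(hours=24), min_hits=5):
    """Sources whose probing spans at least min_duration with at least min_hits.
    Returns {host: {"kinds": [...], "first": dt, "last": dt, "hits": n}}."""
    seen = defaultdict(lambda: {"kinds": set(), "first": None, "last": None, "hits": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, request = parsed
        kind = classify(request)
        if kind is None:
            continue  # ordinary request, not evidence of infection
        rec = seen[host]
        rec["kinds"].add(kind)
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        rec["hits"] += 1
    return {
        host: {**rec, "kinds": sorted(rec["kinds"])}
        for host, rec in seen.items()
        if rec["hits"] >= min_hits and rec["last"] - rec["first"] >= min_duration
    }

# Constructed sample log: one host probes for over a day, another only briefly.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2004:02:11:05 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 291
203.0.113.5 - - [10/Mar/2004:02:14:41 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 297
198.51.100.23 - - [10/Mar/2004:09:30:12 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 312
192.0.2.77 - - [10/Mar/2004:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [10/Mar/2004:18:45:59 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 291
203.0.113.5 - - [10/Mar/2004:03:02:09 +0000] "GET /c/cmd.exe?/c+dir HTTP/1.0" 404 305
198.51.100.23 - - [11/Mar/2004:01:12:33 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 297
198.51.100.23 - - [11/Mar/2004:04:00:01 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 291
"""
```

    Calling `persistent_probers(SAMPLE_LOG.splitlines())` with the default thresholds reports only 198.51.100.23, whose five probes span more than a day; the two-hit burst from 203.0.113.5 is ignored unless the thresholds are lowered.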

  24. Re:Friendly fire. - Old Mailbombing attacks by RajivSLK · · Score: 2, Insightful

    mailbomb someone until their mailbox filled up so the mail server would bounce the message back

    IIRC, you didn't need to fill up an account. Simply sending a message from invalidAddy@server1.net to invalidAddy@server2.net usually did the trick. Server2 would bounce the invalid message back to Server1, rinse and repeat. Not that I have any first hand experience.

  25. I've just been through extortionist DDoS by ajv · · Score: 2, Insightful

    I am an expert. Not in inverted commas "expert" but a real expert with hard won experience in the last few weeks.

    I have helped a customer who was suffering several DDoS attacks from sub humans from Eastern Europe. The attacks took out an entire Australian state for days at a time and in one 30 minute period, all of Australia at 4.30 in the morning, not just one ISP or one customer. We're not talking small attack fleets here.

    Now... where to start?

    This product is the stupidest, most lame, and idiotic idea I can think of. I don't know what the hell they were thinking, but all I can think of is that they've never ever had a DDoS attack aimed at them.

    In Australia (where I live), this type of counterattack *IS* illegal, and I have real lawyer advice from IAL (I am a lawyer) types at a big firm. If you want to prosecute, you sure as hell should not have retaliated... or you'll end up facing prosecution too, and unlike the scuzz buckets in eastern Molvania, you will go to jail and be Bubba's Vegemite Valley Viking buddy for some time.

    You want to know how to prevent spoofed attacks? Force * by law * Cisco and the two or three other manufacturers of telco equipment (DSLAMs, cable head ends, and digital modems) to not pass packets with spoofed IP addresses. Make it illegal to acquire equipment without these controls. Make it illegal to modify the equipment to allow such usage. Followed up with the "Good" ISPs null routing "Bad" ISPs who pass packets from "customers" (sources) who spoof. ISPs *know* the BGP AS's they route at their edge. They are the best placed not to allow spoofed packets to originate from them. This solution is SO simple, I'm surprised no one has done anything about forcing Cisco et al's hand yet.

    You want to know how to prevent DDoS attacks being used for extortion? Clueful law enforcement. Too many times, the victims of these attacks have to establish an uncontaminated body of evidence, keep a chain of custody for all evidence they collect, and show exactly how they've filtered the raw evidence to demonstrate the links between the few unspoofed packets and the badly written e-mails with the attacks. This is like a mugging victim collecting evidence swabs from themselves, taking the photos, doing a few PCR DNA tests (or three hundred), ensuring all statements are taken, keeping the evidence safe from contamination and doing the leg work of the investigation. ENOUGH! It's time for the police to get a fscking clue and employ real investigators in their "high tech" forces.

    Until then, companies like this one will be allowed to peddle their wares to customers who just want a large piece of 4x2 and to whack someone... anyone. I know because I soooo wanted that 4x2 so many times during January and February.

    --
    Andrew van der Stock
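    The edge filter that pheared, PPGMD and ajv each call for in this thread, as an added example that is not part of any post or of any vendor's product: a model of BCP 38 style source-address validation with both loose and strict reverse-path modes, showing that only the strict check drops a packet spoofing a neighbouring customer's address (the "make it look like it came from Company B" case raised earlier). Port names, prefixes and packets are constructed sample data.

```python
"""Source-address validation at a provider edge (BCP 38 / uRPF style).

Added example; not code from Symbiot or from any poster in the thread. It models
the filter pheared, PPGMD and ajv describe: the access device knows which
prefixes it routes toward each customer port, so a packet whose source it would
not route back through the port it arrived on is spoofed and is dropped there,
before it can masquerade as a third party at the victim. A "loose" mode shows
why only the strict check stops the neighbour-spoofing case the thread worries
about. All ports, prefixes and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer-facing port the packet arrived on
    src: str           # claimed source address
    dst: str


class EdgeFilter:
    def __init__(self, port_prefixes):
        # Routing-table view: prefix -> customer port it is routed toward.
        self.routes = {
            ip_network(p): port
            for port, prefixes in port_prefixes.items()
            for p in prefixes
        }

    def reverse_path(self, src):
        """Port the device would use to reach src (longest-prefix match), or None."""
        addr = ip_address(src)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def loose_rpf_ok(self, pkt):
        """Loose uRPF: accept if any route to src exists. This catches unrouted
        (bogon) sources only; a neighbouring customer's address still passes."""
        return self.reverse_path(pkt.src) is not None

    def strict_rpf_ok(self, pkt):
        """Strict uRPF: the route back to src must leave via the ingress port."""
        return self.reverse_path(pkt.src) == pkt.ingress_port

    def filter(self, packets, strict=True):
        """Return (forwarded, dropped) lists of source addresses for the mode."""
        check = self.strict_rpf_ok if strict else self.loose_rpf_ok
        forwarded = [p.src for p in packets if check(p)]
        dropped = [p.src for p in packets if not check(p)]
        return forwarded, dropped


# Constructed sample topology: two customer ports on one access device.
EDGE = EdgeFilter({
    "cust-A": ["203.0.113.0/26"],
    "cust-B": ["203.0.113.64/26", "198.51.100.0/24"],
})

# Constructed traffic toward one victim. Packet 2 spoofs an address in
# cust-B's block (the "make it look like it came from Company B" case);
# packet 3 spoofs a prefix the device has no route to at all.
SAMPLE = [
    Packet("cust-A", "203.0.113.10", "192.0.2.80"),  # genuine
    Packet("cust-A", "203.0.113.70", "192.0.2.80"),  # spoofs cust-B
    Packet("cust-A", "192.0.2.200", "192.0.2.80"),   # unrouted source
    Packet("cust-B", "198.51.100.9", "192.0.2.80"),  # genuine
]

if __name__ == "__main__":
    for mode in (False, True):
        fwd, drp = EDGE.filter(SAMPLE, strict=mode)
        print("strict" if mode else "loose", "forwarded:", fwd, "dropped:", drp)
```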