Slashdot Mirror


An Anti-DoS Tool That Returns Fire

An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will will avoid being fooled by hijacked PCs and spoofed IP addresses..."

20 of 407 comments (clear)

  1. Friendly fire. by Jaywalk · · Score: 5, Insightful
    For a company that makes a big deal about "thousands of years" of experience, they clearly have not thought this through. A distributed denial of service counter-attack to a distributed denial of service attack? If both sides have massive numbers of machines engaged in sending bogus messages you can be assured of two things: 1) there won't be enough traffic brought to bear on the offending machines to shut them down. 2) It's going to suck down massive amounts of bandwidth.

    Can you see the tech guy trying to explain that their company was knocked off, not by the attack, but by the counter attack?

    "It's okay, sir. It was friendly fire.

    --
    ===== Murphy's Law is recursive. =====
    1. Re:Friendly fire. by abandonment · · Score: 5, Insightful

      this is the stupidest idea i've heard of in a long time - if you have the network infrastructure to try and launch a DDOS attack, then you probably have the ability to survive and/or defend from DDOS attacks without resorting to insanity like this. Of course, companies in the US will probably love this, it fits well with their governments' 'first strike' foreign policy directives as pushed by Mr Shrub etc

    2. Re:Friendly fire. by koh · · Score: 4, Insightful

      Hmmm just a thought, but the DOS counter-attack would be issued only from the original target's subnet, so it does make it easier to block...

      However, it sure looks like a really bad idea. Someone is getting overpaid out there...

      --
      Karma cannot be described by words alone.
    3. Re:Friendly fire. by jamshid42 · · Score: 5, Insightful

      Actually, could you see if two different companies had an automatic DDoS system like this and someone spoofed their DDoS to attack Company A and made it look like it was coming from Company B? Company A's auto-attack would then attack Company B, which would, in turn, attack Company A. Not only would the continual volleys take out both companies, there would also be a huge impact on the network paths between them.

      --
      /. - Proof that Sturgeon's Law is true...
    4. Re:Friendly fire. by robslimo · · Score: 5, Insightful

      Agreed.

      From the article, According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike".

      Given that blacklist maintainers have gotten such an unfriendly response from some quarter that they're starting to operate anonymously (google SPEWS for more), launching your own DDoS would put you in deep doo-doo, no matter how white you think your hat is.

      -RatOmeter

    5. Re:Friendly fire. by Znork · · Score: 4, Insightful

      "Effictive? Maybe. Probably more than current methods."

      It would be even worse if it was effective. Imagine the first time some joined corps get hit by a distributed reflection DOS attack and their little vigilante group of automated systems take out CNN, AOL, Yahoo, Google, etc in the counterstrike.

    6. Re:Friendly fire. by timmarhy · · Score: 3, Insightful

      This is just corp. rubbish. I can think of 2 reasons this thing will either prove to be emabressingly useless or most probably vapourware. 1: they aren't giving details on HOW they DOS the zombie pc's, which makes me think it's designed to impress investors and clueless gov officals and thats it. 2:The very nature of a DDoS means the attacker will have more bandwidth then you. whats it going to do, in the middle of a slashdot style swamping start sending our MORE data?!?!?

      --
      If you mod me down, I will become more powerful than you can imagine....
  2. Get ready for more attacks by poptix_work · · Score: 5, Insightful

    This has already been discussed on the NANOG mailing list, the general consensus is that _this_ will be the next
    source of attacks against systems as people spoof attacks at it. (Much like smurf attacks)

    Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.

    --
    Just because you disagree doesn't make it offtopic or flamebait.
    1. Re:Get ready for more attacks by malraid · · Score: 3, Insightful

      Right, it should be easy (if not trivial) to create an attack to someone, and spoof the real target's address. Then you can have cross-fire between two inocent parties. Microsoft and SCO anyone? ...kind of pointless.

      --
      please excuse my apathy
    2. Re:Get ready for more attacks by tessaiga · · Score: 4, Insightful
      Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.
      This is the obvious solution (after all, no zombies = no DDoS-nets), but the problem is there's no practical way to achieve it. As things stand today, there's no incentive pushing owners of compromised machines to react quickly to remove them from the net -- there's no financial cost for many home users if they don't do so, and they're shielded from liability by the "I didn't know I was infected" defense.

      A second problem is that for the average computer user, it can be very difficult to tell casually if your computer's been infected and is packeting someone else. The fraction of the computer population that checks their firewall to measure their traffic, or goes over the processes running in memory every once in a while, is probably fairly small. This means that infected computers tend to stay infected for a long time. There's also no real, efficient way for a DDoS target to notify thousands of machines about the problem, much less expect a significant proportion of them to respond in any short amount of time.

      I think the goal of this approach was to try to make it inconvenient for the compromised machines by taking down their net connection, and thus push the owners to investigate what the problem was. A friend of mine recently discovered that her brother's laptop was riddled with trojans and spyware, after he brought it to her complaining that it was "running slow". Turned out he was oblivious to the problem for a long time until so many processes had loaded down his machine that it was running at 100% utilization even when it was "idle". In the meantime, it was potentially available to be a participant in DDoS attacks. It wasn't until it was inconvenient for him that he took any steps to figure out what was wrong with it.

      Of course, many of the other posts have already explained why this particular approach is bad -- everything from spoofing causing innocent victims to be hit with counter-attacks, to the problem of having enough bandwidth to DOS a distributed attack in the first place. The challenge is going to be to develop a practical way of creating incentives for people with compromised machines to fix them quickly.

      --
      The bold print giveth, and the fine print taketh away ...
  3. Endless Loop by dcocos · · Score: 4, Insightful

    What happens when someone gets smart and creates one that looks for other Symbiot boxes and basicly has them fighting each other?

  4. Pointless by frenetic3 · · Score: 4, Insightful

    Great. So DDoS victims, in addition to having all of their incoming bandwidth wasted, can now spend all their outgoing bandwidth to strike back at their cunning, ruthless assailants -- you know, like all those clever "Dear friends" who "use this Internet Explorer patch now!".

    "More than 500.000 already infected!"

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
  5. Simbiot or Some Idiot? by b0r0din · · Score: 5, Insightful

    Yes, let's protect ourselves from attacks by attacking the offenders and wreaking even more havoc. That'll go over well. I don't even want to go into how stupid a proposal this is. Let's start with the first detail: it's probably illegal.

    I imagine it'll have some sort of military function, though.

  6. Still a useful idea... by tekiegreg · · Score: 3, Insightful

    Proposed idea:

    1) Subject receives DOS attack from Zombie machine
    2) Subject returns fire to zombie machine, perhaps with some sort of encoded you're attacking me so I'm attacking you script.
    3) From here the following happens, either somebody notices the machine is being attacked, investigates and reacts, leading the original victim to shut off it's counter-attack. Or an automated script in the Zombie machine packet sniffs the retaliatory attack and shuts itself down and/or notifies admin for further action.
    This seems like a good idea, while the ethics of a counter-DoS attack are not sound, this could be a way to limit attacks. However Zombie's spoofing other addresses could lead to issues as well...again tho it's well known that DoS's are a pain in the butt to stop so what could work? Dunno...

    --
    ...in bed
  7. March 31 + 1 by dclydew · · Score: 5, Insightful

    Hrmmm, they go live on March 31 and this sounds too silly to be serious. I vote April Fools Joke.

    --
    Get a life, not a lifestyle. - Hikem Bey
  8. This is what happens... by Anonymous Coward · · Score: 4, Insightful

    ...when stupid people get venture captial money.

  9. What's really scary about this.. by humankind · · Score: 5, Insightful

    To me, what's really scary about this isn't that the idea is counterproductive, bone-headed, and probably illegal. It's that any company would propose something like this... which leads me to think that this is the type of story that is promoted just to get a rise out of people and we've taken the bait.

    The company is obviously trying to jump on the media-whore bandwagon by proposing such an idea, but look who they are and where they're from. Texans' historical idea of security hasn't been impressive.

    Shame on ZDNet for creating this troll in the first place. Shame on Slashdot for referencing this troll. Shame on us for being so outraged by it and taking the bait.

    We know this idea will never fly. But now we've given this loser company 15 minutes of fame. This story belongs on a Darwin Business Awards list or Fark.com, not here.

  10. Self defense != vigilantism by Beryllium+Sphere(tm) · · Score: 3, Insightful

    A mob lynches a "witch" -- vigilantism.

    A woman carries out a devastating martial arts move on someone about to rape her -- self defense.

    Self defense is immediate, and it's aimed at stopping an attack in progress. Self defense doesn't excuse harming innocent third parties: if you use a hand grenade to stop a mugger, the law will rightly punish you.

    There's plenty of room for argument about this, but remote patching of the machines that are DDoSing you might be self defense. Any counterattack that is based on military principles, like the product under discussion here, is vigilantism.

    Notice that everything Schneier says is based on the assumption that regulated police and courts of law exist. Before those are set up on a lawless frontier, experience shows that citizens will set up a Committee of Vigilance.

  11. Most interesting part: the techniques. by FooAtWFU · · Score: 4, Insightful
    I found the following the most interesting, for it described how they would respond with "asymmetric responses":

    "In these cases, the operations center may call for a variety of efforts, including (1) escalated multilateral profiling and blacklisting of upstream providers; (2) distributed denial of service counterstrikes; (3) special operations experts applying invasive techniques; and (4) combined operations which apply financial derivatives, publicity disinformation, and other techniques of psychological operations."

    Now how exactly this will help when you have a few hundred to a few thousand virused zombie machines running a DDoS against you and you have no clue who's behind it... is beyond me.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  12. Countattack Vs Countermeasures by phorm · · Score: 3, Insightful

    Unfortunately it's not currently legal, but really what would be a better idea is to react to compromised machines based on their infection behavior. I know that when Code Red first came out (and still now, even) my Apache logs were full of attempts to acces CMD.EXE or other windows stuff.

    The obvious solution would be to respond to the attacking machine by using the same exploit by which it was initially infected, and cause it to go to sleep or attempt to clean itself. Obvious problems arise if the machine is doing something important, but the question arises: when are you allowed to protect your own property in response to somebody who hasn't properly fixed their own?

    Conceptually, the best way to do this would be to log attackers, note how they are infected based on heuristics of common infections, and then wait until they attack has been going on for a certain period of time. If the machine is still coming out strong after a day, one should be justified in taking measured to put it offline...

    It's time to stop pandering to sysadmins that don't do their jobs. We have some machines that aren't $1000/minute mission critical, but if one were infected I wouldn't feel overtly upset if somebody put it to sleep for me (so long as the machine itself wasn't damaged). For those that do run $$$$/minute machines, they should be well secured so such things don't happen, or at least not for prolonged periods of time.

    It's accountability time for sysadmins... you're not unjustified in shooting somebody who invades your house, so why can't you take out the computer that's attacking your network?