An Anti-DoS Tool That Returns Fire
An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will avoid being fooled by hijacked PCs and spoofed IP addresses..."
Yes, let's fire back at the machines attacking and DOUBLE the number of packets on the network while breaking the law! That'll solve it! As if the bandwidth from DoSnets and spam wasn't choking the internet down enough already...
How in the hell do ideas like this make it long enough to be publicly announced? It makes me sad that morons have tech jobs making crap and I couldn't even get hired changing toner if I wanted to...
CAn'T CompreHend SARcaSm?
I interpreted the article the same as you did the first time through, reading that the counter-attack would also be a DDoS. Second time I read that sentence though, I wonder if maybe this guy who was speaking meant to say that this is simply a counter-attack to DDoS, not a DDoS counter-attack. Who knows.
A DDoS _as_ the counter-attack is a ship with many holes in it.
Innocent, possibly and slightly are not 3 words I use to describe people who allow their computers to become zombies for DDoS attacks. It's inappropriate to say the 3 words I would use in public.
I do security
One interesting thing that didn't really get picked up on was the idea of monitoring and blacklisting networks hosting a lot of zombied machines. This could be the incentive that ISPs will finally need to start adding egress filtering to their routing devices, which at the very least, will allow victims of DDoS an easier time of maintaining their defensive measures.
Not necessarily.
What stops company X from making a "pact" with company Y? If company X is getting DoS'd, then company Y helps defend by launching their own counter-strike.
Dangerous? Yes.
Liability issues? Yes.
Effective? Maybe. Probably more than current methods. If it doesn't stop the current DoS, maybe it will prevent them in the future.
Surely someone will implement a counter-strike system in the next 5 years. Let's see what happens!
John Draper (aka Captain Crunch) visited UIUC a few years ago. I hung out with him at a party and he began telling us about how the CrunchBox could be configured to launch counter attacks. I'm not sure if it's available in the present configuration - but it was definitely under consideration at one time.
http://www.shopip.com/
While just DoSing the poor guy back is just silly, I could see some useful applications, mostly with worms. Say your site gets hit with a TCP-based worm, let's call it wormE. Now wormE is a known worm, and you're running a nice honeypot-type setup, possibly inside the firewall or proxy. Since we know how wormE propagates, you could go and fix the problem with wormE using the same hole. I'm not talking about intentionally doing damage, but rather killing the worm process, possibly popping up a message box on the console with patch instructions and stopping the offending process.
Now, since it's TCP and a two-way connection, we can be fairly confident that at the time of the connection the reverse routing paths go to the attacker; otherwise the SYN, FIN, ACK exchange would have been problematic.
Things like this have been discussed on NANOG etc. before and a lot of people hate it, obviously. I think if you could find exploits in the worms themselves and reply back with something to disable the worm inside the same request, that would be acceptable, as I should have the right to respond to any request from the internet with whatever I desire inside one session, though some would disagree.
No sir, I don't like it.
Given the amount of thought that seems to have gone into this, what do you want to bet that they forgot the "if (attacker == self) return;" clause? As such how about SCO versus SCO and leave the backbone out of it?
Launching a counter-DoS attack is illegal in many jurisdictions, and is certainly unethical. Also, the owners of zombied machines aren't likely to notice that they are being counter-attacked; after all, they didn't notice that they were attacking someone. And someone being attacked by a large zombie-net is unlikely to have the resources to effectively shut down a significant part of that zombie-net unless he has his own zombie-net (also illegal).
The "automated shut-down script" idea would only require a couple packets sent to each attacker, rather than a flood, but it requires this software to be installed and running on all zombied hosts. Not bloody likely. Even if it was packaged in Windows TheNextVersion, you can bet the first thing the trojans would do would be to disable it. Also, it would be trivial to spoof valid "shut-down" messages, creating a whole new way to DOS people. With this, a single PC on dial-up could take down a whole network within minutes. You would be adding tools to the "1337 H4XX0R5"' toolkit, not taking them away.
It's obviously a stupid idea. By definition, a DDoS is going to be launched from compromised machines... with a 99% probability the owner of said machine has no idea what's going on.
But, most DDoS attacks do have easily verifiable signatures. (Ping floods, excessive SYNs from spoofed source addresses, among many others.)
Why not start helping ISPs to block this crap at the source? They are, essentially, what allowed these machines to be zombified in the first place. Aggregators and headends should already have the intelligence to block IP spoofs, which eliminates SYN floods. It shouldn't be too difficult to imagine blocking an excessive amount of outbound (inbound from the ISP's customer base) ICMP packets... say... 10% or more packets are ICMP = no YUO. (Arbitrary figure; it could be less, it could be more.)
If nothing else, build some intelligence into backbone packet inspection (yes, I am aware of the vast amount of cycles this would take...but everything can be ported to ASICs at some point), such that vast amounts of packets, with duplicate signatures could be throttled back or dropped if a DDoS is detected.
In short, we know we can't educate the lusers, but if the ISPs distributed the cost of such an implementation among all users, I'd imagine most people wouldn't even notice the cost increase.
There's some other ideas floating around in my head, but they aren't fully formulated yet.
Their white paper does at least pay lip service to having enough "eyes on target" to provide "positive identification". What I didn't see was awareness of how difficult that was, or of the issues of attacks launched from neutral territory.
I know that comment was meant to be cute but there has been real thought into fighting back spammers.
I suppose that one could theorize a way to monitor the network traffic around the attacking system and attempt to gather information about the zombie traffic, for example. That can't be easy, and perhaps their solution is to sell (or otherwise distribute) monitors for us to put on our systems to aid them in monitoring the networks from which DDoS can be attacking... As Wayne and Garth say, cha, right.
Also, doesn't /. sometimes look like a DDOS? Acts like it, maybe. Seems to wipe out more than a few web servers...
End the FUD
The NSA no longer does strikebacks for fear of litigation. However, if the source is foreign and non-friendly then they take some action. But it is a big deal. If one of us decides to press the button we automatically go to jail (no passing Go / no $200). Inmates at Ft. Leavenworth don't exactly fear a computer guy who pressed the strikeback button.
I think we need to focus on ISPs who allow large numbers of these infected machines to remain on their networks. These ISPs could easily set their gateways to log suspicious outgoing traffic (like lots of connection attempts to different hosts on port 135), compile a list of potentially infected machines, and then contact the end users to help them clean and patch. I imagine a well-designed ISP liability law (with warning provisions to help overcome corporate inertia) could help a lot.
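Two of the ISP-side measures proposed in this thread, dropping outbound packets whose source address is not in the customer's assigned space (so spoofed SYN floods never leave the network) and flagging customer hosts that open connections to port 135 on many distinct destinations or send a large share of ICMP, as an added example run over constructed flow records. This is not code from the original thread or from Symbiot; the customer prefix, the thresholds (20 distinct port-135 targets, the thread's arbitrary 10% ICMP share, a 10-packet minimum before the ratio counts) and the flow-record layout are all assumptions.

```python
"""ISP-side egress checks over customer flow records.

Added example for this discussion; not code from the original thread.
The customer prefix, the thresholds and the flow-record layout are all
assumptions, and the flow records below are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumption: address space the ISP has assigned to its customers.
CUSTOMER_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = (
    # 10.20.5.7 opens TCP/135 to 40 distinct hosts: the worm-like pattern
    # that marks a likely infected customer machine.
    [("10.20.5.7", f"198.51.100.{i}", "tcp", 135) for i in range(1, 41)]
    # 203.0.113.9 is not a customer address, so outbound packets carrying it
    # as source are spoofed (e.g. a SYN flood) and must not leave the network.
    + [("203.0.113.9", "192.0.2.10", "tcp", 80)] * 5
    # 10.20.9.3 sends mostly ICMP (12 of 15 packets): a ping-flood participant.
    + [("10.20.9.3", "192.0.2.20", "icmp", 0)] * 12
    + [("10.20.9.3", "192.0.2.21", "tcp", 443)] * 3
    # 10.20.2.2 sends two pings and nothing else: 100% ICMP but far too little
    # traffic to call a flood, so the minimum-volume guard must spare it.
    + [("10.20.2.2", "192.0.2.40", "icmp", 0)] * 2
    # 10.20.1.1 is an ordinary resolver client.
    + [("10.20.1.1", "192.0.2.30", "udp", 53)] * 40
)


def is_customer_address(src, prefixes=CUSTOMER_PREFIXES):
    """True if the source address belongs to this ISP's customer space."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in prefixes)


def analyze(flows, prefixes=CUSTOMER_PREFIXES, scan_threshold=20,
            icmp_share=0.10, min_packets=10):
    """Return spoofed sources, port-135 scanners and ICMP-heavy hosts.

    - spoofed: sources outside the customer prefixes (egress-filter drops).
    - scanners: customer hosts with >= scan_threshold distinct TCP/135 targets.
    - icmp_flooders: customer hosts whose ICMP share is >= icmp_share, counted
      only once they have sent at least min_packets packets.
    """
    spoofed = set()
    targets_on_135 = defaultdict(set)
    icmp_count = defaultdict(int)
    total_count = defaultdict(int)

    for src, dst, proto, dport in flows:
        if not is_customer_address(src, prefixes):
            spoofed.add(src)
            continue  # an egress filter drops this; it is not customer traffic
        total_count[src] += 1
        if proto == "icmp":
            icmp_count[src] += 1
        elif proto == "tcp" and dport == 135:
            targets_on_135[src].add(dst)

    scanners = {src: len(dsts) for src, dsts in targets_on_135.items()
                if len(dsts) >= scan_threshold}
    icmp_flooders = {
        src: icmp_count[src] / total_count[src]
        for src in icmp_count
        if total_count[src] >= min_packets
        and icmp_count[src] / total_count[src] >= icmp_share
    }
    return {"spoofed": spoofed, "scanners": scanners,
            "icmp_flooders": icmp_flooders}


if __name__ == "__main__":
    report = analyze(FLOWS)
    print("drop (spoofed source):", sorted(report["spoofed"]))
    print("probable infected hosts (TCP/135 scan):", report["scanners"])
    print("ICMP-heavy hosts:", report["icmp_flooders"])
```

In a real deployment the records would come from NetFlow/sFlow exports at the aggregation routers rather than an inline list, and the spoof check is exactly what a per-interface egress ACL or unicast RPF does in hardware; the point of the per-host minimum is that a ratio alone flags every customer who sends a single ping, which is the kind of false positive the thread's "attack reports from clueless users" story warns about.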
Here's my take on this, pulled from a recent post to NANOG:
Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.
I'll share my favorite goober-with-firewall story. When I was a sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from clueless users all the time. I could identify which tool they used just by how the body of the message looked and how the 'attack' was described. Got ones saying that my performance testing server (which sometimes did ping scans across the dialups to see what the general response time was) was 'attacking' the user's machine with a single ICMP echo. Or how our IRC server was trying to attack the user on the ident port every time they tried to connect.
Of course, the best one was when a supposed 'security expert' called up and complained how my two caching DNS servers for the T1 customers were attacking his entire network on port 53 UDP. He had naturally filtered the 'attack' because it was obvious that our Linux DNS servers were infected with one of the latest Windows viruses going around, and suddenly no one on his network could browse the web anymore.
So, let me ask the question: do we really want people like that having a tool which autoresponds to attacks with attacks? At least when he filtered out our DNS traffic, it only affected his network... But imagine if he had launched an attack against my DNS servers in response? Yeah, that's a great idea.
Of course, now that the AHBL does its own proxy testing, we get all sorts of fun reports from end users about our 'attacks' against their machines. The latest one demanded I tell her why we had scanned her, but wouldn't tell me her IP address or when the scan happened exactly, claiming that I had done the scan, so I should know what IP she is. Too bad I test over 100,000 IP addresses daily for open proxies....
Let's not even get into the legal consequences for a tool like this, especially if it backfires and launches an attack against the NIPC, for example.
Brielle
Pretend that I'm a hacker running a DDoS attack. One, if not a few, of the machines I am using to run this DDoS attack on a server has this anti-DoS software. The server under attack would have this software as well.
I'll let you think about that scenario. It's probably unlikely, but it's still fun to think about. However, remember that if some guy has hijacked grandma's PC, the ISP she uses may have such software. I'm guessing the architect of this software didn't pay attention during his Operating Systems course.
Oh, and of course I have to include the obligatory:
1. Actually devise security software to bring down the ENTIRE internet.
2. ???*
3. Profit!
*Insert Trial Lawyer here...
Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.
This is the obvious solution (after all, no zombies = no DDoS-nets), but the problem is there's no practical way to achieve it.
I think I see a way:
First: A counter-probe to identify whether a suspected site actually is a zombie. This would eliminate friendly-fire counterattacks and lets-you-and-him-fight scenarios.
A good signature is the presence of a controlling port for the zombie (though this might be camouflaged during the attack, so you'd have to go after something else once the attackers catch on and redesign). What you probe for, of course, will vary with the attacking tool.
Second: An infected machine will have had one of the set of vulnerabilities known to the particular tool's infection mechanism. (That will probably still be in place, since the tool's author will want to leave it open for future use, or not try to close it due to the added complexity and risk of exposure.) It will usually also have additional backdoor(s) installed by the tool. These give you an exploit for counterattacking it.
As things stand today, there's no incentive pushing owners of compromised machines to react quickly to remove them from the net -- there's no financial cost for many home users if they don't do so, and they're shielded from liability by the "I didn't know I was infected" defense.
Seems to me that a few thousand machines scattered around the net that respond to the latest worms by breaking into the zombies, popping up a notifier that they're infected and need to fix it, shutting down the infection, and cutting them off from some of their network service until they fix it, might just give them an immediate incentive. B-)
A second problem is that for the average computer user, it can be very difficult to tell casually if your computer's been infected and is packeting someone else. The fraction of the computer population that checks their firewall to measure their traffic, or goes over the processes running in memory every once in a while, is probably fairly small. This means that infected computers tend to stay infected for a long time.
Another reason to install something on their machine that mildly harasses them until they fix it once they've been exploited and the exploit attacked YOU. Issue solved.
There's also no real, efficient way for a DDoS target to notify thousands of machines about the problem, much less expect a significant proportion of them to respond in any short amount of time.
See above.
I think all the bases you mentioned are covered.
Yes, there might be an issue with the anti-hacking laws. But I think the necessity defense would be applicable here.
"Your honor: Defendant stipulates that he did install software on his machine which did respond to an attack from the machines owned by states' witnesses 1 through 5 by breaking into their machines, disabling some of the software running there, and installing additional software, without their permission.
But at the time the software performed this operation, defendant's machine, which is necessary to his livelihood, was already under active attack by the software on witnesses 1 through 5's machines, and thousands of others, due to an infection by software installed by an unknown and malicious third party. This attack, if not countered, would make it unusable for its primary purpose.
The third party's software was installed on their machines, and left running, at least partially due to their own negligence, and was causing serious harm to the defendant's own machine. The defendant's software, on the other hand, took extensive measures to ensure that it only counter-attacked machines that were already attacking it, and to make the minimum changes necessary to abort the attack and notify the owners of the attacking machines that the machines had been infected and needed to be fixed.
Defendant pleads necessity.
To apply the anti-hacking law to defendant in this case is the same as jailing a man who was being beaten by an enraged mob for violating the laws against assault in his effort to protect himself."
This is just one reason why an automated counter attack system would never be a good idea. If, however, your organization were repeatedly victimized by a DoS attack, and you could accurately identify who was responsible, counter attacking would make all the sense in the world. Not only would it make the attacker unable to perform new attacks, but if the company got lucky the attacker might even try to sue them. Why is this a good thing? You have to identify yourself to sue someone. Then the company knows who to countersue, and for much more money than the original suit. DoS attacks will only stop when there is a possibility of real consequences against the offender.
This operation "Broken Arrow" will not work.
For one, yes, you can identify legitimate sources if it is TCP traffic (or some UDP services). However, the bandwidth it would take to effectively stall or at least make the ISP take the hosts offline is far too much.
The only real solution is a shared technology across tier-1 ISPs that identifies hosts participating in these attacks and just null-routes their IP. Certain organizations are already sharing DDoS route servers, and if the major backbones are willing to accept another 1/4 million routes to the bit bucket, we may have something. Once the difficult attacks are taken care of, attackers will be left with easily identifiable blasts of bandwidth-consuming garbage.
While a user may not attempt to fix their problem if they're running a bit slow, they will most certainly fix it when they can't access Google, online banking, or porn.
What would happen the first time someone spoofed one of these companies in an attack on another company with a counter strike practice in place? Counter strikes are unlikely to be tit for tat, but a little bit more. It would be likely to escalate between the two until one of them gave up. Two innocent parties duking it out.
A white list or reverse DNS lookup might prevent this. Other thoughts?
If there are 2 of these boxes, then a spoofed attack that sets them against each would kill both. I suspect the drawing board needs revisiting.