Slashdot Mirror


An Anti-DoS Tool That Returns Fire

An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will avoid being fooled by hijacked PCs and spoofed IP addresses..."

4 of 407 comments

  1. Re:Friendly fire. by bkowitz · Score: 5, Interesting

    John Draper (aka Captain Crunch) visited UIUC a few years ago. I hung out with him at a party and he began telling us about how the CrunchBox could be configured to launch counter attacks. I'm not sure if it's available in the present configuration - but it was definitely under consideration at one time.

    http://www.shopip.com/

  2. This has me thinking... by Frennzy · Score: 5, Interesting

    It's obviously a stupid idea. By definition, a DDoS is going to be launched from compromised machines...with a 99% probability the owner of said machine has no idea what's going on.

    But, most DDoS attacks do have easily verifiable signatures. (Ping floods, excessive SYNs from spoofed source addresses, among many others.)

    Why not start helping ISPs to block this crap at the source? They are, essentially, what allowed these machines to be zombified in the first place. Aggregators and headends should already have the intelligence to block IP spoofs, which eliminates SYN floods. It shouldn't be too difficult to imagine blocking an excessive amount of outbound (inbound from the ISP's customer base) ICMP packets...say...10% or more packets are ICMP=no YUO. (arbitrary figure, it could be less, it could be more).

    If nothing else, build some intelligence into backbone packet inspection (yes, I am aware of the vast amount of cycles this would take...but everything can be ported to ASICs at some point), such that vast amounts of packets, with duplicate signatures could be throttled back or dropped if a DDoS is detected.

    In short, we know we can't educate the lusers, but if the ISPs distributed the cost of such an implementation among all users, I'd imagine most people wouldn't even notice the cost increase.

    There's some other ideas floating around in my head, but they aren't fully formulated yet.
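The two ISP-side controls Frennzy sketches above (drop packets whose source address does not belong to the customer port they arrive on, and throttle a customer whose outbound traffic is 10% or more ICMP) can be written down as a small triage routine. The following is an added example, not code from the post or from any vendor mentioned on the page; the packet records, customer prefixes and the `port-1`/`port-2` names are constructed, and the `triage` function and its threshold are assumptions for illustration.

```python
"""Aggregator-side triage: ingress source filtering plus an ICMP share threshold.

Added example (not from the page). Packet records are constructed; a real
aggregator would read them from a flow export or a packet tap.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    customer: str    # access port / customer identifier at the aggregator
    src: str         # source IP the customer's host put on the wire
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    flags: str = ""  # TCP flags as seen, e.g. "S" for a bare SYN


# Constructed: the prefixes the ISP assigned to each customer port. This is
# information the ISP already has, which is the point of filtering here.
ASSIGNED = {
    "port-1": [ip_network("198.51.100.0/24")],
    "port-2": [ip_network("203.0.113.0/26")],
}


def is_spoofed(pkt: Packet) -> bool:
    """Ingress check: the source must lie inside the port's assigned prefixes.
    A SYN flood with forged sources fails this test before it leaves the ISP."""
    src = ip_address(pkt.src)
    return not any(src in net for net in ASSIGNED.get(pkt.customer, []))


def icmp_share(packets) -> dict:
    """Fraction of each customer's (non-spoofed) outbound packets that are ICMP."""
    total, icmp = defaultdict(int), defaultdict(int)
    for p in packets:
        total[p.customer] += 1
        if p.proto == "icmp":
            icmp[p.customer] += 1
    return {c: icmp[c] / total[c] for c in total}


def triage(packets, icmp_threshold: float = 0.10):
    """Return (dropped_spoofed, throttled_customers, forwarded).

    Spoofed packets are dropped outright. Customers at or above the ICMP
    threshold are listed for throttling; the threshold is the post's
    arbitrary 10% figure and would be tuned per network in practice.
    """
    spoofed, forwarded = [], []
    for p in packets:
        (spoofed if is_spoofed(p) else forwarded).append(p)
    shares = icmp_share(forwarded)
    throttled = sorted(c for c, s in shares.items() if s >= icmp_threshold)
    return spoofed, throttled, forwarded


# Constructed traffic sample: port-1 sends normal TCP plus a ping flood and a
# batch of SYNs with a forged source; port-2 is an ordinary customer.
SAMPLE = (
    [Packet("port-1", "198.51.100.10", "192.0.2.1", "tcp", "PA")] * 8
    + [Packet("port-1", "198.51.100.10", "192.0.2.1", "icmp")] * 2
    + [Packet("port-1", "192.0.2.77", "192.0.2.1", "tcp", "S")] * 5
    + [Packet("port-2", "203.0.113.5", "192.0.2.1", "udp")] * 19
    + [Packet("port-2", "203.0.113.5", "192.0.2.1", "icmp")] * 1
)

if __name__ == "__main__":
    dropped, throttle, fwd = triage(SAMPLE)
    print(f"dropped {len(dropped)} spoofed packets, forwarded {len(fwd)}")
    print("ICMP share per customer:", icmp_share(fwd))
    print("throttle:", throttle)
```

The spoof check is the part that needs no heuristics at all: the ISP knows which prefixes it handed to which port, so anything else is forged by construction. The ICMP ratio is the heuristic part and is deliberately computed only over packets that passed the first check, so forged traffic cannot skew a customer's ratio.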

  3. Re:Friendly fire. by jekewa · Score: 5, Interesting

    Reading the entire content of their website (all three pages, two of which are PDF, and hey, isn't that a cool count down on the homepage to when the DDOS starts on their site...), it doesn't say that they're counter attacking by return DOS on the systems attacking them. They claim to have a way to identify the system responsible for the attack, and then exact retribution.

    I suppose that one could theorize a way to monitor the network traffic around the attacking system and attempt to gather information about the zombie traffic, for example. That can't be easy, and perhaps their solution is to sell (or otherwise distribute) monitors for us to put on our systems to aid them in monitoring the networks from which DDOS can be attacking... As Wayne and Garth say, cha, right.

    Also, doesn't /. sometimes look like a DDOS? Acts like it, maybe. Seems to wipe out more than a few web servers...

    --
    End the FUD

  4. My take on this by bruns · Score: 5, Interesting

    Here's my take on this, pulled from a recent post to NANOG:

    Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.

    I'll share my favorite goober with firewall story. When I was a sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from clueless users all the time. I could identify which tool they used just by how the body of the message looked and how the 'attack' was described. Got ones saying that my performance testing server (which sometimes did ping scans across the dialups to see what the general response time was) was 'attacking' the user's machine with a single ICMP echo. Or how our IRC server was trying to attack the user on the ident port every time they tried to connect.

    Of course, the best one was when a supposed 'security expert' called up and complained how my two caching DNS servers for the T1 customers were attacking his entire network on port 53 UDP. He had naturally filtered the 'attack' because it was obvious that our Linux DNS servers were infected with one of the latest Windows viruses going around, and suddenly no one on his network could browse the web anymore.

    So, let me ask the question, do we really want people like that having a tool which autoresponds to attacks with attacks? At least when he filtered out our DNS traffic, it only affected his network... But imagine if he had launched an attack against my DNS servers in response? Yeah, that's a great idea.

    Of course, now that the AHBL does its own proxy testing, we get all sorts of fun reports from end users about our 'attacks' against their machines. Latest one demanded I tell her why we had scanned her, but wouldn't tell me her IP address or when the scan happened exactly, claiming that I had done the scan, so I should know what IP she is. Too bad I test over 100,000 IP addresses daily for open proxies....

    Let's not even get into the legal consequences for a tool like this, especially if it backfires and launches an attack against the NIPC, for example.

    --
    Brielle
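The three false alarms in bruns's story (DNS answers from the ISP's own resolvers, an ident lookup from an IRC server the user had just connected to, and a single ICMP echo from a test box) all come from a rule that treats every packet the user did not consciously ask for as an attack. The following is an added example, not code from the post or from any product on the page, that runs a rule of that shape and a context-aware rule over a constructed set of firewall events; the addresses, the `RESOLVERS`/`CONNECTED_TO` context, the `Event` layout and the 100-packet flood threshold are all assumptions made for illustration.

```python
"""Why an auto-responder's classifier matters: naive vs. context-aware triage.

Added example (not from the page). Events are constructed to mirror the
false-positive reports described in the post, plus one real flood.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str          # remote address the packets came from
    src_port: int
    dst_port: int
    proto: str        # "tcp", "udp" or "icmp"
    flags: str = ""   # TCP flags as logged, e.g. "S", "SA", "PA"
    n: int = 1        # packets aggregated into this event


# Constructed host context that the personal firewall in the story never consulted.
RESOLVERS = {"198.51.100.53", "198.51.100.54"}   # the ISP's caching DNS servers
CONNECTED_TO = {"203.0.113.6"}                    # servers the user opened sessions to (IRC)


def naive_rule(ev: Event) -> bool:
    """'Every packet I did not ask for is an attack.' Only a TCP packet carrying
    an ACK for a session we opened looks legitimate; everything else is reported."""
    return not (ev.proto == "tcp" and "A" in ev.flags)


def contextual_rule(ev: Event, flood_pps: int = 100) -> bool:
    """Same question, answered with host context and a volume threshold."""
    if ev.proto == "udp" and ev.src_port == 53 and ev.src in RESOLVERS:
        return False                      # answers from our own resolvers
    if ev.proto == "tcp" and ev.dst_port == 113 and ev.src in CONNECTED_TO:
        return False                      # ident lookup by a server we just connected to
    if ev.proto == "icmp" and ev.n < flood_pps:
        return False                      # a lone echo request is a probe, not a flood
    if ev.proto == "tcp" and "A" in ev.flags:
        return False                      # established-session traffic
    return ev.n >= flood_pps              # only sustained unsolicited volume counts


def report(events, rule) -> list:
    """Source addresses the given rule would report (or, with the product in the
    story, counter-attack). Sorted for stable comparison."""
    return sorted({e.src for e in events if rule(e)})


# Constructed sample: the three false alarms from the post, a real SYN flood,
# and the user's own established IRC session.
SAMPLE = [
    Event("198.51.100.53", 53, 41234, "udp", n=40),         # DNS answers to our queries
    Event("203.0.113.6", 52001, 113, "tcp", "S"),           # IRC server's ident check
    Event("198.51.100.9", 0, 0, "icmp"),                    # one ping from a perf-test box
    Event("192.0.2.200", 1024, 80, "tcp", "S", n=5000),     # real SYN flood
    Event("203.0.113.6", 6667, 52000, "tcp", "PA", n=120),  # established IRC session
]

if __name__ == "__main__":
    print("naive rule reports:     ", report(SAMPLE, naive_rule))
    print("contextual rule reports:", report(SAMPLE, contextual_rule))
```

With the naive rule, four of the five sources are "attackers", and three of them are the ISP's own resolvers, the IRC server and a monitoring host; only the contextual rule singles out the flood. A tool that fires back automatically inherits whichever of these rules it ships with, which is the point the post makes about who ends up on the receiving end.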