An Anti-DoS Tool That Returns Fire
An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will will avoid being fooled by hijacked PCs and spoofed IP addresses..."
John Draper (aka captain crunch) visited UIUC a few years ago. I hung out with him at a party and he began telling us about how the CrunchBox could be configured to launch counter attacks. I'm not sure it it's available in the present configuration - but it was definitely under consideration at one time.
http://www.shopip.com/
It's obviuously a stupid idea. By definition, a DDoS is going to be launched from compromised machines...with a 99% probability the lowner of said machine has no idea what's going on.
But, most DDoS attacks do have easily verifiable signatures. (Ping floods, excessive SYNs from spoofed source addresses, among many others.)
Why not start helping ISP's to block this crap at the source? They are, essentially, what allowed these machines to be zombified in the first place. Aggregators and headends should already have the intelligence to block IP spoofs, which eliminates SYN floods. It shouldn't be too difficult to imagine blocking an excessive amount of outbound (inbound from the ISP's customer base) ICMP packets...say...10% or more packets are ICMP=no YUO. (arbitrary figure, it could be less, it could be more).
If nothing else, build some intelligence into backbone packet inspection (yes, I am aware of the vast amount of cycles this would take...but everything can be ported to ASICs at some point), such that vast amounts of packets, with duplicate signatures could be throttled back or dropped if a DDoS is detected.
In short, we know we can't educate the lusers, but if the ISP's distributed the cost of such an implementation among all users, I'd imagine most people wouldn't even notice the cost increase.
There's some other ideas floating around in my head, but they aren't fully formulated yet.
I suppose that one could theorize a way monitor the network traffic around the attacking system and attempt to gather information about the zombie traffic, for example. That can't be easy, and perhaps their solution is to sell (or otherwise distribute) monitors for us to put on our systems to aid them in monitoring the networks from which DDOS can be attacking... As Wayne and Garth say cha, right.
Also, doesn't /. sometimes look like a DDOS? Acts like it, maybe. Seems to wipe out more than a few web servers...
End the FUD
Heres my take on this, pulled from a recent post to NANOG:
Lovely. So not only do we now have to fend off attacks from script kiddies
and packet monkies, we now have to fend off attacks from idiot sysadmins who
set this tool up and allow it to go all out on supposed 'attacks' against
their systems.
I'll share my favorite goober with firewall story. When I was a
sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from
clueless users all the time. I could identify which tool they used just by
how the body of the message looked and how the 'attack' was described. Got
ones saying that my performance testing server (which sometimes did ping scans
across the dialups to see what the general response time was) was 'attacking'
the user's machine with a single ICMP echo. Or how our IRC server was trying
to attack the user on the ident port every time they tried to connect.
Of course, the best one was when a supposed 'security expert' called up and
complained how my two caching DNS servers for the T1 customers was attacking
his entire network on port 53 UDP. He had naturally filtered the 'attack'
because it was obvious that our Linux DNS servers were infected with one of
the latest Windows viruses going around, and suddenly noone on his network
could browse the web anymore.
So, let me ask the question, do we really want people like that having a tool
which autoresponds to attacks with attacks? At least when he filtered out our
DNS traffic, it only affected his network... But imagine if he had launched
an attack against my DNS servers in response? Yeah, thats a great idea.
Of course, now that the AHBL does its own proxy testing, we get all sorts of
fun reports from end users about our 'attacks' against their machines. Latest
one demanded I tell her why we had scanned her, but wouldn't tell me her IP
address or when the scan happened exactly, claiming that I had done the scan,
so I should know what IP she is. Too bad I test over 100,000 IP addresses
daily for open proxies....
Lets not even get into the legal consequences for a tool like this, especially
if it backfires and launches an attack against the NIPC, for example.
Brielle