An Anti-DoS Tool That Returns Fire
An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will avoid being fooled by hijacked PCs and spoofed IP addresses..."
Can you see the tech guy trying to explain that their company was knocked off, not by the attack, but by the counter attack?
"It's okay, sir. It was friendly fire."
===== Murphy's Law is recursive. =====
This has already been discussed on the NANOG mailing list, the general consensus is that _this_ will be the next
source of attacks against systems as people spoof attacks at it. (Much like smurf attacks)
Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.
Just because you disagree doesn't make it offtopic or flamebait.
"In advance of the product launch, Symbiot's president, Mike Erwin, and its chief scientist, Paco Nathan, have outlined a set of "rules of engagement for information warfare", which they say should be part of corporate security policy to help companies determine their exact response to an incoming attack."
::shudder::
Can you imagine large corporations full of MCSEs engaging in "information warfare"?
Where is the tactical nuke for spam? I want a tool that goes on the offensive against spammers.
Who does SCO attack first? :)
heh, don't link to the company's website, slashdot editors - the /. horde will make with the clicking and they might return fire to your readers. ;)
(oblig. - "Of course, that would require them to be reading the articles")
Symbiot, a Texas-based security firm
Ok, it makes sense now.
Entering the word EXIT (followed by pressing the Enter key) is a surefire way to kill those ding-dang DOS session windows.
What happens when someone gets smart and creates one that looks for other Symbiot boxes and basically has them fighting each other?
Slashdot has been knocked off the web for good, seemingly due to the fact that several of the daily stories it linked to were running the new "counter-attack" DoS protection.
Yes, let's fire back at the machines attacking and DOUBLE the number of packets on the network while breaking the law! That'll solve it! As if the bandwidth from DoSnets and spam wasn't choking the internet down enough already...
How in the hell do ideas like this make it long enough to be publicly announced? It makes me sad that morons have tech jobs making crap and I couldn't even get hired changing toner if I wanted to...
CAn'T CompreHend SARcaSm?
Great. So DDoS victims, in addition to having all of their incoming bandwidth wasted, can now spend all their outgoing bandwidth to strike back at their cunning, ruthless assailants -- you know, like all those clever "Dear friends" who "use this Internet Explorer patch now!".
"More than 500.000 already infected!"
-fren
"Where are we going, and why am I in this handbasket?"
Yes, let's protect ourselves from attacks by attacking the offenders and wreaking even more havoc. That'll go over well. I don't even want to go into how stupid a proposal this is. Let's start with the first detail: it's probably illegal.
I imagine it'll have some sort of military function, though.
Proposed idea:
1) Subject receives DOS attack from Zombie machine
2) Subject returns fire to zombie machine, perhaps with some sort of encoded you're attacking me so I'm attacking you script.
3) From here the following happens: either somebody notices the machine is being attacked, investigates and reacts, leading the original victim to shut off its counter-attack; or an automated script on the Zombie machine packet-sniffs the retaliatory attack and shuts itself down and/or notifies the admin for further action.
This seems like a good idea; while the ethics of a counter-DoS attack are not sound, this could be a way to limit attacks. However, Zombies spoofing other addresses could lead to issues as well... again though, it's well known that DoSes are a pain in the butt to stop, so what could work? Dunno...
...in bed
Hrmmm, they go live on March 31 and this sounds too silly to be serious. I vote April Fools Joke.
Get a life, not a lifestyle. - Hikem Bey
You may be taking out grandma's computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up.
Okay, now they're crossing the line. You mess with Granny's Luscious Cookies, and you're in for it. This means war!
Show me on the doll where his noodly appendage touched you.
...when stupid people get venture capital money.
It preemptively surrenders even before it's attacked.
So then you forged a message so that it looked like it came from a second victim - and when their mailbox filled up it would bounce them back to the first victim
A fun way to take down T-1 lines back in the day when that was considered more bandwidth than any large university could ever use... Not that I have ever done anything like this
I have mod points and I am not afraid to use them
Bruce Schneier wrote about this way back in the December 2002 Crypto-Gram.
Counterattack
This must be an idea whose time has come, because I'm seeing it talked about everywhere. The entertainment industry floated a bill that would give it the ability to break into other people's computers if they are suspected of copyright violation. Several articles have been written on the notion of automated law enforcement, where both governments and private companies use computers to automatically find and target suspected criminals. And finally, Tim Mullen and other security researchers start talking about "strike back," where the victim of a computer assault automatically attacks back at the perpetrator.
The common theme here is vigilantism: citizens and companies taking the law into their own hands and going after their assailants. Viscerally, it's an appealing idea. But it's a horrible one, and one that society after society has eschewed.
Our society does not give us the right of revenge, and wouldn't work very well if it did. Our laws give us the right to justice, in either the criminal or civil context. Justice is all we can expect if we want to enjoy our constitutional freedoms, personal safety, and an orderly society.
Anyone accused of a crime deserves a fair trial. He deserves the right to defend himself, the right to face his accuser, the right to an attorney, and the right to be held innocent until proven guilty.
Vigilantism flies in the face of these rights. It punishes people before they have been found guilty. Angry mobs lynching someone suspected of murder is wrong, even if that person is actually guilty. The MPAA disabling someone's computer because he's suspected of copying a movie is wrong, even if the movie was copied. Revenge is a basic human emotion, but revenge only becomes justice if carried out by the State.
And the State has more motivation to be fair. The RIAA sent a cease-and-desist letter to an ISP asking them to remove certain files that were the copyrighted works of George Harrison. One of the files: "Portrait of mrs. harrison Williams 1943.jpg." The RIAA simply Googled for the string "harrison" and went after everyone who turned up. Vigilantism is wrong because the vigilante could be wrong. The goal of a State legal system is justice; the goal of the RIAA was expediency.
Systems of strike back are much the same. The idea is that if a computer is attacking you -- sending you viruses, acting as a DDoS zombie, etc. -- you might be able to forcibly shut that computer down or remotely install a patch. Again, a nice idea in theory but one that's legally and morally wrong.
Imagine you're a homeowner, and your neighbor has some kind of device on the outside of his house that makes noise. A lot of noise. All day and all night. Enough noise that any reasonable person would claim it to be a public nuisance. Even so, it is not legal for you to take matters into your own hand and stop the noise.
Destroying property is not a recognized remedy for stopping a nuisance, even if it is causing you real harm. Your remedies are to: 1) call the police and ask them to turn it off, break it, or insist that the neighbor turn it off; or 2) sue the neighbor and ask the court to enjoin him from using that device unless it is repaired properly, and to award you damages for your aggravation. Vigilante justice is simply not an option, no matter how right you believe your cause to be.
This is law, not technology, so there are all sorts of shades of gray to this issue. The interests at stake in the original attack, the nature of the property, liberty or personal safety taken away by the counterattack, the risk of being wrong, and the availability and effectiveness of other measures are all factors that go into the assessment of whether something is morally or legally right. The RIAA bill is at one extreme because copyright is a limited property interest, and there is a great risk of wrongful deprivation of u
To me, what's really scary about this isn't that the idea is counterproductive, bone-headed, and probably illegal. It's that any company would propose something like this... which leads me to think that this is the type of story that is promoted just to get a rise out of people and we've taken the bait.
The company is obviously trying to jump on the media-whore bandwagon by proposing such an idea, but look who they are and where they're from. Texans' historical idea of security hasn't been impressive.
Shame on ZDNet for creating this troll in the first place. Shame on Slashdot for referencing this troll. Shame on us for being so outraged by it and taking the bait.
We know this idea will never fly. But now we've given this loser company 15 minutes of fame. This story belongs on a Darwin Business Awards list or Fark.com, not here.
While just DoSing the poor guy back is just silly, I could see some useful applications, mostly with worms. Your site gets hit with a TCP-based worm, let's call it wormE. Now wormE is a known worm and you're running a nice honeypot-type setup, possibly inside the firewall or proxy. Since we know how wormE propagates, you could go and fix the problem with wormE using the same hole. I'm not talking about intentionally doing damage, but rather killing the worm process, possibly popping up a message box on the console with patch instructions and stopping the offending process.
Now since it's TCP and a two-way connection, we can be fairly confident that at the time of the connection the reverse routing path goes to the attacker; otherwise SYN, FIN, ACK would have been problematic.
Things like this have been discussed on NANOG etc. before, and a lot of people hate it, obviously. I think if you could find exploits in the worms themselves and reply back with something to disable the worm inside the same request, that would be acceptable, as I should have the right to respond to any request from the internet with whatever I desire inside one session, though some would disagree.
No sir, I don't like it.
It's obviously a stupid idea. By definition, a DDoS is going to be launched from compromised machines... with a 99% probability the owner of said machine has no idea what's going on.
But, most DDoS attacks do have easily verifiable signatures. (Ping floods, excessive SYNs from spoofed source addresses, among many others.)
Why not start helping ISPs to block this crap at the source? They are, essentially, what allowed these machines to be zombified in the first place. Aggregators and headends should already have the intelligence to block IP spoofs, which eliminates SYN floods. It shouldn't be too difficult to imagine blocking an excessive amount of outbound (inbound from the ISP's customer base) ICMP packets... say... 10% or more packets are ICMP = no YUO. (Arbitrary figure; it could be less, it could be more.)
If nothing else, build some intelligence into backbone packet inspection (yes, I am aware of the vast amount of cycles this would take...but everything can be ported to ASICs at some point), such that vast amounts of packets, with duplicate signatures could be throttled back or dropped if a DDoS is detected.
In short, we know we can't educate the lusers, but if the ISPs distributed the cost of such an implementation among all users, I'd imagine most people wouldn't even notice the cost increase.
There's some other ideas floating around in my head, but they aren't fully formulated yet.
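The two ISP-side checks proposed in the comment above, source-address validation on the customer-facing side (the BCP 38 idea) and a per-source ICMP share threshold, as an added example that is not from the original post or from any ISP's equipment. It runs over a constructed list of outbound packet records using RFC 5737 documentation addresses; the 10% threshold and the minimum packet count are the comment's arbitrary figure and my own assumption respectively:

```python
import ipaddress
from collections import defaultdict

# Constructed sample data for this example (not real traffic). 203.0.113.0/24
# stands in for the prefix the ISP assigned to one customer; the other
# addresses are destinations or spoofed sources.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Each record is (src, dst, proto, tcp_flags) as the headend would see it
# arriving from the customer side.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5", "tcp", "S"),
    ("198.51.100.77", "198.51.100.5", "tcp", "S"),   # source not ours: spoofed
    ("203.0.113.10", "198.51.100.5", "tcp", "A"),
    ("10.0.0.1", "198.51.100.5", "tcp", "S"),        # private source: spoofed
    ("203.0.113.25", "198.51.100.9", "icmp", ""),
    ("203.0.113.25", "198.51.100.9", "icmp", ""),
    ("203.0.113.25", "198.51.100.9", "icmp", ""),
    ("203.0.113.30", "198.51.100.9", "udp", ""),
    ("192.0.2.1", "198.51.100.5", "tcp", "S"),       # source not ours: spoofed
    ("203.0.113.10", "198.51.100.5", "tcp", "A"),
]


def is_spoofed(src, prefix=CUSTOMER_PREFIX):
    """BCP 38 style check: a packet leaving the customer side must carry a
    source address inside the prefix the ISP actually assigned to it."""
    return ipaddress.ip_address(src) not in prefix


def egress_filter(packets, prefix=CUSTOMER_PREFIX):
    """Split outbound packets into (forwarded, dropped). Dropped packets are
    the ones whose source cannot belong to this customer, which is exactly
    the traffic a spoofed SYN flood depends on."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt[0], prefix) else forwarded).append(pkt)
    return forwarded, dropped


def icmp_fraction_by_source(packets):
    """Per-source share of ICMP among the packets that passed the filter."""
    total = defaultdict(int)
    icmp = defaultdict(int)
    for src, _dst, proto, _flags in packets:
        total[src] += 1
        if proto == "icmp":
            icmp[src] += 1
    return {src: icmp[src] / total[src] for src in total}


def flag_icmp_floods(packets, threshold=0.10, min_packets=3):
    """Sources whose ICMP share exceeds the threshold. threshold is the
    comment's arbitrary 10%; min_packets (assumed) keeps a quiet host that
    sent a single ping from being flagged on a sample of one."""
    counts = defaultdict(int)
    for src, *_ in packets:
        counts[src] += 1
    fractions = icmp_fraction_by_source(packets)
    return sorted(src for src, frac in fractions.items()
                  if counts[src] >= min_packets and frac > threshold)


if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)} spoofed")
    print("ICMP-heavy sources:", flag_icmp_floods(fwd))
```

The order matters: the spoof check runs first, so the ICMP ratio is computed only over packets whose source address can actually be held to account, which is the same property that makes a complaint to the customer meaningful.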
Which launch the "counter-attack" on random servers before it's even attacked, just in case.
The NSA no longer does Strikebacks in fear of litigation. However, if the source is foreign non-friendly then they take some action. But it is a big deal. If one of us decides to press the button we automatically go to jail (no passing go/no $200). Inmates at Ft. Leavenworth don't exactly fear a computer guy who pressed the Strikeback button.
A mob lynches a "witch" -- vigilantism.
A woman carries out a devastating martial arts move on someone about to rape her -- self defense.
Self defense is immediate, and it's aimed at stopping an attack in progress. Self defense doesn't excuse harming innocent third parties: if you use a hand grenade to stop a mugger, the law will rightly punish you.
There's plenty of room for argument about this, but remote patching of the machines that are DDoSing you might be self defense. Any counterattack that is based on military principles, like the product under discussion here, is vigilantism.
Notice that everything Schneier says is based on the assumption that regulated police and courts of law exist. Before those are set up on a lawless frontier, experience shows that citizens will set up a Committee of Vigilance.
It shuts down the instant you bring it online. To conserve energy.
"In these cases, the operations center may call for a variety of efforts, including (1) escalated multilateral profiling and blacklisting of upstream providers; (2) distributed denial of service counterstrikes; (3) special operations experts applying invasive techniques; and (4) combined operations which apply financial derivatives, publicity disinformation, and other techniques of psychological operations."
Now how exactly this will help when you have a few hundred to a few thousand virused zombie machines running a DDoS against you and you have no clue who's behind it... is beyond me.
The World Wide Web is dying. Soon, we shall have only the Internet.
It just pretends it has the capability to counter-attack.
Ironically, the word ironically is often used incorrectly.
Here's my take on this, pulled from a recent post to NANOG:
Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.
I'll share my favorite goober with firewall story. When I was a sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from clueless users all the time. I could identify which tool they used just by how the body of the message looked and how the 'attack' was described. Got ones saying that my performance testing server (which sometimes did ping scans across the dialups to see what the general response time was) was 'attacking' the user's machine with a single ICMP echo. Or how our IRC server was trying to attack the user on the ident port every time they tried to connect.
Of course, the best one was when a supposed 'security expert' called up and complained how my two caching DNS servers for the T1 customers were attacking his entire network on port 53 UDP. He had naturally filtered the 'attack' because it was obvious that our Linux DNS servers were infected with one of the latest Windows viruses going around, and suddenly no one on his network could browse the web anymore.
So, let me ask the question: do we really want people like that having a tool which autoresponds to attacks with attacks? At least when he filtered out our DNS traffic, it only affected his network... But imagine if he had launched an attack against my DNS servers in response? Yeah, that's a great idea.
Of course, now that the AHBL does its own proxy testing, we get all sorts of fun reports from end users about our 'attacks' against their machines. The latest one demanded I tell her why we had scanned her, but wouldn't tell me her IP address or when the scan happened exactly, claiming that I had done the scan, so I should know what IP she is. Too bad I test over 100,000 IP addresses daily for open proxies....
Let's not even get into the legal consequences for a tool like this, especially if it backfires and launches an attack against the NIPC, for example.
Brielle
Let me see:
We now have a product that produces more shit than ever, has no sound concept behind it other than "Let's nuke the shit out of these &&&%$s", probably costs a shitload of money and appeals to PHBs in the extreme.
I'd say: Let's buy some shares.
Which launches DDoS attacks against itself, but then runs out of money and breaks up into smaller, poorer versions of itself.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
Unfortunately it's not currently legal, but really what would be a better idea is to react to compromised machines based on their infection behavior. I know that when Code Red first came out (and still now, even) my Apache logs were full of attempts to access CMD.EXE or other Windows stuff.
The obvious solution would be to respond to the attacking machine by using the same exploit by which it was initially infected, and cause it to go to sleep or attempt to clean itself. Obvious problems arise if the machine is doing something important, but the question arises: when are you allowed to protect your own property in response to somebody who hasn't properly fixed their own?
Conceptually, the best way to do this would be to log attackers, note how they are infected based on heuristics of common infections, and then wait until the attack has been going on for a certain period of time. If the machine is still coming out strong after a day, one should be justified in taking measures to put it offline...
It's time to stop pandering to sysadmins that don't do their jobs. We have some machines that aren't $1000/minute mission critical, but if one were infected I wouldn't feel overtly upset if somebody put it to sleep for me (so long as the machine itself wasn't damaged). For those that do run $$$$/minute machines, they should be well secured so such things don't happen, or at least not for prolonged periods of time.
It's accountability time for sysadmins... you're not unjustified in shooting somebody who invades your house, so why can't you take out the computer that's attacking your network?
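The "log attackers, classify the infection from request heuristics, then wait until the activity has persisted for a day" pipeline from the comment above, as an added example that is not the commenter's code or any product's. It parses constructed Apache combined-log lines (RFC 5737 addresses, not real traffic), matches the request line against the two probe patterns the thread mentions (Code Red's /default.ida and the cmd.exe/root.exe probes of Nimda-style worms), tracks first and last sighting per source, and reports sources still active after the window. It stops at producing that list; whatever is done with it (abuse report, firewall rule) is outside the example:

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2004:08:00:01 +0000] "GET /default.ida?XXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
198.51.100.4 - - [01/Mar/2004:08:05:10 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
198.51.100.4 - - [01/Mar/2004:08:05:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
192.0.2.9 - - [01/Mar/2004:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2004:09:30:00 +0000] "GET /default.ida?XXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
"""

# Apache combined log: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Request-line heuristics for the infection families the thread mentions.
# Case-insensitive because the comment saw CMD.EXE in upper case.
SIGNATURES = {
    "code-red": re.compile(r"^GET /default\.ida\?", re.I),
    "nimda-style": re.compile(r"/(cmd|root)\.exe", re.I),
}


def parse_line(line):
    """Return {'ip', 'ts', 'req'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def classify(request):
    """Name the infection family a request line looks like, or None if benign."""
    for family, pattern in SIGNATURES.items():
        if pattern.search(request):
            return family
    return None


def build_attacker_table(log_text):
    """Per source IP: suspected family, first/last sighting and hit count.
    Benign requests and unparseable lines are ignored."""
    table = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["req"])
        if family is None:
            continue
        entry = table.setdefault(
            rec["ip"],
            {"family": family, "first": rec["ts"], "last": rec["ts"], "hits": 0},
        )
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["hits"] += 1
    return table


def persistent_attackers(table, window=timedelta(days=1)):
    """Sources whose probing has spanned at least `window` (the comment's
    'still coming out strong after a day')."""
    return sorted(ip for ip, e in table.items() if e["last"] - e["first"] >= window)


if __name__ == "__main__":
    table = build_attacker_table(SAMPLE_LOG)
    for ip, e in table.items():
        print(f"{ip}: {e['family']}, {e['hits']} hits, {e['first']} .. {e['last']}")
    print("persistent for a day or more:", persistent_attackers(table))
```

The persistence window is what separates a machine that is still infected from one whose owner already cleaned it up after the first probe; with the sample data only 203.0.113.7, seen probing on two consecutive days, makes the list, while 198.51.100.4's two hits a second apart do not.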
Which denies the attacks ever existed despite reporting them itself last year.
Which swears off all forms of attack, unless it involves giant robots or tentacles.
It used to be that you had to use email worms to conscript people's PCs into your private army of DDoS zombies. By packaging the trojan and calling it a security product you can avoid all that hassle.
We Counter Attack with a DDoS before someone who might have "DDoS of mass destruction" attacks us. .then blame the British.
This means (effectively) that all the Majority MPs are barred from ever voting their conscience or on behalf of their constituents in Parliament, which I think is wrong, considering that's why we elected them in the first place.
At least in the States, you'll find a break in partisanship as Senators and Congressman often break from the party line to vote the way they feel.
Secondly, there is virtually no separation of the Executive (prime minister's office) and Legislative branches of the Government... which wouldn't matter anyway since we have an unelected and completely ineffective Senate.
Recall the Senator that actually MOVED OUT OF CANADA TO MEXICO and went years between even bothering to show up to work. He still, unfortunately, is a senator to my knowledge
Recall again Mulroney adding 3 extra senators (!!!!) so he could pass his GST bill.
Can you imagine what the Americans would do to a president that violated the constitution to ram through a fucking 7% sales tax bill.... ???
All in all though... pretty cool country.
Someone gets this idea every few years. Probably from watching too many bad hacker movies.
Just smile, nod politely, and let the lawyers take care of it.
If there are 2 of these boxes, then a spoofed attack that sets them against each other would kill both. I suspect the drawing board needs revisiting.