Slashdot Mirror


Aggressive Network Self-Defense

nazarijo (Jose Nazario) writes "Continuing in the new theme of fiction and technical how-to, Aggressive Network Self-Defense brings together several authors to provide a wide range of material. Syngress' niche in this space seems to be breaking new ground -- and for the most part, it works. While you don't get as in-depth a treatment as a typical technical book gives you, there is an added dimension: namely, a more realistic scenario of how these tools fit together in a real, live series of actions." Read on for the rest of Nazario's review.

Aggressive Network Self-Defense
author: Neil Archibald, Seth Fogie, Chris Hurley, Dan Kaminsky, Johnny Long, Haroon Meer, Bruce Potter, Roelof Temmingh, Neil R. Wyler, Timothy Mullen
pages: 416
publisher: Syngress
rating: 8
reviewer: Jose Nazario
ISBN: 193183625
summary: take your security into your own hands to identify, target, and nullify your adversaries

Not being a big fan of most fiction (I tend to prefer history), it's hard to say definitively good or bad things about the quality of the writing. What I can say is that it's infinitely less irritating, and far more realistic, than Neal Stephenson's Cryptonomicon or Gibson's Neuromancer. No over-the-top smearing of adjectives to describe the mundane, and no unrealistic sequences of events. Then again, there's no character development and no real story progression, so it's not great fiction.

As a series of hacker vignettes, the book works just fine, and very well for the purposes at hand. Basically, what the authors want you to get from the book is two-fold: First, they want you to debate the issues around "strike back" attack methodologies. Several of the authors are open advocates of what are legal grey areas and open moral questions in the field of network security. Secondly, they want you to see how it's done, what you do when you actually use a tool to achieve a goal. Most books that do this, like Hacking Exposed, cover far more tools, but they usually do so without showing you each tool's use in a real-world scenario.

I won't bore you with a lengthy, detailed overview of the first part of the book. Like I said, it's a series of part-fiction, part-tutorial short stories. In them, you'll see tools like Metasploit, virus creation, some nmap, sniffers, and keystroke loggers, all in action, being used as an operator would use them, and achieving real goals. This is more valuable than a basic manual, and the stories themselves act as a nice setting. While not great fiction writers, the authors are decent enough at the job, and they write the technical material clearly.

The second part of the book is interesting. It makes up about a fifth of the book in volume, but a lot more in technical weight. The book bills this section as "The technologies and concepts behind network strike-back," and that's an accurate summary. It's a series of four unique perspectives and technical chapters that complement the rest of the book quite well.

The first introduces ADAM, the "Active Defense Algorithm and Model," which develops a methodology for network administrators to actively defend their networks against attacks. It's quite interesting, and brings together a number of risk models in an uncommon take. The authors are academic researchers from the University of Idaho, so it's a lot more academic than the previous material in Aggressive Network Self-Defense, but it formalizes a lot of the thinking that was present in the writing of the stories and techniques.

The second is Tim Mullen's classic "Defending your right to defend." This is the original position paper shared by Mullen with the information security community in 2002 or so. Here, Mullen makes a compelling case for actually striking back at worm infected hosts. After all, the position holds, someone should do something about them to help clean up the Internet. While it's a position I disagreed with at the time and still do, Mullen's writing is articulate and an important read. It really helps you understand a lot of the thinking that went into the book itself.

Dan Kaminsky wrote the next chapter, "MD5 to be considered harmful someday." Largely considered to be a follow-on to Joux and Wang's one-way hash function research, what it shows is how practical such an attack can be. Kaminsky never fails to come up with interesting ideas he puts into practice, and he adds another level of depth to this book.
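What makes a collision of this kind practical, as an added example that is not from the book or from Kaminsky's chapter: the 128-byte colliding pair published by Wang et al. is embedded as test data, and because MD5 is an iterated (Merkle-Damgard) hash, any identical content appended to both messages keeps the digest equal, so one published collision yields unlimited pairs of colliding files. `payload_behaviour` and `md5_only_check` are hypothetical stand-ins for a program that branches on which block it carries and for a checker that trusts MD5 alone; neither is from the book.

```python
import hashlib

# Published MD5 colliding pair (Wang et al., 2004): two 128-byte messages
# that differ in six bytes yet share one MD5 digest. Copied here as test data.
M0 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a, b):
    """Byte positions where two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix):
    """Append the same suffix to both colliding blocks.

    After the 128-byte prefix both messages leave MD5's compression function
    in the same internal state, so any identical continuation produces the
    same digest. The two results differ as files but not as MD5 values.
    """
    return M0 + suffix, M1 + suffix


def payload_behaviour(payload):
    """Hypothetical program that branches on which colliding block it carries.

    Both variants have identical MD5 but do different things.
    """
    head = payload[:128]
    if head == M0:
        return "benign"
    if head == M1:
        return "malicious"
    return "unknown"


def md5_only_check(payload, trusted_md5):
    """The weak check: accept anything whose MD5 matches a published digest."""
    return md5_hex(payload) == trusted_md5


if __name__ == "__main__":
    shared = b"\n-- identical trailing content, e.g. the rest of an installer --\n"
    good, evil = extend_collision(shared)
    trusted = md5_hex(good)  # digest someone published for the benign variant
    print("md5(M0) == md5(M1):", md5_hex(M0) == md5_hex(M1), md5_hex(M0))
    print("differing bytes:", differing_offsets(M0, M1))
    print("evil variant passes MD5-only check:", md5_only_check(evil, trusted))
    print("evil variant behaves as:", payload_behaviour(evil))
    print("sha256 still tells them apart:", sha256_hex(good) != sha256_hex(evil))
```

The six differing bytes sit at the same offsets in each 64-byte block (19, 45, 59 and again 64 bytes later); everything else, including whatever you append, is shared. A checker that compares a second hash (SHA-256 here) is not fooled by this pair.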

Finally, Aggressive Network Self-Defense ends with an interesting paper, "When the tables turn: Passive strike-back." Like any good paper, it has a clear and thoughtful motivation, and really demonstrates the principles at play, namely building network resources that don't simply lure the attacker in, they trip her up. There are so many ways to do this, the authors show us, and ultimately it's almost fun. A good way to end the book.

An over-arching concern with the book that I have is the question of ethics. Mullen, in the foreword, states that he hopes the book stirs a debate about the ethics of the actions in the book. However, the book itself falls short in this area. Instead, sometimes the characters get busted, and sometimes they don't, but just because they didn't get caught doesn't mean some ethical lines weren't crossed. All too often the authors leave the ethical debate up in the air. While I prefer this to overt preaching or questions, the style leaves me wondering if this goal was achieved.

So, where do I stand on Aggressive Network Self-Defense? In the end, I like it, more so than a book like Hacking Exposed or other "hacking how-to" types. The style of presentation doesn't lend itself all that well to exploring a very wide number of tools, but it does give you a deeper context to see how they assemble into something larger. For many people I expect it will be a page turner, and I think the format has some utility, as shown here.

You can purchase Aggressive Network Self-Defense from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

26 of 128 comments

  1. Concise Review... by darth_MALL · · Score: 5, Funny

    Smith and Wesson.

    1. Re:Concise Review... by Effugas · · Score: 2, Insightful

      At least with guns, you know who you're shooting.

      It's much harder with networks. All you really know is that someone sent a message to someone sent a message to someone, and you received something because of it. How do you attack back in such an environment?

      The best way is to prevent a counterattack from working against anyone who's innocent of attacking you in the first place. Embedding a counterattack in a TCP session started by your enemy is one approach; if the session was spoofed, your malicious return payload will not be parsed by the recipient of your packets and they'll be left unharmed. Of course, what if your target was made into a member of a botnet? Then things get tricky -- they're liable for the damage their system is doing, but they acted without intent. And intent matters.

      Tricky scene, this strikeback. I hadn't looked into it that deeply until Grifter approached me...fascinating subject.

      --Dan

    2. Re:Concise Review... by idontgno · · Score: 2, Insightful
      At least with guns, you know who you're shooting.

      Oh, I don't know. Mere possession of a firearm doesn't give you IFF, x-ray low-light vision, or even basic good sight picture. If you want, you can blast away in the general direction of a perceived threat. In fact, aimed fire is pretty rare, even among law-enforcement professionals. And how many innocent cattle die each deer hunting season because "trained" hunters risk shots through cover at a barely-glimpsed "deer"? Hell, how many hunters are fired on under the same circumstances, in spite of mandatory high-visibility clothing?

      No, guns and "active network defense" are very similar, for very much the same reasons: everyone downrange is in the threat space, innocents get hit as easily as the "intended target", it's easy to reaction-fire on an innocent (non-actual) "threat", and the bad guys already know to duck or hide behind innocent "shields". And it doesn't take too much imagination to picture two different parties of armed personnel attacking the same "bad guy" and inadvertently engaging each other. The military has a few names for it: "fratricide", "friendly fire", "Blue-on-blue".

      No, the weapons analogy stretches pretty well in this case. "Active network defense" may be a wonderful idea or a terrible one, but it certainly has consequences comparable in kind (if not scope) to gunfights in the streets.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  2. You know your admin has read this by Timesprout · · Score: 4, Funny

    when you try to login and your network tells you

    "I know Kung Fu"

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:You know your admin has read this by kyoko21 · · Score: 3, Funny

      "Show me."

    2. Re:You know your admin has read this by Wolfrider · · Score: 2, Funny

      "Do you _really_ think that's _air_ you're breathing, right now? Hmm."

      --
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    3. Re:You know your admin has read this by Anonymous Coward · · Score: 3, Funny

      You know, I was browsing at -1 and got scared for a second thinking this "show me" is a response to this

  3. Integration is the real problem with security by ikewillis · · Score: 2, Insightful

    ...and it's great there's a book covering it. There are so very many security related tools available today, and the real problem nowadays is that few of them integrate in any usable manner. NIDS should integrate with each other and generate more comprehensive, multiperspective data about suspicious looking traffic. Networks should autoadapt to block malicious traffic.

  4. Agressive by tcopeland · · Score: 4, Funny
    My compliments on this conservation of the letter 'g'. But why the duplicate 's'?
    [tom@hal ~]$ ruby -e "puts 'Aggressive'.squeeze"
    Agresive
    [tom@hal ~]$
    That's better!
  5. Swatch, Snort, Portsentry by BJZQ8 · · Score: 2, Informative

    The only three programs you need to know.

    1. Re:Swatch, Snort, Portsentry by Spy+der+Mann · · Score: 3, Informative
  6. Viability of recommendations. by crottsma · · Score: 4, Funny

    While his proposed recommendations for network defense appear viable, nothing is more effective for protecting your computer than sucker-punching a random script-kiddy in the groin at a local LAN party.

    1. Re:Viability of recommendations. by WormholeFiend · · Score: 2, Funny

      or you could attend a hacker convention, and pretend to want to become friends with the virus/worm crowd.

      Then, when they least expect it, whip out your ASP baton, and start bashing anyone within reach yelling repeatedly "THIS IS YOUR COMPUTER BEING INFECTED!"

  7. So Dan Kaminsky wrote the MD5 chapter... by tcopeland · · Score: 4, Interesting

    ...he's got some nifty visualizations of the MD5 attacks on his site; scroll down a page or so to see this and other images...

  8. automated responses to probes? by humankind · · Score: 4, Interesting

    One thing that really bothers me are things like this in my logs:

    Mar 2 22:42:37 inetd[32684]: refused connection from 210.29.1.3, service sshd (tcp)
    Mar 2 22:42:38 inetd[1534]: ssh from 210.29.1.3 exceeded counts/min (limit 1/min)
    Mar 2 22:43:09 last message repeated 38 times
    Mar 2 22:45:09 last message repeated 114 times
    Mar 2 22:55:10 last message repeated 644 times
    Mar 2 23:05:10 last message repeated 509 times

    I routinely run into foreign systems hitting my server at extraordinary rates. These seem to be bursts here and there, more looking to probe the system than DoS it, but sometimes a DoS condition occurs.

    I routinely do an IPWHOIS of these locales and send e-mail to the IP administrators, but some of the foreign ones are unresponsive. So what can you do?

    Are there any scripts out there that can automate the process of reporting system probes?

    Is there any recourse in taking aggressive counteraction against, for example, the hordes of Chinese IPs that routinely probe and attack domestic hosts?
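As an added example, not part of the post above: the first half of "automate the process" is turning log lines like these into per-source counts and a block or report list. The script below assumes the inetd and syslogd message formats shown in the post (the "last message repeated N times" folding is syslogd's, and it refers to whatever message preceded it, so the count is credited only when that message was itself a recognised probe). The log sample is constructed: 210.29.1.3 is the address from the post, 192.0.2.10 and 198.51.100.7 are RFC 5737 test addresses added to show per-source accounting and an unrelated message in between.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the inetd lines quoted in the post.
SAMPLE_LOG = """\
Mar 2 22:42:37 inetd[32684]: refused connection from 210.29.1.3, service sshd (tcp)
Mar 2 22:42:38 inetd[1534]: ssh from 210.29.1.3 exceeded counts/min (limit 1/min)
Mar 2 22:43:09 last message repeated 38 times
Mar 2 22:45:09 last message repeated 114 times
Mar 2 22:55:10 last message repeated 644 times
Mar 2 23:05:10 last message repeated 509 times
Mar 2 23:06:00 inetd[32684]: refused connection from 192.0.2.10, service sshd (tcp)
Mar 2 23:06:02 sshd[4411]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Mar 2 23:06:05 last message repeated 3 times
Mar 2 23:07:14 inetd[32684]: refused connection from 192.0.2.10, service sshd (tcp)
"""

# tcp_wrappers refusal and inetd per-service rate-limit messages, as in the post.
REFUSED = re.compile(r"inetd\[\d+\]: refused connection from (\S+), service (\S+)")
EXCEEDED = re.compile(r"inetd\[\d+\]: (\S+) from (\S+) exceeded counts/min")
# syslogd folds identical consecutive messages into this line.
REPEATED = re.compile(r"last message repeated (\d+) times")


def count_probes(lines):
    """Connection attempts per source IP, with syslog repeat-folding expanded.

    A 'last message repeated N times' line is credited to a source only when
    the message just before it was a probe we recognised; repeats of anything
    else (the sshd 'Accepted' line in the sample) are ignored.
    """
    counts = Counter()
    last_ip = None
    for line in lines:
        m = REFUSED.search(line)
        if m:
            last_ip = m.group(1)
            counts[last_ip] += 1
            continue
        m = EXCEEDED.search(line)
        if m:
            last_ip = m.group(2)
            counts[last_ip] += 1
            continue
        m = REPEATED.search(line)
        if m:
            if last_ip is not None:
                counts[last_ip] += int(m.group(1))
            continue
        last_ip = None  # some other message; a following repeat line is not ours
    return counts


def offenders(counts, threshold):
    """Sources at or above the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def hosts_deny_lines(ips, allow=frozenset()):
    """tcp_wrappers-style hosts.deny entries, never for an allow-listed address.

    The allow list is the guard an automated blocker needs so that it can
    never lock out the addresses you administer from.
    """
    return ["sshd: %s" % ip for ip in ips if ip not in allow]


if __name__ == "__main__":
    counts = count_probes(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print("%-15s %6d attempts" % (ip, n))
    for entry in hosts_deny_lines(offenders(counts, 100), allow={"198.51.100.7"}):
        print(entry)
```

The output is a deny list and a count you can paste into an abuse report; what it deliberately does not do is contact the source. The reply from bobintetley in this thread (allow-list the networks you connect from, drop everything else) removes most of this noise before it reaches the log at all.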

    1. Re:automated responses to probes? by bobintetley · · Score: 4, Informative

      Is there any recourse in taking aggressive counteraction against, for example, the hordes of Chinese IPs that routinely probe and attack domestic hosts?

      No, but I find the simplest thing to do is lookup the netblocks/ips for addresses I will be connecting to my SSH/OpenVPN from (in my case, work and my mobile phone GPRS provider) and then crafting a couple of iptables rules to only allow those addresses to connect. I find this cures half of the far east trying to connect :-)

    2. Re:automated responses to probes? by digitalchinky · · Score: 2, Informative

      Not sure if anyone has mentioned it yet, but port sentry with a little tweaking can clean up what you describe really well - automatically drops the results into a firewall or hosts.deny.

      Only problem is that it's not much of a user-friendly program and can on rare occurrences block IP addresses that were not intended to be blocked, so it takes a little bit of an active hands-on approach.

      http://sourceforge.net/projects/sentrytools/

    3. Re:automated responses to probes? by p38 · · Score: 2, Informative
      Add a rate limit to your incoming ssh syn connections and drop the ones that go over the rate limit. Also, remove password authentication and only allow rsa authentication. With these together, ssh attacks will disappear from your logs.

      For example:
      # Port 22 traffic to this host is handed to the "allowed" chain.
      $IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP --dport 22 -j allowed
      # Packets of sessions already accepted never touch the rate limit.
      $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
      # New connections (SYN) pass at 3 per minute, burst 3. Note that -m limit is
      # one global bucket, not per source: a single scanner can drain it and keep
      # legitimate users out until it refills (-m recent or -m hashlimit are per source).
      $IPTABLES -A allowed -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
      # Everything over the limit is logged, then rejected.
      $IPTABLES -A allowed -p TCP -j LOG --log-level "NOTICE" --log-prefix '[DROP:RATE_LIMIT] '
      $IPTABLES -A allowed -p TCP -j REJECT
      Note: only turn on the output to log when you want to see what is going on. Otherwise, just comment out that line.
  9. Here is an md5 hash of the book content... by Anonymous Coward · · Score: 3, Informative

    7f2c83031b3e693a86e2b0cc25df7ef7

  10. character development by Anonymous Coward · · Score: 2, Interesting

    Then again, there's no character development and no real story progression, so it's not great fiction.

    Character development is massively overrated in lit. I'm not sure if this refers to how fleshed out a character is or how much he changes during the course of the story but in either case it saddens me to think that some people think this is the point of fiction.

  11. Excellent! by Grendel+Drago · · Score: 2, Informative

    Excellent work, editors, fixing the title like that. The "we're a bunch of whores" referrer link is still misspelled, with only one copy of the oh-so-precious letter g.

    So close, and yet so far!

    --grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
  12. Author of ADAM by scaltagi_the_pirate · · Score: 5, Informative

    I am an author of ADAM (Ch 9) in the book, with Deb Frincke. I would like to point out that more information and resources on the topic of active defense and active response can be found at: http://www.activeresponse.org

  13. Re:Network Security App Name by rob_squared · · Score: 2, Funny

    I think InterSlice sounds more frightening.

    --
    I don't get it.
  14. My checklist by Sheepdot · · Score: 5, Interesting

    In order (somewhat):

    1. NMAP the offender.

    2. NSLookup, Whois, etc. I even go so far as to use GeoIP to get city, state, ISP, etc. Get email addresses to send to.

    3. Look for open proxies on the address in the case of SPAM. If so, just drop the search there.

    4. Nessus check for potential vulns that might have been exploited by common/known worms. Essentially, find how they were exploited, and if there is no known reason, assume they are malicious.

    5. Take necessary actions to blacklist or block the IP on the offending protocol, or in some rare cases, kill the IP altogether. (rarer cases, the subnet)

    6. Google. You'd be amazed at what I can do here. I put in the direct IP, I put in email addresses I've collected to find out where the person posts, etc. I get to know the individual, who they are, and further deduce if they are malicious. I used to even go so far as to imitate someone of the opposite sex their age and talk to them on their favorite IM and ask them if they are a h4x0r and can help me "get back at my brother, the bully at school, the girl that stole my boyfriend" etc. (never assume the gender of a /. poster)

    7. Email at a minimum 5 people, including Incident Response (https://forms.us-cert.gov/report/), the offending ISP, any emails off of the website of the IP in question, etc. Half the emails I CC just so that the individuals take the email seriously. Occasionally these will contain logs, IM logs, who the person is, what they do in their spare time, what forums they visit, their picture (if any), etc. I do this from a TOR-accessed Hushmail account, so no one knows who the hell it is. One time I sent the email to the offender's mother. He sure thanked me with some profanities on that one (which were subsequently forwarded to his mother).

    There's ways of "attacking back" in such a way that script kiddies die out, but you have to totally overwhelm them with your sheer capability to outsmart them.

    Let's face it, we're all guilty of being lax in our network activity and leave IP trails on logs that Google indexes. It makes no sense to sit back and complain about script kiddies when it's quite obvious that we're unwilling to take them to task when they probe. The information is there, you just gotta do some digging and learn how to use Google's Advanced features. It's important to make your response to their actions overwhelming, so they are never tempted to turn back to random probing again.

  15. Counter-argument by Slendro · · Score: 2, Informative

    I wrote an article back in 2002 (http://www.securityfocus.com/guest/16531), which was published on SecurityFocus, in response to Mullen's initial SecurityFocus article.

    Not having read the book, I can't be sure, but according to the review there didn't seem to be much of a dissenting opinion in the book on the question of whether aggressive tactics are desirable (or effective).

    That's unfortunate, since as you'll see in my article, I think a good argument can be made that aggressive network defense is both morally bankrupt and ultimately ineffective.

    --
    God is my Palm Pilot.
  16. Dshield! by JimmytheGeek · · Score: 2, Informative

    http://www.dshield.org/