O'Reilly Revisits Online Countermeasures
An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley entitled Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net, which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."
Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
...why not Joe Schmoe Network Admin?
"It's not rocket science, Smithers! It's only brain surgery!" --Mr. Burns
It worked for Silent Jay & Bob, and arguably the Empire...
Man what a lame article. A little lacking in substance, I'd say. Why, I've got half a mind to email bomb the author!
Wanted: witty unique signature. Must be willing to relocate.
The fact that someone at O'Reilly would even suggest this as a solution is sickening.
Anyone who even has a shred of a clue about networking will realize that a DDoS attack doesn't just affect the person getting flooded; it affects anyone who's routed through the systems that connect the two at the same time.
the "article"
-----
William Hurley has just put up a justification of the field of network security countermeasures (a term he clearly prefers to the term critics like to use--"vigilantism") along with a brief history.
Like most people interested in pushing forward technology, I have often been interested in those who try things that other people say shouldn't or couldn't be done. That's what led me to investigate early P2P filesharing systems in 2000, for instance. I was interested then in the technical and social movements Gnutella and Freenet represented, not the particular usage of avoiding the legal ramifications of sharing files.
Countermeasures of the types Hurley describes (rather than some of the crude and immature attacks promoted by others) look like another such fertile area. The social interaction component, as with P2P, is fascinating. Hurley is trying, through the open-source OpenSIMS project, to develop a completely transparent way to identify and protect against attackers, and to get people around the world to collaborate on this project. He's even approached the Apache Foundation for help.
There's a lot of talk about who can ensure security in our society--and it's not generally the authorities. I put forward the idea in 1998 in an article titled Cyber Hygiene, Not Cyber Fortress Protects Our Networks. Isn't OpenSIMS thinking along the same lines?
---
yeah most insightful
now keep clicking those adverts
They are in 500 hell, so much for striking back!
If you read the actual blog, it doesn't really contain any information or opinion or whatever. One of the comments on the blog provides more useful information - for older and more informative papers go here: http://www.oreillynet.com/pub/a/security/2004/08/03/symbiot.html and http://www.onlamp.com/pub/a/security/2004/03/10/symbiot.html
----- One learns to itch where one can scratch.
I just wonder how often these strikeback or countermeasures backfire. I remember reading a story awhile back where a gambling site repulsed a DDoS attack. The really interesting thing was that it cost the company way more to fight the attack than it would have cost to pay off the extortionist.
While I understand the desire to stick it to these creeps, from a purely cost/benefit analysis point of view, it doesn't seem to me to make a lot of sense.
I clicked through and tried to read the blogspot article, but every link on the blogspot article defining important terms like "countermeasure" for example, that would help me understand precisely what they are talking about, NONE of those links work. I can't tell what exactly they are talking about doing to prevent DDoS etc, except that it will involve a "network" of volunteers.
Is it wise to slashdot a site advocating "fighting back" web attacks?
I'm gonna wait an... [NO CARRIER]
You can't take the sky from me...
Here's an interesting example of an escalation, going on right now. It seems that anti-p2p organizations are trying to pollute some torrents for TV shows such as six feet under (see discussion here).
What they do is put out a file of the same size but with random data. Since the torrent file has segment hashes to verify integrity, any segments downloaded from the bogus file will fail the checksum and waste downloaders' bandwidth. The community of downloaders is fighting back by spreading black lists with the IP addresses of the bogus clients.
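The integrity check and blacklist mechanism described in the post above, as an added example (not code from the thread or from any BitTorrent client): a piece is kept only if its SHA-1 matches the per-piece hash in the .torrent, each failed piece is charged to the peer that sent it, and a peer that keeps failing is dropped locally. The peer addresses, piece length, file content and ban threshold are constructed assumptions.

```python
"""Piece verification and local peer blacklisting against torrent pollution.

Constructed example: an honest peer and a "polluter" both offer every piece;
the polluter sends random-looking bytes of the correct size, which fail the
per-piece SHA-1 carried in the .torrent, so they are discarded and charged
to that peer. Peers, piece length and ban threshold are assumptions.
"""
import hashlib
from collections import defaultdict

PIECE_LEN = 4096
BAN_THRESHOLD = 3          # assumption: three bad pieces and the peer is dropped
HONEST = "203.0.113.9"     # constructed peer addresses
POLLUTER = "198.51.100.3"


def piece_hashes(data, piece_len):
    """The per-piece SHA-1 list a (v1) .torrent carries for `data`."""
    return [hashlib.sha1(data[i:i + piece_len]).digest()
            for i in range(0, len(data), piece_len)]


class Downloader:
    def __init__(self, hashes):
        self.hashes = hashes
        self.pieces = {}                    # index -> verified bytes
        self.bad = defaultdict(int)         # peer -> failed pieces
        self.wasted = defaultdict(int)      # peer -> bytes thrown away
        self.banned = set()

    def accept(self, peer, index, payload):
        """Verify one piece from `peer`; returns ok / bad / banned / duplicate."""
        if peer in self.banned:
            return "banned"
        if index in self.pieces:
            return "duplicate"
        if hashlib.sha1(payload).digest() == self.hashes[index]:
            self.pieces[index] = payload
            return "ok"
        self.bad[peer] += 1
        self.wasted[peer] += len(payload)
        if self.bad[peer] >= BAN_THRESHOLD:
            self.banned.add(peer)           # address goes on the local blacklist
        return "bad"

    def complete(self):
        return len(self.pieces) == len(self.hashes)

    def data(self):
        return b"".join(self.pieces[i] for i in range(len(self.hashes)))


CONTENT = bytes(range(256)) * 64   # 16 KiB constructed stand-in for the real file
HASHES = piece_hashes(CONTENT, PIECE_LEN)


def simulate():
    """Polluter and honest peer each send every piece in turn; returns the
    downloader and a (peer, index, verdict) log."""
    dl, log = Downloader(HASHES), []
    for idx in range(len(HASHES)):
        # same size as a real piece, but not the real bytes
        junk = hashlib.sha256(f"junk-{idx}".encode()).digest() * (PIECE_LEN // 32)
        log.append((POLLUTER, idx, dl.accept(POLLUTER, idx, junk)))
        real = CONTENT[idx * PIECE_LEN:(idx + 1) * PIECE_LEN]
        log.append((HONEST, idx, dl.accept(HONEST, idx, real)))
    return dl, log


if __name__ == "__main__":
    dl, log = simulate()
    for entry in log:
        print(*entry)
    print("complete:", dl.complete(), "banned:", sorted(dl.banned),
          "bytes wasted on polluter:", dl.wasted[POLLUTER])
```

The bandwidth the polluter costs the downloader is exactly the bytes rejected before the ban lands, which is why sharing such blacklists ahead of time appeals to the community the post describes.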
even though I'm personally at odds with people who want to 'strike back'
In the UK, when somebody files a lawsuit and loses, not only do they have to pay for their own court expenses, but also those of the defendant. This isn't the case in the US, which is why we are the most litigious country in the world.
Now, let's look at computing. If we just let the asshole hackers get away with their crime without a fight, they will keep on hitting us hard. But, if we had a mechanism that would "fight back" and destroy a 15 year-old script kiddie's computer that mommy and daddy bought, well, maybe they'd think twice.
IGB: More fun than eating oatmeal!
The Cisco self-defending networks I saw on the tv show 24 ? Right after Chloe said that CTU had a proprietary algorithm for cracking blowfish they show some Cisco graphics on a screen and they blow off DOS attacks like, "ohh, we're protected by these self defending cisco networks" or some crap like that. 24 = pentagon & corporate propaganda.
... in that many times, the real source or perpetrators have taken pains to hide their identities and those of their "cause-mates" and/or to make some sorry [perhaps not-so-bright but otherwise innocent] sap take the fall. It's not like we can conveniently follow the missile trajectory back to that known Soviet missile site... A retaliation is likely to cause a large degree of collateral damage and thus the cycle would continue...
...A guy on the pulltheplug irc network ran a tutorial on writing exploits for exploits. Basically, they'd run a process that looks like a vulnerable server, and when someone comes along and takes the bait, they end up rooted.
Considering the huge horsepower of things like the SETI screensavers and P2P networks, I don't think it's a question of whether or not a conflict between spare-CPU/BW Good Guys and zombie-army bad guys could be won by the good guys. Or at least, make things painful for the bad guys. The main issue is counter-counter-counter-craftiness that might stealthily turn such a network to the dark side.
Several sys admins I know who have never had the time or inclination to put up a honeypot or opt for similar tactics absolutely light up at the prospect of actually making the attackers miserable. In fact, it's not even the attackers they complain about, it's the ISPs that (with copious documentation about the bad acts of specific customers) don't do anything about it. To the extent that foreign governments are those ISPs, well, same sentiment.
So, the real issue is governance of such a system. It's sort of like sharing time on a big research telescope. What committee can be trusted to put the resource to use effectively? I know that a lot of people with network resources are so fed up with the probes, the phishing, the DoS extortion and all the rest that they'd have absolutely no problem deploying a box or two, and a couple of MB/sec to the cause. But the liability(ies) for having it used unwisely are pretty scary, so I'm all ears if someone comes up with an interesting approach. If the worst thing that happens is I get a block of my IPs null routed on their way to Moscow, well, goshky, I'll take that deal.
Some things we have to take into our own hands. And just turning the other cheek with more and fancier firewalls and intrusion detection is too passive for my taste, at least in the face of concerted, bad-to-the-core coordinated efforts by professional, organized crackers. Have I wanted to burn up every inch of some basement-dwelling script kiddie's DSL before? Sometimes. But nothing like I've wanted to blot out entire pieces of some Asian and eastern-European networks. And not just for my sake - for all of my clients, and their clients, and everyone it impacts.
Don't mean to rant, but I've just spent all morning explaining this stuff to a suffering dot-com. His much-repeated question was "Why can't we just do this back at him until he quits? I'll spend the money... this is pissing me off."
Don't disappoint your bird dog. Go to the range.
Until now I have turned a blind eye to all the basement-dwelling slurs that show up regularly in comments. But for me to find it ingrained in the institutional hierarchy is really too much. I take extreme umbrage at this blatant suggestion from timothy that people who spend a lot of time in their basement are unpleasant. I finish basements for a living, and your thoughtless remarks have destroyed my livelihood. During the boom many geeks^H^H^H^H^Hinformation technology entrepreneurs persuaded their moms^H^H^H^Hinvestment partners to purchase my services. My staff constantly had dehumidifiers, star wars wall hangings, and industrial strength aeron chairs on backorder. Things were going so well I finally made the downpayment on that bass boat I'd always dreamed of. Then certain lowlifes had to log onto the Internet and shame my clientele into washing the cheetos crumbs out of their goatee, wearing business casual attire and applying for jobs at Best Buy. The repo men towed "Finishing Fanny" away yesterday. I can't believe you're still making these hurtful cracks five years after the bubble burst! You people make me sick!
P.S: If you're interested in my services, check my webform. I'm OCBF Certified!
On a much grander scale, we're accelerating towards a global computing grid which will extract unimaginable power from hundreds of thousands of separate computers each with the processing capabilities of our brain. The collective intelligence which emerges will possibly rival our fantasies of artificial intelligence.
As we modelled the eye to build cameras, the brain to build computers, the ear to build speakers, we're modeling our autonomic nervous system to build the next evolutionary step in computing. Networks that independently and reflexively self-regulate, configure, repair, optimize, and protect in the same sense as an immune system or an automatic pilot.
This would allow the network to automatically manage server load balancing, process allocation, monitor the power supply, automatically update software and fend off threats without having to consult the administrator.
For example, if an application starts performing badly, it automatically receives increased resources. If software or hardware fails, it doesn't even ripple the end user's coffee. An autonomous computing system would roll out new patches, monitor and adjust the resources singular end users need, set up servers... all the mundane stuff.
The complexity of integrating and managing the latest hardware and software into existing systems is destroying the advantages of economies of scale. Autonomic computing is one way of insulating the IT administrator from the mundane complexities and freeing them to do other more interesting things like understanding the needs of the business more, or modelling and automating existing business processes.
On a larger scale, it spells an evolutionary move towards a decentralized global self-configuring, self-healing, self-optimizing, and self-protecting nervous system. Since Autonomic Computing can look for patterns in data and extrapolate to predict future events, deployed on a global scale, the spin-offs would be very interesting...
Thoughts on the Emergence of Computing Intelligence
Can't syn cookies help against DDOS attacks? I agree that a vigilante approach is not the best way to deal with this, but at the same time, to continue paying off the extortionists will probably only lead to more of the same behavior.
We play the game with the bravery of being out of range
It was a preemptive defensive network attack.
There is an obvious flaw in any internet countermeasures: All an attacker has to do is bombard a site that implements countermeasures while spoofing the source address of another site they really want attacked... and the countermeasures site will do their dirty work for them! In an environment where you can never be certain where the attack is actually coming from, striking back would appear to be a fool's errand.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I tried to submit an item about hacker vigilianties who attack phishing sites back on May 31. Unfortunately, I can't spell and coverage of actual effective anti-fraud hacks were not interesting enough.
We all have a gripe against spammers and phishers and I for one would welcome a book or web page that showed ways to harm the interests of internet and email abusers [ways that could ONLY harm such abusers, otherwise, we just arm the enemy] Is that too tall an order?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Great post.
" What is the Singularity? Sometime in the next few years or decades, humanity will become capable of surpassing the upper limit on intelligence that has held since the rise of the human species. We will become capable of technologically creating smarter-than-human intelligence, perhaps through enhancement of the human brain, direct links between computers and the brain, or Artificial Intelligence. This event is called the "Singularity" by analogy with the singularity at the center of a black hole - just as our current model of physics breaks down when it attempts to describe the center of a black hole, our model of the future breaks down once the future contains smarter-than-human minds. Since technology is the product of cognition, the Singularity is an effect that snowballs once it occurs - the first smart minds can create smarter minds, and smarter minds can produce still smarter minds."
...there's always the problem of an innocent or mere idiot getting nailed. If we had layers of defense mechanisms making warnings loud and clear and finally struck back, maybe. But if a fourteen year old script kiddie in Des Moines gets his machine crashed for fooling around, that's a little bit much especially if it is mom and dad's financial info going on the family PC.
We could publish IPs of scorn but we already have such lists on the net of known scum monkeys and the result is basically like that of pro-am net trolls. They got the attention they wanted. And we could blacklist/graylist/scarlet letter the wrong people very easily.
Over time, we may very well have something approaching the world of Ghost in the Shell but right now, we don't need a cyber crime and terrorism unit to go out and whack miscreants down with theatrics and glitz. We need ISPs who give a damn about what their customers are doing and we need to tar and feather THEM. Of course, this hasn't worked for UUNet so YMMV.
I do wish there was some sort of ping-of-death-ability to at least disrupt the connections of people who won't stop knocking on my router or some facility for authorizing specific logging by my ISP. Wouldn't that be something? The ability to sign on to your account and not only manage e-mail but to be able to choose to log specific traffic by port and IP on YOUR connection so you can then cut and paste it in a complaint to the offender's ISP? Probably won't happen, but having the layer 2 as well as layer 3 information in hand would help knock down the "I'm innocent, I was spoofed" defense where you are now put on the spot of having to prove otherwise.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
All of the links on William Hurley's page http://whurleyvision.blogspot.com/2005/06/self-defending-networks-aggressive.html result in Not Found.
GIGOwiz
I hear those home school teachers are as strict as your parents.
1) Identify 2 sites that implement "countermeasures,"
2) Start a small DoS attack against each one while spoofing the source address of the other.
3) Sit back and laugh your ass off as they both escalate and take each other out!
why is this news for nerds? if i want to know about right wing talk show host i will listen to clean channel. thank you.
Who knows--in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities; which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end a more secure, reliable, networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.
Now, I'm not going to advocate breaking "the law" directly in this post, but allow me to raise an important question to the /. community. Do we really want "a more secure, reliable, networking infrastructure" in the end? Allow me to now elaborate on that question.
A more secure, reliable, networking infrastructure sounds great on the face of it, but what if we were talking about a corporate infrastructure instead of a networking infrastructure? In other words, big barriers to entry for the little guys to innovate, force change, develop new things, and build NEW corporations. Same goes for networking I think. Script kiddies are not innovative as they are simply piggybacking off of others' works, BUT they have been innovative in pushing every company to be highly concerned about protecting themselves against cracking and DDOS'ing, which HAS been good for us, the consumers, as the data and services that these companies provide to us is ultimately more secure, reliable, etc. Those who are doing the really devious crack attacks are being more innovative, and are forcing organizations with a 'net presence to build ever better security defenses to guard against these attacks. These new defense mechanisms in turn often get passed on to other like-minded individuals who desire the same security. I guess that ultimately I am trying to say that while we do want "more reliability" at certain levels, at other levels lack of reliability is what helps spur innovation, change, and pre-emptive corrections to problems which left unchecked, could cause massive, long-lasting damage when a chink in the armor is finally exploited.
So is "strike back" a good thing? Almost every time it is not going to help in any way. With our "War on Terror" we certainly had some excellent early gains, but now we're in a long, slow decay of gains due to the loss of life and new difficulties we created through our counterstrikes in Iraq and Afghanistan. Bush may have made the world a safer place immediately after 9/11, but now we have the Patriot Act, thousands of dead soldiers and civilians in a war that ultimately cannot "end", and what I perceive to be a whole new level of various threats to our country because we have only encouraged the terrorists to come up with better and more lethal attacks in response to our counterattack.
So, in summary, yes defending against malicious network activities is good for everyone, but I think that counterstrikes against an amorphous enemy with difficult to define borders (terrorists can come from any country, just as ip addresses can be spoofed to be marked as coming from ANY organization) in response to these attacks pose a serious risk to the network that we call "The Internet" because it will only increase the desire to make more chaos on it ultimately than it will to dissuade it. Then we get more government control, more devastating attacks, and more polarization of "sides" to the war on network intrusion. Let's keep these issues in mind when building our network security plans.
Why just post their address on slashdot! http://www.smallvue.com/
Some settling may occur during posting.
Band stops playing, drums roll...
And the winner, ladies and gentlemen, of the notorious Douchebag of the Day Award...JEFF MERKEY!
Of course...I know I live in the US, that's why I posted as the Anonymous Coward. Suck my ass, Jeff Merkey.
If someone is trying to kill me or rob me, I have the right to defend myself using force. Likewise, if someone is using some sort of data attack or trying to steal my information, I have a right to defend myself using those means.
The police and government protecting me are only an extension to my own right to self defense. There are cases where individuals are not able to defend themselves, or where they might think they are defending themselves but doing the wrong person harm, and so we have professional police, judges, who in theory are better at defending us and preserving a civil society than we would be ourselves. They are specialists, just like a doctor is a specialist in treating disease, and so we assume they are doing it more efficiently with the least harm.
BUT, if the professionals (i.e. the police, judges, etc.) are not able to effectively defend me and preserve a civil society, I have every moral right to defend myself. Period. Yes, some countries have passed laws against self defense, but the rejection of the right of individual self-defense is part of an overall authoritarian philosophy that rejects any kind of individual rights.
There can be a discussion of the practical problems of self-defense (How can I be sure that the person who appears to be doing a denial of service attack is the perpetrator? Will retaliation have negative effects on innocent people who are not involved? Can these techniques be abused or exploited by a third party? Will I really be defending myself by using this technology?), but all of these are technical/practical discussions. But from the moral perspective, only a few of the most extremely authoritarian or collectivist ideologies would deny a person the right to self defense.
A better write up on the "hero hackers": this story does point out that the suckurity consulting industry goes out of its way to distance itself from hackers who dish out prompt and rough justice.
Since blocking a particular host at a router/firewall is sufficient "self-defense" that's probably the ethical limit. Notifying the owner of the trespassing host is a time-consuming, but reasonable step. One more thing, possibly more satisfying: tarpits
The late LaBrea project implemented techniques that did not block attackers/scanners, but rather through protocol manipulation, HELD ON to them as long as possible, through things like tcp window size, etc. they kept the source host on the line sending zero bytes.
This kept them from bothering other people, and was computationally inexpensive to implement on the destination host. I think the honeyd project has some of this built in.
I heard of one connection maintained for over 9 months - but I have no link, sorry.
1) Should you capitulate to DOSnet blackmailers or figure out some way to survive their attack?
2) Should you attempt to attack those DOSnet blackmailers?
They require two separate cost/benefit... er... analysis... analyses... analysises... calculations.
There are no trails. There are no trees out here.
Cute sig. :P
Slashdot their site. Free and legal if you can get the editors to post it.
It's like Ddos only without the stigmata and virus work.
RTFA again for the best results.
These days it's pretty hard to spoof a tcp connection. UDP, ICMP, or some weird, rare, connectionless protocol, sure.
But if they are loading a page over and over via http like in a recent massive DDoS (http://www.dshield.org/pipermail/intrusions/2005-January/008739.html) you can be sure that the zombies' source ip is what it says it is. These days zombies are not worth the trouble of hiding, anyway.
I wouldn't retaliate, but I would especially not retaliate unless the completed tcp handshake gave me assurance the source wasn't spoofed.
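The handshake test this post relies on, as an added example that is not code from the thread: it walks a constructed packet summary and attributes requests only to sources whose third packet acknowledged the server's own SYN-ACK sequence number, something a spoofed sender never sees. The same check is what keeps a countermeasure box from being pointed at a forged address, the flaw other posts in the thread raise. The protected server address and the one-packet-per-line format are assumptions.

```python
"""Attribute request traffic only to sources that completed a TCP handshake.

Input is a constructed packet summary (assumed format, one packet per line):
    src sport dst dport flags seq ack
A source is "confirmed" only when its third packet carries ack == server_ISN + 1,
i.e. it really received the SYN-ACK; a sender spoofing that address never can.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SERVER = "198.51.100.10"  # assumption: the protected host


@dataclass
class Flow:
    syn_seen: bool = False
    synack_seq: Optional[int] = None  # server ISN from its SYN-ACK
    confirmed: bool = False
    requests: int = 0


def parse(line):
    src, sport, dst, dport, flags, seq, ack = line.split()
    return src, int(sport), dst, int(dport), flags, int(seq), int(ack)


def classify(lines, server=SERVER):
    """Return (confirmed, unconfirmed): per-source request counts for sources
    that finished the handshake, and per-source flow counts for the rest."""
    flows = defaultdict(Flow)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, flags, seq, ack = parse(line)
        if dst == server:                      # client -> server
            f = flows[(src, sport, dport)]
            if "S" in flags and "A" not in flags:
                f.syn_seen = True
            elif "A" in flags and not f.confirmed and f.synack_seq is not None:
                # The only proof the source saw our SYN-ACK is the right ack number.
                if ack == f.synack_seq + 1:
                    f.confirmed = True
            if f.confirmed and "P" in flags:   # data, e.g. an HTTP request
                f.requests += 1
        elif src == server:                    # server -> client
            f = flows[(dst, dport, sport)]
            if flags == "SA" and f.syn_seen:
                f.synack_seq = seq
    confirmed, unconfirmed = defaultdict(int), defaultdict(int)
    for (src, _, _), f in flows.items():
        if f.confirmed:
            confirmed[src] += f.requests
        else:
            unconfirmed[src] += 1
    return dict(confirmed), dict(unconfirmed)


SAMPLE = """\
# constructed sample, not a real capture
# 203.0.113.5 completes the handshake and sends two requests
203.0.113.5 40001 198.51.100.10 80 S 1000 0
198.51.100.10 80 203.0.113.5 40001 SA 5000 1001
203.0.113.5 40001 198.51.100.10 80 A 1001 5001
203.0.113.5 40001 198.51.100.10 80 PA 1001 5001
203.0.113.5 40001 198.51.100.10 80 PA 1101 5201
# SYNs with a spoofed source: the server answers, nobody can ACK
192.0.2.77 1234 198.51.100.10 80 S 1 0
198.51.100.10 80 192.0.2.77 1234 SA 6000 2
192.0.2.77 1235 198.51.100.10 80 S 1 0
198.51.100.10 80 192.0.2.77 1235 SA 6100 2
# blind third packet with a guessed ack number: does not match the SYN-ACK
192.0.2.88 2222 198.51.100.10 80 S 1 0
198.51.100.10 80 192.0.2.88 2222 SA 7000 2
192.0.2.88 2222 198.51.100.10 80 A 2 12345
"""

if __name__ == "__main__":
    ok, bad = classify(SAMPLE.splitlines())
    print("confirmed sources (requests):", ok)
    print("unconfirmed sources (flows):", bad)
```

Only the addresses in the first dictionary are ones a complaint to an ISP could reasonably name; the second dictionary is exactly the set a strike-back system must never act on.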
Interesting comment about the social ramifications of P2P software - I've got another one:
If a reputable company or open-source project had an app that knew how to recognize hacker tactics legitimately and correctly, I'd donate all the time my computers spend sleeping to running an app that allowed thousands of machines to point out which other machines were offending us. Think about it - if you, as a Network Admin of "SmellBouth" networks, receive one email about an offender, and you had the resources to follow up on that (individual) complaint, great! But chances are, the Admin might not follow up on single incidents, since the reputation or "worthiness" of that report lies on the word of one subscriber. HOWEVER, if thousands of machines across MANY networks were able to verify the same instances, wouldn't it be easier for the Admin to trust the validity of the hacking claim? I think so.
So, if there is a desire for more reliable, verifiable, "class-action" style reporting or countermeasures anywhere, let me know, 'cause I've got a spot on my HDs for your app.
Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).
:-)
Post their URL to slashdot, and let them bask in unwanted fame.
Write a program that finds the Visual Basic compiler/interpreter on the attacker's machine, and deletes it. Big deal, they'd have to re-install it from the disc. That'd delay them a whole ten minutes? Enough time to change a password....
I love how I hear people in here preaching about relying on our boys in blue to protect us. Isn't this the same board where we all moan about how clueless and stupid Joe-Average Luser is, who cannot even learn not to open an email attachment after 20 years of having it drummed into his head, and cannot switch to Linux because a disc partition is beyond his grasp? So how do I trust this same luser wearing a uniform to keep me safe?
I think that there are some trade offs to being on a shared network. In the late 80's and early 90's, the privacy activists were kind of at a high point; of the people using the net in those days a fair amount of them endorsed anonymity, things were fairly safe, most users were fairly professional. Now that it's so much larger, things like USENET, which used to be glorious back in the day, are damn near useless because of that crap; the very freedoms that people wanted are now the bane. Look at what is happening with email: rather than starting to develop a new legit protocol with security as a concern there are hacks on top of hacks, like sender verification, to try and curb spam. Just the very existence of all those hacks kind of demonstrates the mind set; of course people want to attack back. I'll be first in line for SMTP2 where every peer has to have a signed cert from a trusted CA to take part. I'll be first in line for a USENET2 where every single message is signed with S/MIME and a signed key or OpenPGP and a key signed by an authority. I also wouldn't be against peer authentication as part of SSL/TLS being used more frequently; right now it's still blind, the client agrees to the trust but the server side doesn't verify anything.
Of course you have the right to defend your property, but there will always be a bunch of weenies who would rather run away and hide behind mommy...
If some machine is attacking your system with a serious denial of service, then you have the right to root that box and halt it. Effectively, you are just turning the other person's machine off and if you would leave it at that, it would be perfectly reasonable.
Oh well, what the hell...
If you mod me down, I shall become more powerful than you could possibly imagine.
IPtables has delay capabilities - so you can limit the effect of a DOS, by limiting the number of new connections allowed per second. It doesn't really stop the DOS, but it does take the fun out of it, so the attacker will stop after a while. It also protects against dictionary password attacks, by slowing things down to the point where it is infeasible.
I used to do this, but gave up some years ago. It was pretty rare to get a useful response of any kind from the owner of the attacking system. Oftentimes they didn't believe the report or didn't understand the problem.
There is one type of "attack" that I continue to try to foil this way -- bogus "you're infected" messages from email antispam gateways. Many email administrators still don't understand that virii can (and do) spew email with fake headers, and don't believe it when it's explained to them. These are the same folk with antivirus email gateway filters that automatically send email to the apparent origin telling them their PC is infected. They really think they are doing the world a huge favor by letting them know, and they are not about to take some Random Guy's word for it. Of course, the virus they warn me about is always a Windows executable virus, and I use a Macintosh, so the reports that I've received have thus far always been in error. It doesn't matter to them. I clearly do not know what I'm talking about.
Sadly, I've never been able to convince a single email administrator to disable this feature. A few have vehemently defended their abusive configuration. Over time, the antivirus vendors seem to be removing this misfeature from their products, so eventually the upgrade cycle will take care of the problem, I hope.
As a touchstone to the main topic, I note that a strike-back technique here would be to spam their own gateway with infected messages which appear to originate from their own account, to demonstrate the point. Unfortunately, that would be wrong.
Then when you're done with that guy, you beat the shit out of the guy that was laughing at you.
Ironically, the word ironically is often used incorrectly.
Here I thought this was going to be about the "caller mute" button, bloviating and the other ways he deals with callers who get the conversational upper hand. Wrong O'Reilly I guess.
Great idea! It's like cockfighting for the 21st century!
Yes, this is a potentially serious issue with any of the active countermeasures. Even simple intrusion suppression techniques like honeypots can fall victim to this kind of redirect attack if exposed directly on the internet.
Fortunately these types of attacks can be detected and modulated. With respect to certain antiworm systems based on honeypot techniques I can safely say that these problems are not insurmountable.
This reminds me of the old 'Blitzkrieg Server' article in Signal magazine some years ago...
(Links follow for a brief description):
http://www.findarticles.com/p/articles/mi_m0CGN/is_n114/ai_20783335
http://attrition.org/errata/www/pd.001.html
But, I think that there may actually be room for active-response systems. Also, properly employed, they would be perfectly legal.
There is no reason that such tools be deployed in public networks. Some organizations have networks (including large and complex networks) that are completely and totally privately owned, and totally segregated from public networks. Such organizations may (subject to appropriate risk reviews) make judicious use of passive and even active response systems.
There are other ways to communicate than IPv4. There are indications in messages that active-response systems can't work because of spoofing. Suitable integrity and encryption methods can be used to validate source and IP address data.
There may be more modest active-response methods that may be more generally useful. For example, if traffic is located from a hostile system, the source of the traffic may be back-tracked, and shut off near its source. Not easy - and not necessarily today - but there could be places where such approaches may be deployed.
Sam Nitzberg
dontspamthis_______sam@iamsam.com
http://www.iamsam.com/
http://www.nitzbergsecurityassociates.com/
Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.
Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.
If you mod me down, I shall become more powerful than you could possibly imagine.
A DDoS directed by such a worm against certain routers or DNS servers, rather than "a web site" might have a profound impact on performance of the internet as a whole -- as perceived from just about any location on it. Much smaller networks of bots can certainly DDoS a site off the net without affecting the overall performance of the internet, but that's not the only possibility.
If you mod me down, I shall become more powerful than you could possibly imagine.
RWR: beep-beep!
RWR: ring-ring-ring-ring!
Pilot: engaged defensive!
Bitchin' Betty: jammer!
Bitchin' Betty: chaff-flare! chaff-flare!
RWR: ring-ring-ring-ring!
RWR: (quiet)
Not all ISPs are following BCP38 or the similar RFCs, but it's pretty straightforward for ISPs to do uRPF (Reverse Path Filtering) to block spoofed IP packets from their customers' routers, which blocks any packets claiming to be "from" an access line that they don't belong on. (Obviously it's more complex if your customer is an ISP, and a bit more complex if the customer is multiply homed.) This blocks most of the direct UDP and ICMP attacks, because it lets the recipient identify the source address and block it, and it prevents attackers from forging the victim's address in amplifier attacks (e.g. broadcasts "from" the victim that get big response traffic).
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
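The strict uRPF check described above, as an added simulation that is not part of the thread: an ISP edge with three constructed customer access lines accepts a packet only when the longest-prefix route to its source address points back out the interface it arrived on. Strict mode is what the comment describes and, as it notes, breaks for multihomed customers; loose mode (source merely routable) is the usual fallback there.

```python
import ipaddress

# Constructed example: access lines and the prefixes assigned to each.
# An ISP would normally derive this from its customer-facing routing table.
ACCESS_LINES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "198.51.100.0/24"],
    "cust-c": ["203.0.113.0/24"],
}

def build_fib(lines):
    """Flatten access-line prefixes into (network, interface) routes."""
    return [(ipaddress.ip_network(p), ifname)
            for ifname, prefixes in lines.items() for p in prefixes]

def best_route(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    a = ipaddress.ip_address(addr)
    matches = [(net, ifn) for net, ifn in fib if a in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_strict(fib, ingress, src):
    """BCP38 strict check: source must route back via the ingress interface."""
    return best_route(fib, src) == ingress

def filter_packets(lines, packets):
    """Split (ingress, src, dst) tuples into (accepted, dropped) lists."""
    fib = build_fib(lines)
    accepted, dropped = [], []
    for pkt in packets:
        ingress, src, _dst = pkt
        (accepted if urpf_strict(fib, ingress, src) else dropped).append(pkt)
    return accepted, dropped

# Constructed packets: two legitimate, one forging a neighbour's address
# (the reflection/amplifier pattern), one from an unroutable source.
PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),    # legitimate
    ("cust-a", "198.51.100.7", "203.0.113.5"),  # forged: address belongs to cust-b
    ("cust-b", "198.51.100.7", "192.0.2.255"),  # legitimate from cust-b
    ("cust-c", "10.9.8.7", "192.0.2.1"),        # no route at all: dropped
]

if __name__ == "__main__":
    ok, bad = filter_packets(ACCESS_LINES, PACKETS)
    print("accepted:", ok)
    print("dropped:", bad)
```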
.... network struggle doctrine
It is tempting sometimes to subscribe known scam email accounts to some other scam response address, giving them a taste of their own medicine (sic!).
/cc to an address or when it's really obvious. If you get it wrong you end up punishing the innocent.
Note: I've never done this. And if you did you would have to make pretty damn sure that it's not just a fake address (any MTA should really stop fake domains nowadays) or someone's hijacked PC. Like when they tell you to send your bank account details
TODO: 753) write sig.
...in the law. It's called "maintaining an attractive nuisance". People who fail to adequately safeguard their property can and have been accused of a crime themselves, i.e., your stereotypical open swimming pool in a back yard with no fencing, toddler falls in, drowns. Joe local bar, always allows crack sales, after a lot of busts, they frequently get shut down permanently.
Sometimes ignorance is no excuse, and today, you simply have to be seriously bogus to not be aware at a minimal level of net security. I think people who are chronically zombiefied are having less and less of an excuse to claim stoopid -> "I'm innocent!" over it. I mean, how many years does the net have to be in widespread human usage before some responsibility for one's actions and machines is expected? And how long will multi hundred billion dollar corporations be allowed to have zero responsibilities in terms of adequate security designs for software pushed to be used for internet connectivity?
Let's be frank about this, the excuses used by -insert that company- and its users have grown old now, they ring hollow and...well... whiny. It's time they grew up and admitted at least some fair-share personal and corporate responsibility for what befalls them.
In other words, if this "poor victim" company consistently fails to design lockable "doors", but continues to sell them with an illusion of lockability, and its users also willingly invite who knows who into their homes through these unlockable doors, by not even bothering to understand the raw basics of "home owner security", despite millions of warnings to the contrary over the years, then it's time they just admitted they are aiding and abetting crimes upon their own persons and "door" company. It's become criminal masochism in a way, actual bona fide negligence. Once, unfortunate, twice, a coincidence, 8,953 times makes any reasonable person assume that they just don't care, that they actually seem to almost like their perpetual victimhood status, so why should anyone else care beyond...disgust?
So in that sense, I will argue that it is perfectly moral and ethical -although not technically "legal" at this time due to the official government rather lack of application of various other laws- to just go ahead and revenge back on the offending malwarez spewing boxes, if one is sure of their reality and ID. And in a larger sense, that "insecure door" company needs a bunch of class action suits against it, at least in one instance challenging that ridiculous "not our fault" no normal consumer product warranty EULA. They owe the computing public billions and billions from outright consumer fraud. IMO that insecure "door" company makes the Enron crew look like benevolent philanthropists.
It's not that simple a task to work out where packets are really coming from, and sending a flood of packets back in that direction is not going to be a very nice thing to do to all the unrelated machines that are on the way there or nearby.
Say no to black ice!
There's nothing funny about threatening to send an email bomb
Seems to work well.
Doesn't any attack come under the laws where it was instigated? Not every country has relevant laws do they?
And why would you want to retaliate? Isn't that how most wars start? LoL.
Surely protecting your own against marauders is the best form of attack!
http://www.finjan-uk.com
n) ???
n+1) Profit!
part?
It looks like your plan is flawed.
?SYNTAX ERROR
As a touchstone to the main topic, I note that a strike-back technique here would be to spam their own gateway with infected messages which appear to originate from their own account, to demonstrate the point. Unfortunately, that would be wrong.
;)
Yes... but it would be *FUN*!
Try to hack my 31337 firewall!
http://slashdot.org/comments.pl?sid=147388&cid=12353545
~hylas
It was a 'hypothetical' scenario. You know.
I don't have dupe accounts. Who has the time to remember all the passwords? Plus your post is rated a 4. Far from hidden from the masses.
Also remember. it's just a website.