O'Reilly Revisits Online Countermeasures
An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley's entitled: Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net. which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."
If you read the actual blog, it doesn't really contain any information or opinion or whatever. One of the comments on the blog provides more useful information - for older and more informative papers go here: http://www.oreillynet.com/pub/a/security/2004/08/03/symbiot.html and
http://www.onlamp.com/pub/a/security/2004/03/10/symbiot.html
----- One learns to itch where one can scratch.
Imagine if IP spoofing is used. You can trick one of these networks into launching attacks towards the IP your program is spoofing as. Spoof as the Microsoft.com IP address and watch as Microsoft turns around and tries to sue the company that launched the counter-attack.
\/\/3 0wn y0u, |\/|1(r050f7, 7h3 5(r1p7-k1dd135.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
If you file a lawsuit against IBM and lose, you're financially screwed for life. Not the kind of position I would like to be in.
PHP is the solution of choice for relaying mysql errors to web users.
The company who fought them, and the consultant who helped out, are now in business together protecting other people from these sorts of attacks, making way more money than it cost to fight the attack. Not only is Kipling correct, but in this case you mention it even made sense from a short-sighted cost/benefit point of view.
The problem is that the majority of the attacks are from skript kiddie "pWn3d" servers. Sure, they launch their initial attacks from their home machines, but from there they get more and more zombies (for DDoS) or SSH hosts for tunneling.
I have had some servers get hit, and start attacking others. Now, if you were the target, and then started attacking one of my servers in retaliation, how does that help me?
From this vantage point, I have not only had one of my servers attacked by a skript kiddie, but now, I am being attacked again by another victim. It is probably acceptable for you to take over my system and remove the attacking software/exploit and/or notify me. However, if you turn around and DDoS my network because one of my machines was insecure, I now have a worse problem on my hands, and a much larger bandwidth bill.
I generally send out emails to companies or universities that have a trojaned machine that regularly attacks one of my machines (that is, shows up in the logs on a consistent basis); otherwise, they are generally dropped into iptables...
For those machines that I do alert the admins about, my email generally consists of:
Your machine XXX.XXX.XXX.XXX has been attacking my machine with the following . Here are detailed logfiles of the attack......
Your system has likely been hit with . I discovered this with and here is that report.
I suggest your course of action is
I don't do this "service" often, generally about once or twice a month with an aggressive attacker, or when I am testing out new toys. It likely helps the people who own the attacking machines. I know this because when I started out with Linux in 1998 as an admin, I remember getting very similar emails about my servers. It made me a better admin.
Try to hack my 31337 firewall!
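The triage the poster above describes (sources that show up in the logs on a consistent basis get an email to their admins, the rest go into iptables), as an added example that is not from the thread. The sshd log lines are constructed, and the three-distinct-days threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Mar 10 02:14:01 srv sshd[411]: Failed password for root from 198.51.100.23 port 4022 ssh2
Mar 10 02:14:03 srv sshd[411]: Failed password for root from 198.51.100.23 port 4023 ssh2
Mar 11 03:01:10 srv sshd[519]: Failed password for admin from 198.51.100.23 port 5011 ssh2
Mar 12 04:20:44 srv sshd[602]: Failed password for root from 198.51.100.23 port 6100 ssh2
Mar 12 04:21:00 srv sshd[602]: Failed password for test from 203.0.113.7 port 7001 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+) \S+ \S+ sshd\[\d+\]: Failed password for (\S+) from (\d+(?:\.\d+){3})")

def parse_log(text):
    """Group failed-login lines by source IP, keeping the distinct days each one appeared."""
    sources = defaultdict(lambda: {"days": set(), "lines": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        day, _user, ip = m.groups()
        sources[ip]["days"].add(day)
        sources[ip]["lines"].append(line)
    return sources

def triage(text, min_days=3):
    """Split sources into 'consistent' (report to their admins) and 'one-off' (just drop).
    min_days is an assumed threshold for 'shows up on a consistent basis'."""
    sources = parse_log(text)
    report = sorted(ip for ip, rec in sources.items() if len(rec["days"]) >= min_days)
    drop = sorted(ip for ip in sources if ip not in report)
    return report, drop

def draft_report(ip, sources):
    """Abuse-report text in the shape of the poster's email: what, when, and the evidence."""
    rec = sources[ip]
    header = f"Your machine {ip} has been attacking my machine with SSH password guessing on {len(rec['days'])} separate days."
    return "\n".join([header, "Detailed log lines of the attack:"] + rec["lines"])

def drop_rules(ips):
    """iptables commands for the sources that are not worth an email."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    to_report, to_drop = triage(SAMPLE_LOG)
    for ip in to_report:
        print(draft_report(ip, parse_log(SAMPLE_LOG)), end="\n\n")
    print("\n".join(drop_rules(to_drop)))
```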
You can bet it slows down more people than just the intended victim; any internet traffic does. The internet might not "slow down" but bandwidth is not infinite.
This reminds me of the old 'Blitzkrieg Server' article in Signal magazine some years ago...
(Links follow for a brief description):
http://www.findarticles.com/p/articles/mi_m0CGN/is_n114/ai_20783335
http://attrition.org/errata/www/pd.001.html
But, I think that there may actually be room for active-response systems. Also, properly employed, they would be perfectly legal.
There is no reason that such tools need be deployed in public networks. Some organizations have networks (including large and complex networks) that are completely and totally privately owned, and totally segregated from public networks. Such organizations may (subject to appropriate risk reviews) make judicious use of passive and even active response systems.
There are other ways to communicate than IPv4. There are indications in messages that active-response systems can't work because of spoofing. Suitable integrity and encryption methods can be used to validate source and IP address data.
There may be more modest active-response methods that may be more generally useful. For example, if traffic is located from a hostile system, the source of the traffic may be back-tracked, and shut off near its source. Not easy - and not necessarily today - but there could be places where such approaches may be deployed.
Sam Nitzberg
dontspamthis_______sam@iamsam.com
http://www.iamsam.com/
http://www.nitzbergsecurityassociates.com/