Slashdot Mirror


O'Reilly Revisits Online Countermeasures

An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley entitled: Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net, which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."

15 of 199 comments

  1. What can you do back that's legal? by Enigma_Man · · Score: 3, Insightful

    Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:What can you do back that's legal? by ImaLamer · · Score: 4, Insightful

      I would suspect that it is equally illegal to attack back - as well it should be. From both a moral and legal standpoint you have to ask yourself if it is okay anywhere else in society?

      Self defense is one thing, but attacking back is another. If someone steals from you, should you steal from them or hurt them? I would say no, and most moral philosophy would also say so too. From a legal standpoint, this is America dammit! Even if I try to take down slashdot.org their return attack has violated my rights to due process. Yeah, I know that it sucks that criminals often seem to get protected more than the victims, but that is the way the system works.

      If everyone took the law into their own hands there wouldn't be "the law" anymore - just street justice. Due process exists in order to protect the wrongfully accused, and millions of zombie PC owners thank you for that. Just think, most attacks are launched from the actual attacker's PC or server. How can you even be sure who to attack?

      If you are so sure, go to the proper authorities. No need to make all the white hats grey.

    2. Re:What can you do back that's legal? by yasth · · Score: 3, Insightful

      Imagine a compromised laptop is brought onto a LAN at say IBM and begins an attack say on Apple. Apple's IDT track the attack at the firewall, and the countermeasures respond, IBM which may well have already noted and killed the offending laptop, notes the attack and tries to "counter" it. Boom goes London boom goes Berlin.

      It is like defending yourself with hand grenades in a crowded room, even if you didn't have a double back situation, imagine the collateral damage on all the other people who happen to be on the same ISP as the one attacking.

      That said sometimes countermeasures (like propagating an uninstall script through a zombie net) are the only way to stop the problem, but it is a last ditch thing.

      --
      I'd do something interesting, but my server can't handle a slashdotting.
    3. Re:What can you do back that's legal? by CarrionBird · · Score: 2, Insightful

      You assume that due process actually exists. If the system worked, I would be inclined to agree with you, but such is not the case. In most cases attacks aren't even investigated unless they hit a certain $$ figure in damages or it's a government system that's hit.

      --
      Free Mac Mini Yeah, it's
    4. Re:What can you do back that's legal? by ScentCone · · Score: 2, Insightful

      Self defense is one thing, but attacking back is another

      This is sophistry. Attacking "back" means by definition that you are responding to someone else's act. If you're standing in a bar and get hit in the face, well, you've just been hit in the face. There's time between that blow, and the next one. Between those blows, you're not "still" being hit in the face, but simply girding yourself for the next blow to the face isn't really enough, morally or practically. Physically stopping such an assault (or the online equivalent) is an appropriate response. And to the extent that disabling your physical attacker is the surest defense against him landing another blow, then you are (in a sense) "attacking back." But it's for defensive reasons, and only in response to an obvious provocation.

      I've never seen a network attack from a dedicated, professional bad guy that didn't get repeated if you didn't do something about it. Increasingly, passive defenses don't hold up to the onslaught, and not everyone runs an online casino making enough money to buy $100,000 in instant remediation by some of the firms that specialize in trapping the traffic from gigantic zombie attacks.

      When every merchant on the block is being abused by a gang of thugs, and the cops won't (or really, in the case of overseas cyber attacks, can't) do anything about it, it's reasonable for the shopkeepers on the block to band together and make attacking any one of them a provocation that is dramatically too expensive, or which takes away the attacker's tools.

      --
      Don't disappoint your bird dog. Go to the range.
    5. Re:What can you do back that's legal? by Frank+T.+Lofaro+Jr. · · Score: 2, Insightful

      Yes, tar pits and honey pots are quite legal.

      It is a valid form of striking back - making the attacker waste his/her/its time.

      --
      Just because it CAN be done, doesn't mean it should!
    6. Re:What can you do back that's legal? by BlogPope · · Score: 3, Insightful
      If you're standing in a bar and get hit in the face, well, you've just been hit in the face.

      Except you can't be sure who hit you; and it's more like being hit in the back of the head with a brick that has a name written on it. Is it the name of the guy who threw it? Or did he write someone else's name on it? You might as well grab some random guy and start a bar brawl while the guy with the brick sits back and laughs at you.

      --
      My other car is a Popemobile
  2. Ridiculous. by Anonymous Coward · · Score: 1, Insightful

    The fact that someone at O'Reilly would even suggest this as a solution is sickening.

    Anyone who even has a shred of a clue about networking will realize that a DDoS attack doesn't just affect the person getting flooded; it affects anyone who's routed through the systems that connect the two at the same time.

  3. You know... by LegendOfLink · · Score: 4, Insightful

    even though I'm personally at odds with people who want to 'strike back'

    In the UK, when somebody files a lawsuit and loses, not only do they have to pay for their own court expenses, but also those of the defendant. This isn't the case in the US, which is why we are the most litigious country in the world.

    Now, let's look at computing. If we just let the asshole hackers get away with their crime without a fight, they will keep on hitting us hard. But, if we had a mechanism that would "fight back" and destroy a 15 year-old script kiddie's computer that mommy and daddy bought, well, maybe they'd think twice.

  4. Re:what about the counter-counter measures by Anonymous Coward · · Score: 5, Insightful

    As Rudyard Kipling put it:

    IT IS always a temptation to an armed and agile nation,
    To call upon a neighbour and to say:--
    "We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."
    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation to a rich and lazy nation,
    To puff and look important and to say:--
    "Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
    But we've proved it again and again,
    That if once you have paid him the Dane-geld
    You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray,
    So when you are requested to pay up or be molested,
    You will find it better policy to say:--

    "We never pay any one Dane-geld,
    No matter how trifling the cost,
    For the end of that game is oppression and shame,
    And the nation that plays it is lost!"

  5. Re:If the Minute Men can do it.... by gg3po · · Score: 2, Insightful

    Despite some popular misconceptions, the Minuteman Project members weren't going around dishing out their own justice... all they did was stand around looking for illegals, calling the border patrol when they spotted some. They actually left all the arresting, etc. to the Border Patrol.

    --
    ---
  6. I'd personally prefer fighting back, but... by suitepotato · · Score: 2, Insightful

    ...there's always the problem of an innocent or mere idiot getting nailed. If we had layers of defense mechanisms making warnings loud and clear and finally struck back, maybe. But if a fourteen year old script kiddie in Des Moines gets his machine crashed for fooling around, that's a little bit much especially if it is mom and dad's financial info going on the family PC.

    We could publish IPs of scorn but we already have such lists on the net of known scum monkeys and the result is basically like that of pro-am net trolls. They got the attention they wanted. And we could blacklist/graylist/scarlet letter the wrong people very easily.

    Over time, we may very well have something approaching the world of Ghost in the Shell but right now, we don't need a cyber crime and terrorism unit to go out and whack miscreants down with theatrics and glitz. We need ISPs who give a damn about what their customers are doing and we need to tar and feather THEM. Of course, this hasn't worked for UUNet so YMMV.

    I do wish there was some sort of ping-of-death-ability to at least disrupt the connections of people who won't stop knocking on my router or some facility for authorizing specific logging by my ISP. Wouldn't that be something? The ability to sign on to your account and not only manage e-mail but to be able to choose to log specific traffic by port and IP on YOUR connection so you can then cut and paste it in a complaint to the offender's ISP? Probably won't happen, but having the layer 2 as well as layer 3 information in hand would help knock down the "I'm innocent, I was spoofed" defense where you are now put on the spot of having to prove otherwise.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  7. Wait wait wait by cavemanf16 · · Score: 3, Insightful
    From the "whurleyvision" blog:
    Who knows--in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities; which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end a more secure, reliable, networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.

    Now, I'm not going to advocate breaking "the law" directly in this post, but allow me to raise an important question to the /. community. Do we really want "a more secure, reliable, networking infrastructure" in the end? Allow me to now elaborate on that question.

    A more secure, reliable, networking infrastructure sounds great on the face of it, but what if we were talking about a corporate infrastructure instead of a networking infrastructure? In other words, big barriers to entry for the little guys to innovate, force change, develop new things, and build NEW corporations. Same goes for networking I think. Script kiddies are not innovative as they are simply piggybacking off of others' works, BUT they have been innovative in pushing every company to be highly concerned about protecting themselves against cracking and DDOS'ing, which HAS been good for us, the consumers, as the data and services that these companies provide to us is ultimately more secure, reliable, etc. Those who are doing the really devious crack attacks are being more innovative, and are forcing organizations with a 'net presence to build ever better security defenses to guard against these attacks. These new defense mechanisms in turn often get passed on to other like-minded individuals who desire the same security. I guess that ultimately I am trying to say that while we do want "more reliability" at certain levels, at other levels lack of reliability is what helps spur innovation, change, and pre-emptive corrections to problems which left unchecked, could cause massive, long-lasting damage when a chink in the armor is finally exploited.

    So is "strike back" a good thing? Almost every time it is not going to help in any way. With our "War on Terror" we certainly had some excellent early gains, but now we're in a long, slow decay of gains due to the loss of life and new difficulties we created through our counterstrikes in Iraq and Afghanistan. Bush may have made the world a safer place immediately after 9/11, but now we have the Patriot Act, thousands of dead soldiers and civilians in a war that ultimately cannot "end", and what I perceive to be a whole new level of various threats to our country because we have only encouraged the terrorists to come up with better and more lethal attacks in response to our counterattack.

    So, in summary, yes defending against malicious network activities is good for everyone, but I think that counterstrikes against an amorphous enemy with difficult to define borders (terrorists can come from any country, just as IP addresses can be spoofed to be marked as coming from ANY organization) in response to these attacks pose a serious risk to the network that we call "The Internet" because it will only increase the desire to make more chaos on it ultimately than it will to dissuade it. Then we get more government control, more devastating attacks, and more polarization of "sides" to the war on network intrusion. Let's keep these issues in mind when building our network security plans.

  8. Self Defense is Legal and Moral by RexRhino · · Score: 2, Insightful

    If someone is trying to kill me or rob me, I have the right to defend myself using force. Likewise, if someone is using some sort of data attack or trying to steal my information, I have a right to defend myself using those means.

    The police and government protecting me are only an extension to my own right to self defense. There are cases where individuals are not able to defend themselves, or where they might think they are defending themselves but doing the wrong person harm, and so we have professional police, judges, who in theory are better at defending us and preserving a civil society than we would be ourselves. They are specialists, just like a doctor is a specialist in treating disease, and so we assume they are doing it more efficiently with the least harm.

    BUT, if the professionals (i.e. the police, judges, etc.) are not able to effectively defend me and preserve a civil society, I have every moral right to defend myself. Period. Yes, some countries have passed laws against self defense, but the rejection of the right of individual self-defense is part of an overall authoritarian philosophy that rejects any kind of individual rights.

    There can be a discussion of the practical problems of self-defense (How can I be sure that the person who appears to be doing a denial of service attack is the perpetrator? Will retaliation have negative effects on innocent people who are not involved? Can these techniques be abused or exploited by a third party? Will I really be defending myself by using this technology?), but all of these are technical/practical discussions. But from the moral perspective, only a few of the most extremely authoritarian or collectivist ideologies would deny a person the right to self defense.

  9. More like Network Judo by Gary+W.+Longsine · · Score: 3, Insightful

    Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.

    Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
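
Added example, not part of the original thread or any commenter's code: a minimal TCP tarpit of the kind the last comment describes, which holds a connection open while sending only a few bytes per interval. The handler design, the `make_tarpit`/`measure`/`run_demo` names, and the loopback measurement are assumptions constructed for illustration.

```python
import asyncio
import random
import time


def make_tarpit(delay, stats):
    """Return a connection handler that drips one tiny line every `delay` s."""
    async def handle(reader, writer):
        stats["accepted"] += 1
        try:
            while True:
                try:
                    # Use the read as our sleep so a disconnect is noticed at once.
                    if not await asyncio.wait_for(reader.read(1024), delay):
                        break  # peer gave up; anything it sent is ignored
                except asyncio.TimeoutError:
                    line = b"%x\r\n" % random.getrandbits(32)
                    writer.write(line)
                    await writer.drain()
                    stats["bytes_sent"] += len(line)
        except ConnectionError:
            pass
        finally:
            writer.close()
    return handle


async def measure(delay, hold):
    """Constructed loopback demo: one client stays connected for `hold` s."""
    stats = {"accepted": 0, "bytes_sent": 0}
    server = await asyncio.start_server(make_tarpit(delay, stats), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start, received = time.monotonic(), 0
    while time.monotonic() - start < hold:
        chunk = await reader.read(64)
        if not chunk:
            break
        received += len(chunk)
    stats["held_seconds"] = time.monotonic() - start
    stats["bytes_received"] = received
    writer.close()
    server.close()
    return stats


def run_demo(delay=0.05, hold=0.5):
    return asyncio.run(measure(delay, hold))


if __name__ == "__main__":
    print(run_demo())
```

The listener only ever answers connections made to it, so the cost lands on whoever keeps the socket open, and the bytes it emits stay proportional to `hold / delay` rather than to anything the client does.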