Slashdot Mirror


O'Reilly Revisits Online Countermeasures

An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley entitled: Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net, which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."

8 of 199 comments

  1. What can you do back that's legal? by Enigma_Man · · Score: 3, Insightful

    Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:What can you do back that's legal? by ImaLamer · · Score: 4, Insightful

      I would suspect that it is equally illegal to attack back - as well it should be. From both a moral and legal standpoint you have to ask yourself if it is okay anywhere else in society?

      Self defense is one thing, but attacking back is another. If someone steals from you, should you steal from them or hurt them? I would say no, and most moral philosophy would also say so too. From a legal standpoint, this is America dammit! Even if I try to take down slashdot.org their return attack has violated my rights to due process. Yeah, I know that it sucks that criminals often seem to get protected more than the victims, but that is the way the system works.

      If everyone took the law into their own hands there wouldn't be "the law" anymore - just street justice. Due process exists in order to protect the wrongfully accused, and millions of zombie PC owners thank you for that. Just think, most attacks are launched from the actual attacker's PC or server. How can you even be sure who to attack?

      If you are so sure, go to the proper authorities. No need to make all the white hats grey.

    2. Re:What can you do back that's legal? by yasth · · Score: 3, Insightful

      Imagine a compromised laptop is brought onto a LAN at say IBM and begins an attack say on Apple. Apple's IDT track the attack at the firewall, and the countermeasures respond, IBM which may well have already noted and killed the offending laptop, notes the attack and tries to "counter" it. Boom goes London boom goes Berlin.

      It is like defending yourself with hand grenades in a crowded room, even if you didn't have a double back situation, imagine the collateral damage on all the other people who happen to be on the same ISP as the one attacking.

      That said sometimes countermeasures (like propagating an uninstall script through a zombie net) are the only way to stop the problem, but it is a last ditch thing.

      --
      I'd do something interesting, but my server can't handle a slashdotting.
    3. Re:What can you do back that's legal? by BlogPope · · Score: 3, Insightful
      If you're standing in a bar and get hit in the face, well, you've just been hit in the face.

      Except you can't be sure who hit you; and it's more like being hit in the back of the head with a brick that has a name written on it. Is it the name of the guy who threw it? Or did he write someone else's name on it? You might as well grab some random guy and start a bar brawl while the guy with the brick sits back and laughs at you.

      --
      My other car is a Popemobile
  2. You know... by LegendOfLink · · Score: 4, Insightful

    even though I'm personally at odds with people who want to 'strike back'

    In the UK, when somebody files a lawsuit and loses, not only do they have to pay for their own court expenses, but also those of the defendant. This isn't the case in the US, which is why we are the most litigious country in the world.

    Now, let's look at computing. If we just let the asshole hackers get away with their crime without a fight, they will keep on hitting us hard. But, if we had a mechanism that would "fight back" and destroy a 15 year-old script kiddie's computer that mommy and daddy bought, well, maybe they'd think twice.

  3. Re:what about the counter-counter measures by Anonymous Coward · · Score: 5, Insightful

    As Rudyard Kipling put it:

    IT IS always a temptation to an armed and agile nation,
    To call upon a neighbour and to say:--
    "We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."
    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation to a rich and lazy nation,
    To puff and look important and to say:--
    "Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
    But we've proved it again and again,
    That if once you have paid him the Dane-geld
    You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray,
    So when you are requested to pay up or be molested,
    You will find it better policy to say:--

    "We never pay any one Dane-geld,
    No matter how trifling the cost,
    For the end of that game is oppression and shame,
    And the nation that plays it is lost!"

  4. Wait wait wait by cavemanf16 · · Score: 3, Insightful
    From the "whurleyvision" blog:
    Who knows--in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities; which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end a more secure, reliable, networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.

    Now, I'm not going to advocate breaking "the law" directly in this post, but allow me to raise an important question to the /. community. Do we really want "a more secure, reliable, networking infrastructure" in the end? Allow me to now elaborate on that question.

    A more secure, reliable, networking infrastructure sounds great on the face of it, but what if we were talking about a corporate infrastructure instead of a networking infrastructure? In other words, big barriers to entry for the little guys to innovate, force change, develop new things, and build NEW corporations. Same goes for networking I think. Script kiddies are not innovative as they are simply piggybacking off of others' works, BUT they have been innovative in pushing every company to be highly concerned about protecting themselves against cracking and DDOS'ing, which HAS been good for us, the consumers, as the data and services that these companies provide to us is ultimately more secure, reliable, etc. Those who are doing the really devious crack attacks are being more innovative, and are forcing organizations with a 'net presence to build ever better security defenses to guard against these attacks. These new defense mechanisms in turn often get passed on to other like-minded individuals who desire the same security. I guess that ultimately I am trying to say that while we do want "more reliability" at certain levels, at other levels lack of reliability is what helps spur innovation, change, and pre-emptive corrections to problems which left unchecked, could cause massive, long-lasting damage when a chink in the armor is finally exploited.

    So is "strike back" a good thing? Almost every time it is not going to help in any way. With our "War on Terror" we certainly had some excellent early gains, but now we're in a long, slow decay of gains due to the loss of life and new difficulties we created through our counterstrikes in Iraq and Afghanistan. Bush may have made the world a safer place immediately after 9/11, but now we have the Patriot Act, thousands of dead soldiers and civilians in a war that ultimately cannot "end", and what I perceive to be a whole new level of various threats to our country because we have only encouraged the terrorists to come up with better and more lethal attacks in response to our counterattack.

    So, in summary, yes defending against malicious network activities is good for everyone, but I think that counterstrikes against an amorphous enemy with difficult to define borders (terrorists can come from any country, just as ip addresses can be spoofed to be marked as coming from ANY organization) in response to these attacks pose a serious risk to the network that we call "The Internet" because it will only increase the desire to make more chaos on it ultimately than it will to dissuade it. Then we get more government control, more devastating attacks, and more polarization of "sides" to the war on network intrusion. Let's keep these issues in mind when building our network security plans.

  5. More like Network Judo by Gary W. Longsine · · Score: 3, Insightful

    Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.

    Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.