Slashdot Mirror


O'Reilly Revisits Online Countermeasures

An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley entitled: Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net, which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."

11 of 199 comments

  1. what about the counter-counter measures by udderly · · Score: 3, Interesting

    I just wonder how often these strikeback or countermeasures backfire. I remember reading a story awhile back where a gambling site repulsed a DDoS attack. The really interesting thing was that it cost the company way more to fight the attack than it would have cost to pay off the extortionist.

    While I understand the desire to stick it to these creeps, from a purely cost/benefit analysis point-of-view, it doesn't seem to me to make a lot of sense.

    1. Re:what about the counter-counter measures by mi · · Score: 2, Interesting
      Considering how many spams come at us from zombie PCs owned by clueless users, there could be a lot of innocent bystanders that get stepped on when someone unleashes a DDOS on a spammer.
      Why would you call them "innocent"? Imagine a driver's defense after an accident: "Oh, all these driving things are just too technical." Innocent? I don't think so...

      I'm not going into legalities here, but morally you are responsible for what your things (and kids and pets) do to others (legal responsibility exists too, BTW). And -- just as with other things -- some of the responsibility may be forwarded onto the thing's manufacturer.

      But there is nothing wrong in disabling the clueless' PC to stop it from attacking you and others. If you disagree, you should advocate the removal of the highway guardrails, which stop errant cars from doing more damage to others (and, sometimes, themselves).

      --
      In Soviet Washington the swamp drains you.
  2. Arms race example in the p2p world by stripmarkup · · Score: 3, Interesting

    Here's an interesting example of an escalation, going on right now. It seems that anti-p2p organizations are trying to pollute some torrents for TV shows such as Six Feet Under (see discussion here).

    What they do is put out a file of the same size but with random data. Since the torrent file has segment hashes to verify integrity, any segments downloaded from the bogus file will fail the checksum and waste downloaders' bandwidth. The community of downloaders is fighting back by spreading blacklists with the IP addresses of the bogus clients.

    --
    See charts for twitter trends on Trendistic
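The piece-hash check stripmarkup describes, as an added example that is not part of the thread or of any BitTorrent client. It builds the torrent-style `pieces` field (one SHA-1 per piece), verifies each downloaded piece against it, and keeps a per-peer failure count so the client stops asking a peer that keeps serving junk, which is the evidence-based counterpart of the shared IP blacklists mentioned above. The content, the two simulated peers, the `PeerScorer` and `download` helpers, and the 4-byte piece size are all constructed for the example; real torrents use pieces of 256 KiB and up.

```python
"""Added example (not from the thread): torrent-style piece hashing with
per-peer failure accounting. Everything here is constructed for illustration."""
import hashlib
import os
from collections import Counter

PIECE_LEN = 4     # toy piece length; real torrents use 256 KiB or more
HASH_LEN = 20     # SHA-1 digest size, as in a torrent's 'pieces' field


def make_pieces_field(content, piece_len=PIECE_LEN):
    """Build the 'pieces' field: one 20-byte SHA-1 per piece, concatenated in order."""
    return b"".join(hashlib.sha1(content[i:i + piece_len]).digest()
                    for i in range(0, len(content), piece_len))


def piece_ok(pieces_field, index, data):
    """Verify one downloaded piece against the hash published in the torrent."""
    want = pieces_field[HASH_LEN * index:HASH_LEN * (index + 1)]
    return hashlib.sha1(data).digest() == want


class PeerScorer:
    """Count hash failures per peer; ban a peer after max_failures bad pieces.
    A peer is judged by the data it actually served, not by a list someone else published."""

    def __init__(self, max_failures=2):
        self.max_failures = max_failures
        self.failures = Counter()
        self.banned = set()

    def record(self, peer, ok):
        if ok:
            return
        self.failures[peer] += 1
        if self.failures[peer] >= self.max_failures:
            self.banned.add(peer)


def download(pieces_field, n_pieces, peers, scorer):
    """peers: {name: fetch(index) -> bytes}, simulating a request to each peer.
    Returns the assembled content, or None if some piece never verified."""
    assembled = []
    for index in range(n_pieces):
        piece = None
        for name, fetch in peers.items():
            if name in scorer.banned:
                continue            # stop wasting bandwidth on a known polluter
            data = fetch(index)
            ok = piece_ok(pieces_field, index, data)
            scorer.record(name, ok)
            if ok:
                piece = data
                break
        if piece is None:
            return None
        assembled.append(piece)
    return b"".join(assembled)


def run_demo():
    """Constructed scenario: one honest peer, one peer serving same-size random data."""
    content = b"the quick brown fox jumps over the lazy dog"
    pieces_field = make_pieces_field(content)
    n_pieces = len(pieces_field) // HASH_LEN

    def good_peer(index):
        return content[index * PIECE_LEN:(index + 1) * PIECE_LEN]

    def polluter(index):
        # Same size as the real piece, random bytes: the pollution tactic the comment describes.
        return os.urandom(len(good_peer(index)))

    peers = {"polluter": polluter, "good": good_peer}   # the polluter is asked first
    scorer = PeerScorer(max_failures=2)
    return download(pieces_field, n_pieces, peers, scorer), scorer, content


if __name__ == "__main__":
    result, scorer, content = run_demo()
    print("assembled correctly:", result == content)
    print("failures per peer:", dict(scorer.failures), "banned:", scorer.banned)
```

With the polluter asked first, it fails the hash on pieces 0 and 1, is banned at the second failure, and is never asked again; the file still assembles correctly from the honest peer because every piece is checked before it is kept.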
  3. Re:What can you do back that's legal? by einhverfr · · Score: 2, Interesting

    In summary, strike-back technologies turn your network into attack-bots for script-kiddies... Note that source routing is unnecessary for this sort of attack so filtering out packets based on this is irrelevant. All that is necessary is for the IDS to *think* it is being attacked from a given network. Many attacks can be done either via UDP or without a connection (TCP SYN floods), so it is to be taken really seriously.

    I wish more people realized this...

    I have had one idea regarding a strike-back technology that might actually have some value. Maybe it could automatically look up the attacker's ISP block and send an email to them about the attack and attach relevant log entries. It would still be susceptible to spoofing but not as seriously...

    --
    LedgerSMB: Open source Accounting/ERP
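The spoofing point einhverfr makes, as an added example that is not part of the thread: an alert handler that groups IDS alerts by source and refuses to escalate on evidence whose source address proves nothing (UDP, bare SYNs), while drafting the kind of abuse notice the comment proposes only for alerts backed by a completed TCP handshake. The log lines and their key=value fields are constructed for this example and match no real IDS format; the `decide`, `is_spoofable` and `draft_report` names are this example's own, and the whois lookup of the abuse contact is left as a labelled placeholder.

```python
"""Added example (not from the thread): escalation logic that never acts on
spoofable evidence. Alert lines are constructed; addresses are documentation ranges."""
import re
from collections import defaultdict

# Constructed sample alerts: ISO timestamp followed by key=value fields.
SAMPLE_ALERTS = """\
2005-06-14T09:12:01Z proto=udp src=192.0.2.10 dst=198.51.100.5 dport=53 state=none sig=dns-probe
2005-06-14T09:12:01Z proto=tcp src=192.0.2.10 dst=198.51.100.5 dport=80 state=syn sig=syn-flood
2005-06-14T09:12:02Z proto=tcp src=192.0.2.10 dst=198.51.100.5 dport=80 state=syn sig=syn-flood
2005-06-14T09:12:02Z proto=udp src=192.0.2.10 dst=198.51.100.5 dport=53 state=none sig=dns-probe
2005-06-14T09:13:10Z proto=tcp src=203.0.113.7 dst=198.51.100.5 dport=22 state=established sig=ssh-bruteforce
2005-06-14T09:13:11Z proto=tcp src=203.0.113.7 dst=198.51.100.5 dport=22 state=established sig=ssh-bruteforce
2005-06-14T09:13:12Z proto=tcp src=203.0.113.7 dst=198.51.100.5 dport=22 state=established sig=ssh-bruteforce
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_alert(line):
    """Split one constructed alert line into a dict; keeps the raw line for reports."""
    ts, _, rest = line.partition(" ")
    alert = {"ts": ts, "raw": line}
    alert.update(FIELD.findall(rest))
    return alert


def is_spoofable(alert):
    """True when the source address proves nothing. UDP datagrams and bare SYNs
    carry no handshake, so anyone can write any address into them; only a
    completed TCP handshake ties the traffic to a host that received our replies."""
    if alert["proto"] != "tcp":
        return True
    return alert["state"] != "established"


def decide(lines, threshold=3):
    """Group alerts by source and choose an action per source. Spoofable evidence
    never gets past 'log-only' however much of it arrives: acting on it is exactly
    how a strike-back box becomes someone else's attack tool."""
    by_src = defaultdict(list)
    for line in lines.splitlines():
        if line.strip():
            alert = parse_alert(line)
            by_src[alert["src"]].append(alert)
    decisions = {}
    for src, alerts in by_src.items():
        solid = [a for a in alerts if not is_spoofable(a)]
        decisions[src] = "notify-abuse" if len(solid) >= threshold else "log-only"
    return decisions, by_src


def draft_report(src, alerts, abuse_contact="PLACEHOLDER: abuse contact from a whois lookup"):
    """Draft the notice the comment suggests: the non-spoofable log entries for one source.
    The abuse contact is a placeholder; resolving it is outside this example."""
    solid = [a for a in alerts if not is_spoofable(a)]
    body = [f"To: {abuse_contact}",
            f"Subject: abusive traffic from {src} ({len(solid)} established-connection alerts)",
            "",
            "Relevant log entries (only alerts backed by a completed TCP handshake):"]
    body.extend("  " + a["raw"] for a in solid)
    return "\n".join(body)


if __name__ == "__main__":
    decisions, by_src = decide(SAMPLE_ALERTS)
    for src, action in decisions.items():
        print(src, "->", action)
    print(draft_report("203.0.113.7", by_src["203.0.113.7"]))
```

Run as-is, the SYN-flood and DNS-probe source stays at "log-only" despite four alerts, and only the source with three established SSH sessions produces a draft notice; a real deployment would still have a human send it, since even handshake-backed evidence can come from a compromised third party.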
  4. You Know... by ch0p · · Score: 2, Interesting

    ...A guy on the pulltheplug IRC network ran a tutorial on writing exploits for exploits. Basically, they'd run a process that looks like a vulnerable server, and when someone comes along and takes the bait, they end up rooted.

  5. Law enforcement can't do it all by ScentCone · · Score: 3, Interesting

    Considering the huge horsepower of things like the SETI screensavers and P2P networks, I don't think it's a question of whether or not a conflict between spare-CPU/BW Good Guys and zombie-army bad guys could be won by the good guys. Or at least, make things painful for the bad guys. The main issue is counter-counter-counter-craftiness that might stealthily turn such a network to the dark side.

    Several sys admins I know who have never had the time or inclination to put up a honeypot or opt for similar tactics absolutely light up at the prospect of actually making the attackers miserable. In fact, it's not even the attackers they complain about, it's the ISPs that (with copious documentation about the bad acts of specific customers) don't do anything about it. To the extent that foreign governments are those ISPs, well, same sentiment.

    So, the real issue is governance of such a system. It's sort of like sharing time on a big research telescope. What committee can be trusted to put the resource to use effectively? I know that a lot of people with network resources are so fed up with the probes, the phishing, the DoS extortion and all the rest that they'd have absolutely no problem deploying a box or two, and a couple of MB/sec to the cause. But the liability(ies) for having it used unwisely are pretty scary, so I'm all ears if someone comes up with an interesting approach. If the worst thing that happens is I get a block of my IPs null routed on their way to Moscow, well, goshky, I'll take that deal.

    Some things we have to take into our own hands. And just turning the other cheek with more and fancier firewalls and intrusion detection is too passive for my taste, at least in the face of concerted, bad-to-the-core coordinated efforts by professional, organized crackers. Have I wanted to burn up every inch of some basement-dwelling script kiddie's DSL before? Sometimes. But nothing like I've wanted to blot out entire pieces of some Asian and eastern-European networks. And not just for my sake - for all of my clients, and their clients, and everyone it impacts.

    Don't mean to rant, but I've just spent all morning explaining this stuff to a suffering dot-com. His much-repeated question was "Why can't we just do this back at him until he quits? I'll spend the money... this is pissing me off."

    --
    Don't disappoint your bird dog. Go to the range.
  6. The Grid Will Soon Take Care of It by Ted+Holmes · · Score: 2, Interesting
    GMail uses the network of thousands who report spam. Patterns are detected, and soon, a particular message is identified as spam even before it reaches you.

    On a much grander scale, we're accelerating towards a global computing grid which will extract unimaginable power from hundreds of thousands of separate computers each with the processing capabilities of our brain. The collective intelligence which emerges will possibly rival our fantasies of artificial intelligence.

    As we modelled the eye to build cameras, the brain to build computers, the ear to build speakers, we're modeling our autonomic nervous system to build the next evolutionary step in computing. Networks that independently and reflexively self-regulate, configure, repair, optimize, and protect in the same sense as an immune system or an automatic pilot.

    This would allow the network to automatically manage server load balancing, process allocation, monitor the power supply, automatically update software and fend off threats without having to consult the administrator.

    For example, if an application starts performing badly, it automatically receives increased resources. If software or hardware fails, it doesn't even ripple the end user's coffee. An autonomous computing system would roll out new patches, monitor and adjust the resources singular end users need, set up servers... all the mundane stuff.

    The complexity of integrating and managing the latest hardware and software into existing systems is destroying the advantages of economies of scale. Autonomic computing is one way of insulating the IT administrator from the mundane complexities and freeing them to do other more interesting things like understanding the needs of the business more, or modelling and automating existing business processes.

    On a larger scale, it spells an evolutionary move towards a decentralized global self-configuring, self-healing, self-optimizing, and self-protecting nervous system. Since Autonomic Computing can look for patterns in data and extrapolate to predict future events, deployed on a global scale, the spin-offs would be very interesting...

  7. more substantial items about getting even do exist by museumpeace · · Score: 2, Interesting

    I tried to submit an item about hacker vigilantes who attack phishing sites back on May 31. Unfortunately, I can't spell and coverage of actual effective anti-fraud hacks was not interesting enough.
    We all have a gripe against spammers and phishers, and I for one would welcome a book or web page that showed ways to harm the interests of internet and email abusers [ways that could ONLY harm such abusers, otherwise, we just arm the enemy]. Is that too tall an order?

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  8. Re:What can you do back that's legal? by Disoculated · · Score: 3, Interesting

    You're absolutely right that overall, from a moral and legal standpoint, striking back at people who try to hack you by hacking them back is wrong in just about the entire civilized world. But there's a part of the equation that's missing here. It's wrong because there's supposed to be enforcement of that due process on the side of the government, and we don't get it on teh intarweb.

    Have you ever tried to call your local police when your box gets hacked? Pointless. You're left feeling frustrated and powerless. The security experts just tell you to harden your defenses, but that's like telling you to put a moat and wall around your house (and builds a business for same said security experts). You're totally on your own out there when you should have the support of the authorities, despite having paid them your taxes and freedoms.

    So until governments actually start prosecuting the common internet criminal, you're left alone with your interfaces exposed to any idjit with nmap and some root kits, all you can rely on is yourself and other people you know who've been in the same boat. And hey, if the gov-mint ain't prosecuting the people that attack you, they ain't gonna do shit about you attacking back either.

    The ultimate solution would be punishing all the assholes that are scripting exploits across the web with real, visceral penalties. Until then you'll have to get justice where you can. Be it street or fiber, it's all you can get.

  9. Tarpit the %$#$ out of them. by JimmytheGeek · · Score: 2, Interesting

    Since blocking a particular host at a router/firewall is sufficient "self-defense" that's probably the ethical limit. Notifying the owner of the trespassing host is a time-consuming, but reasonable step. One more thing, possibly more satisfying: tarpits.

    The late LaBrea project implemented techniques that did not block attackers/scanners, but rather through protocol manipulation, HELD ON to them as long as possible, through things like TCP window size, etc., they kept the source host on the line sending zero bytes.

    This kept them from bothering other people, and was computationally inexpensive to implement on the destination host. I think the honeyd project has some of this built in.

    I heard of one connection maintained for over 9 months - but I have no link, sorry.
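The tarpit idea JimmytheGeek describes, as an added example that is neither LaBrea's nor honeyd's code. LaBrea held scanners at the packet level by advertising tiny TCP windows; this user-space approximation uses ordinary sockets and one `select()` loop, accepts every connection, and then drips one byte per `delay` seconds, so an automated client that waits for a banner stays on the line while the tarpit spends almost nothing per held connection. The `Tarpit` class, the `measure_hold` client and the loopback port are this example's own assumptions.

```python
"""Added example (not LaBrea's or honeyd's code): a small user-space TCP tarpit
that holds connections by dripping bytes instead of answering. Constructed for
illustration; listens on loopback only."""
import select
import socket
import threading
import time


class Tarpit:
    def __init__(self, host="127.0.0.1", port=0, delay=0.05, drip=b"x"):
        self.delay = delay           # seconds between dripped bytes
        self.drip = drip             # one byte is enough to keep a peer's read alive
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind((host, port))            # port 0: let the OS choose
        self.lsock.listen(128)
        self.lsock.setblocking(False)
        self.port = self.lsock.getsockname()[1]
        self.held = {}               # connection -> monotonic time of last drip
        self.total_accepted = 0
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        for conn in list(self.held):
            self._drop(conn)
        self.lsock.close()

    def _drop(self, conn):
        self.held.pop(conn, None)
        conn.close()

    def _loop(self):
        while not self._stop.is_set():
            # Wake when a new connection arrives or when the next drip is due.
            readable, _, _ = select.select([self.lsock], [], [], self.delay / 2)
            if readable:
                conn, _addr = self.lsock.accept()
                conn.setblocking(False)
                self.held[conn] = time.monotonic()
                self.total_accepted += 1
            now = time.monotonic()
            for conn, last in list(self.held.items()):
                if now - last < self.delay:
                    continue
                try:
                    conn.send(self.drip)     # a single byte; the peer keeps waiting
                    self.held[conn] = now
                except OSError:
                    self._drop(conn)         # peer gave up; free the slot


def measure_hold(port, nbytes=3, timeout=5.0):
    """Connect the way a banner-grabbing bot would, wait for nbytes of 'banner',
    and return (seconds spent waiting, bytes received)."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        t0 = time.monotonic()
        got = b""
        while len(got) < nbytes:
            chunk = c.recv(nbytes - len(got))
            if not chunk:
                break
            got += chunk
        return time.monotonic() - t0, got


if __name__ == "__main__":
    tp = Tarpit(delay=0.5).start()
    elapsed, got = measure_hold(tp.port, nbytes=3)
    tp.stop()
    print(f"held a client for {elapsed:.2f}s to deliver {got!r}")
```

Each held connection costs one socket and a timestamp, and the loop does a few microseconds of work per drip, which is what makes the technique cheap on the tarpit side while expensive in wall-clock time for the client; a real deployment would put this on addresses that legitimate users never connect to, exactly as LaBrea did with unused address space.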

  10. Not the wildwest anymore by Anonymous Coward · · Score: 1, Interesting
    I think that the whole idea is kind of bullshit. I don't want some self-proclaimed admin deciding to attack my network because I ping an address he didn't want me to and he sees that as a security threat. And worse, having that be "socially acceptable" behavior. If there was a level of professional administration then I might be willing to grant that but let's face it, the quality of admins isn't universally that high any more. This might even be the litmus test, if you're willing to take active countermeasures (not just dropping some IP address at your perimeter but attacking the attacker) if you're willing to do that, then you're probably not a very good admin; that's just a hunch I've got. This isn't the wild west, you drop someone if they persist, you call an admin on their site and if that doesn't work you call their upstream.

    I think that there are some trade offs to being on a shared network. In the late 80's and early 90's, the privacy activists were kind of at a high point, of the people using the net in those days a fair amount of them endorsed anonymity, things were fairly safe, most users were fairly professional. Now that it's so much larger, things like USENET, which used to be glorious back in the day, are damn near useless because of that crap, the very freedoms that people wanted are now the bane. Look at what is happening with email, rather than starting to develop a new legit protocol with security as a concern there are hacks on top of hacks like, sender verification, to try and curb spam. Just the very existence of all those hacks kind of demonstrates the mind set, of course people want to attack back. I'll be first in line for SMTP2 which every peer has to have a signed cert from a trusted CA to take part. I'll be first in line for a USENET2 where every single message is signed with S/MIME and a signed key or OpenPGP and a key signed by an authority. I also wouldn't be against peer authentication as part of SSL/TLS being used more frequently, right now it's still blind, the client agrees to the trust but the server side doesn't verify anything.