Slashdot Mirror


O'Reilly Revisits Online Countermeasures

An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley's entitled: Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net. which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."

37 of 199 comments

  1. What can you do back that's legal? by Enigma_Man · · Score: 3, Insightful

    Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:What can you do back that's legal? by Orion+Blastar · · Score: 3, Informative

      Imagine if IP spoofing is used. You can trick one of these networks into launching attacks towards the IP your program is spoofing as. Spoof as the Microsoft.com IP address and watch as Microsoft turns around and tries to sue the company that launched the counter-attack.

      \/\/3 0wn y0u, |\/|1(r050f7, 7h3 5(r1p7-k1dd135.

      --
      Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    2. Re:What can you do back that's legal? by ImaLamer · · Score: 4, Insightful

      I would suspect that it is equally illegal to attack back - as well it should be. From both a moral and legal standpoint you have to ask yourself if it is okay anywhere else in society?

      Self defense is one thing, but attacking back is another. If someone steals from you, should you steal from them or hurt them? I would say no, and most moral philosophy would also say so too. From a legal standpoint, this is America dammit! Even if I try to take down slashdot.org their return attack has violated my rights to due process. Yeah, I know that it sucks that criminals often seem to get protected more than the victims, but that is the way the system works.

      If everyone took the law into their own hands there wouldn't be "the law" anymore - just street justice. Due process exists in order to protect the wrongfully accused, and millions of zombie PC owners thank you for that. Just think, most attacks are launched from the actual attackers PC or server. How can you even be sure who to attack?

      If you are so sure, go to the proper authorities. No need to make all the white hats grey.

    3. Re:What can you do back that's legal? by yasth · · Score: 3, Insightful

      Imagine a compromised laptop is brought onto a lan at say IBM and begins an attack say on Apple. Apple's IDT track the attack at the firewall, and the countermeasures respond, IBM which may well have already noted and killed the offending laptop, notes the attack and tries to "counter" it. Boom goes London boom goes Berlin.

      It is like defending yourself with hand grenades in a crowded room, even if you didn't have a double back situation, imagine the collateral damage on all the other people who happen to be on the same ISP as the one attacking.

      That said sometimes countermeasures (like propagating an uninstall script through a zombie net) are the only way to stop the problem, but it is a last ditch thing.

      --
      I'd do something interesting, but my server can't handle a slashdotting.
    4. Re:What can you do back that's legal? by einhverfr · · Score: 2, Interesting

      In summary, strike-back technologies turn your network into attack-bots for script-kiddies..... Note that source routing is unnecessary for this sort of attack so filtering out packets based on this is irrelevant. All that is necessary is for the IDS to *think* it is being attacked from a given network. Many attacks can be done either via UDP or without a connection (TCP Syn floods), so it is to be taken really seriously.

      I wish more people realized this...

      I have had one idea regarding a strike-back technology that might actually have some value. Maybe it could automatically look up the attacker's ISP block and send an email to them about the attack and attach relevant log entries. It would still be susceptible to spoofing but not as seriously....

      --

      LedgerSMB: Open source Accounting/ERP
    5. Re:What can you do back that's legal? by CarrionBird · · Score: 2, Insightful

      You assume that due process actually exists. If the system worked, I would be inclined to agree with you, but such is not the case. In most cases attacks aren't even investigated unless they hit a certain $$ figure in damages or it's a government system that's hit.

      --
      Free Mac Mini Yeah, it's
    6. Re:What can you do back that's legal? by ScentCone · · Score: 2, Insightful

      Self defense is one thing, but attacking back is another

      This is sophistry. Attacking "back" means by definition that you are responding to someone else's act. If you're standing in a bar and get hit in the face, well, you've just been hit in the face. There's time between that blow, and the next one. Between those blows, you're not "still" being hit in the face, but simply girding yourself for the next blow to the face isn't really enough, morally or practically. Physically stopping such an assault (or the online equivalent) is an appropriate response. And to the extent that disabling your physical attacker is the surest defense against him landing another blow, then you are (in a sense) "attacking back." But it's for defensive reasons, and only in response to an obvious provocation.

      I've never seen a network attack from a dedicated, professional bad guy that didn't get repeated if you didn't do something about it. Increasingly, passive defenses don't hold up to the onslaught, and not everyone runs an online casino making enough money to buy $100,000 in instant remediation by some of the firms that specialize in trapping the traffic from gigantic zombie attacks.

      When every merchant on the block is being abused by a gang of thugs, and the cops won't (or really, in the case of overseas cyber attacks, can't) do anything about it, it's reasonable for the shopkeepers on the block to band together and make attacking any one of them a provocation that is dramatically too expensive, or which takes away the attacker's tools.

      --
      Don't disappoint your bird dog. Go to the range.
    7. Re:What can you do back that's legal? by Disoculated · · Score: 3, Interesting

      You're absolutely right that overall, from a moral and legal standpoint, striking back at people who try to hack you by hacking them back is wrong in just about the entire civilized world. But there's a part of the equation that's missing here. It's wrong because there's supposed to be enforcement of that due process on the side of the government, and we don't get it on teh intarweb.

      Have you ever tried to call your local police when your box gets hacked? Pointless. You're left feeling frustrated and powerless. The security experts just tell you to harden your defenses, but that's like telling you to put a moat and wall around your house (and builds a business for same said security experts). You're totally on your own out there when you should have the support of the authorities, despite having paid them your taxes and freedoms.

      So until governments actually start prosecuting the common internet criminal, you're left alone with your interfaces exposed to any idjit with nmap and some root kits, all you can rely on is yourself and other people you know who've been in the same boat. And hey, if the gov-mint aint prosecuting the people that attack you, they ain't gonna do shit about you attacking back either.

      The ultimate solution would be punishing all the assholes that are scripting exploits across the web with real, visceral penalties. Until then you'll have to get justice where you can. Be it street or fiber, it's all you can get.

    8. Re:What can you do back that's legal? by Frank+T.+Lofaro+Jr. · · Score: 2, Insightful

      Yes, tar pits and honey pots are quite legal.

      It is a valid form of striking back - making the attacker waste his/her/its time.

      --
      Just because it CAN be done, doesn't mean it should!
    9. Re:What can you do back that's legal? by BlogPope · · Score: 3, Insightful
      If you're standing in a bar and get hit in the face, well, you've just been hit in the face.

      Except you can't be sure who hit you; and it's more like being hit in the back of the head with a brick that has a name written on it. Is it the name of the guy who threw it? or did he write someone else's name on it? You might as well grab some random guy and start a bar brawl while the guy with the brick sits back and laughs at you.

      --
      My other car is a Popemobile
  2. Striking back by UnixRawks · · Score: 3, Funny
    "...even though I'm personally at odds with people who want to 'strike back'"

    It worked for Silent Jay & Bob, and arguably the Empire...

    --
    I
  3. Where's the beef? by FirstTimeCaller · · Score: 2, Funny

    Man what a lame article. A little lacking in substance, I'd say. Why, I've got half a mind to email bomb the author!

    --
    Wanted: witty unique signature. Must be willing to relocate.
  4. Low on actual information by InternationalCow · · Score: 4, Informative

    If you read the actual blog, it doesn't really contain any information or opinion or whatever. One of the comments on the blog provides more useful information - for older and more informative papers go here: http://www.oreillynet.com/pub/a/security/2004/08/03/symbiot.html and http://www.onlamp.com/pub/a/security/2004/03/10/symbiot.html

    --
    ----- One learns to itch where one can scratch.
  5. what about the counter-counter measures by udderly · · Score: 3, Interesting

    I just wonder how often these strikeback or countermeasures backfire. I remember reading a story awhile back where a gambling site repulsed a DDos attack. The really interesting thing was that it cost the company way more to fight the attack than it would have cost to pay off the extortionist.

    While I understand the desire to stick it to these creeps, from a purely cost/benefit analysis point-of-view, it doesn't seem to me to make a lot of sense.

    1. Re:what about the counter-counter measures by Anonymous Coward · · Score: 5, Insightful

      As Rudyard Kipling put it:

      It is always a temptation to an armed and agile nation,
      To call upon a neighbour and to say:--
      "We invaded you last night--we are quite prepared to fight,
      Unless you pay us cash to go away."
      And that is called asking for Dane-geld,
      And the people who ask it explain
      That you've only to pay 'em the Dane-geld
      And then you'll get rid of the Dane!

      It is always a temptation to a rich and lazy nation,
      To puff and look important and to say:--
      "Though we know we should defeat you, we have not the time to meet you.
      We will therefore pay you cash to go away."

      And that is called paying the Dane-geld;
      But we've proved it again and again,
      That if once you have paid him the Dane-geld
      You never get rid of the Dane.

      It is wrong to put temptation in the path of any nation,
      For fear they should succumb and go astray,
      So when you are requested to pay up or be molested,
      You will find it better policy to say:--

      "We never pay any one Dane-geld,
      No matter how trifling the cost,
      For the end of that game is oppression and shame,
      And the nation that plays it is lost!"

    2. Re:what about the counter-counter measures by Ygorl · · Score: 2, Informative

      The company who fought them, and the consultant who helped out, are now in business together protecting other people from these sorts of attacks, making way more money than it cost to fight the attack. Not only is Kipling correct, but in this case you mention it even made sense from a short-sighted cost/benefit point-of-view.

    3. Re:what about the counter-counter measures by mi · · Score: 2, Interesting
      Considering how many spams come at us from zombie PC's owned by clueless users, there could be a lot of innocent bystanders that get stepped on when someone unleashes a DDOS on a spammer.
      Why would you call them "innocent"? Imagine a driver's defense after an accident: "Oh, all this driving things are just too technical." Innocent? I don't think so...

      I'm not going into legalities here, but morally you are responsible for what your things (and kids and pets) do to others (legal responsibility exists too, BTW). And -- just as with other things -- some of the responsibility may be forwarded onto the thing's manufacturer.

      But there is nothing wrong in disabling the clueless' PC to stop it from attacking you and others. If you disagree, you should advocate the removal of the highway guardrails, which stop errant cars from doing more damage to others (and, sometimes, themselves).

      --
      In Soviet Washington the swamp drains you.
  6. I'm not clicking that! by Scrameustache · · Score: 2, Funny

    Is it wise to slashdot a site advocating "fighting back" web attacks?
    I'm gonna wait an... [NO CARRIER]

    --

    You can't take the sky from me...

  7. Arms race example in the p2p world by stripmarkup · · Score: 3, Interesting

    Here's an interesting example of an escalation, going on right now. It seems that anti-p2p organizations are trying to pollute some torrents for TV shows such as Six Feet Under (see discussion here).

    What they do is put out a file of the same size but with random data. Since the torrent file has segment hashes to verify integrity, any segments downloaded from the bogus file will fail the checksum and waste downloaders' bandwidth. The community of downloaders is fighting back by spreading black lists with the IP addresses of the bogus clients.

    --
    See charts for twitter trends on Trendistic
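The piece-hash check that defeats the polluted torrents described above, written as an added example (not code from the post or from any BitTorrent client): each piece is verified against the torrent's SHA-1 piece hashes, every hash failure is attributed to the peer that served the piece, and peers past a failure threshold are dropped and exported as the kind of blacklist the community shared. The peer addresses and file content are constructed, and the piece size is shrunk so the sample fits.

```python
import hashlib
import random
from collections import defaultdict

PIECE_LEN = 16  # real torrents use pieces of 256 KiB or more; tiny here so the sample fits


def piece_hashes(data, piece_len=PIECE_LEN):
    """SHA-1 of each piece, as the .torrent file's 'pieces' field carries them."""
    return [hashlib.sha1(data[i:i + piece_len]).digest()
            for i in range(0, len(data), piece_len)]


class PieceVerifier:
    """Verifies received pieces and records which peer served each bad one.

    Assumption: a piece arrives whole from a single peer, so a hash failure can be
    pinned on that peer. A client that assembles one piece from several peers'
    blocks cannot attribute the failure until it re-fetches the piece from one peer.
    """

    def __init__(self, hashes, ban_threshold=2):
        self.hashes = hashes
        self.ban_threshold = ban_threshold
        self.pieces = {}                   # piece index -> verified bytes
        self.hashfails = defaultdict(int)  # peer -> number of pieces that failed
        self.banned = set()

    def receive(self, peer, index, data):
        """Check one piece; returns 'ok', 'hashfail', 'duplicate' or 'dropped'."""
        if peer in self.banned:
            return "dropped"          # no more bandwidth spent on this peer
        if index in self.pieces:
            return "duplicate"
        if hashlib.sha1(data).digest() == self.hashes[index]:
            self.pieces[index] = data
            return "ok"
        self.hashfails[peer] += 1
        if self.hashfails[peer] >= self.ban_threshold:
            self.banned.add(peer)
        return "hashfail"

    def complete(self):
        return len(self.pieces) == len(self.hashes)

    def assembled(self):
        return b"".join(self.pieces[i] for i in range(len(self.hashes)))

    def blacklist(self):
        """Banned peer addresses, one per line, the way such lists were passed around."""
        return "\n".join(sorted(self.banned))


def simulate():
    """Constructed scenario: an honest seed and a polluter offering same-size junk."""
    original = b"The quick brown fox jumps over the lazy dog. " * 3  # 135 bytes -> 9 pieces
    hashes = piece_hashes(original)
    rng = random.Random(1)
    junk = bytes(rng.getrandbits(8) for _ in range(len(original)))  # same size, random content
    polluter, seed = "203.0.113.7", "198.51.100.5"  # constructed addresses
    v = PieceVerifier(hashes)
    log = []
    for i in range(len(hashes)):
        lo, hi = i * PIECE_LEN, (i + 1) * PIECE_LEN
        # the polluter always answers first; the honest seed then supplies the real piece
        log.append((polluter, i, v.receive(polluter, i, junk[lo:hi])))
        log.append((seed, i, v.receive(seed, i, original[lo:hi])))
    return v, log


if __name__ == "__main__":
    verifier, events = simulate()
    for peer, idx, result in events:
        print(f"piece {idx} from {peer}: {result}")
    print("complete:", verifier.complete())
    print("blacklist:\n" + verifier.blacklist())
```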
  8. You know... by LegendOfLink · · Score: 4, Insightful

    even though I'm personally at odds with people who want to 'strike back'

    In the UK, when somebody files a lawsuit and loses, not only do they have to pay for their own court expenses, but also those of the defendant. This isn't the case in the US, which is why we are the most litigious country in the world.

    Now, let's look at computing. If we just let the asshole hackers get away with their crime without a fight, they will keep on hitting us hard. But, if we had a mechanism that would "fight back" and destroy a 15 year-old script kiddie's computer that mommy and daddy bought, well, maybe they'd think twice.

    1. Re:You know... by chez69 · · Score: 3, Informative

      if you file a lawsuit against IBM and lose, you're financially screwed for life. not the kind of position I would like to be in.

      --
      PHP is the solution of choice for relaying mysql errors to web users.
    2. Re:You know... by Mr.+Flibble · · Score: 2, Informative

      The problem is that the majority of the attacks are from skript kiddie "pWn3d" servers. Sure, they launch their initial attacks from their home machines, but from there they get more and more zombies (for DDoS) or SSH hosts for tunneling.

      I have had some servers get hit, and start attacking others. Now, if you were the target, and then started attacking one of my servers in retaliation, how does that help me?

      From this vantage point, I have not only had one of my servers attacked by a skript kiddie, but now, I am being attacked again by another victim. It's probably acceptable for you to take over my system and remove the attacking software/exploit and/or notify me. However, if you turn around and DDoS my network because one of my machines was insecure, I now have a worse problem on my hands, and a much larger bandwidth bill.

      I generally send out emails to companies or universities that have a trojaned machine that regularly attacks one of my machines (that is, shows up in the logs on a consistent basis) otherwise, they are generally dropped into iptables...

      For those machines that I do alert the admins about my email generally consists of:

      Your machine XXX.XXX.XXX.XXX has been attacking my machine with the following . Here are detailed logfiles of the attack......
      Your system has likely been hit with . I discovered this with and here is that report.

      I suggest your course of action is .

      I don't do this "service" often, generally about once or twice a month with an aggressive attacker, or when I am testing out new toys. It likely helps the people who own the attacking machines. I know this because when I started out with Linux in 1998 as an admin, I remember getting very similar emails about my servers. It made me a better admin.

      --
      Try to hack my 31337 firewall!
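An added example (not the commenter's own script) of the log-driven notification that einhverfr proposes above and that this comment's email template describes: constructed netfilter LOG lines are grouped per source address, a source seen on three or more distinct days counts as attacking "on a consistent basis", and a report with the matching log entries attached is drafted for that source's abuse contact. The ABUSE_CONTACTS table stands in for a WHOIS abuse-contact lookup; its blocks and mailboxes are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed netfilter LOG lines as syslog records them (not taken from the page).
SAMPLE_LOG = """\
Jun  1 01:12:45 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=43121 DPT=22 SYN
Jun  1 01:12:47 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=43122 DPT=22 SYN
Jun  2 03:40:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51007 DPT=22 SYN
Jun  2 09:15:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=445 SYN
Jun  3 02:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=39998 DPT=22 SYN
Jun  3 02:01:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=39999 DPT=23 SYN
Jun  4 11:59:59 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\S+) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)

# Stand-in for a WHOIS abuse-c / abuse-mailbox lookup; blocks and mailboxes are constructed.
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}


@dataclass
class SourceStats:
    lines: list = field(default_factory=list)
    days: set = field(default_factory=set)
    ports: set = field(default_factory=set)


def parse_log(text):
    """Group log lines by source address, tracking distinct days and targeted ports."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["src"]]
        s.lines.append(line)
        s.days.add(f"{m['mon']} {int(m['day']):02d}")
        s.ports.add(f"{m['proto']}/{m['dpt'] or '-'}")
    return stats


def persistent_sources(stats, min_days=3):
    """Sources seen on at least min_days distinct days: the 'consistent basis' rule.
    One-off noise (the other two sources in SAMPLE_LOG) never earns a report."""
    return {src: s for src, s in stats.items() if len(s.days) >= min_days}


def lookup_abuse_contact(src, contacts=ABUSE_CONTACTS):
    """Return the abuse mailbox of the block containing src, or None if unknown."""
    ip = ipaddress.ip_address(src)
    for block, mailbox in contacts.items():
        if ip in ipaddress.ip_network(block):
            return mailbox
    return None


def abuse_report(src, s, my_host, contacts=ABUSE_CONTACTS):
    """Draft the notification, with the matching log entries attached."""
    to = lookup_abuse_contact(src, contacts) or "(no abuse contact on file; use the block's WHOIS contact)"
    body = [
        f"To: {to}",
        f"Subject: Suspected compromised host {src} probing {my_host}",
        "",
        f"Your machine {src} has been contacting my machine {my_host} on {len(s.days)} "
        f"separate days ({', '.join(sorted(s.days))}), targeting {', '.join(sorted(s.ports))}.",
        "Source addresses on bare SYN or UDP traffic can be forged, so please confirm on the host itself.",
        "Log entries (syslog, UTC):",
    ]
    return "\n".join(body + s.lines)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for src, s in persistent_sources(stats).items():
        print(abuse_report(src, s, "192.0.2.10"))
```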
  9. Is this anything like ? by Adult+film+producer · · Score: 2, Funny

    The Cisco self-defending networks I saw on the tv show 24 ? Right after Chloe said that CTU had a proprietary algorithm for cracking blowfish they show some Cisco graphics on a screen and they blow off DOS attacks like, "ohh, we're protected by these self defending cisco networks" or some crap like that. 24 = pentagon & corporate propaganda.

  10. You Know... by ch0p · · Score: 2, Interesting

    ...A guy on the pulltheplug irc network ran a tutorial on writing exploits for exploits. Basically, they'd run a process that looks like a vulnerable server, and when someone comes along and takes the bait, they end up rooted.

  11. Law enforcement can't do it all by ScentCone · · Score: 3, Interesting

    Considering the huge horsepower of things like the SETI screensavers and P2P networks, I don't think it's a question of whether or not a conflict between spare-CPU/BW Good Guys and zombie-army bad guys could be won by the good guys. Or at least, make things painful for the bad guys. The main issue is counter-counter-counter-craftiness that might stealthily turn such a network to the dark side.

    Several sys admins I know who have never had the time or inclination to put up a honeypot or opt for similar tactics absolutely light up at the prospect of actually making the attackers miserable. In fact, it's not even the attackers they complain about, it's the ISPs that (with copious documentation about the bad acts of specific customers) don't do anything about it. To the extent that foreign governments are those ISPs, well, same sentiment.

    So, the real issue is governance of such a system. It's sort of like sharing time on a big research telescope. What committee can be trusted to put the resource to use effectively? I know that a lot of people with network resources are so fed up with the probes, the phishing, the DoS extortion and all the rest that they'd have absolutely no problem deploying a box or two, and a couple of MB/sec to the cause. But the liability(ies) for having it used unwisely are pretty scary, so I'm all ears if someone comes up with an interesting approach. If the worst thing that happens is I get a block of my IPs null routed on their way to Moscow, well, goshky, I'll take that deal.

    Some things we have to take into our own hands. And just turning the other cheek with more and fancier firewalls and intrusion detection is too passive for my taste, at least in the face of concerted, bad-to-the-core coordinated efforts by professional, organized crackers. Have I wanted to burn up every inch of some basement-dwelling script kiddie's DSL before? Sometimes. But nothing like I've wanted to blot out entire pieces of some Asian and eastern-European networks. And not just for my sake - for all of my clients, and their clients, and everyone it impacts.

    Don't mean to rant, but I've just spent all morning explaining this stuff to a suffering dot-com. His much-repeated question was "Why can't we just do this back at him until he quits? I'll spend the money... this is pissing me off."

    --
    Don't disappoint your bird dog. Go to the range.
  12. The Grid Will Soon Take Care of It by Ted+Holmes · · Score: 2, Interesting
    GMail uses the network of thousands who report spam. Patterns are detected, and soon, a particular message is identified as spam even before it reaches you.

    On a much grander scale, we're accelerating towards a global computing grid which will extract unimaginable power from hundreds of thousands of separate computers each with the processing capabilities of our brain. The collective intelligence which emerges will possibly rival our fantasies of artificial intelligence.

    As we modelled the eye to build cameras, the brain to build computers, the ear to build speakers, we're modeling our autonomic nervous system to build the next evolutionary step in computing. Networks that independently and reflexively self-regulate, configure, repair, optimize, and protect in the same sense as an immune system or an automatic pilot.

    This would allow the network to automatically manage server load balancing, process allocation, monitor the power supply, automatically update software and fend off threats without having to consult the administrator.

    For example, if an application starts performing badly, it automatically receives increased resources. If software or hardware fails, it doesn't even ripple the end user's coffee. An autonomous computing system would roll out new patches, monitor and adjust the resources singular end users need, set up servers... all the mundane stuff.

    The complexity of integrating and managing the latest hardware and software into existing systems is destroying the advantages of economies of scale. Autonomic computing is one way of insulating the IT administrator from the mundane complexities and freeing them to do other more interesting things like understanding the needs of the business more, or modelling and automating existing business processes.

    On a larger scale, it spells an evolutionary move towards a decentralized global self-configuring, self-healing, self-optimizing, and self-protecting nervous system. Since Autonomic Computing can look for patterns in data and extrapolate to predict future events, deployed on a global scale, the spin-offs would be very interesting...

    1. Re:The Grid Will Soon Take Care of It by egypt_jimbob · · Score: 2

      On a larger scale, it spells an evolutionary move towards a decentralized global self-configuring, self-healing, self-optimizing, and self-protecting nervous system. Since Autonomic Computing can look for patterns in data and extrapolate to predict future events, deployed on a global scale, the spin-offs would be very interesting...

      Then at 2:14 a.m. August 29th, Skynet will become self aware.

      --
      I am a leaf on the wind. Watch how I soar.
  13. Re:If the Minute Men can do it.... by gg3po · · Score: 2, Insightful

    Despite some popular misconceptions, the Minuteman Project members weren't going around dishing out their own justice... all they did was stand around looking for illegals, calling the border patrol when they spotted some. They actually left all the arresting, etc. to the Border Patrol.

    --
    ---
  14. more substantial items about getting even do exist by museumpeace · · Score: 2, Interesting

    I tried to submit an item about hacker vigilantes who attack phishing sites back on May 31. Unfortunately, I can't spell and coverage of actual effective anti-fraud hacks was not interesting enough.
    We all have a gripe against spammers and phishers and I for one would welcome a book or web page that showed ways to harm the interests of internet and email abusers [ways that could ONLY harm such abusers, otherwise, we just arm the enemy]. Is that too tall an order?

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  15. I'd personally prefer fighting back, but... by suitepotato · · Score: 2, Insightful

    ...there's always the problem of an innocent or mere idiot getting nailed. If we had layers of defense mechanisms making warnings loud and clear and finally struck back, maybe. But if a fourteen year old script kiddie in Des Moines gets his machine crashed for fooling around, that's a little bit much especially if it is mom and dad's financial info going on the family PC.

    We could publish IPs of scorn but we already have such lists on the net of known scum monkeys and the result is basically like that of pro-am net trolls. They got the attention they wanted. And we could blacklist/graylist/scarlet letter the wrong people very easily.

    Over time, we may very well have something approaching the world of Ghost in the Shell but right now, we don't need a cyber crime and terrorism unit to go out and whack miscreants down with theatrics and glitz. We need ISPs who give a damn about what their customers are doing and we need to tar and feather THEM. Of course, this hasn't worked for UUNet so YMMV.

    I do wish there was some sort of ping-of-death-ability to at least disrupt the connections of people who won't stop knocking on my router or some facility for authorizing specific logging by my ISP. Wouldn't that be something? The ability to sign on to your account and not only manage e-mail but to be able to choose to log specific traffic by port and IP on YOUR connection so you can then cut and paste it in a complaint to the offender's ISP? Probably won't happen, but having the layer 2 as well as layer 3 information in hand would help knock down the "I'm innocent, I was spoofed" defense where you are now put on the spot of having to prove otherwise.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  16. I can see it now by Locke2005 · · Score: 2, Funny

    1) Identify 2 sites that implement "countermeasures,"
    2) Start a small DoS attack against each one while spoofing the source address of the other.
    3) Sit back and laugh your ass off as they both escalate and take each other out!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  17. Wait wait wait by cavemanf16 · · Score: 3, Insightful
    From the "whurleyvision" blog:
    Who knows--in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities; which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end a more secure, reliable, networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.

    Now, I'm not going to advocate breaking "the law" directly in this post, but allow me to raise an important question to the /. community. Do we really want "a more secure, reliable, networking infrastructure" in the end? Allow me to now elaborate on that question.

    A more secure, reliable, networking infrastructure sounds great on the face of it, but what if we were talking about a corporate infrastructure instead of a networking infrastructure? In other words, big barriers to entry for the little guys to innovate, force change, develop new things, and build NEW corporations. Same goes for networking I think. Script kiddies are not innovative as they are simply piggybacking off of others works, BUT they have been innovative in pushing every company to be highly concerned about protecting themselves against cracking and DDOS'ing, which HAS been good for us, the consumers, as the data and services that these companies provide to us is ultimately more secure, reliable, etc. Those who are doing the really devious crack attacks are being more innovative, and are forcing organizations with a 'net presence to build ever better security defenses to guard against these attacks. These new defense mechanisms in turn often get passed on to other like-minded individuals who desire the same security. I guess that ultimately I am trying to say that while we do want "more reliability" at certain levels, at other levels lack of reliability is what helps spur innovation, change, and pre-emptive corrections to problems which left unchecked, could cause massive, long-lasting damage when a chink in the armor is finally exploited.

    So is "strike back" a good thing? Almost every time it is not going to help in any way. With our "War on Terror" we certainly had some excellent early gains, but now we're in a long, slow decay of gains due to the loss of life and new difficulties we created through our counterstrikes in Iraq and Afghanistan. Bush may have made the world a safer place immediately after 9/11, but now we have the Patriot Act, thousands of dead soldiers and civilians in a war that ultimately cannot "end", and what I perceive to be a whole new level of various threats to our country because we have only encouraged the terrorists to come up with better and more lethal attacks in response to our counterattack.

    So, in summary, yes defending against malicious network activities is good for everyone, but I think that counterstrikes against an amorphous enemy with difficult to define borders (terrorists can come from any country, just as ip addresses can be spoofed to be marked as coming from ANY organization) in response to these attacks pose a serious risk to the network that we call "The Internet" because it will only increase the desire to make more chaos on it ultimately than it will to dissuade it. Then we get more government control, more devastating attacks, and more polarization of "sides" to the war on network intrusion. Let's keep these issues in mind when building our network security plans.

  18. Self Defense is Legal and Moral by RexRhino · · Score: 2, Insightful

    If someone is trying to kill me or rob me, I have the right to defend myself using force. Likewise, if someone is using some sort of data attack or trying to steal my information, I have a right to defend myself using those means.

    The police and government protecting me are only an extension to my own right to self defense. There are cases where individuals are not able to defend themselves, or where they might think they are defending themselves but doing the wrong person harm, and so we have professional police, judges, who in theory are better at defending us and preserving a civil society than we would be ourselves. They are specialists, just like a doctor is a specialist in treating disease, and so we assume they are doing it more efficiently with the least harm.

    BUT, if the professionals (i.e. the police, judges, etc.) are not able to effectively defend me and preserve a civil society, I have every moral right to defend myself. Period. Yes, some countries have passed laws against self defense, but the rejection of the right of individual self-defense is part of an overall authoritarian philosophy that rejects any kind of individual rights.

    There can be a discussion of the practical problems of self-defense (How can I be sure that the person who appears to be doing a denial of service attack is the perpetrator? Will retaliation have negative effects on innocent people who are not involved? Can these techniques be abused or exploited by a third party? Will I really be defending myself by using this technology?), but all of these are technical/practical discussions. But from the moral perspective, only a few of the most extremely authoritarian or collectivist ideologies would deny a person the right to self defense.

  19. Tarpit the %$#$ out of them. by JimmytheGeek · · Score: 2, Interesting

    Since blocking a particular host at a router/firewall is sufficient "self-defense" that's probably the ethical limit. Notifying the owner of the trespassing host is a time-consuming, but reasonable step. One more thing, possibly more satisfying: tarpits.

    The late LaBrea project implemented techniques that did not block attackers/scanners, but rather through protocol manipulation, HELD ON to them as long as possible, through things like tcp window size, etc. they kept the source host on the line sending zero bytes.

    This kept them from bothering other people, and was computationally inexpensive to implement on the destination host. I think the honeyd project has some of this built in.

    I heard of one connection maintained for over 9 months - but I have no link, sorry.

  20. Make them famous! by Anonymous Coward · · Score: 3, Funny

    Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).

    Post their URL to slashdot, and let them bask in unwanted fame. :-)

  21. Reminiscent of the old "Blitzkrieg Server" article by Sam+Nitzberg · · Score: 2, Informative

    This reminds me of the old 'Blitzkrieg Server' article in Signal magazine some years ago...
    (Links follow for a brief description):

    http://www.findarticles.com/p/articles/mi_m0CGN/is_n114/ai_20783335

    http://attrition.org/errata/www/pd.001.html

    But, I think that there may actually be room for active-response systems. Also, properly employed, they would be perfectly legal.

    There is no reason that such tools be deployed in public networks. Some organizations have networks (including large and complex networks) that are completely and totally privately owned, and totally segregated from public networks. Such organizations may (subject to appropriate risk - reviews) make judicious use of passive and even active response systems.

    There are other ways to communicate than IPv4. There are indications in messages that active-response systems can't work because of spoofing. Suitable integrity and encryption methods can be used to validate source and ip address data.

    There may be more modest active-response methods that may be more generally useful. For example, if traffic is located from a hostile system, the source of the traffic may be back-tracked, and shut off near its source. Not easy - and not necessarily today - but there could be places where such approaches may be deployed.

    Sam Nitzberg
    dontspamthis_______sam@iamsam.com
    http://www.iamsam.com/
    http://www.nitzbergsecurityassociates.com/

  22. More like Network Judo by Gary+W.+Longsine · · Score: 3, Insightful

    Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.

    Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.