O'Reilly Revisits Online Countermeasures

← Back to Stories (view on slashdot.org)

O'Reilly Revisits Online Countermeasures

Posted by timothy on Wednesday June 15, 2005 @08:41AM from the take-that-you-basement-dwelling-twit dept.

An anonymous reader writes "I just saw that late last night an editor at O'Reilly published a blog that takes a look at 'countermeasures' and 'striking back' technologies a year after a startup in Austin, TX published a white paper on the subject that caused a lot of controversy. It also links to a blog by Symbiot founder William Hurley's entitled: Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net. which IMHO is a damn interesting read (even though I'm personally at odds with people who want to 'strike back')."

17 of 199 comments (clear)

Min score:

Reason:

Sort:

What can you do back that's legal? by Enigma_Man · 2005-06-15 08:43 · Score: 3, Insightful

Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).

-Jesse

--
Nothing says "unprofessional job" like wrinkles in your duct tape.
1. Re:What can you do back that's legal? by Orion+Blastar · 2005-06-15 08:48 · Score: 3, Informative
  
  Imaging if IP spoofing is used. You can trick one of these networks into launching attacks towards the IP your program is spoofing as. Spoof as the Microsoft.com IP address and watch as Microsoft turns around and tries to sue the company that launched the counter-attack.
  
  \/\/3 0wn y0u, |\/|1(r050f7, 7h3 5(r1p7-k1dd135.
  
  --
  Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
2. Re:What can you do back that's legal? by ImaLamer · 2005-06-15 08:57 · Score: 4, Insightful
  
  I would suspect that it is equally illegal to attack back - as well it should be. From both a moral and legal standpoint you have to ask yourself if it is okay anywhere else in society?
  
  Self defense is one thing, but attacking back is another. If someone steals from you, should you steal from them or hurt them? I would say no, and most moral philosophy would also say so too. From a legal standpoint, this is America dammit! Even if I try to take down slashdot.org their return attack has violated my rights to due process. Yeah, I know that it sucks that criminals often seem to get protected more than the victims, but that is the way the system works.
  
  If everyone took the law into their own hands there wouldn't be "the law" anymore - just street justice. Due process exists in order to protect the wrongfully accussed, and millions of zombie PC owners thank you for that. Just think, most attacks are launched from the actual attackers PC or server. How can you even be sure who to attack?
  
  If you are so sure, go to the proper authorities. No need to make all the white hats grey.
  
  --
  Get your Unix fortune now!
3. Re:What can you do back that's legal? by yasth · 2005-06-15 09:02 · Score: 3, Insightful
  
  Imagine a compromised laptop is brought onto a lan at say IBM and begins an attack say on Apple. Apple's IDT track the attack at the firewall, and the countermeasures respond, IBM which may well have already noted and killed the offeneding laptop, notes the attack and trys to "counter" it. Boom goes london boom goes Berlin.
  
  It is like defending yourself with hand grenades in a crowded room, even if you didn't have a double back situation, imagine the collateral damage on all the other people who happen to be on the same ISP as the one attacking.
  
  That said sometimes countermeasures (like propagating an uninstall script through a zombie net) are the only way to stop the problem, but it is a last ditch thing.
  
  --
  I'd do something interesting, but my server can't handle a slashdotting.
4. Re:What can you do back that's legal? by Disoculated · 2005-06-15 09:15 · Score: 3, Interesting
  
  You're absolutely right that overall, from a moral and legal standpoint, striking back at people who try to hack you by hacking them back is wrong in just about the entire civilized world. But there's a part of the equation that's missing here. It's wrong because there's suppossed to enforcement of that due process on the side of the government, and we don't get it on teh intarweb.
  
  Have you ever tried to call your local police when your box gets hacked? Pointless. You're left feeling frustrated and powerless. The security experts just tell you to harden your defenses, but that's like telling you to put a moat and wall around your house (and builds a business for same said security experts). You're totally on your own out there when you should have the support of the authorities, despite having paid them your taxes and freedoms.
  
  So until governments actually start prosecuting the common internet criminal, you're left alone with your interfaces exposed to any idjit with nmap and some root kits, all you can rely on is yourself and other people you know who've been in the same boat. And hey, if the gov-mint aint prosecuting the people that attack you, they ain't gonna do shit about you attacking back either.
  
  The ultimate solution would be punishing all the assholes that are scripting exploits across the web with real, visceral penalties. Until then you'll have to get justice where you can. Be it street or fiber, it's all you can get.
5. Re:What can you do back that's legal? by BlogPope · 2005-06-15 09:33 · Score: 3, Insightful
  
  If you're standing in a bar and get hit in the face, well, you've just been hit in the face.
  Except you can't be sure who hit you; and its more like being hit in the back of the head with a brick that has a name written on it. Is it the name of the guy who threw it? or did he write some elses name on it? You might as well grab some random guy and start a bar brawl while the guy with the brick sits back and laughs at you.
  
  --
  My other car is a Popemobile
Striking back by UnixRawks · 2005-06-15 08:44 · Score: 3, Funny

"...even though I'm personally at odds with people who want to 'strike back'"
It worked for Silent Jay & Bob, and arguably the Empire...

--
I
Low on actual information by InternationalCow · 2005-06-15 08:45 · Score: 4, Informative

If you read the actual blog, it doesn't really contain any information or opinion or whatever. One of the comments on the blog provides more useful information - for older and more informative papers go here: http://www.oreillynet.com/pub/a/security/2004/08/0 3/symbiot.html and http://www.onlamp.com/pub/a/security/2004/03/10/sy mbiot.html

--
----- One learns to itch where one can scratch.
what about the counter-counter measures by udderly · 2005-06-15 08:49 · Score: 3, Interesting

I just wonder how aften these strikeback or countermeasures backfire. I remember reading a story awhile back where a gambling site repulsed a DDos attack. The really interesting thing was that it cost the company way more to fight the attack than it would have cost to pay off the extortionist.

While I understand the desire to stick it to these creeps, from a purely cost/benefit analysis point-of-view, it doesn't seem to me to make a lot of sense
1. Re:what about the counter-counter measures by Anonymous Coward · 2005-06-15 08:53 · Score: 5, Insightful
  
  As Rudyard Kipling put it:
  
  IT IS always a temptation to an armed and agile nation,
  To call upon a neighbour and to say:--
  "We invaded you last night--we are quite prepared to fight,
  Unless you pay us cash to go away."
  And that is called asking for Dane-geld,
  And the people who ask it explain
  That you've only to pay 'em the Dane-geld
  And then you'll get rid of the Dane!
  
  It is always a temptation to a rich and lazy nation,
  To puff and look important and to say:--
  "Though we know we should defeat you, we have not the time to meet you.
  We will therefore pay you cash to go away."
  
  And that is called paying the Dane-geld;
  But we've proved it again and again,
  That if once you have paid him the Dane-geld
  You never get rid of the Dane.
  
  It is wrong to put temptation in the path of any nation,
  For fear they should succumb and go astray,
  So when you are requested to pay up or be molested,
  You will find it better policy to says:--
  
  "We never pay any one Dane-geld,
  No matter how trifling the cost,
  For the end of that game is oppression and shame,
  And the nation that plays it is lost!"
Arms race example in the p2p world by stripmarkup · 2005-06-15 08:52 · Score: 3, Interesting

Here's an interesting example of an escalation, going on right now. It seems that anti-p2p organizations are trying to pollute some torrents for TV shows such as six feet under (see discussion here).

What they do is put out a file of the same size but with random data. Since the torrent file has segment hashes to verify integrity, any segments downloaded from the bogus file will fail the checksum and waste downloaders' bandwidth. The community of downloaders is fighting back by spreading black lists with the IP addresses of the bogus clients.

--
See charts for twitter trends on Trendistic
You know... by LegendOfLink · 2005-06-15 08:52 · Score: 4, Insightful

even though I'm personally at odds with people who want to 'strike back'

In the UK, when somebody files a lawsuit and loses, not only do they have to pay for their own court expenses, but also those of the defendant. This isn't the case in the US, which is why we are the most litigious country in the world.

Now, let's look at computing. If we just let the asshole hackers get away with their crime without a fight, they will keep on hitting us hard. But, if we had a mechanism that would "fight back" and destroy a 15 year-old script kiddie's computer that mommy and daddy bought, well, maybe they'd think twice.

--
IGB: More fun than eating oatmeal!
1. Re:You know... by chez69 · 2005-06-15 08:54 · Score: 3, Informative
  
  if you file a lawsuit against IBM and loose, your financially screwed for life. not the kind of position I would like to be in.
  
  --
  PHP is the solution of choice for relaying mysql errors to web users.
Law enforcement can't do it all by ScentCone · 2005-06-15 09:05 · Score: 3, Interesting

Considering the huge horsepower of things like the SETI screensavers and P2P networks, I don't think it's a question of whether or not a conflict between spare-CPU/BW Good Guys and zombie-army bad guys could be won by the good guys. Or at least, make things painful for the bad guys. The main issue is counter-counter-counter-craftiness that might stealthily turn such a network to the dark side.

Several sys admins I know who have never had the time or inclination to put up a honeypot or opt for similar tactics absolutely light up at the prospect of actually making the attackers miserable. In fact, it's not even the attackers they complain about, it's the ISPs that (with copious documentation about the bad acts of specific customers) don't do anything about it. To the extent that foreign governments are those ISPs, well, same sentiment.

So, the real issue is governance of such a system. It's sort of like sharing time on a big research telescope. What committee can be trusted to put the resource to use effectively? I know that a lot of people with network resources are so fed up with the probes, the phishing, the DoS extortion and all the rest that they'd have absolutely no problem deploying a box or two, and a couple of MB/sec to the cause. But the liability(ies) for having it used unwisely are pretty scary, so I'm all ears if someone comes up with an interesting approach. If the worst thing that happens is I get a block of my IPs null routed on their way to Moscow, well, goshky, I'll take that deal.

Some things we have to take into our own hands. And just turning the other cheek with more and fancier firewalls and intrustion detection is too passive for my taste, at least in the face of concerted, bad-to-the-core coordinated efforts by professional, organized crackers. Have I wanted to burn up every inch of some basement-dwelling script kiddie's DSL before? Sometimes. But nothing like I've wanted to blot out entire pieces of some Asian and eastern-European networks. And not just for my sake - for all of my clients, and their clients, and everyone it impacts.

Don't mean to rant, but I've just spent all morning explaining this stuff to a suffering dot-com. His much-repeated question was "Why can't we just do this back at him until he quits? I'll spend the money... this is pissing me off."

--
Don't disappoint your bird dog. Go to the range.
Wait wait wait by cavemanf16 · 2005-06-15 09:22 · Score: 3, Insightful

From the "whurleyvision" blog:
Who knows--in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities; which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end a more secure, reliable, networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.
Now, I'm not going to advocate breaking "the law" directly in this post, but allow me to raise an important question to the /. community. Do we really want "a more secure, reliable, networking infrastructure" in the end? Allow me to now elaborate on that question.

A more secure, reliable, networking infrastructure sounds great on the face of it, but what if we were talking about a corporate infrastructure instead of a networking infrastructure? In other words, big barriers to entry for the little guys to innovate, force change, develop new things, and build NEW corporations. Same goes for networking I think. Script kiddies are not innovative as they are simply piggybacking off of others works, BUT they have been innovative in pushing every company to be highly concerned about protecting themselves against cracking and DDOS'ing, which HAS been good for us, the consumers, as the data and services that these companies provide to us is ultimately more secure, reliable, etc. Those who are doing the really devious crack attacks are being more innovative, and are forcing organizations with a 'net presence to build ever better security defenses to guard against these attacks. These new defense mechanisms in turn often get passed on to other like-minded individuals who desire the same security. I guess that ultimately I am trying to say that while we do want "more reliability" at certain levels, at other levels lack of reliability is what helps spur innovation, change, and pre-emptive corrections to problems which left unchecked, could cause massive, long-lasting damage when a chink in the armor is finally exploited.

So is "strike back" a good thing? Almost every time it is not going to help in any way. With our "War on Terror" we certainly had some excellent early gains, but now we're in a long, slow decay of gains due to the loss of life and new difficulties we created through our counterstrikes in Iraq and Afghanistan. Bush may have made the world a safer place immediately after 9/11, but now we have the Patriot Act, thousands of dead soldiers and civilians in a war that ultimately cannot "end", and what I perceive to be a whole new level of various threats to our country because we have only encouraged the terrorists to come up with better and more lethal attacks in response to our counterattack.

So, in summary, yes defending against malicious network activities is good for everyone, but I think that counterstrikes against an amorphous enemy with difficult to define borders (terrorists can come from any country, just as ip addresses can be spoofed to be marked as coming from ANY organization) in response to these attacks pose a serious risk to the network that we call "The Internet" because it will only increase the desire to make more chaos on it ultimately than it will to dissuade it. Then we get more government control, more devestating attacks, and more polarization of "sides" to the war on network intrusion. Let's keep these issues in mind when building our network security plans.
Make them famous! by Anonymous Coward · 2005-06-15 09:58 · Score: 3, Funny

Is there anything that you can do back that isn't illegal itself? Kind of like being able to defend yourself from an attacker with a weapon of your own? (I know I'm being vague about the law, but just for the sake of argument).

Post their URL to slashdot, and let them bask in unwanted fame. :-)
More like Network Judo by Gary+W.+Longsine · 2005-06-15 11:52 · Score: 3, Insightful

Intrusion Suppression techniques like honeypots and tarpits are not really strike-back techniques. They are really more like network judo. When you redirect the energy of the attack, it's not always against the attacker, it's just away from the victim.

Intrusion Suppression techniques actually reduce the network traffic generated by the attacker, and yet also reduce the effectiveness with which the attacker can perform an attack. It's not really a counter-strike.

--
If you mod me down, I shall become more powerful than you could possibly imagine.