An Anti-DoS Tool That Returns Fire 407

An anonymous reader submits "Security company Symbiot is about to launch a product that can help companies fight back during a DDoS or hacker attack by launching their own counter offensive. A ZDNet UK story quotes security "experts" questioning the legality of such a product and asking how it will avoid being fooled by hijacked PCs and spoofed IP addresses..."
  • Friendly fire. (Score:5, Insightful)

    by Jaywalk ( 94910 ) * on Wednesday March 10, 2004 @05:44PM (#8525414) Homepage
    For a company that makes a big deal about "thousands of years" of experience, they clearly have not thought this through. A distributed denial of service counter-attack to a distributed denial of service attack? If both sides have massive numbers of machines engaged in sending bogus messages you can be assured of two things: 1) there won't be enough traffic brought to bear on the offending machines to shut them down. 2) It's going to suck down massive amounts of bandwidth.

    Can you see the tech guy trying to explain that their company was knocked off, not by the attack, but by the counter attack?

    "It's okay, sir. It was friendly fire."

    • Re:Friendly fire. (Score:5, Insightful)

      by abandonment ( 739466 ) <mike.wuetherick@gTIGERmail.com minus cat> on Wednesday March 10, 2004 @05:47PM (#8525459) Homepage
      This is the stupidest idea I've heard of in a long time - if you have the network infrastructure to try and launch a DDOS attack, then you probably have the ability to survive and/or defend from DDOS attacks without resorting to insanity like this. Of course, companies in the US will probably love this, it fits well with their government's 'first strike' foreign policy directives as pushed by Mr Shrub etc
      • Re:Friendly fire. (Score:5, Insightful)

        by robslimo ( 587196 ) on Wednesday March 10, 2004 @06:01PM (#8525653) Homepage Journal
        Agreed.

        From the article, According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike".

        Given that blacklist maintainers have gotten such an unfriendly response from some quarter that they're starting to operate anonymously (google SPEWS for more), launching your own DDoS would put you in deep doo-doo, no matter how white you think your hat is.

        -RatOmeter
      • Re:Friendly fire. (Score:5, Interesting)

        by jekewa ( 751500 ) on Wednesday March 10, 2004 @06:16PM (#8525823) Homepage Journal
        Reading the entire content of their website (all three pages, two of which are PDF, and hey, isn't that a cool countdown on the homepage to when the DDOS starts on their site...), it doesn't say that they're counter attacking by return DOS on the systems attacking them. They claim to have a way to identify the system responsible for the attack, and then exact retribution.

        I suppose that one could theorize a way to monitor the network traffic around the attacking system and attempt to gather information about the zombie traffic, for example. That can't be easy, and perhaps their solution is to sell (or otherwise distribute) monitors for us to put on our systems to aid them in monitoring the networks from which DDOS can be attacking... As Wayne and Garth say, cha, right.

        Also, doesn't /. sometimes look like a DDOS? Acts like it, maybe. Seems to wipe out more than a few web servers...

      • Of course, companies in the US will probably love this, it fits well with their governments' 'first strike' foreign policy directives as pushed by Mr Shrub etc

        No, no, remember, the government's differentiator is "_we_ get to do things that are illegal for you!"

      • Re:Friendly fire. (Score:3, Insightful)

        by timmarhy ( 659436 )
        This is just corp. rubbish. I can think of 2 reasons this thing will either prove to be embarrassingly useless or most probably vapourware. 1: they aren't giving details on HOW they DOS the zombie PCs, which makes me think it's designed to impress investors and clueless gov officials and that's it. 2: The very nature of a DDoS means the attacker will have more bandwidth than you. What's it going to do, in the middle of a slashdot style swamping start sending out MORE data?!?!?
    • Re:Friendly fire. (Score:5, Insightful)

      by koh ( 124962 ) on Wednesday March 10, 2004 @05:49PM (#8525482) Journal
      Hmmm just a thought, but the DOS counter-attack would be issued only from the original target's subnet, so it does make it easier to block...

      However, it sure looks like a really bad idea. Someone is getting overpaid out there...

      • Re:Friendly fire. (Score:5, Interesting)

        by thedillybar ( 677116 ) on Wednesday March 10, 2004 @06:00PM (#8525635)
        ...the DOS counter-attack would be issued only from the original target's subnet...

        Not necessarily.

        What stops company X from making a "pact" with company Y? If company X is getting DoS'd, then company Y helps defend by launching their own counter-strike.

        Dangerous? Yes.
        Liability issues? Yes.
        Effective? Maybe. Probably more than current methods. If it doesn't stop the current DoS, maybe it will prevent them in the future.

        Surely someone will implement a counter-strike system in the next 5 years. Let's see what happens!

        • Re:Friendly fire. (Score:5, Insightful)

          by Znork ( 31774 ) on Wednesday March 10, 2004 @06:07PM (#8525718)
          "Effective? Maybe. Probably more than current methods."

          It would be even worse if it was effective. Imagine the first time some joined corps get hit by a distributed reflection DOS attack and their little vigilante group of automated systems take out CNN, AOL, Yahoo, Google, etc in the counterstrike.
          • by jazman_777 ( 44742 ) on Wednesday March 10, 2004 @06:30PM (#8525958) Homepage
            It would be even worse if it was effective. Imagine the first time some joined corps get hit by a distributed reflection DOS attack and their little vigilante group of automated systems take out CNN, AOL, Yahoo, Google, etc in the counterstrike.

            Just write it off as regrettable "collateral damage" in the "war on cyberterrorism" and reload.

        • by PacoTaco ( 577292 ) on Wednesday March 10, 2004 @06:33PM (#8525999)
          What stops company X from making a "pact" with company Y? If company X is getting DoS'd, then company Y helps defend by launching their own counter-strike.

          You're fine until someone kills Archduke Ferdinand.

    • by Wraithlyn ( 133796 ) on Wednesday March 10, 2004 @05:49PM (#8525492)
      Then of course there's version 2, which preemptively attacks any remote hosts that could conceivably pose a threat. Inspired by official US Foreign Policy. Ba-dum-ching. ;)
    • Re:Friendly fire. (Score:3, Informative)

      by pilgrim23 ( 716938 )
      Never underestimate the power of human stupidity. I am constantly amazed at how really smart people can, and do repeatedly, act so so dumb.
    • Re:Friendly fire. (Score:5, Insightful)

      by jamshid42 ( 218149 ) on Wednesday March 10, 2004 @05:50PM (#8525504) Homepage
      Actually, could you see if two different companies had an automatic DDoS system like this and someone spoofed their DDoS to attack Company A and made it look like it was coming from Company B? Company A's auto-attack would then attack Company B, which would, in turn, attack Company A. Not only would the continual volleys take out both companies, there would also be a huge impact on the network paths between them.
      • by MerlynEmrys67 ( 583469 ) on Wednesday March 10, 2004 @05:53PM (#8525551)
        Anyone remember the old days when you would mailbomb someone until their mailbox filled up so the mail server would bounce the message back

        So then you forged a message so that it looked like it came from a second victim - and when their mailbox filled up it would bounce them back to the first victim

        A fun way to take down T-1 lines back in the day when that was considered more bandwidth than any large university could ever use... Not that I have ever done anything like this

        • mailbomb someone until their mailbox filled up so the mail server would bounce the message back

          IIRC, you didn't need to fill up an account. Simply sending a message from invalidAddy@server1.net to invalidAddy@server2.net usually did the trick. Server2 would bounce the invalid message back to Server1; rinse and repeat. Not that I have any first hand experience.
      • Re:Friendly fire. (Score:3, Interesting)

        by gcaseye6677 ( 694805 )
        This is just one reason why an automated counter attack system would never be a good idea. If, however, your organization were repeatedly victimized by a DOS attack, and you could accurately identify who was responsible, counter attacking would make all the sense in the world. Not only would it make the attacker unable to perform new attacks, but if the company got lucky the attacker might even try to sue them. Why is this a good thing? You have to identify yourself to sue someone. Then the company knows wh
    • Re:Friendly fire. (Score:4, Interesting)

      by orion024 ( 694922 ) on Wednesday March 10, 2004 @05:52PM (#8525528)
      I interpreted the article the same as you did the first time through, reading that the counter-attack would also be a DDoS. Second time I read that sentence though, I wonder if maybe this guy who was speaking meant to say that this is simply a counter-attack to DDoS, not a DDoS counter-attack. Who knows.

      A DDoS _as_ the counter-attack is a ship with many holes in it.
    • by Anonymous Coward on Wednesday March 10, 2004 @05:53PM (#8525543)

      "Look out, we're being attacked by 127.0.0.1! Return fire!"
    • Re:Friendly fire. (Score:5, Interesting)

      by bkowitz ( 263712 ) on Wednesday March 10, 2004 @06:05PM (#8525697)
      John Draper (aka Captain Crunch) visited UIUC a few years ago. I hung out with him at a party and he began telling us about how the CrunchBox could be configured to launch counter attacks. I'm not sure if it's available in the present configuration - but it was definitely under consideration at one time.

      http://www.shopip.com/
  • by poptix_work ( 79063 ) * on Wednesday March 10, 2004 @05:45PM (#8525425) Homepage
    This has already been discussed on the NANOG mailing list, the general consensus is that _this_ will be the next source of attacks against systems as people spoof attacks at it. (Much like smurf attacks)

    Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.
    • by malraid ( 592373 ) on Wednesday March 10, 2004 @05:52PM (#8525526)
      Right, it should be easy (if not trivial) to create an attack on someone, and spoof the real target's address. Then you can have cross-fire between two innocent parties. Microsoft and SCO anyone? ...kind of pointless.
      • Given the amount of thought that seems to have gone into this, what do you want to bet that they forgot the "if (attacker == self) return;" clause? As such how about SCO versus SCO and leave the backbone out of it?
      • Their white paper does at least pay lip service to having enough "eyes on target" to provide "positive identification". What I didn't see was awareness of how difficult that was, or of the issues of attacks launched from neutral territory.
        • Their white paper does at least pay lip service to having enough "eyes on target" to provide "positive identification".

          Their 'white paper' reads more like a babble generator [google.com] preloaded with military phrases rather than geek [siliconhell.com] or Star Trek [pathcom.com] phrases. It sounds impressive as hell, but it's utterly meaningless.

    • by bcolflesh ( 710514 ) on Wednesday March 10, 2004 @05:56PM (#8525590) Homepage
    • Not just hosts. (Score:3, Insightful)

      by pheared ( 446683 )
      Don't forget that there are plenty of ISPs at fault too. They neglect to implement egress and ingress filtering to sanitize the traffic that flows through their network. Easy example: CPE routers should not allow traffic inbound (outbound from customer) that does not belong to the customer's range of IPs.
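      The CPE rule described above, as an added example that is not part of this thread or of any product it discusses: a source-address validation check in the style of BCP 38, with the customer prefix, interface names and sample packets all constructed for illustration. It also covers the mirror-image ingress case (Internet-side packets claiming a customer or loopback source), which the post only implies.

```python
"""Source-address validation at a customer-facing router (BCP 38 style).

Added example, not code from the thread or from any vendor mentioned in it.
Prefixes, interface names and packets are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source IP as written in the header
    dst: str     # destination IP


# Constructed: the customer holds one /28 from the documentation range.
CUSTOMER_PREFIXES = [ip_network("203.0.113.0/28")]
CUSTOMER_IFACE = "cust0"   # customer side of the CPE
UPSTREAM_IFACE = "core0"   # ISP / Internet side


def is_spoofed(pkt: Packet) -> bool:
    """True when the source address cannot legitimately arrive on this interface.

    Egress (customer -> Internet): source must lie inside an assigned customer prefix.
    Ingress (Internet -> customer): source must NOT claim a customer prefix, and
    must not be loopback, unspecified or multicast (none of these are valid
    unicast sources on the wire).
    """
    src = ip_address(pkt.src)
    inside_customer = any(src in net for net in CUSTOMER_PREFIXES)
    if pkt.iface == CUSTOMER_IFACE:
        return not inside_customer
    if pkt.iface == UPSTREAM_IFACE:
        return inside_customer or src.is_loopback or src.is_unspecified or src.is_multicast
    return True  # unknown interface: fail closed


def filter_packets(pkts):
    """Split a packet stream into (forwarded, dropped); dropped carries a reason."""
    forwarded, dropped = [], []
    for p in pkts:
        if is_spoofed(p):
            dropped.append((p, f"source {p.src} is not valid on {p.iface}"))
        else:
            forwarded.append(p)
    return forwarded, dropped


# Constructed sample traffic: two legitimate flows, three that a BCP 38 filter drops.
SAMPLE_PACKETS = [
    Packet("cust0", "203.0.113.5", "198.51.100.1"),   # customer host, own address: forward
    Packet("cust0", "198.51.100.7", "192.0.2.1"),     # customer host spoofing a foreign source: drop
    Packet("core0", "192.0.2.9", "203.0.113.6"),      # Internet host to customer: forward
    Packet("core0", "203.0.113.5", "203.0.113.6"),    # outsider claiming the customer's own prefix: drop
    Packet("core0", "127.0.0.1", "203.0.113.6"),      # "attacked by 127.0.0.1": drop
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for p in fwd:
        print("FORWARD", p)
    for p, why in drp:
        print("DROP   ", p, "--", why)
```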
    • by tessaiga ( 697968 ) on Wednesday March 10, 2004 @06:26PM (#8525925)
      Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.
      This is the obvious solution (after all, no zombies = no DDoS-nets), but the problem is there's no practical way to achieve it. As things stand today, there's no incentive pushing owners of compromised machines to react quickly to remove them from the net -- there's no financial cost for many home users if they don't do so, and they're shielded from liability by the "I didn't know I was infected" defense.

      A second problem is that for the average computer user, it can be very difficult to tell casually if your computer's been infected and is packeting someone else. The fraction of the computer population that checks their firewall to measure their traffic, or goes over the processes running in memory every once in a while, is probably fairly small. This means that infected computers tend to stay infected for a long time. There's also no real, efficient way for a DDoS target to notify thousands of machines about the problem, much less expect a significant proportion of them to respond in any short amount of time.

      I think the goal of this approach was to try to make it inconvenient for the compromised machines by taking down their net connection, and thus push the owners to investigate what the problem was. A friend of mine recently discovered that her brother's laptop was riddled with trojans and spyware, after he brought it to her complaining that it was "running slow". Turned out he was oblivious to the problem for a long time until so many processes had loaded down his machine that it was running at 100% utilization even when it was "idle". In the meantime, it was potentially available to be a participant in DDoS attacks. It wasn't until it was inconvenient for him that he took any steps to figure out what was wrong with it.

      Of course, many of the other posts have already explained why this particular approach is bad -- everything from spoofing causing innocent victims to be hit with counter-attacks, to the problem of having enough bandwidth to DOS a distributed attack in the first place. The challenge is going to be to develop a practical way of creating incentives for people with compromised machines to fix them quickly.

      • by PacoTaco ( 577292 ) on Wednesday March 10, 2004 @06:53PM (#8526218)
        The challenge is going to be to develop a practical way of creating incentives for people with compromised machines to fix them quickly.

        I think we need to focus on ISPs who allow large numbers of these infected machines to remain on their networks. These ISPs could easily set their gateways to log suspicious outgoing traffic (like lots of connection attempts to different hosts on port 135), compile a list of potentially infected machines, and then contact the end users to help them clean and patch. I imagine a well-designed ISP liability law (with warning provisions to help overcome corporate inertia) could help a lot.
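        The gateway check sketched in the post above, as an added example that is not part of this thread or of any product it discusses: flow-log parsing that flags sources fanning out to many distinct hosts on port 135, then maps them to the account to notify. The log format, the threshold, the customer table and the sample lines are all constructed assumptions.

```python
"""Flag likely-infected customer hosts from constructed gateway flow logs.

Added example, not code from the thread or from any ISP or vendor. Assumed log
format (one flow per line): "<epoch> <proto> <src>:<sport> -> <dst>:<dport> <tcpflags>".
"""
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)"
)


def parse_flow(line):
    """Parse one flow line into a dict, or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"]}


def find_scanners(lines, port=135, window=60, min_targets=20):
    """Return {src: peak_distinct_targets} for sources whose outbound SYNs reached
    at least `min_targets` distinct hosts on `port` inside any `window` seconds.

    Counting distinct destinations (not packets) separates a worm sweeping a
    subnet from a host legitimately talking to one file server many times.
    """
    per_src = defaultdict(list)  # src -> [(ts, dst)] for bare SYNs to the port
    for line in lines:
        f = parse_flow(line)
        if (f and f["proto"] == "tcp" and f["dport"] == port
                and "S" in f["flags"] and "A" not in f["flags"]):
            per_src[f["src"]].append((f["ts"], f["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):              # sliding time window over the SYNs
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def build_notifications(flagged, customer_map):
    """Turn flagged IPs into (account, ip, peak_targets) tuples for the abuse desk;
    IPs with no account mapping are skipped so nobody is contacted by mistake."""
    return sorted((customer_map[ip], ip, n) for ip, n in flagged.items() if ip in customer_map)


# Constructed sample log: 10.0.0.7 sweeps 25 hosts on 135 in 25 s (worm-like),
# 10.0.0.8 talks to a single server on 135, 10.0.0.9 browses three web hosts.
BASE = 1078960000
SAMPLE_LOG = (
    [f"{BASE + i} tcp 10.0.0.7:{40000 + i} -> 192.0.2.{i + 1}:135 S" for i in range(25)]
    + [f"{BASE + 5 * i} tcp 10.0.0.8:{41000 + i} -> 198.51.100.10:135 S" for i in range(5)]
    + [f"{BASE + i} tcp 10.0.0.9:{42000 + i} -> 198.51.100.{20 + i}:80 S" for i in range(3)]
    + ["this line is not a flow record and must be ignored"]
)
CUSTOMER_MAP = {"10.0.0.7": "acct-1017", "10.0.0.8": "acct-1018"}  # constructed

if __name__ == "__main__":
    for account, ip, n in build_notifications(find_scanners(SAMPLE_LOG), CUSTOMER_MAP):
        print(f"notify {account}: {ip} reached {n} distinct hosts on tcp/135")
```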

      • Some day people will realize the answer is to remove the vulnerable hosts that are being used as attack sources.

        This is the obvious solution (after all, no zombies = no DDoS-nets), but the problem is there's no practical way to achieve it.

        I think I see a way:

        First: A counter-probe to identify whether a suspected site actually is a zombie. This would eliminate friendly-fire counterattacks and lets-you-and-him-fight scenarios.

        A good signature is the presence of a controlling port for the zombie (thou
  • by bc90021 ( 43730 ) * <bc90021@bc9BLUE0021.net minus berry> on Wednesday March 10, 2004 @05:45PM (#8525431) Homepage
    "In advance of the product launch, Symbiot's president, Mike Erwin, and its chief scientist, Paco Nathan, have outlined a set of "rules of engagement for information warfare", which they say should be part of corporate security policy to help companies determine their exact response to an incoming attack."

    Can you imagine large corporations full of MCSEs engaging in "information warfare"? ::shudder::
  • by mkmoose ( 759477 ) on Wednesday March 10, 2004 @05:45PM (#8525434)
    Where is the tactical nuke for spam? I want a tool that goes on the offensive against spammers.
  • by Cruciform ( 42896 ) on Wednesday March 10, 2004 @05:46PM (#8525441) Homepage
    Who does SCO attack first? :)
  • Dude! (Score:5, Funny)

    by Anonymous Coward on Wednesday March 10, 2004 @05:46PM (#8525448)
    heh, don't link to the company's website, slashdot editors - the /. horde will make with the clicking and they might return fire to your readers. ;)

    (oblig. - "Of course, that would require them to be reading the articles")
  • ahhhh (Score:5, Funny)

    by humankind ( 704050 ) on Wednesday March 10, 2004 @05:46PM (#8525453) Journal
    Symbiot, a Texas-based security firm

    Ok, it makes sense now.
    • Re:ahhhh (Score:5, Funny)

      by sheetsda ( 230887 ) <doug DOT sheets AT gmail DOT com> on Wednesday March 10, 2004 @05:56PM (#8525584)
      Nah, it'll start making sense when your network starts deciding to pre-emptively destroy threats. "11.245.21.4 has weapons of mass DDoSing, observe these reports where he pinged us 3 times. Packet bomb him." In the aftermath your network will discover that the IP address actually had no DDoS zombies, but was simply a NAT, the nodes behind which needed to be "liberated" from the NAT's tyranny.
  • by Anonymous Coward on Wednesday March 10, 2004 @05:47PM (#8525454)
    entering the word EXIT (followed by pressing the Enter key) is a surefire way to kill those ding-dang DOS session windows.
  • please.. (Score:2, Funny)

    by cmacmanus ( 713176 ) *
    Another dot-com hoping to sink their feet? Oh yeah, what's this API [google.com] business? There's dozens of pages of googlecached stuff relevant to it.
  • Next step (Score:2, Redundant)

    Preemptive Defensive Web Attacks

    I think the government will back me up.

  • Endless Loop (Score:4, Insightful)

    by dcocos ( 128532 ) on Wednesday March 10, 2004 @05:48PM (#8525476)
    What happens when someone gets smart and creates one that looks for other Symbiot boxes and basically has them fighting each other?
    • What happens when someone gets smart and creates one that looks for other Symbiot boxes and basically has them fighting each other?

      Don't worry, by that point we'll be reduced to using pen and paper anyway because of all the spam we're receiving.

    • "What happens when someone gets smart and creates one that looks for other Symbiot boxes and basically has them fighting each other?"

      Well at a guess, Symbiot will have sold at least two installations.

      (whether their customers' net connections will survive is another question...)

      As an ISP, what would you rather have:
      (a) someone who double-clicks on the attachments
      (b) something which tries to DoS whoever it thinks is attacking it
  • by Eagle5596 ( 575899 ) <slashUser.5596@org> on Wednesday March 10, 2004 @05:49PM (#8525481)
    Slashdot has been knocked off the web for good, seemingly due to the fact that several of the daily stories it linked to were running the new "counter-attack" DoS protection.
  • Dumbest. Idea. Ever. (Score:5, Interesting)

    by Tokerat ( 150341 ) on Wednesday March 10, 2004 @05:49PM (#8525485) Journal

    Yes, let's fire back at the machines attacking and DOUBLE the number of packets on the network while breaking the law! That'll solve it! As if the bandwidth from DoSnets and spam wasn't choking the internet down enough already...

    How in the hell do ideas like this make it long enough to be publicly announced? It makes me sad that morons have tech jobs making crap and I couldn't even get hired changing toner if I wanted to...
    • How in the hell do ideas like this make it long enough to be publicly announced?

      Good marketing. Marketing makes decisions independent of intelligence, feasibility, or any of the other things that people with a normal IQ would consider important aspects of the plan. Managers know that if the plan somehow succeeds (they're managers, they have no way of gauging the feasibility or intelligence of anything more technical than simple addition) they can take credit for lending muscle and support to it. If it

  • Pointless (Score:5, Insightful)

    by frenetic3 ( 166950 ) * <`houston' `at' `alum.mit.edu'> on Wednesday March 10, 2004 @05:49PM (#8525489) Homepage Journal
    Great. So DDoS victims, in addition to having all of their incoming bandwidth wasted, can now spend all their outgoing bandwidth to strike back at their cunning, ruthless assailants -- you know, like all those clever "Dear friends" who "use this Internet Explorer patch now!".

    "More than 500.000 already infected!"

    -fren
  • I can see someone using this system to direct an attack on someone's network. For instance: Cracker hijacks network A to attack B. B attacks A. Then B attacks A. Both networks go down in flames. Have we not learned anything from War Games?
  • What a great idea! (Score:2, Insightful)

    by slash-tard ( 689130 )
    Technically it's useless but I'm sure plenty of ignorant CEOs and CTOs will sign up for it right away.
  • by b0r0din ( 304712 ) on Wednesday March 10, 2004 @05:50PM (#8525496)
    Yes, let's protect ourselves from attacks by attacking the offenders and wreaking even more havoc. That'll go over well. I don't even want to go into how stupid a proposal this is. Let's start with the first detail: it's probably illegal.

    I imagine it'll have some sort of military function, though.
  • What if the hacker spoofed some grandma's IP and used that to attack me? Then I automatically go on offense against grandma's PC.

    The possibilities are endless.

  • by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Wednesday March 10, 2004 @05:51PM (#8525509) Homepage Journal
    Proposed idea:

    1) Subject receives DOS attack from Zombie machine
    2) Subject returns fire to zombie machine, perhaps with some sort of encoded "you're attacking me so I'm attacking you" script.
    3) From here the following happens: either somebody notices the machine is being attacked, investigates and reacts, leading the original victim to shut off its counter-attack. Or an automated script in the Zombie machine packet sniffs the retaliatory attack and shuts itself down and/or notifies admin for further action.
    This seems like a good idea; while the ethics of a counter-DoS attack are not sound, this could be a way to limit attacks. However Zombies spoofing other addresses could lead to issues as well...again though it's well known that DoS's are a pain in the butt to stop so what could work? Dunno...
  • The last paragraph of the article is interesting, in which they say the government is going to start using hacker tools also - don't they already?
  • March 31 + 1 (Score:5, Insightful)

    by dclydew ( 14163 ) <dclydew@gmail.com> on Wednesday March 10, 2004 @05:51PM (#8525516)
    Hrmmm, they go live on March 31 and this sounds too silly to be serious. I vote April Fools Joke.

  • Cookies (Score:5, Funny)

    by pyrrhonist ( 701154 ) on Wednesday March 10, 2004 @05:51PM (#8525518)
    From the article:

    You may be taking out grandma's computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up.

    Okay, now they're crossing the line. You mess with Granny's Luscious Cookies, and you're in for it. This means war!

  • They are planning to use Slashdot. The ultimate DDOS generation service.
  • by Anonymous Coward on Wednesday March 10, 2004 @05:52PM (#8525533)
    ...when stupid people get venture capital money.
  • possibly slightly (Score:2, Interesting)

    "... innocent -- although possibly slightly negligent -- party."

    innocent, possibly and slightly are not 3 words I use to describe people who allow their computers to become zombies for DDoS attacks. It's inappropriate to say the 3 words I would use in public.

  • The article linked [zdnet.co.uk] within the original story is also on-topic for this discussion.

    Governments could soon be using hacker tools for law enforcement and the pursuit of justice, according to an expert on IT and Internet law. Joel Reidenberg, professor of law at New York-based Fordham University, believes it likely that denial of service attacks (DoS) and packet-blocking technology will be employed by nation states to enforce their laws. This could even include attacks on companies based in other countries,
  • Bruce Schneier (Score:5, Informative)

    by savagedome ( 742194 ) on Wednesday March 10, 2004 @05:55PM (#8525571)
    Bruce Schneier wrote about this way back in the Dec 2002 Crypto-Gram.

    Counterattack

    This must be an idea whose time has come, because I'm seeing it talked about everywhere. The entertainment industry floated a bill that would give it the ability to break into other people's computers if they are suspected of copyright violation. Several articles have been written on the notion of automated law enforcement, where both governments and private companies use computers to automatically find and target suspected criminals. And finally, Tim Mullen and other security researchers start talking about "strike back," where the victim of a computer assault automatically attacks back at the perpetrator.

    The common theme here is vigilantism: citizens and companies taking the law into their own hands and going after their assailants. Viscerally, it's an appealing idea. But it's a horrible one, and one that society after society has eschewed.

    Our society does not give us the right of revenge, and wouldn't work very well if it did. Our laws give us the right to justice, in either the criminal or civil context. Justice is all we can expect if we want to enjoy our constitutional freedoms, personal safety, and an orderly society.

    Anyone accused of a crime deserves a fair trial. He deserves the right to defend himself, the right to face his accused, the right to an attorney, and the right to be held innocent until proven guilty.

    Vigilantism flies in the face of these rights. It punishes people before they have been found guilty. Angry mobs lynching someone suspected of murder is wrong, even if that person is actually guilty. The MPAA disabling someone's computer because he's suspected of copying a movie is wrong, even if the movie was copied. Revenge is a basic human emotion, but revenge only becomes justice if carried out by the State.

    And the State has more motivation to be fair. The RIAA sent a cease-and-desist letter to an ISP asking them to remove certain files that were the copyrighted works of George Harrison. One of the files: "Portrait of mrs. harrison Williams 1943.jpg." The RIAA simply Googled for the string "harrison" and went after everyone who turned up. Vigilantism is wrong because the vigilante could be wrong. The goal of a State legal system is justice; the goal of the RIAA was expediency.

    Systems of strike back are much the same. The idea is that if a computer is attacking you -- sending you viruses, acting as a DDoS zombie, etc. -- you might be able to forcibly shut that computer down or remotely install a patch. Again, a nice idea in theory but one that's legally and morally wrong.

    Imagine you're a homeowner, and your neighbor has some kind of device on the outside of his house that makes noise. A lot of noise. All day and all night. Enough noise that any reasonable person would claim it to be a public nuisance. Even so, it is not legal for you to take matters into your own hand and stop the noise.

    Destroying property is not a recognized remedy for stopping a nuisance, even if it is causing you real harm. Your remedies are to: 1) call the police and ask them to turn it off, break it, or insist that the neighbor turn it off; or 2) sue the neighbor and ask the court to enjoin him from using that device unless it is repaired properly, and to award you damages for your aggravation. Vigilante justice is simply not an option, no matter how right you believe your cause to be.

    This is law, not technology, so there are all sorts of shades of gray to this issue. The interests at stake in the original attack, the nature of the property, liberty or personal safety taken away by the counterattack, the risk of being wrong, and the availability and effectiveness of other measures are all factors that go into the assessment of whether something is morally or legally right. The RIAA bill is at one extreme because copyright is a limited property interest, and there is a great risk of wrongful deprivation of u
    • by Beryllium Sphere(tm) ( 193358 ) on Wednesday March 10, 2004 @06:33PM (#8525998) Journal
      A mob lynches a "witch" -- vigilantism.

      A woman carries out a devastating martial arts move on someone about to rape her -- self defense.

      Self defense is immediate, and it's aimed at stopping an attack in progress. Self defense doesn't excuse harming innocent third parties: if you use a hand grenade to stop a mugger, the law will rightly punish you.

      There's plenty of room for argument about this, but remote patching of the machines that are DDoSing you might be self defense. Any counterattack that is based on military principles, like the product under discussion here, is vigilantism.

      Notice that everything Schneier says is based on the assumption that regulated police and courts of law exist. Before those are set up on a lawless frontier, experience shows that citizens will set up a Committee of Vigilance.
  • Useless... (Score:3, Insightful)

    by LostCluster ( 625375 ) * on Wednesday March 10, 2004 @05:57PM (#8525592)
    This has no way of working, it can only make a DDoS worse.

    A basic denial of service attack is simply nothing more than somebody using all of their available bandwidth to send meaningless information to the victim host. If such an attack is greater than the available incoming bandwidth the victim has, then their legitimate incoming traffic gets delayed or dropped after being timed out.

    However, even if the IP addresses are being spoofed, it's pretty easy to trace back through the routers where these packets are coming from, and that'll lead you to the point where the attack is coming from. That doesn't tell you who the hacker was per se, but it at least ends the attack.

    A DDoS is nothing more than the result of hundreds or thousands of machines all directing a DoS at the same place. Now it's not so easy to trace back... effectively, they're coming from everywhere! The DDoS victim has nothing they can do for themselves other than order enough bandwidth to have more incoming bandwidth than the attackers have to throw at them, and that's not a cheap or fast solution. They're more or less waiting for whatever virus or worm touched off the storm to be cleaned up by the antivirus vendors.

    Hacking back your attackers is only going to cause other people to start wondering why you're scanning and hacking them... isn't not going to do much towards stopping the useless data that's streaming at you. The worst case situation is where two of these hacking systems meet it each other... and therefore an automated hacking war between identical systems go on forever while never disabling a real hacker.

    Seems like all this product does is appeal to over-aggressive personalities who are in IT positions and hate the concept of there being an attack that there's no possible way to defend against. It doesn't have to work, it just has to separate dumb people from their money.
  • by Dachannien ( 617929 ) on Wednesday March 10, 2004 @05:58PM (#8525618)
    One interesting thing that didn't really get picked up on was the idea of monitoring and blacklisting networks hosting a lot of zombied machines. This could be the incentive that ISPs will finally need to start adding egress filtering to their routing devices, which at the very least, will allow victims of DDoS an easier time of maintaining their defensive measures.

  • by humankind ( 704050 ) on Wednesday March 10, 2004 @06:04PM (#8525687) Journal
    To me, what's really scary about this isn't that the idea is counterproductive, bone-headed, and probably illegal. It's that any company would propose something like this... which leads me to think that this is the type of story that is promoted just to get a rise out of people and we've taken the bait.

    The company is obviously trying to jump on the media-whore bandwagon by proposing such an idea, but look who they are and where they're from. Texans' historical idea of security hasn't been impressive.

    Shame on ZDNet for creating this troll in the first place. Shame on Slashdot for referencing this troll. Shame on us for being so outraged by it and taking the bait.

    We know this idea will never fly. But now we've given this loser company 15 minutes of fame. This story belongs on a Darwin Business Awards list or Fark.com, not here.
  • by silas_moeckel ( 234313 ) <silas@dsmi[ ]corp.com ['nc-' in gap]> on Wednesday March 10, 2004 @06:09PM (#8525748) Homepage
    While just DOSing the poor guy back is just silly, I could see some useful applications, mostly with worms. Your site gets hit with a tcp based worm, let's call it wormE. Now wormE is a known worm and you're running a nice honeypot type setup, possibly inside the firewall or proxy. Since we know how wormE propagates you could go and fix the problem with wormE using the same hole. I'm not talking about intentionally doing damage but rather killing the worm process, possibly popping up a message box on the console with patch instructions and stopping the offending process.

    Now since it's tcp and a 2-way connection we can be fairly confident that at the time of the connection reverse routing paths go to the attacker, otherwise syn fin ack would have been problematic.

    Things like this have been discussed on NANOG etc before and a lot of people hate it obviously. I think if you could find exploits in the worms themselves and reply back with something to disable the worm inside the same request that would be acceptable, as I should have the right to respond to any request from the internet with whatever I desire inside one session, though some would disagree.
  • by Frennzy ( 730093 ) on Wednesday March 10, 2004 @06:11PM (#8525767) Homepage
    It's obviously a stupid idea. By definition, a DDoS is going to be launched from compromised machines... with a 99% probability the owner of said machine has no idea what's going on.

    But, most DDoS attacks do have easily verifiable signatures. (Ping floods, excessive SYNs from spoofed source addresses, among many others.)

    Why not start helping ISPs to block this crap at the source? They are, essentially, what allowed these machines to be zombified in the first place. Aggregators and headends should already have the intelligence to block IP spoofs, which eliminates SYN floods. It shouldn't be too difficult to imagine blocking an excessive amount of outbound (inbound from the ISP's customer base) ICMP packets... say... 10% or more packets are ICMP=no YUO. (arbitrary figure, it could be less, it could be more).

    If nothing else, build some intelligence into backbone packet inspection (yes, I am aware of the vast amount of cycles this would take...but everything can be ported to ASICs at some point), such that vast amounts of packets, with duplicate signatures could be throttled back or dropped if a DDoS is detected.

    In short, we know we can't educate the lusers, but if the ISPs distributed the cost of such an implementation among all users, I'd imagine most people wouldn't even notice the cost increase.

    There are some other ideas floating around in my head, but they aren't fully formulated yet.
  • by PPGMD ( 679725 ) on Wednesday March 10, 2004 @06:14PM (#8525796) Journal
    IMO the best way to stop DOS attacks is to stop the zombies. And the best way to do that is to convince hosting companies and ISPs to configure their routers to reject packets with impossible return addresses.

    Example: RR not allowing their users to send packets with a return address that is not a RR IP for the area.

    That won't stop DOS attacks from happening, but it will make it easier to track the zombies, and maybe even get the perp.
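As an added illustration (not code from any of the commenters), here is the source-address validation Frennzy and PPGMD describe, implemented as a toy filter on an ISP aggregator, together with Frennzy's "what share of outbound packets is ICMP" check; the prefixes, sample packets and 10% threshold are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed example: address blocks this hypothetical aggregator is allowed
# to originate (RFC 5737 documentation ranges). A real deployment would pull
# these from the ISP's own allocations.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed packets as (src, dst, proto); two have spoofed sources and one
# customer host is behaving like a ping-flood zombie.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.80", "tcp"),
    ("203.0.113.11", "192.0.2.80", "tcp"),
    ("198.51.100.5", "192.0.2.53", "udp"),
    ("192.0.2.99", "192.0.2.80", "tcp"),    # spoofed: not one of our prefixes
    ("10.1.2.3", "192.0.2.80", "tcp"),      # spoofed: private source address
    ("203.0.113.12", "192.0.2.80", "icmp"),
    ("203.0.113.12", "192.0.2.80", "icmp"),
    ("203.0.113.12", "192.0.2.80", "icmp"),
    ("203.0.113.12", "192.0.2.80", "icmp"),
]


def is_valid_source(src, prefixes=CUSTOMER_PREFIXES):
    """True if src falls inside a prefix this edge may legitimately originate."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as spoofed
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=CUSTOMER_PREFIXES):
    """Egress filter: forward packets with valid sources, drop the rest."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def icmp_fraction(packets):
    """Share of packets that are ICMP (0.0 for an empty window)."""
    if not packets:
        return 0.0
    return sum(1 for p in packets if p[2] == "icmp") / len(packets)


def icmp_offenders(packets, threshold=0.10):
    """If ICMP exceeds the threshold share, return {src: icmp_count}, else {}."""
    if icmp_fraction(packets) < threshold:
        return {}
    return dict(Counter(p[0] for p in packets if p[2] == "icmp"))
```

Run the egress filter first and the ICMP check on what survives: the spoofed packets are dropped before they ever leave the ISP, and the remaining flood is attributable to a single customer address that an operator can act on.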

  • by An-Unnecessarily-Lon ( 761026 ) on Wednesday March 10, 2004 @06:24PM (#8525905) Journal
    The NSA no longer does Strikebacks for fear of litigation. However if the source is foreign non friendly then they take some action. But it is a big deal. If one of us decides to press the button we automatically go to jail (no passing go/no $200). Inmates at Ft. Leavenworth don't exactly fear a computer guy who pressed the Strikeback button.
  • by TheCrayfish ( 73892 ) on Wednesday March 10, 2004 @06:38PM (#8526065) Homepage
    The creators of this idea should have read this opinion piece [schneier.com] before proceeding with their DDoS counterattack initiative.
  • by tomstdenis ( 446163 ) <tomstdenis&gmail,com> on Wednesday March 10, 2004 @06:55PM (#8526243) Homepage
    that DDOS attacks are asymmetric? [e.g. many to one] So what? Customers of this company will have hordes of zombie computers at their control?

    I don't quite get it.

    Though you can tell this is an American idea. The concept of collateral damage [e.g. people with the same ISP or host being tossed offline] isn't relatively important to them...

    Why not make a tool that can find who started the DDOS and then accidentally send them to 20 years in a pound-me-in-the-ass prison? That would be worth money.

    Tom
  • by FooAtWFU ( 699187 ) on Wednesday March 10, 2004 @06:55PM (#8526245) Homepage
    I found the following the most interesting, for it described how they would respond with "asymmetric responses":

    "In these cases, the operations center may call for a variety of efforts, including (1) escalated multilateral profiling and blacklisting of upstream providers; (2) distributed denial of service counterstrikes; (3) special operations experts applying invasive techniques; and (4) combined operations which apply financial derivatives, publicity disinformation, and other techniques of psychological operations."

    Now how exactly this will help when you have a few hundred to a few thousand virused zombie machines running a DDoS against you and you have no clue who's behind it... is beyond me.

  • My take on this (Score:5, Interesting)

    by bruns ( 75399 ) <bruns@NOSPAm.2mbit.com> on Wednesday March 10, 2004 @06:56PM (#8526263) Homepage
    Here's my take on this, pulled from a recent post to NANOG:

    Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.

    I'll share my favorite goober with firewall story. When I was a sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from clueless users all the time. I could identify which tool they used just by how the body of the message looked and how the 'attack' was described. Got ones saying that my performance testing server (which sometimes did ping scans across the dialups to see what the general response time was) was 'attacking' the user's machine with a single ICMP echo. Or how our IRC server was trying to attack the user on the ident port every time they tried to connect.

    Of course, the best one was when a supposed 'security expert' called up and complained how my two caching DNS servers for the T1 customers were attacking his entire network on port 53 UDP. He had naturally filtered the 'attack' because it was obvious that our Linux DNS servers were infected with one of the latest Windows viruses going around, and suddenly no one on his network could browse the web anymore.

    So, let me ask the question, do we really want people like that having a tool which autoresponds to attacks with attacks? At least when he filtered out our DNS traffic, it only affected his network... But imagine if he had launched an attack against my DNS servers in response? Yeah, that's a great idea.

    Of course, now that the AHBL does its own proxy testing, we get all sorts of fun reports from end users about our 'attacks' against their machines. Latest one demanded I tell her why we had scanned her, but wouldn't tell me her IP address or when the scan happened exactly, claiming that I had done the scan, so I should know what IP she is. Too bad I test over 100,000 IP addresses daily for open proxies....

    Let's not even get into the legal consequences for a tool like this, especially if it backfires and launches an attack against the NIPC, for example.
  • Wow! (Score:4, Funny)

    by DF5JT ( 589002 ) <slashdot@bloatware.de> on Wednesday March 10, 2004 @07:01PM (#8526306) Homepage
    Let me see:

    We now have a product that produces more shit than ever, has no sound concept behind it other than "Let's nuke the shit out of these &&&%$s", probably costs a shitload of money and appeals to PHBs in the extreme.

    I'd say: Let's buy some shares.
  • by phorm ( 591458 ) on Wednesday March 10, 2004 @07:06PM (#8526368) Journal
    Unfortunately it's not currently legal, but really what would be a better idea is to react to compromised machines based on their infection behavior. I know that when Code Red first came out (and still now, even) my Apache logs were full of attempts to access CMD.EXE or other Windows stuff.

    The obvious solution would be to respond to the attacking machine by using the same exploit by which it was initially infected, and cause it to go to sleep or attempt to clean itself. Obvious problems arise if the machine is doing something important, but the question arises: when are you allowed to protect your own property in response to somebody who hasn't properly fixed their own?

    Conceptually, the best way to do this would be to log attackers, note how they are infected based on heuristics of common infections, and then wait until the attack has been going on for a certain period of time. If the machine is still coming out strong after a day, one should be justified in taking measures to put it offline...

    It's time to stop pandering to sysadmins that don't do their jobs. We have some machines that aren't $1000/minute mission critical, but if one were infected I wouldn't feel overly upset if somebody put it to sleep for me (so long as the machine itself wasn't damaged). For those that do run $$$$/minute machines, they should be well secured so such things don't happen, or at least not for prolonged periods of time.

    It's accountability time for sysadmins... you're not unjustified in shooting somebody who invades your house, so why can't you take out the computer that's attacking your network?
  • by Webmoth ( 75878 ) on Wednesday March 10, 2004 @07:13PM (#8526426) Homepage
    How many of you read the headline and imagined smoke billowing out of a 1337 Hax0r's computer?
  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Wednesday March 10, 2004 @07:48PM (#8526793) Homepage
    It used to be that you had to use email worms to conscript people's PCs into your private army of DDoS zombies. By packaging the trojan and calling it a security product you can avoid all that hassle.

  • Again? (Score:5, Funny)

    by Rorschach1 ( 174480 ) on Wednesday March 10, 2004 @08:19PM (#8527072) Homepage
    Someone gets this idea every few years. Probably from watching too many bad hacker movies.

    Just smile, nod politely, and let the lawyers take care of it.
  • by Rich ( 9681 ) on Wednesday March 10, 2004 @08:44PM (#8527306) Homepage
    If there are 2 of these boxes, then a spoofed attack that sets them against each other would kill both. I suspect the drawing board needs revisiting.
  • by ajv ( 4061 ) on Thursday March 11, 2004 @08:22AM (#8530616) Homepage
    I am an expert. Not in inverted commas "expert" but a real expert with hard won experience in the last few weeks.

    I have helped a customer who was suffering several DDoS attacks from sub humans from Eastern Europe. The attacks took out an entire Australian state for days at a time and in one 30 minute period, all of Australia at 4.30 in the morning, not just one ISP or one customer. We're not talking small attack fleets here.

    Now... where to start?

    This product is the stupidest, most lame, and idiotic idea I can think of. I don't know what the hell they were thinking, but all I can think of is that they've never ever had a DDoS attack aimed at them.

    In Australia (where I live), this type of counterattack *IS* illegal, and I have real lawyer advice from IAL (I am a lawyer) types at a big firm. If you want to prosecute, you sure as hell should not have retaliated... or you'll end up facing prosecution too, and unlike the scuzz buckets in eastern Molvania, you will go to jail and be Bubba's Vegemite Valley Viking buddy for some time.

    You want to know how to prevent spoofed attacks? Force *by law* Cisco and the two or three other manufacturers of telco equipment (DSLAMs, cable head ends, and digital modems) to not pass packets with spoofed IP addresses. Make it illegal to acquire equipment without these controls. Make it illegal to modify the equipment to allow such usage. Follow up with the "Good" ISPs null routing "Bad" ISPs who pass packets from "customers" (sources) who spoof. ISPs *know* the BGP ASes they route at their edge. They are the best placed not to allow spoofed packets to originate from them. This solution is SO simple, I'm surprised no one has done anything about forcing Cisco et al's hand yet.

    You want to know how to prevent DDoS attacks being used for extortion? Clueful law enforcement. Too many times, the victims of these attacks have to establish an uncontaminated body of evidence, keep a chain of custody for all evidence they collect, and show exactly how they've filtered the raw evidence to demonstrate the links between the few unspoofed packets and the badly written e-mails with the attacks. This is like a mugging victim collecting evidence swabs from themselves, taking the photos, doing a few PCR DNA tests (or three hundred), ensuring all statements are taken, keeping the evidence safe from contamination and doing the leg work of the investigation. ENOUGH! It's time for the police to get a fscking clue and employ real investigators in their "high tech" forces.

    Until then, companies like this one will be allowed to peddle their wares to customers who just want a large piece of 4x2 and to whack someone... anyone. I know because I soooo wanted that 4x2 so many times during January and February.
