In December, when protesters were rampaging through Seattle in an attempt to disrupt the World Trade Organization (WTO) summit meeting, other activists were launching a denial of service (DOS) attack on the WTO Web site.
But the WTO’s Web-hosting service spotted the attack and repelled it, bouncing the flood of page download requests back to the origin server, which was run by a group calling itself electrohippies.
The e-hippies coalition, based in the U.K., never publicly acknowledged that the attack had been turned back on its own server. But the next day, a notice appeared on the e-hippies site apologizing that “people have had problems getting through” to its site.
To retaliate or not to retaliate? In cyberspace, there is no simple answer.
Conxion, the San Jose, Calif. hosting service that reversed the attack on the WTO server, recognized the attack was coming from a single IP address belonging to the e-hippies server.
“So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server,” says Brian Koref, senior security analyst at Conxion Corp.
Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident. However, the reaction among IT professionals to the counterstrike was decidedly mixed.
Most IT professionals interviewed for this story said they would not strike back in cyberspace, for fear of hitting an innocent bystander. But they’re not averse to taking some action when they’re sure of the perpetrator’s identity.
If vendor tools are any indication, fighting back may indeed be gathering acceptance in the IT community. Intrusion detection tools, for example, can be configured to reverse attacks. New reactive tools are also popping up in the marketplace, and freeware attack-reversing tools abound on the Web.
Gray areas
Opponents of retaliation say reversing an attack is akin to taking the law into their own hands. They worry that they may inadvertently bounce the attack back to an innocent target and bring the law down on themselves.
“Fighting back is a bad idea. I wouldn’t do it,” says Al Potter, manager of network security labs at ICSA Labs in Carlisle, Penn. “If it’s illegal for them to attack you, then it’s also illegal to attack them. And then we have this whole problem of crossing state and national boundaries. I don’t even want to go there.”
Lt. Commander Chris Malinowski, who heads the New York City Police Department’s computer crime unit, agrees: “Just because you’re a victim, doing it back to the bad guy doesn’t make it any less of a crime.”
Both Potter and Malinowski say Conxion’s actions fall in a gray area. Malinowski says what Conxion did could qualify as denying mail and returning it to the sender, something that in the eyes of the law would be legal.
“If they’re functioning solely within their own system to take preventative action during an attack, there should not be a problem,” Malinowski says. “Rejecting mail is a normal system administration function. Now if they were inserting their own mail and sending that back to the e-hippie site, you may have a problem.”
Know thy target
Conxion had a clear IP address trail to the e-hippies server, so it was simple to bounce the mail back to that address.
But consider that most crackers launch their attacks through hijacked IP addresses. The February distributed DOS attacks that crippled Amazon.com, eBay and others were launched from innocent “zombie” machines that had been hacked and were then commanded to do the bidding of the attacker. Had the victims retaliated by volleying the packets back to the source IP address, they would have shut down servers at legitimate businesses that had no knowledge of their part in the attacks.
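Added example, not from the article: a small Python check that shows why the source address of a flood is weak evidence for any response aimed back at it. The flow records (source IP, received TTL, packet count) and the thresholds are constructed for illustration; the three sets stand for a flood from one real host, a zombie-style distributed flood, and a flood whose single apparent source is forged.

```python
from collections import defaultdict

# Constructed flow records: (source IP, IP TTL as received, packet count).
# Illustrative values only, not data from the article.
SINGLE_SOURCE = [("203.0.113.7", 54, 40000), ("198.51.100.2", 118, 12)]
ZOMBIE_FLOOD = [("192.0.2.%d" % i, 60 + i % 5, 900) for i in range(1, 41)]
FORGED_SOURCE = [("203.0.113.7", ttl, 2500) for ttl in (12, 37, 64, 101, 128, 200)]

def summarize_sources(flows):
    """Packets sent and the set of distinct TTLs seen, per source address."""
    packets, ttls = defaultdict(int), defaultdict(set)
    for src, ttl, count in flows:
        packets[src] += count
        ttls[src].add(ttl)
    return packets, ttls

def assess_flood(flows, dominant_share=0.9, max_ttl_spread=8):
    """Classify a flood from its source-address evidence.

    'distributed'  : no single address carries the flood (zombie-style DDoS).
    'forged-source': one address dominates, but its packets arrive with a wide
                     spread of TTLs that a single real host would not produce.
    'single-source': one address dominates and its TTLs are consistent.
    """
    packets, ttls = summarize_sources(flows)
    total = sum(packets.values())
    top_src, top_count = max(packets.items(), key=lambda kv: kv[1])
    if top_count / total < dominant_share:
        return "distributed"
    if max(ttls[top_src]) - min(ttls[top_src]) > max_ttl_spread:
        return "forged-source"
    return "single-source"

def recommended_action(verdict):
    """Every response stays inside the victim's own network (drop, rate-limit,
    log); none sends traffic back toward the apparent source."""
    return {
        "single-source": "rate-limit or drop this source at the edge; keep logs as evidence",
        "distributed": "rate-limit by service rather than by source; engage the upstream provider",
        "forged-source": "drop at the edge; do not use the source address for attribution",
    }[verdict]
```

Even the "single-source" verdict only justifies filtering within your own system, which is the line Malinowski draws above.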
“It would be blind luck to be placed into a situation where somebody is actually attacking your site from their own machine. The more typical case is the cracker has compromised one or several ISPs, telnetting from one to the next, creating a nearly untraceable trail through the Internet,” says Greggory Peck, a security analyst at a Fortune 500 company and editor of the “HappyHacker.org” newsletter.
Lance Dubsky, a security manager for a government agency he doesn’t want named, knows of a case in which a system administrator at a private company hacked back.
Unfortunately, the IP address was fake and the administrator slammed an innocent target, which, in turn, traced the DOS attack back to the system administrator and alerted his superiors. The system administrator lost his job.
Vendor approved?
Object lessons like that, however, are not stopping vendors from bringing a number of new reactive technologies to market. For example, Recourse Technologies in Palo Alto, Calif., and GTE Federal Network Systems in Arlington, Va., peddle cracker-trapping technologies called honey pots.
These are network boxes that act like fly traps, luring crackers so network monitors can observe the attacker’s actions and gather the attacker’s identifying information.
“There’s a fine line between privacy and taking aggressive countermeasures,” says Frank Huerta, Recourse’s president and CEO. “Our Mantrap tool is more like using video surveillance in stores.”
Watching for suspicious activity and gathering evidence against attackers is one thing. But other vendors — particularly intrusion detection vendors — offer the capability to configure their tools to take more action than just killing incoming connections. They could also be configured to trace the IP address and return a DOS attack, say Peck and others.
Peck says salespeople from security vendors have told him they wouldn’t recommend launching a retaliatory strike, but they also boasted that their product was capable of being programmed to launch one.
Vendor-assisted or not, you still run into the problem of hitting an innocent target.
“If the intrusion-detection system is programmed for an automated response, you could deny service to an innocent party by sending the attack back to a forged IP address,” says Scott Blake, security program manager at Bindview, an Internet security vendor in Houston.
Bindview also sells a reactive tool called the Zombie Zapper, which was released in March as a response to the distributed DOS threats. Instead of returning the DOS attack at the offending IP address, it impersonates the “master” of the slave machines and sends an order to those slaves to stop sending DOS packets. According to Blake, Zombie Zapper was downloaded more than 7,000 times in the two weeks following its posting.
With a number of freeware vigilante tools being posted on the Web, how far will commercial vendors go? And will network management professionals use these reactive tools?
ICSA’s Potter, who says that most of these legitimate vendor products offer some of this reactive capability as “eye candy,” thinks this trend won’t go much further. Vendors, he says, will ultimately offer what buyers want, and buyers would prefer to see better passive protection in existing tools than new reactive capabilities.
But corporate network and security managers are becoming increasingly frustrated with Internet crime — cybercops can’t keep up with it. Cracking comes at a hefty cost to corporations, with financial losses due to computer crime costing 273 U.S.-based organizations nearly US$266 million last year, according to a March report by the Computer Security Institute in San Francisco and the FBI.
“My experience, I’m sad to say, is that unless you are a very large organization — a multibillion-dollar company that is publicly traded and frequently in the media — whatever help is forthcoming from agencies like the FBI will certainly take a long time,” Peck says. “But you, acting as your own security analyst, can accomplish a great deal more than can, say, the FBI.”
Capt. John Jarrett, computer crime investigator with the Show Low Police Department in northeastern Arizona, would like to see more organizations get involved in actively protecting their assets. “I’d actually hope people get tired of things and take a stand,” he says.
At the very least, Jarrett would like to see corporations do more of their own tracking of e-criminals so they can present evidence to the district attorney’s office. But he, like Malinowski and other law enforcement officers, stops short of advocating retaliation.
So what’s the solution? Start by building up your offensive posture. That means tightening and then testing the security in your network infrastructure, starting with your operating systems and working out to your perimeter firewalls and routers.
Brace your networks for more distributed attacks, nastier viruses and more chaos until these issues sort themselves out.
“[Cybercrime is] going to get worse before it gets better,” Potter says.