Full Disclosure mailing list archives
Re: Counter-Attacking hackers? Is this really a good idea?
From: Martijn Lievaart <m () rtij nl>
Date: Mon, 08 Mar 2004 14:48:52 +0100
technocrat () hush ai wrote:
This company... http://www.symbiot.com/ Is claiming to have the "first IT security solution that can both repel hostile attacks on enterprise networks and accurately identify the malicious attackers in order to plan and execute appropriate countermeasures - effectively fighting fire with fire." Are these guys nuts? I'm not sure if this is a good idea or not. I don't want to promote them, but on the other hand this seems to be a topic that should be discussed by information security professionals. If the community as a whole thinks this is a good idea, then there should be some type of standard agreed to by the masses of administrators that will have to put up with the results of such a system. Again, just thought this should be openly discussed and that we should all be aware of it. I even thought about posting their white papers to my personal site in an effort to stick to the 'discussion not promotion' agenda I have, but then I don't want to get 'Counter-Attacked' now do I ;)
Yup, they are nuts. At least here in .nl this will negate any court case you might have had and open yourself up to lots of claims from others. Think about that, you get attacked and subsequently sued.
Besides, there is always the risk of false positives. You're going to be responsible for such a system? Maybe if you're the NSA, but otherwise I think not.
Don't fight fire with fire. But a good IDS system like they describe with passive countermeasures may make sense from time to time. I use one myself and it works perfectly after the initial tuning. I recently saw a very good one implemented where the attacker got nullrouted if he triggered certain rules above a certain threshold. Very effective, yet a few simple scripts suffice. True, this does nothing against most DOS attacks[0], but then the system from symbiot will not either.
Greetz, M4

[0] This looks like it could be very effective against syn type of attacks, but the problem of false positives versus impact will make you look at a decent firewall instead.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
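The threshold-triggered nullroute mentioned in the message above, as an added example that is not part of the original post or the setup its author saw. The alert log format, rule ids, addresses, threshold, window and allowlist are all constructed assumptions; the allowlist is there because of the false-positive risk the message raises.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts, oldest first: "<ISO timestamp> <rule id> <source IP>"
SAMPLE_ALERTS = """\
2004-03-08T14:00:01 1001 203.0.113.7
2004-03-08T14:00:05 1001 192.0.2.10
2004-03-08T14:00:06 1001 192.0.2.10
2004-03-08T14:00:07 1001 192.0.2.10
2004-03-08T14:00:10 1002 198.51.100.9
2004-03-08T14:00:20 1001 203.0.113.7
2004-03-08T14:00:40 1003 203.0.113.7
2004-03-08T14:01:30 1002 198.51.100.9
2004-03-08T14:03:00 1002 198.51.100.9
garbage line here
"""
THRESHOLD = 3                      # assumed: alerts needed before acting
WINDOW = timedelta(seconds=60)     # assumed: sliding window for the count
# Assumed allowlist: own scanners, monitoring, upstream gateways.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

def sources_to_nullroute(log_text, threshold=THRESHOLD, window=WINDOW,
                         never_block=NEVER_BLOCK):
    """Return sources with >= threshold alerts inside one window, in trigger order."""
    recent = defaultdict(deque)    # source -> timestamps still inside the window
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[2])
        except (IndexError, ValueError):
            continue               # unparsable line: never act on it
        if any(src in net for net in never_block):
            continue               # false-positive guard: allowlisted source
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()         # drop alerts that aged out of the window
        if len(hits) >= threshold and src not in flagged:
            flagged.append(src)
    return flagged

def nullroute_commands(addresses):
    """Render iproute2 blackhole routes for review; nothing is executed here."""
    return [f"ip -{a.version} route add blackhole {a}/{a.max_prefixlen}"
            for a in addresses]

if __name__ == "__main__":
    print("\n".join(nullroute_commands(sources_to_nullroute(SAMPLE_ALERTS))))
```

The script assumes alerts arrive in time order and only prints the routes, so an operator can review them before anything is applied.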