Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A question for the list...

From: Ray Stirbei <me () highentropy org>
Date: Wed, 21 May 2003 02:04:04 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave,

I commend your passion to write such a lengthy post and there is no 
disagreement about the negative impact of worms and DoS atacks. I also agree 
with you that such a strike back would probably be effective in mitigating 
these types of attacks. 

For the sake of reference here are the sources of this discussion. Most of 
these have reader feedback:

Tim's original posts and presentation from last summer:
http://www.securityfocus.com/columnists/98
http://www.securityfocus.com/columnists/134
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-mullen.pdf

An academic paper presented to IEEE about the same time as Tim's work - summer 
2002 ( Nimda season ). 
http://www.sosresearch.org/publications/ISTAS02hackback.PDF

Here's the argument in 2001
http://www.newsfactor.com/perl/story/14874.html:

And 2000
http://www.nwfusion.com/research/2000/0529feat2.html

You can find references in the IEEE paper when this topic was discussed in 
1999, 1998, etc. 

The IEEE paper deals with the majors issues in a systematic way. In the 
context of your message, a big problem we face is not knowing the identity of 
the attacker. A few years ago IDS vendors introduced the capability to 
dynamically update firewall ACLS to drop all traffic from hosts who 'seemed' 
to attack the network. This concept is called shunning and its a sensible 
idea. The problems started when attackers would launch an common attack (whom 
the IDS sensor is sure to pick up), but masqueraded the traffic to make it 
look like it is from the IDS sensor itself. Surely enough, the IDS responds 
by adding firewall rules which in effect shut down the IDS sensor.  The irony 
is almost Shakespearean. 

A lot of things that makes sense (in the area of self-defense) in the physical 
world, don't hold water on the Intenet. Cars, for example, are powerful tools 
but can also wreak great havoc in irresponsible hands. So we have tight 
federal regulations mandating safety featuresand construction, traffic laws 
at all gov't levels and licensing for all operators. We don't have this on 
the Internet! Moreover, even if US passes laws legalizing a counterstrike, 
there are many other countries in the world (190 to be exact) an attacker can 
choose to attack from.  Even script kiddies these days bounce around the 
world prior to an attack. 

Security is a difficult endeavour and I suspect the long term approach to this 
problem are better secured systems that (passively) react and neutralize the 
threat. Your message brings many great points. In reponse to the Fizzer 
approach, I restate that counter attacking is effective. However, this is a 
complex topic with all types of consequences and just becuase its effective 
doesn't mean it is the right thing to do. 

ray



On Sunday 18 May 2003 02:56 pm, Dave Sharp wrote:

Hi, I'm new to this, so please excuse the posturing and or ignorance. :-)


The discussion,


...........................................................................
. ....................
Here is a link for a report on News.com and it contains some opinions by
legal folk. http://news.com.com/2100-1002_3-1003894.html?tag=lh<<<<<<


A bunch of ideas for discussion pop-up to me... some of these may not be
totally on-topic for this forum, if you can tie something back into
incident response, I'll likely allow it through.


What are the implications down the road?


Notwithstanding any legal implications I can see nothing but good arising
from a responsible associate taking action
against an active malevolent program. In proactively responding to a threat
to their own networks, they are doing the
whole community justice. Whether the malware propagates due to ignorance,
laziness or budget, I think the end justifies the means.

I know what it is like to be on the other end of stick. When Nimda was
released, my ISP (sympatico) was heavily infected. At the time, the only
thing I knew was the internet had slowed to a crawl and my firewall was
racking log entries non stop. My newly installed NOD32 antivirus kept the
worm at bay while my Norton machines were infected and I had no idea what
was wrong. In the end, I had to take my computers and one server off the
WAN due to the constant attacks from my ISP.
After a little research, I did a port scan of my subnet to find that over
100 machines were actively infected on my DSL subnet and wrote to
Sympatico. Never did receive a reply. Wonder why?


-Are there concerns that organizations have with this trend?
Legal?


Precedure?

Given some of the legal tripe that has come down from the courts concerning
networks and the internet in the last year,
I think a precedence could be established in court if one responded to a
crisis situation on a neighboring network and shutdown malware. No sense
elaborating since it would be nothing more than legal speculation. Given
the legal state
of affairs in the US, and their penchant for siding with criminals who is
to say. (no different here in Canada either)

Just to reinforce my first statement.
http://www.freedom-to-tinker.com/archives/000336.html

To put the shoe on the other foot, why shouldn't the infectious networks be
held responsible for
propagating the malware code if preventive measures such as patching the
server exist in the first
place? Is it not their responsibility to ensure that their servers DO NOT
contribute to further infection
if the means exist and are widely known? Could this set a precedent to sue
an enterprise network for
virulent proliferation to extract the costs of infection cleanup?


-Is this any different than a similar activity that installs


malicious code on the target host?

I would say yes. There is currently no mechanism for a network that has
been infected from malware to recover costs
associated from an infection. One could block or otherwise prevent the
spread to their networks through passive means
but what about the loss of bandwidth while the malware constantly hammers
their networks? A properly planned and executed
tactical response against a rogue network responsible for spreading
infection would benefit the internet as a whole.
I cannot see this as being erroneous. If a rogue network is responsible for
spreading infection and can be taken offline or rendered safe, where is the
downside? If it is a matter of moralistic semantics, I believe it to be a
moot point.

One could argue the merits of an individual taking action against such a
network, but what if it were an organization?
Seems to me that there is a need to actively pursue some sort of organized
response against widespread infections in
networked communications. It would have to be more effective and responsive
than a UN type organization. Someone would
have to be responsible and make quick final decisions. It is a problem that
knows no borders or political boundaries and
therefore should not be a consideration. If they infect, they come down,
that simple. Right? If they don't they should
be held responsible for cross network infections as a result of inaction.
Host networks that are offshore could be
blocked altogether. Nonetheless I actively block complete known malicious
networks and subnets from my server as a matter of practice.


-The approach that Tim advocated was significantly less
intrusive


than the approach taken with the Fizzer virus, Tim's approach made no
significant changes on the targeted host, simply blocked the ability of
Nimda to replicate (if I remember correctly), and notify the owner that
they have been compromised and where to go to find help in removing the
infection. The approach taken to actually modify the system to remove
Fizzer seems to go significantly past that. Why was the reaction to Tim's
advocacy of discussion so hostile, and to date, I have seen no negative
criticism of the Fizzer removal.

I can see no relevant argument against such a response. Again, where is the
downside to this? Most times, when a network
is responsibly managed, these infections do not take place. I stress MOST
times. If a network admin were hostile to taking
preventative measures, one would have to ask why and deserve and answer. In
the mean time, down he comes despite the
arguments.


-Is this a catalyst for a group (IETF?) of some kind to


debate these issues to find a resolution? I think that most people would
agree that the increasing risk that these distributed networks pose to
every Internet connected host is grave, and a better method is required to
deal with them. Are there other ideas that don't get us into "arms races"
with malcode writers.

Being new to this (less than a year) and a user of 5 years, I think this is
an idea's who's time has come. A group? Yes.
A responsible group, with authority to take appropriate and swift action.
In fact in the US, could this not be actively
reconciled as part of Homeland Security? Networks compromised by malware
would indeed be ripe for further intrusions and
exploits while being brought to their digital knees. An infected network
could be effectively "quarantined" while the
group takes action to provide effective cleanup and provide network
forensics. Cause and effect have to be established and
preventative measures brought up to speed.


-If this becomes standard practice, will this force the


communication and update channels underground/encrypted (the "arms race"
that I mentioned)

I wouldn't like to think so, but as long as there are malware purveyors
there will always be a war. Taking into account
what is at stake, I believe tactical responses are appropriate and
necessary. Many networks, ISP's and enterprises have
too much to lose not to take a proactive stance in shutting down virulent
networks. The problem is than a large majority
of casual users do not recognize the threat, and a similarly large amount
of network admins do not do their jobs, or
respond inappropriately or ineffectively to an network infection.

At this point, I would have to ask why it took so long for ISP's to respond
appropriately to Nimda and Slammer? Why were
servers not patched and protected? Why after infection did they remain
actively networked for so long? Why are infected
networks not FORCED offline or blocked? Who the hell is in
charge??????????????? If no one, then the question that begs to be answered
is why this is even an issue? If a contentious educated individual who's
network is under attack responds to
that attack in a friendly tactical manner, where is the problem? Who is to
stop him, and why would they want to? If my
server was actively infecting a network and someone stepped up to the
plate, stopped it and informed me of what they did,
I would feel "schooled", and would be thankful for the education. From what
I see from these newsletters, there are many,
many, individuals on this list who meet those criteria.


-What are some of the strategies that organizations are


implementing to control their exposure to these communication channels?

Good question. :-)Lots of talk, lots of available software and hardware not
to mention educational facilities! The Slammer worm is still the proof in
the pudding. One would think that the Nimda worm taught a world wide
lesson, but apparently not. How many of the SQL servers online belonged to
enterprises with large budgets and IT staff. Why did they not take the
appropriate measures to prevent the spread of the slammer worm when so many
avenues of prevention clearly exist is my question? To not patch a server
in my opinion is inexcusable. If you haven't got the budget or the time,
then you shouldn't be networked to others that do.


-If a command can be given in a channel to "shut down" the
network


of hosts, what is the view on the legality of doing this? If you had a host
on your network that was suddenly shut down by a well meaning (or not so
well meaning third party), what would your response be?

Like I said above, I'd feel "schooled". Especially if I received an email
outlining what they did, how they
did it, and why. If I am actively infecting a network or subnet, I should
be thankful. Are we not all members of the same loose community? If a
particular network admin fails in his duties, why should his lack of action
or education serve
as a (loosely)" Typhoid Mary"  for the rest of the net? Shutting down
infectious networks is a responsible reaction.

To use a medical analogy with which the computer community loves to flirt
with,  (Dell Support Interns?)

If the virus was a medical problem, and the code writer a doctor, he would
be deemed a HERO, and not in the
loose terms that it is being used today. I say write and deploy your (SARS)
corrective code who ever you are!


Sincerely,

Dave Sharp

apprentice networking and admin


---------------------------------------------------------------------------
- *** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
---------------------------------------------------------------------------
-

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+yxbbzejBliQ3SdsRAgAEAJ0eeoFtLTJ2UxEmsWSCBMe77wgAdQCgkwad
3V38otXHSxT3TF9/V5UwpAs=
=I4hp
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: