Information Security News mailing list archives

Hack back


From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 19:37:18 -0500

http://www.nwfusion.com/research/2000/0529feat2.html

By Deborah Radcliff
Network World, 05/29/00

Hack back

Virtual vigilante or packet pacifist? Network executives have mixed
feelings about whether to retaliate against an attack

In December, when protesters were rampaging through Seattle in an
attempt to disrupt the World Trade Organization summit meeting, other
activists were launching a denial of service (DOS) attack on the WTO
Web site.

But the WTO's Web-hosting service spotted the attack and repelled it,
bouncing the flood of page download requests back to the origin
server, which was run by a group calling itself electrohippies.

The e-hippies coalition, based in the U.K., never publicly
acknowledged that the attack had been turned back on its own server.
But the next day, a notice appeared on the e-hippies site apologizing
that "people have had problems getting through" to its site.

To retaliate or not to retaliate? In cyberspace, there is no simple
answer.

Conxion, the San Jose hosting service that reversed the attack on the
WTO server, recognized the attack was coming from a single IP address
belonging to the e-hippies server.

"So we told our filtering software to redirect any packets coming from
these machines back at the e-hippies Web server," says Brian Koref,
senior security analyst at Conxion.

Conxion was so proud of having given the attackers a dose of their own
medicine that it issued a press release about the incident. However,
the reaction among IT professionals to the counterstrike was decidedly
mixed.

Most IT professionals interviewed for this story said they would not
strike back in cyberspace, for fear of hitting an innocent bystander.
But they're not averse to taking some action when they're sure of the
perpetrator's identity.

If vendor tools are any indication, fighting back may indeed be
gathering acceptance in the IT community. Intrusion detection tools,
for example, can be configured to reverse attacks. New reactive tools
are also popping up in the marketplace, and freeware attack-reversing
tools abound on the Web.

Gray areas

Opponents of retaliation say reversing an attack is akin to taking the
law into your own hands. They worry that they may inadvertently bounce
the attack back to an innocent target and bring the law down on
themselves.

"Fighting back is a bad idea. I wouldn't do it," says Al Potter,
manager of network security labs at ICSA Labs in Carlisle, Pa. "If
it's illegal for them to attack you, then it's also illegal to attack
them. And then we have this whole problem of crossing state and
national boundaries. I don't even want to go there."

Lt. Commander Chris Malinowski, who heads the New York City Police
Department's computer crime unit, agrees: "Just because you're a
victim, doing it back to the bad guy doesn't make it any less of a
crime."

Both Potter and Malinowski say Conxion's actions fall in a gray area.
Malinowski says what Conxion did could qualify as refusing mail and
returning it to the sender, which in the eyes of the law would be
legal.

"If they're functioning solely within their own system to take
preventative action during an attack, there should not be a problem,"
Malinowski says. "Rejecting mail is a normal system administration
function. Now if they were inserting their own mail and sending that
back to the e-hippie site, you may have a problem."

Know thy target

Conxion had a clear IP address trail to the e-hippies server, so it
was simple to bounce the traffic back to that address.

But consider that most crackers launch their attacks with forged
source addresses or through compromised intermediaries. The February
distributed DOS attacks that crippled Amazon.com, eBay and others were
launched from innocent "zombie" machines that had been hacked and were
then commanded to do the bidding of the attacker. Had the victims
retaliated by volleying the packets back to the source IP address,
they would have shut down servers at legitimate businesses that had no
knowledge of their part in the attacks.

"It would be blind luck to be placed into a situation where somebody
is actually attacking your site from their own machine. The more
typical case is the cracker has compromised one or several ISPs,
telnetting from one to the next, creating a nearly untraceable trail
through the Internet," says Greggory Peck, a security analyst at a
Fortune 500 company and editor of the "HappyHacker.org" newsletter.

Lance Dubsky, a security manager for a government agency he doesn't
want named, knows of a case in which a system administrator at a
private company hacked back.

Unfortunately, the IP address was fake and the administrator slammed
an innocent target, which, in turn, traced the DOS attack back to the
system administrator and alerted his superiors. The system
administrator lost his job.

Vendor approved?

Object lessons like that, however, are not stopping vendors from
bringing a number of new reactive technologies to market. For example,
Recourse Technologies in Palo Alto, Calif., and GTE Federal Network
Systems in Arlington, Va., peddle cracker-trapping technologies called
honey pots.

These are network boxes that act like fly traps, luring crackers so
network monitors can observe the attacker's actions and gather the
attacker's identifying information.

"There's a fine line between privacy and taking aggressive
countermeasures," says Frank Huerta, Recourse's president and CEO.
"Our Mantrap tool is more like using video surveillance in stores."

Watching for suspicious activity and gathering evidence against
attackers is one thing. But other vendors -- particularly intrusion
detection vendors -- offer the capability to configure their tools to
take more action than just killing incoming connections. They also
could be configured to trace the IP address and return a DOS attack,
say Peck and others.

Peck says salespeople from security vendors have told him they
wouldn't recommend launching a retaliatory strike, but they also
boasted that their product was capable of being programmed to launch
one.

Vendor-assisted or not, you still run into the problem of hitting an
innocent target.

"If the intrusion-detection system is programmed for an automated
response, you could deny service to an innocent party by sending the
attack back to a forged IP address," says Scott Blake, security
program manager at Bindview, an Internet security vendor in Houston.
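The failure mode Blake and the "Know thy target" section describe is mechanical: an automated "bounce it back" rule aims at whatever the packet's source field says, and a flood with forged sources turns that rule into an attack on third parties. The script below is an added example, not code from the article or from any vendor it names. It builds two constructed floods (one genuine single-source flood like the e-hippies case, one SYN flood with random source addresses) and contrasts what a reflecting response would target with a response that acts only on the defender's own border, the distinction Malinowski draws. The rule format returned by `local_response` is an assumed, product-neutral shape.

```python
"""Added example: what an automated 'reflect it back' rule actually targets.

The traffic here is constructed for illustration, not a capture from any
incident in the article. Each flow is a tuple
(claimed source IP, destination port, tcp_handshake_done).
"""
from collections import Counter
import ipaddress
import random


def single_source_flood(n: int = 500) -> list:
    """One real host fetching pages as fast as it can (the e-hippies pattern).
    The handshake completes, so the source address is at least reachable."""
    return [("192.0.2.10", 80, True)] * n


def spoofed_flood(n: int = 500, seed: int = 1) -> list:
    """A SYN flood whose source field is random garbage: nothing ever
    completes a handshake, and every address belongs to someone else."""
    rng = random.Random(seed)
    return [(str(ipaddress.IPv4Address(rng.randrange(1 << 32))), 80, False)
            for _ in range(n)]


def dominant_source(flows, share: float = 0.9):
    """Return the source IP if one address sent >= `share` of the flows, else None."""
    if not flows:
        return None
    src, count = Counter(f[0] for f in flows).most_common(1)[0]
    return src if count / len(flows) >= share else None


def reflect_targets(flows) -> set:
    """Addresses a 'bounce it back to the sender' rule would send traffic to.

    It trusts the source field blindly. For a spoofed flood that is a set of
    uninvolved third parties; even a genuine, handshake-completing address may
    be a compromised zombie whose owner is also a victim.
    """
    return {f[0] for f in flows}


def local_response(flows, share: float = 0.9) -> list:
    """Border rules that act only on our own side and emit no packets.

    Returns (action, match) tuples in an assumed stateless-filter style;
    this is not any particular product's syntax.
    """
    if not flows:
        return []
    src = dominant_source(flows, share)
    if src is not None:
        # One address dominates: drop it at the edge. Nothing leaves our network.
        return [("drop", f"src {src}")]
    port = Counter(f[1] for f in flows).most_common(1)[0][0]
    if not any(f[2] for f in flows):
        # Many sources, no completed handshakes: a spoofed SYN flood.
        # There is no one to 'return' it to.
        return [("syn-rate-limit", f"dst port {port}")]
    # Many sources that do complete handshakes: a zombie herd. Still rate-limit
    # rather than reflect; the source hosts are compromised, not the attacker.
    return [("rate-limit", f"dst port {port}")]


if __name__ == "__main__":
    for name, flows in (("single-source", single_source_flood()),
                        ("spoofed", spoofed_flood())):
        print(f"{name}: reflecting would hit {len(reflect_targets(flows))} "
              f"addresses; local rules: {local_response(flows)}")
```

Run stand-alone, the single-source flood reflects onto exactly one address and the spoofed flood onto hundreds, none of which is known to be the attacker; the local policy produces one drop rule for the former and a rate limit on our own port for the latter, with no outbound traffic in either case.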

Bindview also sells a reactive tool called the Zombie Zapper, which
was released in March as a response to the distributed DOS threats.
Instead of returning the DOS attack at the offending IP address, it
impersonates the "master" of the slave machines and sends an order to
those slaves to stop sending DOS packets, which only works when the
slaves run a known DOS agent that still accepts its default control
password. According to Blake, Zombie Zapper was downloaded more than
7,000 times in the two weeks following its posting.

With a number of freeware vigilante tools being posted on the Web, how
far will commercial vendors go? And will network management
professionals use these reactive tools?

ICSA's Potter, who says that most of these legitimate vendor products
offer some of this reactive capability as "eye candy," thinks this
trend won't go much further. Vendors, he says, will ultimately offer
what buyers want, and buyers would prefer to see better passive
protection in existing tools than new reactive capabilities.

But corporate network and security managers are becoming increasingly
frustrated with Internet crime -- cybercops can't keep up with it.
Cracking comes at a hefty cost to corporate America, with financial
losses due to computer crime costing 273 organizations nearly $266
million last year, according to a March report by the Computer
Security Institute in San Francisco and the FBI.

"My experience, I'm sad to say, is that unless you are a very large
organization -- a multibillion-dollar company that is publicly traded
and frequently in the media -- whatever help is forthcoming from
agencies like the FBI will certainly take a long time," Peck says.
"But you, acting as your own security analyst, can accomplish a great
deal more than can, say, the FBI."

Capt. John Jarrett, computer crime investigator with the Show Low
Police Department in northeastern Arizona, would like to see more
organizations get involved in actively protecting their assets. "I'd
actually hope people get tired of things and take a stand," he says.

At the very least, Jarrett would like to see corporations do more of
their own tracking of e-criminals so they can present evidence to the
district attorney's office. But he, like Malinowski and other law
enforcement officers, stops short of advocating retaliation.

So what's the solution? Start by building up your defensive posture.
That means tightening and then testing the security in your network
infrastructure, starting with your operating systems and working out
to your perimeter firewalls and routers.

Brace your networks for more distributed attacks, nastier viruses and
more chaos until these issues sort themselves out.

"[Cybercrime is] going to get worse before it gets better," Potter
says.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

