Re: A question for the list...
From: Ray Stirbei <me(at)highentropy.org>
Date: Wed May 21 2003 - 02:04:04 EDT
Dave, I commend your passion to write such a lengthy post and there is no disagreement about the negative impact of worms and DoS attacks. I also agree with you that such a strike back would probably be effective in mitigating these types of attacks.

For the sake of reference, here are the sources of this discussion. Most of these have reader feedback:

Tim's original posts and presentation from last summer:
http://www.securityfocus.com/columnists/98
http://www.securityfocus.com/columnists/134
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-mullen.pdf
An academic paper presented to IEEE about the same time as Tim's work - summer 2002 (Nimda season).
Here's the argument in 2001
And 2000
You can find references in the IEEE paper when this topic was discussed in 1999, 1998, etc. The IEEE paper deals with the major issues in a systematic way.

In the context of your message, a big problem we face is not knowing the identity of the attacker. A few years ago IDS vendors introduced the capability to dynamically update firewall ACLs to drop all traffic from hosts who 'seemed' to attack the network. This concept is called shunning and it's a sensible idea. The problems started when attackers would launch a common attack (which the IDS sensor is sure to pick up), but masqueraded the traffic to make it look like it is from the IDS sensor itself. Sure enough, the IDS responds by adding firewall rules which in effect shut down the IDS sensor. The irony is almost Shakespearean.

A lot of things that make sense (in the area of self-defense) in the physical world don't hold water on the Internet. Cars, for example, are powerful tools but can also wreak great havoc in irresponsible hands. So we have tight federal regulations mandating safety features and construction, traffic laws at all gov't levels and licensing for all operators. We don't have this on the Internet! Moreover, even if the US passes laws legalizing a counterstrike, there are many other countries in the world (190 to be exact) an attacker can choose to attack from. Even script kiddies these days bounce around the world prior to an attack.

Security is a difficult endeavour and I suspect the long term approach to this problem is better secured systems that (passively) react and neutralize the threat.

Your message brings many great points. In response to the Fizzer approach, I restate that counter attacking is effective. However, this is a complex topic with all types of consequences and just because it's effective doesn't mean it is the right thing to do.

ray
On Sunday 18 May 2003 02:56 pm, Dave Sharp wrote:
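Added example, not part of Ray's message or of any IDS product: a simulation of the shunning failure mode he describes, run over constructed alerts. The naive handler blocks whatever source address an alert names, so a spoofed alert carrying the sensor's own address locks the sensor out; the guarded handler checks an allowlist of infrastructure (the addresses below are assumed) and bounds how many rules it will add, since alert source addresses are attacker-controlled.

```python
import ipaddress

# Constructed, hypothetical infrastructure: the IDS sensor, its management
# segment, and the resolver. None of these values come from the original post.
SENSOR_IP = "10.0.0.5"
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/29", "203.0.113.53/32")]

# Constructed sample alerts as a sensor might emit them; the second one has a
# spoofed source address equal to the sensor itself.
SAMPLE_ALERTS = [
    {"src": "192.0.2.10", "sig": "worm probe"},
    {"src": SENSOR_IP, "sig": "worm probe"},
    {"src": "192.0.2.11", "sig": "worm probe"},
]


def is_protected(src):
    """True if src falls inside a network we must never shun."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROTECTED)


def naive_shun(alerts):
    """Original shunning behaviour: a deny rule for every alert source."""
    return [f"deny ip host {a['src']} any" for a in alerts]


def guarded_shun(alerts, max_rules=100):
    """Shun only non-infrastructure sources, and cap the number of rules.

    Returns (rules, skipped) where skipped lists (src, reason) pairs so the
    refusal is visible to an operator instead of silently dropped.
    """
    rules, skipped = [], []
    for a in alerts:
        src = a["src"]
        if is_protected(src):
            skipped.append((src, "protected address; alert source is unverified"))
            continue
        if len(rules) >= max_rules:
            skipped.append((src, "rule budget exhausted"))
            continue
        rules.append(f"deny ip host {src} any")
    return rules, skipped


def sensor_blocked(rules, sensor=SENSOR_IP):
    """Would this rule set cut off the sensor's own traffic?"""
    return any(f"host {sensor} " in r for r in rules)
```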
Received on Wed May 21 12:39:34 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:05 EDT