2003-12-15
It shouldn't be a crime to reach out and hack an infected machine that's attacking your network.
Great idea...all I have to do is spoof an attack on you from my enemy, and you'll take him out for me!
2003-12-16
Anonymous
When Striking Back is The Best Defense, use SPIKE Proxy!
2003-12-16
Dave Aitel (1 replies)

If my car's brakes are out of date, and I crash into another vehicle and cause that driver serious injury, I can be civilly sued for their medical bills and other damages. This does not give the right to the victim to suspend my license, confiscate my car, etc., but it does grant said right to the state.
If my computer is ill-maintained, and as a result I am hacked, I am negligent in the same regard. Given the technology for patch delivery and other workarounds, any admin who does not secure their production servers such that they cannot be attacked is doing an incredibly bad job.
I don't want to hear the excuses of people who are in situations with large numbers of systems -- use Windows' GPO, Unix has SSH, and basic firewalling. Everything crosses a proxy before it goes out, and before it comes in. Firewall things appropriately, and you'll even protect your LAN's machines from attacking each other. It has been done effectively, so I know it is a plausible solution.
I realize that the internet's lack of respect for geographical boundaries makes it difficult to try civil cases, but it makes it equally difficult to determine the justification for a counter-intrusion, and therefore makes this hasty plan of action that much more dangerous.
Timothy is right about one thing -- worm intrusions from computers hacked by the latest of Slammer, Blaster, Code Red, Slapper, Nimda, ... are a big problem.
However, hack-back methodologies fail. For one, how do you counter a worm like Welchia that patches its victims? You cannot exploit the original MSRPC buffer overflow, so you must deliberately disrupt the system with a related vulnerability.
For two, how do you establish a standard of proof of infection? If the machine is infected, it is already compromised and probably vulnerable to further intrusion, and any logs, etc., may have been altered, so the standard of evidence will drop to zero. The result is a vigilante type system, and the WWW turns into the World's Wild West.
For three, how do you counter worms based on zero-day exploits like MS03-007 was? Do you allow hack-backs in a case where no member of the community had knowledge of the flaw?
For four, how do you counter worms like Nimda that leave no directly exploitable flaws? For instance, when I saw compromised Windows 98 machines running IE 5.0 begin to attack my IIS 5.1 box relentlessly, there was really little for me to do. Why? Because those systems weren't running a server that I could return fire to, like the IIS 5.0 servers hit by Code Red. So, I could nuke them with a major packet flood, and drive them from the internet, but the minute they reboot they are attacking me again.
This all leads to one question -- what level of disruption is acceptable? Do we allow you to deliberately damage or crash a system that is under attack (like I would have had to do to the aforementioned systems), or do we limit you to removing the worm? The best solution is this: ISPs need to have a semi-automated system that monitors for signatures of worm scanning, and disconnects infected systems. Sort of like IDS, but for LAN-to-WAN traffic rather than vice versa. Accountability needs to be delivered by appropriate authority. These systems need to be disconnected, and then their owners penalized severely.
Link to this comment: http://www.securityfocus.com/comments/columns/203/24154#24154
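The comment above ends with a concrete defensive proposal: an ISP-side, semi-automated monitor that watches outbound (LAN-to-WAN) traffic for worm-scanning signatures and cuts off infected hosts instead of hacking back. The sketch below is an added example of that idea and is not code from the comment author or from SecurityFocus. It assumes flow records in a simple (timestamp, src, dst, dport, proto) shape, uses a constructed port table for the worms named in the thread, and treats "many distinct destinations on one worm port inside a short window" as the scanning signature. All traffic in it is constructed sample data.

```python
"""Sliding-window fan-out detector for outbound worm scanning, with a
disconnect/review decision an operator would confirm before acting.
Sample flows are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass

# Ports scanned by the 2003-era worms named in the thread. Assumption: this
# table is illustrative; a real deployment would maintain its own.
WORM_PORTS = {
    135: "MSRPC (Blaster / Welchia)",
    1434: "MS SQL resolution (Slammer)",
    80: "HTTP (Code Red / Nimda)",
}


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str     # inside host
    dst: str     # outside host
    dport: int
    proto: str   # "tcp" or "udp"


def detect_scanners(flows, window=60, fanout=20):
    """Return {src: [(dport, peak_distinct_dsts, description), ...]} for every
    inside host that reaches at least `fanout` distinct outside hosts on one
    worm port within any `window`-second span.  Events are grouped per
    (src, dport), sorted by time, and scanned with a sliding window that
    tracks how many distinct destinations are currently inside it."""
    by_key = defaultdict(list)
    for f in flows:
        if f.dport in WORM_PORTS:
            by_key[(f.src, f.dport)].append((f.ts, f.dst))

    alerts = defaultdict(list)
    for (src, dport), events in by_key.items():
        events.sort()
        counts = defaultdict(int)  # dst -> occurrences inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Evict everything older than `window` seconds before this event.
            while events[left][0] < ts - window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= fanout:
            alerts[src].append((dport, peak, WORM_PORTS[dport]))
    return dict(alerts)


def quarantine_decisions(alerts, allowlist=frozenset()):
    """Map alerts to a proposed action.  Hosts the operator has allowlisted
    (e.g. an authorised vulnerability scanner) are queued for human review
    rather than cut off automatically."""
    return {src: ("review" if src in allowlist else "disconnect")
            for src in alerts}


def sample_flows():
    """Constructed sample traffic:
    - 10.0.0.7 sweeps 40 hosts on 135/tcp in 40 s (Blaster-like)
    - 10.0.0.9 makes five ordinary HTTP connections
    - 10.0.0.3 probes 25 hosts on 1434/udp but only one every 24 s, which a
      60-second window will not flag (slow scans need a longer window)."""
    flows = [Flow(1000 + i, "10.0.0.7", f"203.0.113.{i + 1}", 135, "tcp")
             for i in range(40)]
    flows += [Flow(1100 + i * 7, "10.0.0.9", f"198.51.100.{i + 1}", 80, "tcp")
              for i in range(5)]
    flows += [Flow(2000 + i * 24, "10.0.0.3", f"192.0.2.{i + 1}", 1434, "udp")
              for i in range(25)]
    return flows


if __name__ == "__main__":
    found = detect_scanners(sample_flows())
    for host, action in quarantine_decisions(found).items():
        print(host, action, found[host])
```

The two thresholds are the whole policy: a 60-second window catches fast sweepers like the constructed 10.0.0.7 but misses the slow 10.0.0.3 until the window is widened, and the allowlist is what keeps the "semi" in semi-automated so a legitimate scanner is reviewed rather than disconnected.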