When Striking Back is The Best Defense
Tim Mullen, 2003-12-15

It shouldn't be a crime to reach out and hack an infected machine that's attacking your network.

When Striking Back is The Best Defense 2003-12-15
Dmitriy (1 replies)
When Striking Back is The Best Defense 2003-12-15
nevada smitth
The Alternate Methodology 2003-12-15
Matthew Murphy
When Striking Back is The Best Defense, use SPIKE Proxy! 2003-12-16
Dave Aitel (1 replies)
Alright, that was cute. [n/t] 2003-12-17
Anonymous (1 replies)
Alright, that was cute. [n/t] 2003-12-21
Dave Aitel
When Striking Back is The Best Defense 2003-12-16
Nick Seidenman, CISSP
When Striking Back is The Best Defense 2003-12-17
Jerry Ozbun
First time Posting

A lot of good points have been brought up. I especially enjoyed Mr. Murphy's response. He had a lot of great points. I think that Tim's solution is a tad overdramatic.

Looking at the Hack Back theory, at first it might work well. We have a smallish audience here, since if you are reading this then you are probably in the minority. But if the Hack Back tactic were to gain popularity, those same Administrators who (out of ignorance, laziness, sloth, or whatever) do not maintain their systems would begin to get into it. At that point we would end up with a lot more indiscriminate Hacking Back.

Once we have this environment we take the Wild West approach. We open up hunting season. System A attacks System B, but spoofs System C. The Admin of System B knows enough to be dangerous, but doesn't catch the spoof, and attacks System C. System C then gets in the mix, and we have a three-way going. At this point we have a small firefight that could easily get bigger, so maybe System A switches spoofing to System D, and starts attacking System E. System E then retaliates. Of course maybe System E's Administrator can figure out what's going on, contact System A, and get the Admin to patch it, but then B and C are going at each other, and the initial vector has been resolved. I am sure you can see how this could go on indefinitely as more people begin to use the "Hack back" method.

Who is the winner here? The person who wrote the worm that compromised System A in the first place. It accomplished their desire, which was notoriety, chaos, data, or whatever. Meanwhile we have flooded the networks with Hacks and Hack Backs, and essentially created an internet "Firefight". A lot of people might disregard this idea, stating that THEY would be more careful. My response is that if you are even reading this article you are in a minority in our profession.

I used the word Firefight above because it gives the right impression, but it's misleading in some ways. In a real Firefight people die, and so they tend to be cautious when shooting. In this case a lot of Administrators feel somewhat insulated by the internet and the illusion of anonymity (again, if you are reading this you are probably NOT one of those people). That insulation would, in my humble opinion, make the Hack Back much more destructive than the originally compromised system.

If we as Administrators have to rely on "Hacking Back" as our defense, then there had better damned well be some kind of accountability when you happen to hack the wrong box. Given the scenario above it would take just some minimal forensics to determine what happened. In a more complicated environment Systems B and C might well resort to lawsuits, and who wins then?

I think that Mr. Murphy (and many others here) has it right. The only real solution is the same one I see for Spam. Why should System A be sending out THAT many packets? ISPs should start profiling their services: categorize their high-bandwidth customers, and raise a red flag when those customers start behaving in a manner not consistent with their normal behavior.

An automated system could do the flag raising, and then call for attention from someone who contacts the customer to inquire about their irregular activity. A lot of people would balk at this, claiming invasion of privacy, but Internet access is not in our constitution, and you do not need it to pursue happiness. Access to the Internet is a service that you pay for, but there should be rules. The ISPs are the ones who would need to enforce those rules. Defining those rules should be up to a public body, and due to international boundaries and such, this has its own obstacles.

All in all I don't suppose any of us have any real solution as individuals. Just as in the real world, it is only through open forum and consensus building that we can truly make an impact on this world. Insisting that our ISPs provide us with a minimum of rudimentary control over the pipe we are paying for might be a start. The one thing to consider is that until we can get one ISP to raise the bar in this respect, and then support that ISP by using their services in preference to less secure ISPs, none of the ISPs will make a move.


Link to this comment: http://www.securityfocus.com/comments/columns/203/24182#24182
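The profiling-then-human-follow-up scheme argued for in the comment above (learn each customer's normal outbound volume, raise a flag only when that customer deviates from their own baseline, and hand the flag to a person rather than blocking anything) can be shown as a small detection routine. The code below is an added example; it is not the commenter's, Tim Mullen's or SecurityFocus's code. It assumes the ISP already has per-customer outbound packet counts per fixed interval (hourly, say); the records, customer ids and thresholds are constructed for illustration.

```python
"""Per-customer outbound-traffic profiling with human follow-up.

Added example, not code from the comment above or from SecurityFocus.
It assumes the ISP already exports per-customer outbound packet counts
per fixed interval (e.g. hourly); the records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

TRAINING_INTERVALS = 20  # intervals used to learn each customer's normal volume


def constructed_records():
    """Constructed sample: (customer_id, interval_index, outbound_packets)."""
    recs = []
    for i in range(30):
        # Customer A: quiet line around 1000 pkts; a worm-like burst begins at interval 24.
        a = 60000 if i >= 24 else 1000 + (i * 37) % 80
        # Customer B: low volume with one modest, legitimate bump at interval 22.
        b = 300 if i == 22 else 100 + (i * 11) % 30
        # Customer C: consistently heavy user (~40000 pkts); high, but normal for them.
        c = 40000 + (i * 53) % 3000
        recs += [("A", i, a), ("B", i, b), ("C", i, c)]
    return recs


def build_baselines(records, training_intervals=TRAINING_INTERVALS):
    """Per-customer (mean, population std dev) over the training window."""
    per_customer = defaultdict(list)
    for cid, idx, pkts in records:
        if idx < training_intervals:
            per_customer[cid].append(pkts)
    return {cid: (mean(v), pstdev(v)) for cid, v in per_customer.items() if len(v) >= 2}


def flag_anomalies(records, baselines, sigma=3.0, min_ratio=5.0):
    """Flag intervals where a customer exceeds BOTH mean + sigma*std and
    min_ratio * mean.  Requiring both keeps a nearly constant baseline
    (std close to 0) from flagging harmless jitter, and compares a heavy
    customer against their own history rather than against everyone else."""
    flags = []
    for cid, idx, pkts in records:
        if cid not in baselines:
            continue  # no history yet; nothing to compare against
        mu, sd = baselines[cid]
        threshold = max(mu + sigma * sd, min_ratio * mu)
        if pkts > threshold:
            flags.append((cid, idx, pkts, round(threshold)))
    return flags


def contact_queue(flags):
    """Collapse flags into one work item per customer: (first interval, peak pkts).
    This is the hand-off to a person who contacts the customer; nothing is blocked."""
    queue = {}
    for cid, idx, pkts, _ in flags:
        first, peak = queue.get(cid, (idx, 0))
        queue[cid] = (min(first, idx), max(peak, pkts))
    return queue


def run_demo():
    recs = constructed_records()
    flags = flag_anomalies(recs, build_baselines(recs))
    return flags, contact_queue(flags)


if __name__ == "__main__":
    flags, queue = run_demo()
    for cid, (first, peak) in queue.items():
        print(f"customer {cid}: irregular since interval {first}, peak {peak} pkts/interval")
```

On the constructed data only customer A is queued (from interval 24 onward); customer C is never flagged despite moving forty times A's normal volume, because the comparison is against C's own baseline, and customer B's threefold bump stays below the five-times-mean floor. The two-part threshold is the design choice worth keeping when adapting this: a pure standard-deviation rule would flag B's bump, since B's baseline is almost flat.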
Another vote for ISP involvement 2003-12-19
Anonymous
Copyright 2009, SecurityFocus