When Striking Back is The Best Defense
Tim Mullen, 2003-12-15

It shouldn't be a crime to reach out and hack an infected machine that's attacking your network.

Columnist Tim Mullen is on vacation. This article originally appeared July 29th, 2002.

When it comes to matters of security, most policies are hastily enacted as a reaction to some pressing force or foe. This is evident when you look at the rash of laws, procedures and policies put in place since September 11. I guess it is only natural: our fragile human psyche requires immediate comfort in the face of danger, our fears only resting when we know something is being done, even if that "something" equates to nothing at all.

When I purchased my plane ticket to the Blackhat Briefings (this week in Las Vegas), my receipt included a new "security fee." It was a whopping 15 percent of the ticket price. Fifteen percent! And has this bought us in-flight security? If you consider the confiscation of a fingernail file from Grandma Clampett after a spread-eagle grope-a-thon while 500 pieces of unchecked baggage are dumped in the cargo bay to the dirge of a conveyor belt's hum to be "security," then I got what I paid for.

Or more appropriately, what we paid for.

In the realm of computer security, this trend is the same. We pay to defend ourselves from compromised machines owned by those who choose not to secure them.

If an owner neglects his dog, and that dog attacks me, not only am I legally allowed to convert it into Mutt Foo Yung, but the owner is liable in tort. Yet if an administrator who could not secure a bowling ball without leaving at least three holes decides to put a destined-to-be-owned box on the Internet, justice turns a blind eye when it attacks my network, consuming resources and bandwidth.

This has got to change.

Let's use Nimda as an example. If I tell my system to issue the exact same series of GET requests that Nimda does against a machine, that action could be considered a federal crime. I would be a criminal. A cracker. A felon. The scum of the earth. But if an administrator does not secure his box, and the same series of GET requests hammer against my network for months at a time, he is a victim. An innocent. A leaf in a storm. And they blame Microsoft.

I propose that we have the right to defend our systems from attack. I am not talking about some vigilante strike upon script kiddies at the drop of a packet. I am not talking about a rampant anti-worm. I am talking about neutralizing an attacking machine in singularity when it is clearly and definitively infected with a worm that will continue to attack every box it can find until stopped.

Almost a year from its birth, Nimda continues to propagate. Discussions in newsgroups yield responses like "ignore it" or "if you are secure from Nimda it doesn't matter." These people are obviously not responsible for paying for their bandwidth.

The moment that I begin to incur costs, or the integrity of services that I pay for is reduced by any degree, is the moment that I have the right to do something about it.

It is simply self-defense.

At Blackhat this week I'll be describing what some would call a "hack-back" against an attacking box. I am proposing that it be considered legal. The main threat to the Internet is the prospect of a multi-faceted worm with attack vectors that not only seek out different services, but that do so against multiple operating systems. A measured strike-back technology could mitigate such a worm.

While the full technical details explaining the methodology I propose are outside the scope of this column, suffice it to say there are technical means to allow us to stop a Nimda attack, leaving the file structure completely in place for forensics, and closing the vector while leaving all services available. Not only is this defending one's self with what the law would call "reasonable force," but in this case, it amounts to minimal force which is almost graceful. It is a controlled, precise, and effective neutralization of an attack. This technique can also be applied to the next major worm.

Many will be quick to condemn such a system. Many will crucify the concept. But I think it is time to defend our right to defend, and this is a viable means to do so. Before you criticize, be prepared to offer your own solutions, otherwise you will just be making noise.

SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.