Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Is Retaliation the Answer To Cyber Attacks?

Soulskill posted more than 3 years ago | from the with-your-switch-or-on-it dept.

Networking 142

coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."

cancel ×

142 comments

Sorry! There are no comments related to the filter you selected.

First! (-1, Flamebait)

travischristal (1645641) | more than 3 years ago | (#34968032)

First

Re:First! (2)

transwarp (900569) | more than 3 years ago | (#34968046)

No, retaliation comes *after* the attack. The attack comes first.

Re:First! (1)

Anonymous Coward | more than 3 years ago | (#34968132)

No, retaliation comes *after* the attack. The attack comes first.

Which is exactly the problem; by the time you retaliate you've already taken damage. Do unto others BEFORE they do it to you.

Seven Habits of Highly Effective Pirates (1)

KiloByte (825081) | more than 3 years ago | (#34968394)

Rule #13: Do unto others.

Re:Seven Habits of Highly Effective Pirates (1)

Mitchell314 (1576581) | more than 3 years ago | (#34969172)

I accidentally others all the time.

Re:First! (0)

Anonymous Coward | more than 3 years ago | (#34968548)

The problem is, if you throw the first punch, you've got no right to cry if you get hit back.

Re:First! (1)

dgatwood (11270) | more than 3 years ago | (#34968988)

From a purely Machiavellian perspective, if you throw the first punch and they're still able to hit back, then you deserve to get hit.

Re:First! (1)

sinan (10073) | more than 3 years ago | (#34968314)

Unless it is "Anticipatory Retaliation"...

Re:First! (0)

Anonymous Coward | more than 3 years ago | (#34968760)

I believe the political term is "preemptive strike".

Re:First! (1)

causality (777677) | more than 3 years ago | (#34968886)

I believe the political term is "preemptive strike".

Just like "shock and awe" is the new political term for "blitzkrieg".

Bad idea (5, Funny)

SHP (8391) | more than 3 years ago | (#34968060)

Makes about as much sense as conducting panty raids on shoplifters.

Re:Bad idea (0)

Anonymous Coward | more than 3 years ago | (#34968194)

That sounds like an excellent idea.

Re:Bad idea (0)

Anonymous Coward | more than 3 years ago | (#34968618)

I don't think you would be interested in the panties you get from most shoplifters.

Re:Bad idea (0)

Anonymous Coward | more than 3 years ago | (#34969686)

self defense?? If your are capable are you gonna let someone kill you or rob you?

New idea. (2, Insightful)

SuricouRaven (1897204) | more than 3 years ago | (#34968062)

1. Attack your target. 2. Wait for counterattack. 3. Deny 1, or claim it was an attack launched by compromised computers without your knowledge. 4. Sue your target for the costs of their counterattack.

Re:New idea. (3, Funny)

Geraden (15689) | more than 3 years ago | (#34968192)

You forgot a step...

5. Profit!

Re:New idea. (2, Insightful)

jamesh (87723) | more than 3 years ago | (#34968398)

Depending on the nature of the attack, it might be easy to spoof. If A wants to attack C then all they need to do is attack B pretending the attack is coming from C, then sit back and enjoy the show :)

Re:New idea. (2)

tkprit (8581) | more than 3 years ago | (#34968562)

Exactly my thought; I don't want rogue corporate types or the government trying to figure out who's do the attacking and retaliating. They need to beef up their own security and use the current legal system to subvert "cyber attacks".

Plus, given how the US govt and probably US corporations wants to treat wikileaks as a terrorist org, I can imagine big corp/govt "retaliation" being a literal Trojan Horse [SWAT team!] instead of code.

Re:New idea. (4, Insightful)

SuricouRaven (1897204) | more than 3 years ago | (#34968690)

The problem with conventional response is that of geography. When your opponent is some script kiddie or amateur hacker, it's all very well - you go to court, get a warrant, trace his IP through the ISP logs, and file charges. But if the attacker is an organised criminal group, the attack will be coming from a computer in Outer Elbonia, where the local police couldn't care less about your paperwork, and the ISP doesn't care that the connection is registered under a false name. There are even ISPs that specialise in hosting scams and malware - usually in Russia or somewhere similar. It can take weeks to go through legal channels, and during those weeks the attacks (Or malware host) keep on running.

The impossibility of regulating the internet is what allows us the freedoms we at Slashdot love so much, but the price of this is that it's largely unpoliceable.

The world would be a better place... (5, Insightful)

TerranFury (726743) | more than 3 years ago | (#34968064)

...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

Re:The world would be a better place... (1)

MichaelSmith (789609) | more than 3 years ago | (#34968108)

Yeah a counter attack only makes sense if you can stop future attacks. A legal attack may put the guy in jail. But DOSing his home PC isn't going to accomplish anything for you so its a waste of effort.

Re:The world would be a better place... (3, Insightful)

Antique Geekmeister (740220) | more than 3 years ago | (#34968288)

Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

Re:The world would be a better place... (4, Insightful)

causality (777677) | more than 3 years ago | (#34968974)

Only if they weren't "attacks". They often include theft, including theft of money and private information. They're often expensive to repair, They often break or impedes other computer services, and the most common forms of them are for illegal activity (such as spam running DDOS attachs). Or have you failed to look at what botnets are and how they are run?

Because such attacks far outnumer mere "exploitation attempts", and because even a mere "exploitation attempt" involves theft of computer resources or private data, yes, it's reasonable to call them "attacks".

If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

If all of the above are attacks then what do you call it when one person physically assaults another person? We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning. Sure, we can reject that and blur all distinctions so we can sensationalize and play up the hyperbole of comparing everything to violent assault, and justify it by saying "it's a LIVING language", but have you thought this through? Is using the correct word such an unreasonable burden, is supporting this kind of sensationalism so desirable, that it's worth introducing artificial ambiguity? I for one don't believe so.

Re:The world would be a better place... (3, Informative)

Fnord666 (889225) | more than 3 years ago | (#34969636)

If all of the above are attacks then what do you call it when one person physically assaults another person?

Battery [wikimedia.org] .

Not Accurate Analogies (0)

Anonymous Coward | more than 3 years ago | (#34969724)

If you leave your car out, then someone else uses it to drive into a power pole to take down the power in a local neigborhood, can the local company who was the subject of this denial of (power) service send out a hit squad to blow your car up?

There aren't good real world analogies, except perhaps: the police coming and arresting the property owner who's signed a management contract with a management company who leased it to a meth lab, who they can't catch selling drugs, so they target the property owner.

News flash: (and Black Hat is the last place you need to remind people of this by the way) attribution is incredibly difficult, someone skilled and well funded doesn't use a system that can be tracked to them. They operate in an out of band Command and Control method that they interact with through some sort of darknet-like (or public onion routed) system (i2p, tor etc) from a public wireless using a stolen/cash bough laptop.

Re:The world would be a better place... (1)

suomynonAyletamitlU (1618513) | more than 3 years ago | (#34969786)

If you leave your car unattended and some asshat criminal steals it, would you say he attacked you, or would you say he has stolen from you?

If you leave your ATM card in the ATM and some asshat criminal drains all the money from your account, would you say he attacked you or would you say he committed fraud and/or larceny?

If you leave a candy bar at your desk and an asshat coworker swipes it and eats it without asking you if he may have it, would you say he attacked you or would you say he swiped your candy bar?

If you leave your car unlocked and someone takes the opportunity to change the locks on your car so they can steal it again any day they like (while still letting you drive it--somehow), that's an attack. Doubly so if they use your car to perform illegal activities, then return it before you notice.

Same if you leave your ATM card somewhere, and they not only siphon cash, but do social engineering attacks to get the bank to disclose details that will, for instance, let them obtain a credit card in your name. Or hell, I dunno what else--swipe the stripe, or take down the information, then give the card back to you so that you won't suspect them? I'm sure there are other ways to exploit something like that.

And if he took your chocolate bar and left a bunch of molten chocolate stains around the office and blamed it on you? I think you'd consider that an attack. (Okay, well, I can't think of any better attacks you can do with a chocolate bar.)

It's one thing if you made a mistake and someone profited from it. Criminal exploitation often involves ruthlessness--because let's face it, if you get caught, you're going to be in trouble anyway; why not go for the gold?

Re:The world would be a better place... (1)

Chuck Chunder (21021) | more than 3 years ago | (#34970034)

We used to have a neat solution for the problem of making this distinction, in the form of specific words like "attack" that have a specific meaning.

When was this mythical time?

Re:The world would be a better place... (-1)

Anonymous Coward | more than 3 years ago | (#34970726)

If I dropped a bomb on your house, while you were in it, would you say you were attacked? But if that's an attack, what would you call it when a throw a punch at you for being a pompous fuckwit who can't understand that a single word can have more than one specific meaning?

Re:The world would be a better place... (3, Insightful)

_Sprocket_ (42527) | more than 3 years ago | (#34968452)

...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.

I disagree. The use of the word "attack" is perfectly suited. Espionage involves attacks. Politics involves attacks. You can attack a problem, attack a mountain (climbing in mind but that could imply more than one form of 'attack'), attack a movie you found worthy of strong criticism, or attack an idea. An attack is nothing more than an aggressive action who's implication is highly dependent on the situation and context of the use of the word.

The base problem is looking at this as warfare. In the context of war, an attack has very specific connotations. That form of attack and the concept of war lead us in to the wrong mind-set for the reality of the situation. This is where trickery, spying, and sabotage comes in. This is simply a new set of tools for espionage. And while this does open a new way of looking at things beyond the old Cold War era, namely actors that may not be directly associated with a State, a lot of the traditional concepts and general nature of the behavior apply well to the exploitation of this new environment and tool sets.

Re:The world would be a better place... (1)

westlake (615356) | more than 3 years ago | (#34968658)

...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage

When you have a thirst for blood, you are in no mood to argue the fine points of language. Call it trickery, spying, who the helll cares?

Re:The world would be a better place... (2)

Lorien_the_first_one (1178397) | more than 3 years ago | (#34969230)

That's an interesting point and raises the issue of how we're framing the incident of an "attack". By calling it an attack, we're attempting to justify retaliation. As to the best response, I'd say diverting the attack and logging the method of attack makes more sense. As data is collected about attacks, their sources, methods and frequency become the basis for standard operating procedure rather than the news.

By reducing their effect with black hole strategies rather than retaliation, we reduce the chance of escalation between the parties and hopefully, injury to unsuspecting third parties. It's worth noting that blackhole-ing attackers means that they have no way of knowing they've been spotted. Thus, they will continue their attacks without knowing for sure if they've been spotted, allowing the targets of attacks to properly identify the sources of attacks and even allowing a better chance of prosecuting attackers.

I guess you could say that I prefer to err on the side of peace, if possible.

Re:The world would be a better place... (1)

vrythmax (1555425) | more than 3 years ago | (#34969784)

No different than driving up to your building when no one is there and crashing a wreaking ball into it. Its not an attack, just...sabotage. No one's hurt. I just shut down your business, cost you thousands of dollars in repair and possibly millions of dollars in lost sales. But hey, let's not get too excited over this.

What are you trying to achieve? (4, Insightful)

buchner.johannes (1139593) | more than 3 years ago | (#34968068)

Is the attack scenario one bad guy?
Then you should contact law enforcement. Also you should make sure your security set up is appropriate.

Is the attack scenario that you are an big company and people attack you because you are known?
Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.

Re:What are you trying to achieve? (2)

Motard (1553251) | more than 3 years ago | (#34968178)

Is the attack scenario one bad guy?
Then you should contact law enforcement. Also you should make sure your security set up is appropriate.

Would you perform these steps in a physical attack? i.e. an imminent physical ass whooping?

Is the attack scenario that you are an big company and people attack you because you are known?

Are you a celebrity facing a crazy person?

Then you should make sure your security set up is appropriate.

Right. Buy a gun.

Attacking people is pointless because new ones will turn up all the time.

Not after they heard about the first one.

But seriously, isn't the right of self-defense a pretty basic one? Sure, if you have no confidence of success, don't persue this option. But if you do, take 'em out.

Re:What are you trying to achieve? (4, Insightful)

Pharmboy (216950) | more than 3 years ago | (#34968450)

I think the problem is that with a cyber attack, you don't know if the computer attacking you is the actual person, a proxy, and pwned box or what. In a physical attack, yeah, I say pick up a 2x4 and pop them in the head. In a cyber attack, it is pretty easy to attack the wrong target, maybe bogging up some routers along the way causing inconvenience to innocent bystanders as well. I personally would like to see mass spammers and other cyber criminals get a firing squad on public television, as a deterrent, but not sure going vigilante is the right answer.

Re:What are you trying to achieve? (1)

Caraig (186934) | more than 3 years ago | (#34968698)

this does bring up an interesting question in the whole debate about corporate personhood. Obviously corporations have a right to some sort of self-defense: protection from libel and slander, and protection from sabotage. And of course protecting their employees. (Despite anti-corporatist bias, most corporations really could do without someone waltzing into the secretarial pool and shooting up the place.) But what are the boundaries that corporations should have in exercising self-defense?

Re:What are you trying to achieve? (1)

Lorien_the_first_one (1178397) | more than 3 years ago | (#34969258)

"Tantric VAX"? As in the really old computer?

Re:What are you trying to achieve? (0)

Anonymous Coward | more than 3 years ago | (#34970082)

But seriously, isn't the right of self-defense a pretty basic one?

There is a quite large difference between retaliation and self-defence. Retaliation tends to lead to escalation. If you have to possibility remain calm enough to stop at self-defence it usually the best option.

Re:What are you trying to achieve? (2)

Dachannien (617929) | more than 3 years ago | (#34968228)

Really, the only scenario meriting retaliation for its own sake is the one in which both you and your opponent are script kiddies, because the Internet is really just one big e-peen contest.

Re:What are you trying to achieve? (3, Insightful)

Kjella (173770) | more than 3 years ago | (#34968306)

The question is more are you actually going to retaliate against the attacker or is it like "Let's send some rockets back into that city, because that's where they came from." Anyone launching an attack directly from their own computer is a total amateur, chances are great it'll be some unsuspecting third party's machines and networks that'll be your battle ground. And I very much doubt they care who started it, they're likely to go after everyone that's been hacking their systems when they first find out. If I go on vacation and find two gangs have trashed my apartment I'm not really going to care who started it.

Re:What are you trying to achieve? (2)

repapetilto (1219852) | more than 3 years ago | (#34968742)

Your analogy is you go on vacation and, in your absence, a gangwar erupted in your apartment? Then you come back and see the damage. Respond with "Alright motherfuckers, I dont give a shit who started it." Then presumably go on to kick some ass. Sounds pretty awesome.

Re:What are you trying to achieve? (0)

Anonymous Coward | more than 3 years ago | (#34969002)

If I go on vacation and find two gangs have trashed my apartment I'm not really going to care who started it.

Neither will Judge Dredd.

"I am the law! The law does not make mistakes!" -- Judge Dredd

Need an IP address seeking missile (0)

Anonymous Coward | more than 3 years ago | (#34968130)

Maybe that's next after Stuxnet. Program target IP, launch, fire, forget.

Re:Need an IP address seeking missile (1)

jamesh (87723) | more than 3 years ago | (#34968470)

Maybe that's next after Stuxnet. Program target IP, launch, fire, forget.

You are more likely to die as a result of a gun if you carry one yourself [newscientist.com] . I can't find the study, but you are also more likely to end up being shot by your own gun than you are to ever shoot a bad guy with it (which makes sense - we hear of accidental self shootings all the time and most people who own a gun never actually use it in self defence).

If those statistics even roughly translated to IP address seeking missiles then we are going to have a problem.

BTW, I think there is a problem with my server. Can you please do a portscan for me? My IP address is 127.0.0.1

Re:Need an IP address seeking missile (0)

Anonymous Coward | more than 3 years ago | (#34970416)

Until someone hacks the missiles and enters 255.255.255.255 as target address...

Infinite loop (2, Insightful)

Haedrian (1676506) | more than 3 years ago | (#34968154)

If (Cyberattack){

Cyberattack;

}

Nobody see the problem?

Re:Infinite loop (4, Funny)

JonySuede (1908576) | more than 3 years ago | (#34968170)

Nobody see the problem?

If (Cyberattack){

Cyberattack();

}

there was a parenthesis pair missing.

Re:Infinite loop (0)

moteyalpha (1228680) | more than 3 years ago | (#34968382)

It is worse than that. One of 500,000,000 threads on the Intertubes.
void CyberAttackInit(char *Target){
bool Attacked;
if (httpTraffic>1000){Attacked=TRUE;}
if (Attacked==TRUE){attackAllAttackers();}
}
I would guess that it would go from one attack or mistake to a deadlock in nanoseconds. It wouldn't end until somebody burned up or hit a bandwidth limit. One person could set off the entire internet in a single prompt critical. We should really create more situations like this that can be memorialized like the Morris worm.
damn, it won't compile with -Wall -Werror

Re:Infinite loop (1)

mijelh (1111411) | more than 3 years ago | (#34968858)

You went too far mate

Re:Infinite loop (1)

moteyalpha (1228680) | more than 3 years ago | (#34968996)

You went too far mate

Did I get act and think reversed again?

Re:Infinite loop (1)

dgatwood (11270) | more than 3 years ago | (#34969006)

Sweet. So if the Cyberattack function exists, it must be called. An weapon unused is a useless weapon and all that.... On the other hand, such an argument tends to be an argument of the lazy (binding).

Everyone probably already knows this here but (1)

CrazyJim1 (809850) | more than 3 years ago | (#34968156)

The problem is that anyone can do a cyber attack, steal a ton of money by scamming it. It isn't tough, it just requires a lack of morals.

If they're caught, some countries will not only refrain from punishing you, but they'll even congratulate for siphoning money from foreign countries.

I don't think there is a solution unless we had a world government... In which case we have a lot bigger problems facing us.

Not sure about retaliation... (4, Interesting)

slackz (1980906) | more than 3 years ago | (#34968174)

But I am curious about about the machines that are responsible for a lot of attacks online. A year or so ago I noticed ssh brute force attempts in /var/log/secure and found a cool solution called denyhosts [sourceforge.net] that parses log files, adjusts /etc/hosts.deny, and logs all activity. This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.

Re:Not sure about retaliation... (2)

HungryHobo (1314109) | more than 3 years ago | (#34968316)

I hope you included something which turned that off if it added more than a certain number of hosts in a short time.
otherwise it makes for an easy DOS, spoof packets and watch as your server blocks the whole net.

something which imposes a temporary block and can only block a limited number of IP's at a time would be good for preventing casual and script kiddie attacks though.

Re:Not sure about retaliation... (1)

StarDrifter (144026) | more than 3 years ago | (#34968992)

DenyHosts includes a PURGE_DENY option which allows you to specify how long blocks are kept for.

Spoofing shouldn't be an issue here. We're not talking about logging SYN packets but failed login attempts. An attacker can't perform those without being able to get packets back from the server and they can't do that if they are spoofing their address. Unless perhaps they are plugged into the same hub as the server but if that's the case you've likely got bigger problems to worry about.

Re:Not sure about retaliation... (0)

Anonymous Coward | more than 3 years ago | (#34970342)

I did this 12 years ago with TCPWrappers. Notified many a DNS server administrator that their servers were owned.

my solution to this problem (2)

linuxwebadmin (694411) | more than 3 years ago | (#34968270)

1) Collect as much info as you can about the source of the attack.
2) Send an email to the abuse address on record.
3) Harden system some more.
4) Wait for some sort of response.
5) Publish the source IP, whatever response is received in the email response, and AS info (i.e. netblock) along with the details of the attack.
6) Block all future traffic from the AS.

Re:my solution to this problem (1)

KarlMalden (1980414) | more than 3 years ago | (#34968942)

Hear, hear! but...


6) Too crude, how will AS people know why they have been blocked if they are blocked? Blocking whole AS might kill somebody or sombodies!
Maybe:
5.3) Block only offending addresses only from attack target with expiration time.
5.4) Contact AS operators by other means if they don't respond to email.
5.5) Require AS operators to have SIP phones, live chat and a contact person/s, or some why to know your email hasn't gone into a black hole.
5.6) If addresses proceed to attack other targets, redirect offending addresses to a "you have been blocked server" with remedies as "attacker" might be a hijacked PC. Not sure this option exists in bog standard routers but it exists in firewalls and some wi-fi hotspots. This would be routing on source address. Some sort of internet jail. Even when you arrest somebody they get food and basic necessities. You don't put them in solitary confiment without anything.

6) Off limits, nuclear option - in an interdependent world: how do you know you are not cutting off the branch you are sitting on, or an innocent is sitting on?

Retailiate, why? What is the point? What does it achieve?
That is a bit Old Testament: eye for an eye...

Only if it works (1)

countertrolling (1585477) | more than 3 years ago | (#34968304)

No really. If it's after the fact, no... Cease fire when they do.

Retaliation as a Policy (0)

Anonymous Coward | more than 3 years ago | (#34968362)

In all cases of violent conflict, often the best deterent is the promise of retalition.

If you know your target will retaliate, even if it isn't in their best interest, you will think twice about attacking.

Think about those games of Risk you use to play as a kid. There was always that one guy who once you attacked, he would not stop retaliating, even if he was endangering his ultimate goal - win the game. In the process, your chances of victory plummeted in the face of the onslaught.

In subsequent games, no one would attack that guy.

Re:Retaliation as a Policy (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34968508)

While the game theory behind spite(hurting others even at a cost to oneself, the under-appreciated counterpart to altruism, helping others even at a cost to oneself) is interesting, and suggests that it can actually be vital in maintaining some mutually beneficial equilibria, all that breaks down if the assumption that retailiation can be accurately allocated is violated. It also breaks down if the assumption that all agents are indivisible is violated.

Risk is a game of essentially perfect information(aside from the interpersonal alliance metadata). Everything on the board was in the open. Ye Olde Intertubes are often not so obliging. If I am hitting you through a botnet of compromised home users that I am renting from some botnet herder, do I fear your retaliation? Only if I think you are good enough to allocate it to me, despite multiple levels of indirection, and essentially innocent targets standing in your way.

Even if I am attacking directly, say from a colo owned by a shady shell corporation, the second assumption is violated. The shell corporation is an expendable appendage, nuke it into the ground for all I care, I've already extracted the value and moved on.

Re:Retaliation as a Policy (1)

John Hasler (414242) | more than 3 years ago | (#34969122)

If I am hitting you through a botnet of compromised home users that I am renting from some botnet herder, do I fear your retaliation? Only if I think you are good enough to allocate it to me, despite multiple levels of indirection, and essentially innocent targets standing in your way.

Crippling the bots might achieve my immediate goal: bringing an end to your attack. If you are firing stolen missiles at me am I wrong to shoot them down?

Re:Retaliation as a Policy (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34969316)

If I am firing hijacked passenger airliners at you, are the criminal homicide charges and the civil wrongful death suits that you would accrue by shooting them down worth it?

That's the problem: there is basically no such thing as a pure weapon on the internet. Most "stolen missiles" are simultaneously poorly secured home or business computers that have never left the ownership(and, in general, since the botnet guys don't want their hosts getting wiped) are still being actively used by their owners for whatever their intended purpose is.

Crippling them would, indeed, end the attack; but it would constitute committing dozens or hundreds of what(at least in the US) would be federal felonies and invitations to expensive civil suit. And, to be quite blunt about it, you would deserve to have your ass handed to you for doing so.

Is Retaliation the Answer To Cyber Attacks? (0)

Anonymous Coward | more than 3 years ago | (#34968368)

If retaliation is your thing, then I suspect it depends on how much self control you have before you retaliate.
That wasn't hard to answer!

Almost a good idea (1)

jamesh (87723) | more than 3 years ago | (#34968380)

If everyone clicked the link in those "work from home" scams 100 times, or replied to every "your webmail account is about expire" email with bogus details then it would drown the enemy in useless information.

If you then take it a step further and have an automated system that clicks links a million times automatically and replies to the emails with bogus information a million times then it would be even better.

Until someone gets the idea to send out a "I made a billion $$$ working from home. Click http://www.kernel.org/pub/linux/kernel/v2.6/testing/linux-2.6.38-rc2.tar.bz2 [kernel.org] for details!" and you're suddenly part of the problem.

Functionally Insane (5, Insightful)

Courageous (228506) | more than 3 years ago | (#34968404)

The concept of revenge cyber attacks is functionally insane.

At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:

1. Pressing the district attorney to prosecute the employees and management
2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
4. Suing the corporation

Given the criminal act with malice of forethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.

So, to be blunt: "dream on".

No sane Corporate Counsel will permit any company to do this.

C//

Re:Functionally Insane (1)

Anonymous Coward | more than 3 years ago | (#34968856)

Sigh, bad summary and over-hyped news strikes again.
If you read the article, you will see that the actual Black Hat speakers do not suggest a revenge cyber attack. And the article itself, doesn't actually talk about using real cyber attacks.

They talk about stuff like using "tarpits" to get exploit tools and botnets stuck in loops to slow them down (like CAPTCHAs or locking out login attempts), feeding fake information to cyber attackers (like honeypots).
Of course, the article uses wording that implies an actual cyber attack against the attackers, but if you carefully read through the article, they don't actual suggest using actual revenge cyber attacks.
And then the last part of the article is just a lot of fear mongering fluff about how "data thieves" operate.

This whole article is a whole lot of silliness. Who reads this stuff?

Re:Functionally Insane (0)

Anonymous Coward | more than 3 years ago | (#34969764)

Amen bro, it is with little wonder that Henry Kissinger called military men "dumb, stupid animals to be used as pawns for foreign policy". While the commentator obviously has hacking skills, it appears that tactical thinking is beyond him. Any thinking hacker would never initiate an attack from his/her own machine/network, and definitely not leave an electronic footprint that could be traced back to a source. Using a network that one cares little about for attack/retaliation. Any one who would suggest this, should be told they must have sh*t 4 brains.

AC

This sounds like an unbelievably terrible plan.... (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34968440)

In the US, and in the sorts of theoretically-rule-of-law-y jurisdictions that corporations generally have substantial operations and assets in, most flavors of "cyberattack" are de jure Pretty. Seriously. Not. Legal.

This does approximately jack shit against gangs operating offshore in who-knows-where controlling botnets of enslaved Joe User XP home boxes; but it is the state of the law. Now, let's think about this for a second: Any "cyber-counterattack", unless unbelievably flawless, is probably going to have some amount of collateral damage: ISPs getting parts of their networks DDOSed, innocent-if-clueless home users getting their botnetted boxes taken down, etc. Even the direct damage will be illegal(though criminal gangs probably won't press charges); but the collateral damage will, in not a few cases, fall directly on people and businesses, in western jurisdictions, who had nothing to do with the original attack(other than, perhaps, not updating their AV often enough).

Now, when it comes to light that Foocorp LLC, a division of Deeppockets Industries, and their officers and employees have been guilty of numerous violations of federal cybercrime violations, most felonies, and a variety of civilly actionable property damage, where do you think the lawyers are going to go looking for blood? Yuri Shadymov and John Does 1-N, the mysterious perpetrators of the attack on Foocorp, or the conveniently-located-right-at-home Deeppockets Industries?

There would be a nonzero risk(and they would deserve every bit of it) that Deeppockets industries could find itself up to its eyeballs in civil suits, and the Foocorp IT team and every exec who knew of and authorized their actions could be looking at serious fines and some quality time in FPMITA...

Re:This sounds like an unbelievably terrible plan. (1)

blueg3 (192743) | more than 3 years ago | (#34968798)

Worse, it's pretty easy to pin an obvious or even not-so-obvious cyberattack on someone else. If vigilante "cyber justice" is acceptable, then an efficient way of performing your cyber attack is simply to attack a third-party target and make it look like your real target did it.

There's a reason vigilante justice isn't acceptable.

Re:This sounds like an unbelievably terrible plan. (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34969402)

The other issue, with electronic attacks specifically, is that effective "self defense" would require absurdly broad authorization.

In physical terms, you have states like Texas, where shooting trespassers is largely legal, and states like Massachusetts where you pretty much have to have run out of other options before you can use lethal force in self defense. When it comes to electronic attacks, everybody already enjoys greater-than-Texas level of self-defense capability. I can tell my routers and switches to drop whatever packets I want them to. I can terminate whatever processes I care to on my hardware. I can delete whatever files, etc. My network, my rules.

Given that everyone, in basically every jurisdiction anywhere, can already do that any call for expanded powers of self defense is a call to be allowed to just start shooting up the neighborhood with wild abandon. Not going to end well.

Re:This sounds like an unbelievably terrible plan. (1)

John Hasler (414242) | more than 3 years ago | (#34970306)

In physical terms, you have states like Texas, where shooting trespassers is largely legal

Wrong.

Re:This sounds like an unbelievably terrible plan. (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34970418)

Hyperbolic, possibly; but the law [state.tx.us] is fairly broad and the bar fairly low.

Re:This sounds like an unbelievably terrible plan. (1)

blueg3 (192743) | more than 3 years ago | (#34970522)

I don't know about Texas, but in Florida, your legal right to shoot (or otherwise use lethal force) against anyone on your property is fairly broad.

Is Retaliation the Answer To Cyber Attacks? (1)

John Hasler (414242) | more than 3 years ago | (#34968456)

Yes. But let's keep it non-nuclear, ok? Cruise missiles, Predator drones, maybe SeeBees with satchel charges: all fine. Just be sure the response isn't disproportionate.

Re:Is Retaliation the Answer To Cyber Attacks? (1)

gstrickler (920733) | more than 3 years ago | (#34968502)

But I was just going to suggest radiation, not retaliation.

Re:Is Retaliation the Answer To Cyber Attacks? (0)

Anonymous Coward | more than 3 years ago | (#34969528)

Use iptables and drop the connection.

# iptables -A INPUT -s [cidr address] -j DROP

Then they have to time out.

Collateral damage (1)

petes_PoV (912422) | more than 3 years ago | (#34968490)

They would never be certain to get the right target and cannot guarantee that innocent bystanders won't get caught in the crossfire. That may be acceptable in the silly plots of TV dramas, but in real life there are consequences.

Re:Collateral damage (1)

John Hasler (414242) | more than 3 years ago | (#34968534)

> ...in real life there are consequences. Not for the IDF.

Trying to find the six-fingered hacker (1)

thomasdz (178114) | more than 3 years ago | (#34968538)

"Hello, my name is Inigo Montoya. You hacked my computer. Prepare to die."

misleading summary, stupid article (1)

Anonymous Coward | more than 3 years ago | (#34968564)

So, the summary is misleading.
The actual article (starts out) talking about using vulnerabilities in botnets and "attack" tools, and an idea called a "tarpit" that would attempt to tie up resources on botnets and "attack" tools.
Not much of a new idea, as people are already doing things like this: Locking out login attempts, delaying login, or CAPTCHAs are a simple example of "tarpits". Reverse engineering malicious programs is already being done. Honeypots, etc.
"Revenge assault" seems to be strong wording for this. Really just silly.
You'd think they were referring to stuff like the worms that spread around patching security holes and removing other worms. This, which would in itself also be a proven stupid idea, given how the "good" worm ended up tying up as much resources as the "bad" worms they were trying to stop.

The second part is just a whole lot of talk about how "data thieves" might steal data and "DLP". Whole bunch of silly lingo that seems to be not much more than fear mongering.
tl;dr version is basically, social engineering attacks are still a problem.

Eye for an eye (1)

gmuslera (3436) | more than 3 years ago | (#34968572)

its the best way to get everyone blind.

The military (0)

Anonymous Coward | more than 3 years ago | (#34968592)

Retaliation sure worked out well for the military, why wouldn't it work out the same online?

Absolutely. (1)

Minwee (522556) | more than 3 years ago | (#34968666)

Just like if you get up in the morning to find that your window is broken, the BEST response is to pick up a shotgun and go kick in your neighbour's front door.

Remember, your first impulse is always right and you can never, EVER misunderstand any situation.

How do you identify the attacker? (1)

Zorpheus (857617) | more than 3 years ago | (#34968680)

For the attacks I heard about it was often not clear who was behind them. As for many viruses, it was unknown where Stuxnet came from. It is mostly unknown who is controlling the botnets behind DoS attacks. If someone steals data he will either use TOR, or an open hotspot.

Re:How do you identify the attacker? (1)

John Hasler (414242) | more than 3 years ago | (#34968918)

> It is mostly unknown who is controlling the botnets behind DoS attacks.

Yes, but would it be wrong to cripple the bots if that would stop the attack?

de-peer their ISP (0)

Anonymous Coward | more than 3 years ago | (#34968700)

contact their ISP and request a takedown, if they dont respond or the ISP in question has a PO box then contact their upstream provider(s) and get them de-peered or face prosecution

or just turn up at the data center with bats/guns and start smashing

Prisoners Dilemma (2)

crsuperman34 (1599537) | more than 3 years ago | (#34968738)

You mean Tit-For-Tat? http://en.wikipedia.org/Prisoners_Dilemma [wikipedia.org]

Re:Prisoners Dilemma (0)

Anonymous Coward | more than 3 years ago | (#34969438)

I think you forgot a /wiki/ in there...

Re:Prisoners Dilemma (1)

PPH (736903) | more than 3 years ago | (#34970062)

Not really applicable in this case. Prisoners Dilemma applies to two or more players and a symmetrical outcome matrix. Law enforcement vs suspects is rarely symmetrical.

Wrong order of events. (1)

Securityemo (1407943) | more than 3 years ago | (#34968950)

We need to establish corporate extraterritoriality before anyone exept the government can start to mount turreted autocannons in their lobbies/Black ICE in the networks/kink bombs in the implants of all employees and family members below B-grade. Or at least, that's the story that anyone below grade Ultraviolet/AAA gets fed. But boy, will those AAA bastards be up for a surprise when the second stage of Dunkelzahn's Cyberzombie-Jesus-plot finally comes into action at the product lifecycle end of Shadowrun 4ed...

Is Retaliation the Answer To Cyber Attacks? (1)

Errtu76 (776778) | more than 3 years ago | (#34969182)

No.

Better to strike first. Mind, good enough so _they_ can't retalliate.

Whoever 'they' are ...

Vigilante Justice (1)

QuincyDurant (943157) | more than 3 years ago | (#34969256)

Well, victims "should" leave retaliation to law enforcement. But when there is no answer to the question, "What law enforcement?" victims "will" retaliate whether they "should" or not.

Time for Defense (0)

Anonymous Coward | more than 3 years ago | (#34969260)

I have been formulating a system to fight back when attacked by people. Doing this action brings up many things, some philosophical.

a) It is possible that the person attacking is an un-witting participant, ie a zombie. It would not be fair to cause any type of damage to these people.
b) I have also found that the vast majority of exploits contain reverse exploits in which very heavy damage can be inflicted upon an attacker. Stay tuned for that - you heard it here first.
c) I believe that being a US citizen I can consider myself a member of a militia (a cyber militia). I have a right to defend myself using instruments of war. In this case the primary weapon will be a C compiler.
d) Fighting back is not a common strategy at this point in time. The current strategy is to let 3rd party security vendors (ie Symantec, Norton) fight attackers via contract. This isn't working to my satisfaction so I believe a new strategy must be employed to fight people who use computers to adversely affect other people. The sitting duck approach will be abandoned and a fight back harder approach will be employed. Good luck kiddies.

Let the games begin you little fucking toys.

My comment (0)

Anonymous Coward | more than 3 years ago | (#34969472)

I am the owner of www.TurklerinMekani.nl and my site was attacked. That's not fine. I think that the attackers / hackers must get a real high punishment so they don't do it again.

Attack who? (1)

currently_awake (1248758) | more than 3 years ago | (#34969524)

Given the ease of hiding the origin of your attack (tried tracking spam?) you've got the problem of the hackers doing false flag attacks on you in order to trick you into attacking the real target of the hackers. The only way to actually stop attacks is to track them down and arrest them. No other plan will ensure the attacks permanently stop. On the other hand, having the RIAA attack MPAA in a full scale cyberwar would be kindof cool.

depends on if the crackers are foreign or domestic (0)

Anonymous Coward | more than 3 years ago | (#34969788)

if domestic the fbi and other agencies can handle it well, if foreign, well that's what russian snipers are for...

Remember MAD (Mutually Assured Destruction)? (1)

securityskeptic (1981772) | more than 3 years ago | (#34969874)

Why would anyone imagine that the same outcome would not apply in cyberspace? I DDOS you, you DDOS me. We get our friends to DDOS our enemies. You deface me, I deface you. Sounds like a whole lot of wasted bandwidth. I'd rather see folks invest in anti-spoofing at the network edge, implement better auth methods, and review content for vulnerabilities before they publish. Sheesh.

No (1)

it5complicated (1951824) | more than 3 years ago | (#34970698)

Do you really want CORPORATES have that power? Please. These guys don't even have the common sense to break the boom-bust cycles. It's like giving a knife to a child incapable of learning from experience. So Company A attacks Hacker B. Only it turns out that the attack went awry and Hacker B is actually a rival corporate giant. So Rival Corporate giant attacks, which misfires too. Remember, it is difficult to prove motivation or origin or logic in a cyber attack. Isn't it fun, boys?

Hell no. (1)

drolli (522659) | more than 3 years ago | (#34970714)

In a working state, the power to punish by act seen as criminal is exerted by the police and the courts. If "the strong" can "retaliate" against the weak, the we call that anarchy.

If Amazon want they can take offline everybody who is hosting wikileaks and every imageboard which used the word "anonymous" on the planet by dedicating 10% of their computational/network power to "retaliate". If google would like to "retaliate" against somebody, they could take a medium-sized country offline and render it inoperative for months (imagine what amount of disturbance they could cause by searching all gmail for important infrastructure numbers and showing them up in 10% of the search results - an adminitration getting 10times more calls than they can handle will not be able to work any more). Imagine if they show a companies homepage randomly in 1% of the search results - the homepage will be offline for some time. If china wants, they can take any NGO offline by an attack.

We should not aim for an internet, where we retaliate and fight wars without any legal court having said anything, but plainly with the legitimation of the own strength. Once this would be the established order of things, the internet failed.

If somebody behave badly, put them on a list. Don't pair with them, don't accept mail from them, and anybody who systematically ignores that ends on the same list. That system is not perfect, but its the best we have. Try to figure out the people behind and bring them to justice. The security companies should dedicate a substential amount of their products to educating the user (e.g.: pay high-level news speakers or actors to speak a 2 minute warning on the current trends). Official/company websites need to stop to put "ssl-certified" logos on the webpage itself, but should put a picture with how the URL bar should look like and ask the user to compare and remember it. Big companies should not educate the user to install just every program, because they tell to.

What i want to say: the image, the resources, and the power of big companies can be used in constructive ways, and not to establish illegal actions as the course of the day.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>