Difference between revisions of "Xygh Offense vs Defense"

From CyberSecurity

Revision as of 06:28, 6 December 2005

Going on the offensive in response to a cyber-attack

I. Introduction

II. History

The history of successful counterattacks in the world of cybersecurity is a short one. There are an increasing number of papers and publications which make proposals, but concerns over legal issues as well as technical challenges have kept the list of successes small.

In September 1998, the Pentagon is reported to have counterattacked activists who were running a denial-of-service attack against the Department of Defense's websites: it answered their requests with an applet that ran on the attackers' machines and forced them to reboot. [1]

In 1999, the California ISP Conxion wrote a script which caused DoS packets sent to the World Trade Organization's website to be sent back to the attackers. [2] Of course, such an attack would not have worked if the attackers had used "IP address spoofing", which makes packets appear to come from a different computer than the one that actually sent them; reflected traffic would then land on whichever innocent machine the forged source address belonged to.

In 2001, several defenses were created in response to the Code Red II worm. One, called CRclean, would, if it received a probe from the worm, make use of the back door which the worm placed on the infected machine to load a neutralizing agent and halt the spread of the worm. But it would also install itself on that machine. Another, called CodeGreen, would actively scan the internet for computers with the IIS vulnerability that allowed Code Red, then download the patch, apply it to the machine, and clean up the back doors. [3] There are clearly serious legal and ethical issues with both of these worms, even the former, which is still a worm even though it only reacts to attacks.

In late 2004, Lycos Europe got fed up with spammers and launched a popular campaign called "Make Love Not Spam" which attracted over 100,000 users. Users could install a screen saver on their desktop which would send requests to websites known to advertise via spam. This effort was successful in causing some of the sites to change locations. ( http://www.makelovenotspam.com ) Lycos reportedly got around the illegality of DDoS attacks by claiming to take only 95% of the target sites' bandwidth, though David Dittrich finds this reasoning dubious at best. [4]

Some companies, such as Symantec (TurnTide AntiSpammer) and Symbiot Security, are developing counterattack tools and devices, but there is a lot of skepticism about deploying such devices because of liability concerns.

We found no evidence in our research of any organization with even a remotely well-developed policy of active retaliation. Even the ISP Conxion claimed to decide on the use of active counter-tactics on a "case-by-case basis."

[1] Niall McKay, "Pentagon Deflects Web Assault," Wired News (September 10, 1998).

[2] Pia Landergren, "Hacker Vigilantes Strike Back," cnn.com (June 20, 2001).

[3] Majik, "Code Green. Are you Serious?!", http://www.xatrix.org/article.php?s=684 (September 6, 2001).

[4] David Dittrich, "How bad an idea was 'Make Love Not Spam?' Let me count the ways."

III. Scenarios

Worm Vs Worm:

An anti-worm is used as a counterattack: it strikes back at the host the worm is attacking from, either by bringing that host down or by neutralizing the worm on it.

Email Spam or Virus Strike back:

When one receives spam email, one retaliates either by bouncing the message back to the sender, or by bouncing it and also sending a notice to the originating email server's administrator for remedial action.

Strike back at Botnet:

A compromised host is monitored for its "home callback" to the controller, which identifies the strike-back target. The strike back is then carried out by

1. Taking down the Home machine.

2. Taking control over the command channel and then using it to neutralize other compromised hosts and strike back at the centralized attacker.

Neutralize Botnet:

A compromised host is patched, or given a low-impact neutralizing agent, via the same exploit or backdoor the attacker used. This can be delivered via an active worm (see above) or by something more passive.

Mislead Hacker's Investigations

A hacker is scoping out a website to deduce its structure and vulnerabilities. There are various techniques to mislead the hacker, or to break or mislead the hacker's automated tools, and the same decoys that mislead a scanner also make its activity easy to detect, since a legitimate visitor never requests content that is linked from nowhere.
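As an added example (not code from the original wiki page or its authors) of the detection side of this scenario: a small Python script that reads web-server access log lines in Common Log Format and raises an alert when a client requests one of the site's decoy paths, or when it produces a burst of 404 responses typical of an automated enumeration tool. The decoy paths, the client addresses and the log lines are all constructed for the example; the thresholds are assumptions a site would tune to its own traffic.

```python
"""Detect reconnaissance against a web site from its access log.

Two signals are used:
  1. a request for a decoy path (a honeytoken page that is linked from
     nowhere, so only a scanner or a guessing attacker will ever ask for it);
  2. a burst of 404 responses from one client within a short window, the
     signature of a tool trying a wordlist of likely paths.

Added example; decoy names, addresses and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical decoy paths chosen by the site owner. The server answers them
# with plausible-looking but fake content, so a scanner is both misled and
# detected. Any request for one of these is a high-confidence alert.
DECOY_PATHS = {"/backup-old/", "/admin-legacy/login", "/internal/config.bak"}

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: 203.0.113.5 behaves like a scanner, 198.51.100.7
# like a normal visitor who hit one broken image link.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Dec/2005:06:28:01 +0000] "GET /robots.txt HTTP/1.0" 200 68',
    '203.0.113.5 - - [06/Dec/2005:06:28:02 +0000] "GET /old/ HTTP/1.0" 404 169',
    '203.0.113.5 - - [06/Dec/2005:06:28:03 +0000] "GET /test/ HTTP/1.0" 404 169',
    '203.0.113.5 - - [06/Dec/2005:06:28:04 +0000] "GET /backup-old/ HTTP/1.0" 200 512',
    '203.0.113.5 - - [06/Dec/2005:06:28:05 +0000] "GET /tmp/ HTTP/1.0" 404 169',
    '203.0.113.5 - - [06/Dec/2005:06:28:06 +0000] "GET /cgi-bin/ HTTP/1.0" 404 169',
    '203.0.113.5 - - [06/Dec/2005:06:28:07 +0000] "GET /admin-legacy/login HTTP/1.0" 200 733',
    '203.0.113.5 - - [06/Dec/2005:06:28:08 +0000] "GET /phpinfo.php HTTP/1.0" 404 169',
    '198.51.100.7 - - [06/Dec/2005:06:30:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [06/Dec/2005:06:30:05 +0000] "GET /missing.png HTTP/1.0" 404 169',
]


def parse_line(line):
    """Return a dict with ip, time (aware datetime), method, path, status,
    or None if the line is not in Common Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_recon(lines, burst_threshold=5, window_seconds=60):
    """Scan log lines and return a list of alert dicts.

    Decoy hits are reported per request. A 404 burst is reported once per
    client, with the number of misses seen inside the first window that
    reaches the threshold.
    """
    alerts = []
    misses = defaultdict(list)  # ip -> timestamps of 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        if rec["path"] in DECOY_PATHS:
            alerts.append({"ip": rec["ip"], "reason": "decoy", "path": rec["path"]})
        if rec["status"] == 404:
            misses[rec["ip"]].append(rec["time"])

    for ip, times in misses.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps of this client's misses.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({"ip": ip, "reason": "404-burst", "count": end - start + 1})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_recon(SAMPLE_LOG):
        print(alert)
```

Run on the constructed log, the script reports two decoy hits and one 404 burst, all from 203.0.113.5, and nothing for the ordinary visitor. In practice the decoy alert is the more useful of the two signals because it has no false-positive path: a normal user has no way to learn the decoy URL.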

Tracking File Transfers

To protect a file, one can surreptitiously embed a beacon which, upon a copy or install, announces its presence to the owner of the file. This can help with files under digital rights management, or with private files which have been leaked.

Fake Vulnerabilities

A honeypot (say, with bees) can present the attacker with a booby-trapped command shell that, unless the hacker is extra careful, will compromise the hacker's own machine.

Distributed Denial of Service

A user community can be enlisted to strike at a known malicious website, for example by running a screensaver that sends requests to it.

IV. Technical aspects of scenarios

Worm Vs Worm:

Email Spam or Virus Strike back:

Strike back at Botnet:

Neutralize Botnet:

Mislead Hacker's Investigations

Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

V. Feasibility

VI. Legal issues

VII. Summarize futures

VIII. Conclusion