Xygh Offense vs Defense

From CyberSecurity
Revision as of 08:13, 6 December 2005 by Hiatus (talk | contribs) (IV. Technical aspects of scenarios)


Going on the offensive in response to a cyber-attack

I. Introduction

II. History

The history of successful counterattacks in the world of cybersecurity is a short one. There are an increasing number of papers and publications which make proposals, but concerns over legal issues as well as technical challenges have kept the list of successes small.

In September 1998, the Pentagon is reported to have counterattacked activists who were conducting a denial-of-service attack against Department of Defense websites, responding to their requests with an applet that ran on the attackers' machines and forced them to reboot. [1]

In 1999, the California ISP Conxion wrote a script which caused DoS packets sent to the World Trade Organization's website to be sent back to the attackers. [2] Such a counterattack would not have worked if the attackers had used "IP address spoofing", which makes packets appear to come from a different computer than the one that actually sent them.

In 2001, several defenses were created in response to the Code Red II worm. One, called CRclean, on receiving a probe from the worm, would use the back door the worm had placed on the infected machine to load a neutralizing agent and halt the spread of the worm; but it would also install itself on that machine. Another, called CodeGreen, would actually scan the internet for computers with the IIS vulnerability that allowed Code Red, then download the patch, apply it to the machine, and clean up the back doors. [3] It is clear that there are serious legal and ethical issues with both of these worms, even the former, which is still a worm even though it only reacts to attacks.

In late 2004, Lycos Europe got fed up with spammers and launched a popular campaign called "Make Love Not Spam" which attracted over 100,000 users. Users could install a screen saver on their desktops that sent requests to websites known to advertise via spam. This effort was successful in causing some of the sites to change locations ( http://www.makelovenotspam.com ). Lycos reportedly got around the illegality of DDoS attacks by claiming to take only 95% of the target sites' bandwidth, though David Dittrich finds this reasoning dubious at best. [4]

Some companies, such as Symantec (TurnTide AntiSpammer) and Symbiot Security, are developing counterattack tools and devices, but there is a lot of skepticism about deploying such devices because of liability concerns.

We found no evidence in our research of any organization with even a remotely well-developed policy of active retaliation. Even the ISP Conxion claimed to decide on the use of active counter-tactics on a "case-by-case basis."

[1] Niall McKay, "Pentagon Deflects Web Assault," Wired News (September 10, 1998).

[2] Pia Landergren, "Hacker Vigilantes Strike Back," cnn.com (June 20, 2001).

[3] Majik, "Code Green. Are you Serious?!", http://www.xatrix.org/article.php?s=684 (September 6, 2001).

[4] David Dittrich, "How bad an idea was 'Make Love Not Spam?' Let me count the ways."

III. Scenarios

Worm Vs Worm:

An anti-worm is used as a counterattack against the host from which a worm is attacking, either bringing that host down or neutralizing it.

Email Spam or Virus Strike back:

When someone receives spam email, they retaliate either by bouncing the email back, or by bouncing it and also emailing the sending mail server's administrator for remedial action.

Strike back at Botnet:

A compromised host is monitored for a "home callback", which identifies the strike-back target. The strike back is done by

1. Taking down the Home machine.

2. Taking control over the command channel and then using it to neutralize other compromised hosts and strike back at the centralized attacker.

Neutralize Botnet:

A compromised host is patched or given a low-impact neutralizing agent via an exploit or backdoor. This can be delivered via an Active Worm (see above) or something more passive.

Mislead Hacker's Investigations

A hacker scopes out a website to deduce its structure and vulnerabilities. There are various techniques to mislead the hacker, or to break or mislead the hacker's automated tools.

Tracking File Transfers

To protect a file, one can surreptitiously enclose a beacon which, upon a copy or install, announces its presence to the owner of the file. This can help with digital-rights-managed files or private files that have been leaked.

Fake Vulnerabilities

A honeypot (say, with bees) can provide the attacker with a malicious command shell that, unless the hacker is extra careful, will compromise the hacker's machine.

Distributed Denial of Service

A user community can be enlisted to strike at a known malicious website, for example by running screensavers.

IV. Technical aspects of scenarios

Worm Vs Worm

Email Spam or Virus Strike back

Strike back at Botnet

Categorize and Neutralize Botnet

A botnet can be detected and compromised. The botnet, whether being used for a DDoS attack or to propagate a worm, must send a signal. Often it sends a probe crafted to deduce whether a server is vulnerable. A server can be specially designed to mimic a vulnerable target by responding the way a vulnerable host would. The botnet is thereby goaded into sending more information, which helps categorize it; perhaps it is associated with a known worm.

Once the server has enough information, it can send a neutralizing agent to the corrupted machine. The idea is to make the minimal change possible, so that the user's computer is otherwise unaffected. The server exploits the same vulnerability that the botnet used and deploys one of a number of neutralizers. For example, it could patch the vulnerability and remove the bot. Less invasive changes include blocking the port over which the bot operates, or using a mutex and rebooting the machine to lock the bot out of executing. [1] Any backdoors left by the worm would also have to be removed.
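As an added example (not code from the original page), the categorization step of the decoy server described above, in Python: a table of simplified probe signatures keyed on the HTTP request line, a reply that mimics an IIS host so a matched bot behaves as it would against a real target, and per-source tracking so hosts that repeatedly send a known family's probe can be reported for cleanup. The signature patterns, IIS-style replies and threshold are constructed assumptions, not production IDS rules.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    family: str         # matched worm family, or "unknown"
    decoy_reply: bytes  # what the decoy sends back to the prober


# Constructed, simplified signatures keyed on the HTTP request line only;
# real IDS rules check far more. Specific families come before the catch-all.
PROBE_SIGNATURES = (
    ("CodeRed-I", re.compile(rb"^GET /default\.ida\?N{20,}")),
    ("CodeRed-II", re.compile(rb"^GET /default\.ida\?X{20,}")),
    ("unknown-ida-overflow", re.compile(rb"^GET /default\.ida\?\S{100,}")),
)
# Constructed minimal replies mimicking an IIS 5 host, so a matched bot
# behaves as it would against a real vulnerable target.
IIS_LIKE_OK = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
               b"Content-Length: 0\r\n\r\n")
IIS_LIKE_404 = (b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
                b"Content-Length: 0\r\n\r\n")


def classify_probe(raw: bytes) -> Verdict:
    """Categorize one probe by its request line and choose the decoy reply.
    Empty, non-HTTP or unrecognized input gets a plain 404, so the decoy
    reveals nothing and ordinary scanners are not goaded into more traffic."""
    request_line = raw.split(b"\r\n", 1)[0]
    for family, pattern in PROBE_SIGNATURES:
        if pattern.search(request_line):
            return Verdict(family, IIS_LIKE_OK)
    return Verdict("unknown", IIS_LIKE_404)


def handle_session(src_ip: str, raw: bytes, seen: dict) -> Verdict:
    """Classify a probe and record its family under the source address."""
    verdict = classify_probe(raw)
    seen.setdefault(src_ip, []).append(verdict.family)
    return verdict


def confirmed_bots(seen: dict, threshold: int = 2) -> dict:
    """Sources that sent at least `threshold` probes of one known family;
    these are the hosts worth reporting to their ISP for cleanup."""
    result = {}
    for src_ip, families in seen.items():
        for fam in set(families):
            if fam != "unknown" and families.count(fam) >= threshold:
                result[src_ip] = fam
    return result
```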

Mislead Hacker's Investigations

One opportunity that could easily be overlooked is that hackers going after a particular target rely heavily on their initial investigation of that target. They do reconnaissance and footprinting to map the IP addresses at a site and to understand the functions and vulnerabilities of the servers at those addresses, mapping DNS names to IP addresses and vice versa to get the information they need. [2]

Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

[1] Timothy M. Mullen, "Defending Your Right to Defend."

[2] H. Meer, R. Temmingh, and C. van der Walt, "When the Tables Turn: Passive Strike-Back."

V. Feasibility

Worm Vs Worm

Email Spam or Virus Strike back

Strike back at Botnet

Categorize and Neutralize Botnet

This approach depends on being able to categorize the bot on the offending machine. Certainly a server could stop the spread of a known worm in this way. It could also try a series of attempts against a bot whose behavior is less well known.

Note that a botnet can defend against this by sending packets with spoofed source IP addresses. The approach thus works best when ISPs use egress filtering, dropping packets that originate inside their networks but carry source addresses the ISP did not assign. Currently, many ISPs do not do egress filtering.

An ISP would be a good candidate to provide this type of service. It is in an ISP's best interest to restrict malicious activity from within. It could neutralize botnets among its own clients, and potentially even inform the client that his machine was corrupted and subsequently neutralized, and provide steps to fix the vulnerability. However, setting up such a server is difficult and expensive and requires frequent updates. For this technique to become widely feasible, software would need to be sold to many ISPs.
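An added example, not part of the original page, of the source-address check an ISP border would apply to make the egress filtering mentioned above concrete, written in Python; it also covers the matching ingress direction (packets arriving from outside that claim an internal source), which the page does not discuss. The ISP prefixes, bogon list and sample packets are constructed.

```python
import ipaddress

# Constructed: address blocks this hypothetical ISP assigns to its customers.
ISP_PREFIXES = tuple(ipaddress.ip_network(p) for p in
                     ("203.0.113.0/24", "198.51.100.0/24"))
# Constructed bogon list: sources that should never appear on either path.
NEVER_SOURCE = tuple(ipaddress.ip_network(p) for p in
                     ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                      "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"))


def filter_packet(direction: str, src: str) -> tuple:
    """Return ("forward" | "drop", reason) for one packet at the ISP border.
    "out": packet leaves the ISP, so its source must be an address the ISP
    assigned (egress filtering as in BCP 38). "in": packet arrives from the
    internet, so it must not claim an ISP-internal source (ingress filtering)."""
    if direction not in ("in", "out"):
        return ("drop", f"unknown direction {direction!r}")
    try:
        s = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", f"unparseable source {src!r}")
    if any(s in b for b in NEVER_SOURCE):
        return ("drop", f"bogon source {s}")
    inside = any(s in p for p in ISP_PREFIXES)
    if direction == "out" and not inside:
        return ("drop", f"egress: source {s} not assigned by this ISP (likely spoofed)")
    if direction == "in" and inside:
        return ("drop", f"ingress: outside packet claims internal source {s}")
    return ("forward", "source consistent with path")


def apply_filter(packets) -> dict:
    """Run the filter over (direction, src, dst) tuples and summarize."""
    summary = {"forward": 0, "drop": 0, "reasons": []}
    for direction, src, dst in packets:
        action, reason = filter_packet(direction, src)
        summary[action] += 1
        if action == "drop":
            summary["reasons"].append(f"{src}->{dst}: {reason}")
    return summary


# Constructed sample traffic: two legitimate flows, one spoofed packet
# leaving the ISP, and one outside packet impersonating a customer.
SAMPLE_PACKETS = [
    ("out", "203.0.113.7", "192.0.2.80"),
    ("in", "192.0.2.80", "203.0.113.7"),
    ("out", "192.0.2.99", "192.0.2.80"),
    ("in", "198.51.100.5", "198.51.100.9"),
]
```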

Mislead Hacker's Investigations

Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

VI. Legal issues

Worm Vs Worm:

Email Spam or Virus Strike back:

Strike back at Botnet:

Neutralize Botnet:

Mislead Hacker's Investigations

Tracking File Transfers

Fake Vulnerabilities

Distributed Denial of Service

VII. Summarize futures

VIII. Conclusion