Re: A question for the list...

From: Ray Stirbei (me_at_highentropy.org)
Date: 05/21/03

  • Next message: Kurt Seifried: "Re: Scans from proxyprotector.com"
    To: "Dave Sharp" <pcrepairs@rogers.com>, <incidents@securityfocus.com>
    Date: Wed, 21 May 2003 02:04:04 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dave,

    I commend your passion to write such a lengthy post and there is no
    disagreement about the negative impact of worms and DoS atacks. I also agree
    with you that such a strike back would probably be effective in mitigating
    these types of attacks.

    For the sake of reference here are the sources of this discussion. Most of
    these have reader feedback:

    Tim's original posts and presentation from last summer:
    http://www.securityfocus.com/columnists/98
    http://www.securityfocus.com/columnists/134
    http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-mullen.pdf

    An academic paper presented to IEEE about the same time as Tim's work - summer
    2002 ( Nimda season ).
    http://www.sosresearch.org/publications/ISTAS02hackback.PDF

    Here's the argument in 2001
    http://www.newsfactor.com/perl/story/14874.html:

    And 2000
    http://www.nwfusion.com/research/2000/0529feat2.html

    You can find references in the IEEE paper when this topic was discussed in
    1999, 1998, etc.

    The IEEE paper deals with the majors issues in a systematic way. In the
    context of your message, a big problem we face is not knowing the identity of
    the attacker. A few years ago IDS vendors introduced the capability to
    dynamically update firewall ACLS to drop all traffic from hosts who 'seemed'
    to attack the network. This concept is called shunning and its a sensible
    idea. The problems started when attackers would launch an common attack (whom
    the IDS sensor is sure to pick up), but masqueraded the traffic to make it
    look like it is from the IDS sensor itself. Surely enough, the IDS responds
    by adding firewall rules which in effect shut down the IDS sensor. The irony
    is almost Shakespearean.

    A lot of things that makes sense (in the area of self-defense) in the physical
    world, don't hold water on the Intenet. Cars, for example, are powerful tools
    but can also wreak great havoc in irresponsible hands. So we have tight
    federal regulations mandating safety featuresand construction, traffic laws
    at all gov't levels and licensing for all operators. We don't have this on
    the Internet! Moreover, even if US passes laws legalizing a counterstrike,
    there are many other countries in the world (190 to be exact) an attacker can
    choose to attack from. Even script kiddies these days bounce around the
    world prior to an attack.

    Security is a difficult endeavour and I suspect the long term approach to this
    problem are better secured systems that (passively) react and neutralize the
    threat. Your message brings many great points. In reponse to the Fizzer
    approach, I restate that counter attacking is effective. However, this is a
    complex topic with all types of consequences and just becuase its effective
    doesn't mean it is the right thing to do.

    ray

    On Sunday 18 May 2003 02:56 pm, Dave Sharp wrote:
    > Hi, I'm new to this, so please excuse the posturing and or ignorance. :-)
    >
    > >>>>>The discussion,
    >
    > ...........................................................................
    >. ....................
    > Here is a link for a report on News.com and it contains some opinions by
    > legal folk. http://news.com.com/2100-1002_3-1003894.html?tag=lh<<<<<<
    >
    >
    > A bunch of ideas for discussion pop-up to me... some of these may not be
    > totally on-topic for this forum, if you can tie something back into
    > incident response, I'll likely allow it through.
    >
    > >>>>>>>>>>What are the implications down the road?
    >
    > Notwithstanding any legal implications I can see nothing but good arising
    > from a responsible associate taking action
    > against an active malevolent program. In proactively responding to a threat
    > to their own networks, they are doing the
    > whole community justice. Whether the malware propagates due to ignorance,
    > laziness or budget, I think the end justifies the means.
    >
    > I know what it is like to be on the other end of stick. When Nimda was
    > released, my ISP (sympatico) was heavily infected. At the time, the only
    > thing I knew was the internet had slowed to a crawl and my firewall was
    > racking log entries non stop. My newly installed NOD32 antivirus kept the
    > worm at bay while my Norton machines were infected and I had no idea what
    > was wrong. In the end, I had to take my computers and one server off the
    > WAN due to the constant attacks from my ISP.
    > After a little research, I did a port scan of my subnet to find that over
    > 100 machines were actively infected on my DSL subnet and wrote to
    > Sympatico. Never did receive a reply. Wonder why?
    >
    > >>>>>>>>>-Are there concerns that organizations have with this trend?
    > >>>>>>>>> Legal?
    >
    > Precedure?
    >
    > Given some of the legal tripe that has come down from the courts concerning
    > networks and the internet in the last year,
    > I think a precedence could be established in court if one responded to a
    > crisis situation on a neighboring network and shutdown malware. No sense
    > elaborating since it would be nothing more than legal speculation. Given
    > the legal state
    > of affairs in the US, and their penchant for siding with criminals who is
    > to say. (no different here in Canada either)
    >
    > Just to reinforce my first statement.
    > http://www.freedom-to-tinker.com/archives/000336.html
    >
    > To put the shoe on the other foot, why shouldn't the infectious networks be
    > held responsible for
    > propagating the malware code if preventive measures such as patching the
    > server exist in the first
    > place? Is it not their responsibility to ensure that their servers DO NOT
    > contribute to further infection
    > if the means exist and are widely known? Could this set a precedent to sue
    > an enterprise network for
    > virulent proliferation to extract the costs of infection cleanup?
    >
    > >>>>>>>>>>>>-Is this any different than a similar activity that installs
    >
    > malicious code on the target host?
    >
    > I would say yes. There is currently no mechanism for a network that has
    > been infected from malware to recover costs
    > associated from an infection. One could block or otherwise prevent the
    > spread to their networks through passive means
    > but what about the loss of bandwidth while the malware constantly hammers
    > their networks? A properly planned and executed
    > tactical response against a rogue network responsible for spreading
    > infection would benefit the internet as a whole.
    > I cannot see this as being erroneous. If a rogue network is responsible for
    > spreading infection and can be taken offline or rendered safe, where is the
    > downside? If it is a matter of moralistic semantics, I believe it to be a
    > moot point.
    >
    > One could argue the merits of an individual taking action against such a
    > network, but what if it were an organization?
    > Seems to me that there is a need to actively pursue some sort of organized
    > response against widespread infections in
    > networked communications. It would have to be more effective and responsive
    > than a UN type organization. Someone would
    > have to be responsible and make quick final decisions. It is a problem that
    > knows no borders or political boundaries and
    > therefore should not be a consideration. If they infect, they come down,
    > that simple. Right? If they don't they should
    > be held responsible for cross network infections as a result of inaction.
    > Host networks that are offshore could be
    > blocked altogether. Nonetheless I actively block complete known malicious
    > networks and subnets from my server as a matter of practice.
    >
    > >>>>>>>>>>>-The approach that Tim advocated was significantly less
    > >>>>>>>>>>> intrusive
    >
    > than the approach taken with the Fizzer virus, Tim's approach made no
    > significant changes on the targeted host, simply blocked the ability of
    > Nimda to replicate (if I remember correctly), and notify the owner that
    > they have been compromised and where to go to find help in removing the
    > infection. The approach taken to actually modify the system to remove
    > Fizzer seems to go significantly past that. Why was the reaction to Tim's
    > advocacy of discussion so hostile, and to date, I have seen no negative
    > criticism of the Fizzer removal.
    >
    > I can see no relevant argument against such a response. Again, where is the
    > downside to this? Most times, when a network
    > is responsibly managed, these infections do not take place. I stress MOST
    > times. If a network admin were hostile to taking
    > preventative measures, one would have to ask why and deserve and answer. In
    > the mean time, down he comes despite the
    > arguments.
    >
    > >>>>>>>>>>>>>>>>-Is this a catalyst for a group (IETF?) of some kind to
    >
    > debate these issues to find a resolution? I think that most people would
    > agree that the increasing risk that these distributed networks pose to
    > every Internet connected host is grave, and a better method is required to
    > deal with them. Are there other ideas that don't get us into "arms races"
    > with malcode writers.
    >
    > Being new to this (less than a year) and a user of 5 years, I think this is
    > an idea's who's time has come. A group? Yes.
    > A responsible group, with authority to take appropriate and swift action.
    > In fact in the US, could this not be actively
    > reconciled as part of Homeland Security? Networks compromised by malware
    > would indeed be ripe for further intrusions and
    > exploits while being brought to their digital knees. An infected network
    > could be effectively "quarantined" while the
    > group takes action to provide effective cleanup and provide network
    > forensics. Cause and effect have to be established and
    > preventative measures brought up to speed.
    >
    > >>>>>>>>>-If this becomes standard practice, will this force the
    >
    > communication and update channels underground/encrypted (the "arms race"
    > that I mentioned)
    >
    > I wouldn't like to think so, but as long as there are malware purveyors
    > there will always be a war. Taking into account
    > what is at stake, I believe tactical responses are appropriate and
    > necessary. Many networks, ISP's and enterprises have
    > too much to lose not to take a proactive stance in shutting down virulent
    > networks. The problem is than a large majority
    > of casual users do not recognize the threat, and a similarly large amount
    > of network admins do not do their jobs, or
    > respond inappropriately or ineffectively to an network infection.
    >
    > At this point, I would have to ask why it took so long for ISP's to respond
    > appropriately to Nimda and Slammer? Why were
    > servers not patched and protected? Why after infection did they remain
    > actively networked for so long? Why are infected
    > networks not FORCED offline or blocked? Who the hell is in
    > charge??????????????? If no one, then the question that begs to be answered
    > is why this is even an issue? If a contentious educated individual who's
    > network is under attack responds to
    > that attack in a friendly tactical manner, where is the problem? Who is to
    > stop him, and why would they want to? If my
    > server was actively infecting a network and someone stepped up to the
    > plate, stopped it and informed me of what they did,
    > I would feel "schooled", and would be thankful for the education. From what
    > I see from these newsletters, there are many,
    > many, individuals on this list who meet those criteria.
    >
    > >>>>>>>>>>>>-What are some of the strategies that organizations are
    >
    > implementing to control their exposure to these communication channels?
    >
    > Good question. :-)Lots of talk, lots of available software and hardware not
    > to mention educational facilities! The Slammer worm is still the proof in
    > the pudding. One would think that the Nimda worm taught a world wide
    > lesson, but apparently not. How many of the SQL servers online belonged to
    > enterprises with large budgets and IT staff. Why did they not take the
    > appropriate measures to prevent the spread of the slammer worm when so many
    > avenues of prevention clearly exist is my question? To not patch a server
    > in my opinion is inexcusable. If you haven't got the budget or the time,
    > then you shouldn't be networked to others that do.
    >
    > >>>>>>>>>>-If a command can be given in a channel to "shut down" the
    > >>>>>>>>>> network
    >
    > of hosts, what is the view on the legality of doing this? If you had a host
    > on your network that was suddenly shut down by a well meaning (or not so
    > well meaning third party), what would your response be?
    >
    > Like I said above, I'd feel "schooled". Especially if I received an email
    > outlining what they did, how they
    > did it, and why. If I am actively infecting a network or subnet, I should
    > be thankful. Are we not all members of the same loose community? If a
    > particular network admin fails in his duties, why should his lack of action
    > or education serve
    > as a (loosely)" Typhoid Mary" for the rest of the net? Shutting down
    > infectious networks is a responsible reaction.
    >
    > To use a medical analogy with which the computer community loves to flirt
    > with, (Dell Support Interns?)
    >
    > If the virus was a medical problem, and the code writer a doctor, he would
    > be deemed a HERO, and not in the
    > loose terms that it is being used today. I say write and deploy your (SARS)
    > corrective code who ever you are!
    >
    >
    > Sincerely,
    >
    > Dave Sharp
    >
    > apprentice networking and admin
    >
    >
    > ---------------------------------------------------------------------------
    >- *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    > Just like wired networks, wireless LANs require network security policies
    > that are enforced to protect WLANs from known vulnerabilities and threats.
    > Learn to design, implement and enforce WLAN security policies to lockdown
    > enterprise WLANs.
    >
    > To get your FREE white paper visit us at:
    > http://www.securityfocus.com/AirDefense-incidents
    > ---------------------------------------------------------------------------
    >-
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+yxbbzejBliQ3SdsRAgAEAJ0eeoFtLTJ2UxEmsWSCBMe77wgAdQCgkwad
    3V38otXHSxT3TF9/V5UwpAs=
    =I4hp
    -----END PGP SIGNATURE-----

    ----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-incidents
    ----------------------------------------------------------------------------


  • Next message: Kurt Seifried: "Re: Scans from proxyprotector.com"