By Greggory Peck
Network Security Analyst
Editor Happy Hacker Windows Digest
Many people feel that if they are under cyber attack, they
should fight back. Regardless of who you are, and how good an
"Uberhacker" you may be, you can't be sure who is sitting
behind a particular terminal or who is using a given user's account
on a given ISP. It is rare that somebody who has circumvented
your firewall and is attacking your network is doing this from
their own machine. Usually the cracker has compromised one or
several Internet Service Providers, telnetting from one to the
next. This creates a nearly untraceable trail through the Internet
before he launches his attack.
Some say, "It's not as if the cracker is going to go
to the FBI and complain. After all, he was attacking my network."
This is probably true. However, the owner of the server that
you counter-attacked may well contact the authorities.
Fighting back also can be bad for your career. As a Network
Security Analyst for a Fortune 500 company, if I were to strike
back against an attacker, my employer would certainly consider
me a security liability, not an asset, and promptly fire me.
And then there may be questioning from the men in black as to
why I destroyed a server at "Generic ISP."
Ok, so you get lucky. The cracker is attacking your network
from home from his new *nix box. You trace back to the attacker
and penetrate his machine. You execute clever counter attacks,
gaining root and erasing his OS. That stops the attack in progress.
So you're sitting back with a grin knowing you just shut down
the attack... or did you? Oftentimes crackers run in groups.
This is especially true when dealing with high school or college
students. Now instead of one attacker, a dozen crackers are all
dead set on doing your network harm. They won't rest until
they have won one back for their victimized buddy.
Now you find yourself in a "Cracker War." Are you
prepared to take on a dozen wily crackers who have nothing better
to do with their time than figure out ways to penetrate your
personal or company's network?
I would have a very difficult time ever testifying against
somebody who did successfully strike back against an attacker
and was being charged in a court of law. I would not have encouraged
their course of action, but certainly would not condemn them.
Let's say you don't counter attack. Yet a group of crackers
are relentlessly attacking your network, day after day, week
after week, month after month, year after year. Sites such as
Antionline.com and Happy Hacker must cope with this kind of concentrated,
nonstop assault. What are we to do???
Although the FBI and US Secret Service are funded to fight
computer crime, they simply won't help most victims of even massive,
long lasting attacks. Even if they could add 600 highly trained
security specialists, this is not going to solve the problem.
I am sad to say that unless you are a very large organization
(read: Multi-Billion Dollar Company) that is publicly traded
and frequently in the media, whatever help is forthcoming from
the FBI will certainly take a substantial amount of time to
arrive. Once a federal agency becomes involved, it is limited
by a number of statutes and laws that restrict exactly what it
can and cannot do in pursuit of your intruder or attacker.
You, acting on behalf of your company as the Security Analyst,
can accomplish a great deal more than the FBI. Although ultimately
the FBI is essential if you want to prosecute criminals, your
"due diligence" in documenting everything, preserving
all evidence, and management of the crisis is going to be more
important than playing Rambo. As always, your best offense against
a would-be attacker is a solid defensive posture.
Configuring your routers with Access Control Lists, the professional
installation of an Intrusion Detection System, deployment of
host/network based threat assessment and auditing tools, and
a solid proxy based firewall will certainly be of great assistance.
Couple the security technologies available for companies today
with an efficient security awareness employee training program,
strong password management and guidelines, and enforce a competent
security policy. Then the odds of your attacker being successful
are drastically decreased. Unless you irritate computer criminals
by making fun of them (as Happy Hacker and Antionline do), chances
are that your attackers will soon move on to an easier target.
It is true that there are a number of products that can run
a user-definable sequence of commands in response to a particular
attack signature. These include Sidewinder, Axent's Net Prowler,
and ISS Real Secure. I imagine that ability was put into place
to dump log files to a more secure location or perhaps even FTP
the session information to another separate storage area so that
it can be recovered in the event your network is left in shambles
and data integrity is questionable. You can also configure all
of the above devices to simply drop route on the attacker or
to dynamically reconfigure your firewall with new rule sets specifically
denying access to all resources from the source IP address. I
don't believe that these programs were designed to "fight-back."
However, I have on occasion had sales representatives market
that feature to me as a "counter-strike" feature.
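The defensive use of such a response hook described above, as an added Python example that is not code from this article or from any of the products it names: it preserves the alerts as tamper-evident evidence and generates an inbound deny rule per external source, without executing anything or touching the source address. The alert format, the NEVER_BLOCK ranges and the choice of iptables as the firewall are assumptions made for illustration.

```python
import hashlib
import ipaddress

# Constructed alerts in a hypothetical "timestamp src_ip signature" format.
SAMPLE_ALERTS = [
    "2000-02-21T03:14:07Z 203.0.113.7 portscan",
    "2000-02-21T03:14:09Z 10.0.0.5 portscan",  # our own host: spoofed or a misfire
    "2000-02-21T03:15:30Z 203.0.113.7 telnet-bruteforce",
    "2000-02-21T03:16:02Z not-an-ip malformed",
]

# Assumed local ranges that an automated rule must never cut off.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def preserve(lines):
    """Build a hash-chained evidence log: each digest covers the previous
    digest plus the raw line, so later edits or deletions are detectable."""
    chain, prev = [], "0" * 64
    for raw in lines:
        prev = hashlib.sha256((prev + raw).encode()).hexdigest()
        chain.append({"raw": raw, "sha256": prev})
    return chain


def verify(chain):
    """Recompute the chain and report whether every record is intact."""
    prev = "0" * 64
    for rec in chain:
        prev = hashlib.sha256((prev + rec["raw"]).encode()).hexdigest()
        if prev != rec["sha256"]:
            return False
    return True


def deny_rules(lines):
    """Return one inbound DROP rule per distinct external source. Nothing is
    executed here and nothing is sent toward the source address."""
    rules, seen = [], set()
    for raw in lines:
        try:
            src = ipaddress.ip_address(raw.split()[1])
        except (IndexError, ValueError):
            continue  # malformed alert: keep it as evidence, do not act on it
        if src in seen or any(src in net for net in NEVER_BLOCK):
            continue
        seen.add(src)
        rules.append(f"iptables -I INPUT -s {src} -j DROP")
    return rules
```

Because the source address is often a compromised intermediary rather than the attacker's own machine, the rule only drops inbound traffic and should be reviewed and expired rather than left in place indefinitely.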
Striking back because your network was attacked is still illegal.
People may try to relate it to more physical types of actions
such as defending yourself and shooting your intruder. That comparison
isn't realistic. I'm not sure how comparing a network intrusion
to a murder or immediate threat of life and limb is very applicable.
Ok, well, wonderful. All these security products are wonderful
for companies with large budgets who can afford such tools. What
am I to do if the attack is against my personal website I host
on my home network??? See Carolyn Meinel's article "How to fight back legally when
computer criminals strike."
Of course, it's natural to take such an attack on your home
network personally. But before you go off half-cocked fighting
back, perhaps you should read an article by Adam L. Penenberg
for Forbes Magazine entitled "A Private Little Cyberwar,"
which can be found at http://www.forbes.com/forbes/00/0221/6504068a.htm.
It's much easier to swallow your pride and just shut off your
PC or spend the appropriate time researching security and patching
the known vulnerabilities in your system than it is to start
a Private Cyberwar.