
Hack back

Virtual vigilante or packet pacifist? Network executives have mixed feelings about whether to retaliate against an attack.


In December, when protesters were rampaging through Seattle in an attempt to disrupt the World Trade Organization summit meeting, other activists were launching a denial of service (DOS) attack on the WTO Web site.

But the WTO's Web-hosting service spotted the attack and repelled it, bouncing the flood of page download requests back to the origin server, which was run by a group calling itself electrohippies.


The e-hippies coalition, based in the U.K., never publicly acknowledged that the attack had been turned back on its own server. But the next day, a notice appeared on the e-hippies site apologizing that "people have had problems getting through" to its site.

To retaliate or not to retaliate? In cyberspace, there is no simple answer.

Conxion, the San Jose hosting service that reversed the attack on the WTO server, recognized the attack was coming from a single IP address belonging to the e-hippies server.

"So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server," says Brian Koref, senior security analyst at Conxion.

Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident. However, the reaction among IT professionals to the counterstrike was decidedly mixed.

Most IT professionals interviewed for this story said they would not strike back in cyberspace, for fear of hitting an innocent bystander. But they're not averse to taking some action when they're sure of the perpetrator's identity.

If vendor tools are any indication, fighting back may indeed be gathering acceptance in the IT community. Intrusion detection tools, for example, can be configured to reverse attacks. New reactive tools are also popping up in the marketplace, and freeware attack-reversing tools abound on the Web.

Gray areas

Opponents of retaliation say reversing an attack is akin to taking the law into their own hands. They worry that they may inadvertently bounce the attack back to an innocent target and bring the law down on themselves.

"Fighting back is a bad idea. I wouldn't do it," says Al Potter, manager of network security labs at ICSA Labs in Carlisle, Pa. "If it's illegal for them to attack you, then it's also illegal to attack them. And then we have this whole problem of crossing state and national boundaries. I don't even want to go there."

Lt. Commander Chris Malinowski, who heads the New York City Police Department's computer crime unit, agrees: "Just because you're a victim, doing it back to the bad guy doesn't make it any less of a crime."

Both Potter and Malinowski say Conxion's actions fall in a gray area. Malinowski says what Conxion did could qualify as denying mail and returning it to the sender, something that in the eyes of the law would be legal.

"If they're functioning solely within their own system to take preventative action during an attack, there should not be a problem," Malinowski says. "Rejecting mail is a normal system administration function. Now if they were inserting their own mail and sending that back to the e-hippie site, you may have a problem."

Know thy target

Conxion had a clear IP address trail to the e-hippies server, so it was simple to bounce the mail back to that address.

But consider that most crackers launch their attacks through hijacked IP addresses. The February distributed DOS attacks that crippled, eBay and others were launched from innocent "zombie" machines that had been hacked and were then commanded to do the bidding of the attacker. Had the victims retaliated by volleying the packets back to the source IP address, they would have shut down servers at legitimate businesses that had no knowledge of their part in the attacks.

"It would be blind luck to be placed into a situation where somebody is actually attacking your site from their own machine. The more typical case is the cracker has compromised one or several ISPs, telneting from one to the next, creating a nearly untraceable trail through the Internet," says Greggory Peck, a security analyst at a Fortune 500 company and editor of the "" newsletter.

Lance Dubsky, a security manager for a government agency he doesn't want named, knows of a case in which a system administrator at a private company hacked back.

Unfortunately, the IP address was fake and the administrator slammed an innocent target, which, in turn, traced the DOS attack back to the system administrator and alerted his superiors. The system administrator lost his job.

Vendor approved?

Object lessons like that, however, are not stopping vendors from bringing a number of new reactive technologies to market. For example, Recourse Technologies in Palo Alto, Calif., and GTE Federal Network Systems in Arlington, Va., peddle cracker-trapping technologies called honey pots.

These are network boxes that act like fly traps, luring crackers so network monitors can observe the attacker's actions and gather the attacker's identifying information.

"There's a fine line between privacy and taking aggressive countermeasures," says Frank Huerta, Recourse's president and CEO. "Our Mantrap tool is more like using video surveillance in stores."

Watching for suspicious activity and gathering evidence against attackers is one thing. But other vendors -- particularly intrusion detection vendors -- offer the capability to configure their tools to take more action than just killing incoming connections. They also could be configured to trace the IP address and return a DOS attack, say Peck and others.

Peck says salespeople from security vendors have told him they wouldn't recommend launching a retaliatory strike, but they also boasted that their product was capable of being programmed to launch one.

Vendor-assisted or not, you still run into the problem of hitting an innocent target.

"If the intrusion-detection system is programmed for an automated response, you could deny service to an innocent party by sending the attack back to a forged IP address," says Scott Blake, security program manager at Bindview, an Internet security vendor in Houston.
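A detector that applies these points, added here as an example and not the code of Conxion, Bindview or any other vendor named in the story: over constructed log events it tells a single-source flood (the Conxion case) apart from a distributed one (the February zombie attacks), and it answers only with actions on its own perimeter, because a forged source address would make any reflected response land on an innocent party.

```python
"""Flood detection that keeps its response inside our own system.

Added example; the thresholds and the two constructed event lists are
assumptions for illustration, not data from any real incident.
"""
from collections import Counter, defaultdict

# Constructed events: (source IP, epoch second). One address sends 200
# page requests per second for three seconds; a second address is normal.
SINGLE_SOURCE = [("203.0.113.5", 100 + i // 200) for i in range(600)] + \
                [("198.51.100.7", 100 + i) for i in range(3)]
# Constructed distributed flood: 200 "zombie" addresses, each sending only
# 2 requests per second, so no single source crosses the per-IP threshold.
DISTRIBUTED = [("203.0.113.%d" % (n + 1), 100 + s)
               for s in range(3) for n in range(200) for _ in range(2)]


def classify(events, window=1, per_ip=100, site_wide=300):
    """Return (kind, offenders): kind is 'none', 'single-source' or 'distributed'."""
    per_bucket = defaultdict(Counter)          # time bucket -> Counter(ip)
    for ip, ts in events:
        per_bucket[ts // window][ip] += 1
    offenders, distributed = set(), False
    for counts in per_bucket.values():
        hot = {ip for ip, n in counts.items() if n >= per_ip}
        offenders |= hot
        # Many sources, none individually loud: the zombie pattern.
        if sum(counts.values()) >= site_wide and not hot:
            distributed = True
    if offenders:
        return "single-source", sorted(offenders)
    if distributed:
        return "distributed", []
    return "none", []


def local_response(kind, offenders):
    """Actions applied only at our own perimeter. Nothing is sent back to the
    source: even a single loud address may be forged or a hijacked machine,
    so dropping it locally is the action that cannot hit a bystander."""
    if kind == "single-source":
        return ["drop src %s at perimeter" % ip for ip in offenders]
    if kind == "distributed":
        return ["rate-limit new connections site-wide",
                "preserve logs and hand the trail to the upstream ISP"]
    return []
```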

Bindview also sells a reactive tool called the Zombie Zapper, which was released in March as a response to the distributed DOS threats. Instead of returning the DOS attack at the offending IP address, it impersonates the "master" of the slave machines and sends an order to those slaves to stop sending DOS packets. According to Blake, Zombie Zapper was downloaded more than 7,000 times in the two weeks following its posting.

With a number of freeware vigilante tools being posted on the Web, how far will commercial vendors go? And will network management professionals use these reactive tools?

ICSA's Potter, who says that most of these legitimate vendor products offer some of this reactive capability as "eye candy," thinks this trend won't go much further. Vendors, he says, will ultimately offer what buyers want, and buyers would prefer to see better passive protection in existing tools than new reactive capabilities.

But corporate network and security managers are becoming increasingly frustrated with Internet crime -- cybercops can't keep up with it. Cracking comes at a hefty cost to corporate America, with financial losses due to computer crime costing 273 organizations nearly $266 million last year, according to a March report by the Computer Security Institute in San Francisco and the FBI.

"My experience, I'm sad to say, is that unless you are a very large organization -- a multibillion-dollar company that is publicly traded and frequently in the media -- whatever help is forthcoming from agencies like the FBI will certainly take a long time," Peck says. "But you, acting as your own security analyst, can accomplish a great deal more than can, say, the FBI."

Capt. John Jarrett, computer crime investigator with the Show Low Police Department in northeastern Arizona, would like to see more organizations get involved in actively protecting their assets. "I'd actually hope people get tired of things and take a stand," he says.

At the very least, Jarrett would like to see corporations do more of their own tracking of e-criminals so they can present evidence to the district attorney's office. But he, like Malinowski and other law enforcement officers, stops short of advocating retaliation.

So what's the solution? Start by building up your offensive posture. That means tightening and then testing the security in your network infrastructure, starting with your operating systems and working out to your perimeter firewalls and routers.

Brace your networks for more distributed attacks, nastier viruses and more chaos until these issues sort themselves out.

"[Cybercrime is] going to get worse before it gets better," Potter says.

New reactive tools

In addition to Recourse and GTE Federal Network Systems' "honey-pot hacker trapping technology," Network Ice, in San Mateo, Calif., makes a tool called BlackIce Defender for small offices and remote workers. Network Ice just announced an agreement under which Intel will bundle BlackIce for digital subscriber line modem users. BlackIce blocks some attempted attacks and catches the IP address of the attacker. Look for more reactive capabilities in the next version, says Greg Gilliom, CEO.


Tambu UDP Scrambler -- User Datagram Protocol (UDP) ports are one of the first points of entry hackers look for. This not only acts as a fake UDP port, it can also be used to cripple attackers' machines through a handy program called UDP flooder. All kinds of other hacking/fighting back tools are on this site. It is not recommended for use where this is illegal.

A stash of antihacking freeware can also be found by clicking here.

Related links

Radcliff is a freelance writer living in California. She can be contacted at

A case of cyberstalking
Law enforcement agencies appear powerless to stop electronic harassment.

Resourceful hackers have the edge
By James IDG News Service, 05/10/00.

Security and bug patch alert newsletter archive

Resource list for cyberstalking issues

The DoJ's 1999 report on cyber stalking
initiated by Al Gore

State by state guides on stalking:
National Conference of State Legislatures

$10 million lawsuit filed
against a pair of cyber stalkers in the latest twist involving a faux literary agent accused of harassing author, Joan Hitchcock through online chat rooms.
