ad info  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

Can you hack back?

Network World Fusion

June 1, 2000
Web posted at: 10:30 a.m. EDT (1430 GMT)

In this story:

Gray areas

Know thy target

Vendor approved?


(IDG) -- In December, when protesters were rampaging through Seattle in an attempt to disrupt the World Trade Organization summit meeting, other activists were launching a denial of service (DOS) attack on the WTO Web site.


But the WTO's Web-hosting service spotted the attack and repelled it, bouncing the flood of page download requests back to the origin server, which was run by a group calling itself electrohippies.

The e-hippies coalition, based in the U.K., never publicly acknowledged that the attack had been turned back on its own server. But the next day, a notice appeared on the e-hippies site apologizing that "people have had problems getting through" to its site.

To retaliate or not to retaliate? In cyberspace, there is no simple answer.

Conxion, the San Jose hosting service that reversed the attack on the WTO server, recognized the attack was coming from a single IP address belonging to the e-hippies server.

"So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server," says Brian Koref, senior security analyst at Conxion.

Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident. However, the reaction among IT professionals to the counterstrike was decidedly mixed.

Most IT professionals interviewed for this story said they would not strike back in cyberspace, for fear of hitting an innocent bystander. But they're not averse to taking some action when they're sure of the perpetrator's identity.

If vendor tools are any indication, fighting back may indeed be gathering acceptance in the IT community. Intrusion detection tools, for example, can be configured to reverse attacks. New reactive tools are also popping up in the marketplace, and freeware attack-reversing tools abound on the Web.

Gray areas

  Tripwire for DoS attacks
  How hackers cover their tracks
  Inside a hacker's toolchest
  Windows an easy hacker target
  Reviews & in-depth info at
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for network experts
  Search in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

Opponents of retaliation say reversing an attack is akin to taking the law into their own hands. They worry that they may inadvertently bounce the attack back to an innocent target and bring the law down on themselves.

"Fighting back is a bad idea. I wouldn't do it," says Al Potter, manager of network security labs at ICSA Labs in Carlisle, Pa. "If it's illegal for them to attack you, then it's also illegal to attack them. And then we have this whole problem of crossing state and national boundaries. I don't even want to go there."

Lt. Commander Chris Malinowski, who heads the New York City Police Department's computer crime unit, agrees: "Just because you're a victim, doing it back to the bad guy doesn't make it any less of a crime."

Both Potter and Malinowski say Conxion's actions fall in a gray area. Malinowski says what Conxion did could qualify as denying mail and returning it to the sender, something that in the eyes of the law would be legal.

"If they're functioning solely within their own system to take preventative action during an attack, there should not be a problem," Malinowski says. "Rejecting mail is a normal system administration function. Now if they were inserting their own mail and sending that back to the e-hippie site, you may have a problem."

Know thy target

Conxion had a clear IP address trail to the e-hippies server, so it was simple to bounce the mail back to that address.

But consider that most crackers launch their attacks through hijacked IP addresses. The February distributed DOS attacks that crippled, eBay and others were launched from innocent "zombie" machines that had been hacked and were then commanded to do the bidding of the attacker. Had the victims retaliated by volleying the packets back to the source IP address, they would have shut down servers at legitimate businesses that had no knowledge of their part in the attacks.

"It would be blind luck to be placed into a situation where somebody is actually attacking your site from their own machine. The more typical case is the cracker has compromised one or several ISPs, telneting from one to the next, creating a nearly untraceable trail through the Internet," says Greggory Peck, a security analyst at a Fortune 500 company and editor of the "" newsletter.

Lance Dubsky, a security manager for a government agency he doesn't want named, knows of a case in which a system administrator at a private company hacked back.

Unfortunately, the IP address was fake and the administrator slammed an innocent target, which, in turn, traced the DOS attack back to the system administrator and alerted his superiors. The system administrator lost his job.

Vendor approved?

Object lessons like that, however, are not stopping vendors from bringing a number of new reactive technologies to market. For example, Recourse Technologies in Palo Alto, Calif., and GTE Federal Network Systems in Arlington, Va., peddle cracker-trapping technologies called honey pots.

These are network boxes that act like fly traps, luring crackers so network monitors can observe the attacker's actions and gather the attacker's identifying information.

"There's a fine line between privacy and taking aggressive countermeasures," says Frank Huerta, Recourse's president and CEO. "Our Mantrap tool is more like using video surveillance in stores."

Watching for suspicious activity and gathering evidence against attackers is one thing. But other vendors -- particularly intrusion detection vendors -- offer the capability to configure their tools to take more action than just killing incoming connections. They also could be configured to trace the IP address and return a DOS attack, says Peck and others.

Peck says salespeople from security vendors have told him they wouldn't recommend launching a retaliatory strike, but they also boasted that their product was capable of being programmed to launch one.

Bindview also sells a reactive tool called the Zombie Zapper, which was released in March as a response to the distributed DOS threats. Instead of returning the DOS attack at the offending IP address, it impersonates the "master" of the slave machines and sends an order to those slaves to stop sending DOS packets. According to Blake, Zombie Zapper was downloaded more than 7,000 times in the two weeks following its posting.

With a number of freeware vigilante tools being posted on the Web, how far will commercial vendors go? And will network management professionals use these reactive tools?

ICSA's Potter, who says that most of these legitimate vendor products offer some of this reactive capability as "eye candy," thinks this trend won't go much further. Vendors, he says, will ultimately offer what buyers want, and buyers would prefer to see better passive protection in existing tools than new reactive capabilities.

But corporate network and security managers are becoming increasingly frustrated with Internet crime -- cybercops can't keep up with it. Cracking comes at a hefty cost to corporate America, with financial losses due to computer crime costing 273 organizations nearly $266 million last year, according to a March report by the Computer Security Institute in San Francisco and the FBI.

"My experience, I'm sad to say, is that unless you are a very large organization -- a multibillion-dollar company that is publicly traded and frequently in the media -- whatever help is forthcoming from agencies like the FBI will certainly take a long time," Peck says. "But you, acting as your own security analyst, can accomplish a great deal more than can, say, the FBI."

So what's the solution? Start by building up your offensive posture. That means tightening and then testing the security in your network infrastructure, starting with your operating systems and working out to your perimeter firewalls and routers.

Brace your networks for more distributed attacks, nastier viruses and more chaos until these issues sort themselves out.

"[Cybercrime is] going to get worse before it gets better," Potter says.

Phillipines: School for Hackers
May 22, 2000
Windows' popularity makes it easy target to hackers
May 16, 2000
Security experts say hackers have the edge
May 11, 2000
Should cyber ethics be taught at school?
May 9, 2000
Experts say more legislation will not deter computer hackers
May 5, 2000
Technology - Can you counter-attack hackers?
April 7, 2000

Can you counter-attack hackers?
(Network World Fusion)
Tripwire for DoS attacks
A case of cyberstalking
(Network World Fusion)
Resourceful hackers have the edge
(Network World Fusion)
How hackers cover their tracks
Windows an easy hacker target
Inside a hacker's toolchest
The enemy within
(Network World Fusion)

BlackIce Defender
Tambu UDP Scrambler

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.