Security company Symbiot is about to launch a product that can hit back at hackers and DDoS attacks by lashing out with its own arsenal of tricks, but experts say it may just be a bit too trigger-happy.
Symbiot, a Texas-based security firm, is preparing to launch a corporate defence system at the end of March that can fight back against distributed denial-of-service (DDoS) and hacker attacks by launching a counter-strike. In advance of the product launch, Symbiot's president, Mike Erwin, and its chief scientist, Paco Nathan, have outlined a set of "rules of engagement for information warfare", which they say should be part of corporate security policy to help companies determine their exact response to an incoming attack.
"Until today, security solutions have been totally passive in nature. Merely erecting defensive walls around the perimeter of an enterprise network is not an adequate deterrent," said Erwin, who argues that to have a complete defence in place, offensive tactics must be employed. The company said it bases its theory on the military doctrine of "necessity and proportionality", which means the response to an attack is proportionate to the attack's ferocity. According to the company, a response could range from "profiling and blacklisting upstream providers" or it could be escalated to launch a "distributed denial of service counter-strike".
News source: ZDNet UK
- Fixed rehashing on change of Daylight Saving Time (DST) [MightyKnife]. To disable this patch, add "AdjustNTFSDaylightFileTime=0" in "[eMule]" section in preferences.ini file.
- Fixed bug with colors and known-type in searchlist control after files were canceled and/or added/removed from share.
- Fixed bug with sorting by category in download listview.
- USS will temporarily be limited to a minimum of 10K until we correct a couple of issues at lower speeds.
- Fixed bug in UDP socket with ReaskFilePing which was not answered for files in most cases.
- Fixed bug in IP filter; adjacent ranges with different levels were merged.
- IRC now handles sound events. (/sound [*.wav] [message]) (Sounds are stored in "../eMule/Sounds/IRC" dir)
- Fixed KadID bug which created some clusters and reported bad user counts.
- Packets for the UDP socket send queue now have a lifetime to keep from creating a backlog of packets.
- Fixed a bug that resumed 2 (instead of 1) files for the function "start next paused file when a file completes".
- Correction in the statistics for source-type passive, and several minor GUI fixes.
- Fixed invoking the comment page.
- Fixed Chicane webinterface template, to be able to start downloads from search results.
- Fixed an IRC crash bug thanks to reports from several IRC ops.
- Fixed the IRC Accept links from friends only option.
- IRC default name gets a pseudo random nick on connect to avoid nick collisions.
- Extra IRC filter options.
- Fixed flaw in exception handling which did not immediately disconnect a client which sends invalid file data packets.
- Fixed bug in UDP socket with processing of a received file status.
- Fixed several flaws in Kad window with connect and bootstrap function/buttons.
- Put back ping info for USS and small adjustment to USS - zz
- Removed some debug info in the upload bars

Stupid, yes. Amusing? Hardly. This idea, if given form, will cause a world-wide net firestorm like none has seen before. They are apparently totally immune to the fact that most crackers would never launch an attack from a computer they own.
Imagine the following scenario: a virus infects 1.000.000 computers worldwide. The virus starts a DDoS attack against some site running this software. The software detects a load of DoS attacks, and starts sending commands to its own zombies to defend itself. The result would be a million innocent victims, and one very happy cracker who would not have been affected at all (because his own computer would not be involved in the attack). The potential slowdown of the Internet would be huge.
Yes, I can see that being good business strategy. When are they gonna learn... defense is enough, we don't want to stoop to doing what the crackers are doing. It's bad enough out there as it is without adding more contentless packets that slow the net down.
</rant>
Also, suppose I want to attack person X, but don't want to dirty my hands...I attack Company Y with this software in place but make it look like person X is responsible. The corporate response hits person X and does my dirty deed for them.
This sort of thing is as unworkable as "good" worms that seek-out infected hosts and clean them.
Then I figured it out.
GET
NOTE TO SELF:
Do deeds for Satan
Just what we need, more spam bits flying across the internet.
DDoS attacks won't be solved until global routers get better at identifying them when they are happening. And that is hard considering they are coming from everywhere. Basically the attack has to be stopped by the hardware closest to the sources, and it should only block out the spam attack signals while the unknowing victim can carry on with their internet browsing.
Maybe even send a note to the user, "Hey, you look infected to me...." with instructions on how to remove the zombie program.
Now, making something like that happen. That's the million-dollar question.
How can these guys even hope to get away with this?
I totally agree with nic... ISPs and global backbone providers need to up the intelligence of their routers to catch DDoS attacks in their infancy!
my first thought also!
Figures.
Zombie machines at company A (running this software) start attacking company B (also running this software).
Company B detects the attack, and retaliates. Company A detects the retaliatory attack, and retaliates. Company B detects the retaliatory attack and retaliates........
Add some source spoofing into the equations and Companies C, D, E (etc) get involved.
Could be fun....
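The escalation loop in this comment, and the zombie scenario in the earlier rant, as an added toy simulation (not code from the article, from Symbiot, or from any commenter): two companies run an automated counter-strike policy, a flood arrives from zombies at an innocent ISP plus packets spoofed to look like Company B, and the cracker's own machine never sends a packet. All site names, hosts, thresholds and burst sizes are constructed for the example.

```python
from collections import Counter

class Site:
    """A network that may run an automated 'counter-strike' policy (constructed)."""
    def __init__(self, name, hosts, counter_strike, threshold=50):
        self.name, self.hosts = name, set(hosts)
        self.counter_strike, self.threshold = counter_strike, threshold
        self.inbound = Counter()   # packets received this round, keyed by header source

def counter_strike(site, burst):
    """If the site saw a flood, reply with `burst` packets at every header source.
    The header source is all the defender can see: zombie and spoofed sources are
    indistinguishable from the real attacker."""
    if not site.counter_strike or sum(site.inbound.values()) < site.threshold:
        site.inbound.clear()
        return []
    src = min(site.hosts)            # retaliation leaves from one of the site's own hosts
    pkts = [(src, victim) for victim in site.inbound for _ in range(burst)]
    site.inbound.clear()
    return pkts

def simulate(sites, packets, rounds, burst=100):
    """Deliver packets, let each site react, repeat.
    Returns per-round packet counts and a Counter of hits per destination host."""
    by_host = {h: s for s in sites for h in s.hosts}
    hits, history = Counter(), []
    for _ in range(rounds):
        if not packets:              # nobody retaliated: the incident is over
            break
        history.append(len(packets))
        for hdr_src, dst in packets:
            hits[dst] += 1
            if dst in by_host:
                by_host[dst].inbound[hdr_src] += 1
        packets = [p for s in sites for p in counter_strike(s, burst)]
    return history, hits

def run_scenario(active):
    """Company A is flooded by three zombies at an ISP plus packets spoofed as
    Company B's host; the cracker's box 'evil' is never on the wire."""
    a, b = Site("A", ["a1"], active), Site("B", ["b1"], active)
    isp = Site("ISP", ["z1", "z2", "z3"], False)   # innocent owners of the zombies
    zombies = [(z, "a1") for z in sorted(isp.hosts) for _ in range(30)]
    spoofed = [("b1", "a1") for _ in range(30)]
    return simulate([a, b, isp], zombies + spoofed, rounds=5)
```

With the policy on, the run never settles: A and B keep flooding each other until the round limit, the zombie owners each absorb a full burst, and the host that actually started it is never touched. With the policy off, the incident ends after the first round.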
"Oh, I didn't know that would happen when I opened that Kournikova attachment" or "I never run Windows Update / antivirus / firewall software" cannot be a valid defence for your own stupidity.
However...
An attack that was originated by a hole in OS or other that hasn't been addressed by the vendor is a different matter. Then again, floods of calls to the support desk will get the hole sorted quicker than relying on eEye or others to actively find it...