Launch Countermeasures!

Posted 6 Aug 2001 at 21:42 UTC by Mulad

Nearly a week's worth of data has now been collected on the second coming of Code Red. Looking at CAIDA's graphs, it becomes obvious that there is a segment of the Internet population that either hasn't seen reports of Code Red, or is composed of people who don't believe that they are vulnerable to this problem. Many people are now launching active countermeasures against attacking hosts, attempting to disable those hosts in some way, or at least trying to notify the system administrator.

Obviously, there has been a lot of concern in the security community about crying wolf. This is worrisome, since, as Bruce Schneier stated, "This is not an anomaly. It's the shape of things to come."

If this is only the tip of the iceberg, then it is certainly very important to discuss the situation before it gets much worse. Is it a prudent course of action to respond to this attack? If it is decided that countermeasures are necessary, what should the response be?

A number of ideas have been generated over on Slashdot. Perhaps folks would like to start with those.

beware of active countermeasures, posted 6 Aug 2001 at 23:32 UTC by splork » (Master)

They often make a wonderful DDOS tool for anyone who can fake an attack as coming from somewhere else. It could also land you in hot water by attacking the wrong people who have a large legal team and don't appreciate it.

passive countermeasures, posted 7 Aug 2001 at 22:35 UTC by mobius » (Master)

I agree that any active countermeasures are likely to backfire on you. But there shouldn't be anything wrong with passive ones.

A lot of sites have mentioned a script that will complete the three way handshake on the CR request, but then never send any data. This seems like a good solution. There are probably other easier ways to do this. Maybe a CGI script with nothing but a sleep statement? Anything that slows the bandwidth consumption is a good start.
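
The tarpit mobius describes above, as an added example that is not part of the original thread or anyone's posted script: a tiny listener that completes the TCP handshake, reads the first request, and, if it looks like a Code Red probe against /default.ida, simply holds the connection open without ever answering, so the worm's scanning thread sits blocked in its read. Non-matching requests get a short 404 so ordinary clients are not caught. The signature heuristic (path plus a long run of N or X filler) and the sample probe are my own constructions, and the hold time is a parameter you would set to minutes in practice.

```python
import re
import socket
import threading
import time

# Heuristic signature (an assumption, not an official IDS rule): the probe is a
# GET for the Index Server ISAPI path followed by a long filler run, "N" for the
# first Code Red and "X" for Code Red II. We require at least 100 filler bytes.
CODE_RED_RE = re.compile(rb"^GET /default\.ida\?([NX])\1{99,}")

# Constructed sample probe for offline testing (not a captured packet).
CONSTRUCTED_PROBE = (
    b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"
    b"Host: www\r\n\r\n"
)

def is_code_red_probe(request: bytes) -> bool:
    """True when the first request line matches the filler-run signature."""
    return CODE_RED_RE.match(request) is not None

def tarpit_handler(conn: socket.socket, hold_seconds: float) -> str:
    """Serve one accepted connection: tarpit probes, 404 everything else."""
    conn.settimeout(5)
    try:
        first = conn.recv(4096)
    except socket.timeout:
        conn.close()
        return "timeout"
    if is_code_red_probe(first):
        # The handshake is done and the request consumed; sending nothing
        # leaves the worm's thread waiting on a reply that never comes.
        time.sleep(hold_seconds)
        verdict = "tarpitted"
    else:
        conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n"
                     b"Connection: close\r\n\r\n")
        verdict = "served"
    conn.close()
    return verdict

def run_once(request: bytes, hold_seconds: float) -> dict:
    """Loopback demo: one server accept, one client request; returns what the
    client saw and how long it waited, plus the server's verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, local only
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def accept_one():
        conn, _addr = srv.accept()
        result["verdict"] = tarpit_handler(conn, hold_seconds)

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()

    cli = socket.create_connection(("127.0.0.1", port))
    start = time.monotonic()
    cli.sendall(request)
    cli.settimeout(hold_seconds + 5)
    try:
        reply = cli.recv(4096)           # b"" means the server closed on us
    except socket.timeout:
        reply = b"<timeout>"
    result["elapsed"] = time.monotonic() - start
    result["reply"] = reply
    cli.close()
    t.join()
    srv.close()
    return result

if __name__ == "__main__":
    # A probe is held for two seconds and then dropped without a reply;
    # a normal request gets the 404 immediately.
    print(run_once(CONSTRUCTED_PROBE, 2.0))
    print(run_once(b"GET /index.html HTTP/1.0\r\n\r\n", 2.0))
```

The same idea fits the CGI-with-a-sleep variant mobius mentions: anything that answers the handshake and then withholds the response ties up one worm thread per connection at near-zero cost to you, which is the "slow the bandwidth consumption" effect without ever touching the remote machine.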

Countermeasures aren't necessarily so bad, posted 7 Aug 2001 at 23:11 UTC by apenwarr » (Master)

In the particular case of Code Red II, countermeasures are very easy and impossible to mistarget: any infected host has a simple backdoor binary installed.

I think one acceptable countermeasure would be to simply shut down the worm and the insecure web server once it tries to attack you. For many of the infected machines, the admin doesn't even know he _has_ a web server.

Of course, unless you write a worm yourself (very very dangerous), your response script won't be able to hit _all_ the infected boxes, and you'll have to rely on others to help you out by using the same script, and that generally doesn't work. (If it did, ISPs could already be blocking the worm at their end.)

It's a pretty good idea to shut down the infected servers, even if it annoys the admin, before somebody starts using them to distribute the world's largest DDOS.

Of course, the legal issues are another question...

types of countermeasures, posted 7 Aug 2001 at 23:55 UTC by mobius » (Master)

Okay, so there are several types of countermeasures.

  1. passive (cause delays)
  2. benign/beneficial active (disinfect/shut down)
  3. hostile/haxxor active (install further back doors/delete stuff)

This being windows, there's not really any way to tell the difference between numbers 2 and 3. More precisely, it's difficult to differentiate between IP A which added a non-code red trojan, and IP B which later cleaned the system of code red. So from a pure paranoia standpoint, I don't want my IP anywhere near an infected machine.

Countermeasures (other than passive blocking) are a bad idea, posted 8 Aug 2001 at 16:58 UTC by kelly » (Master)

Any countermeasures other than simply denying the attacking machine access or doing something to hang the thread is a really bad idea.

For all you know, the machine you tamper with is also being used to control a life-critical process (a bad idea in the first place, but hey) and by rebooting it or crashing it you have just killed someone. Do you want to go to jail for 20 years just so you don't have to put up with some annoying network activity?

IMO, the proper response is to figure out where the offending machine is, physically, and arrange for the police to shut it down as an "attractive nuisance". A legally novel argument, but it might work.

what is a mission-critical server doing on the internet?, posted 8 Aug 2001 at 23:29 UTC by lkcl » (Master)

[btw, nice idea about the attractive nuisance :)]
