One problem with defending our networks against hackers is that we rarely take any action against the attackers. For example, suppose a remote machine attempts an IIS buffer overflow exploit against one of our IP addresses. There are several possible results:
- (i) The target has an unpatched IIS server and the attack succeeds. By the time we find out, we probably have no way of identifying the attacker.
- (ii) The target has a patched IIS server, or another webserver entirely, and the attack fails.
- (iii) Our firewall blocks port 80 for the target and the attack fails.
- (iv) The target IP address is unused, or has no webserver, and the attack fails.
For cases (ii) and (iii), and for (iv) if the unused address space is logged, we may have log entries that show the source of the attack, but no damage was done and arguably no crime was committed, so there is nothing to report to the police. An enthusiastic administrator might identify the responsible ISP and write to its 'abuse' or 'postmaster' address, but the lack of any response quickly becomes discouraging. Any kind of retaliation against the source would itself be illegal, and, since a worm such as CodeRed may be involved, the source machine may well be another innocent victim that has been compromised rather than the attacker.
DShield.org is a reporting experiment (or distributed intrusion detection system) operated by Euclidian Consulting. Organisations submit their packet filter logs, and DShield analyses them and extracts statistics; importantly, there are tools to automate the submission. DShield also picks out strong cases of abuse (from reports whose submitters have agreed to this use of their data) and contacts the responsible ISP. The hope is that an ISP is more likely to act when a pattern of abuse across many victims can be shown than when it receives a single complaint. The danger is that organisations are revealing their packet filter logs, which disclose their address ranges, their filtering policy and which of their hosts run which services, all of which is useful to an attacker. DShield publishes a privacy policy on its site, but many organisations would find it difficult to trust an unknown company with such data. It would be good to see the idea adopted by publicly accountable organisations such as CERTs.
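At its core, the analysis DShield performs on submitted logs is an aggregation by source address, so that one source hitting many unrelated victims stands out. The following Python is an added example and not DShield's own code or client: it parses constructed firewall log lines in the Linux netfilter (iptables LOG target) format, groups them by source, distinguishes a host sweeping many of our addresses on one port from a host walking the ports of a single machine, and writes the interesting events out in a simplified tab-separated report format modelled loosely on DShield's submission format (the exact field order of the real format is an assumption here; check the client documentation). It also masks the first octet of our own addresses before reporting, as the DShield submission clients could be configured to do (the details of that option are likewise an assumption), which is one partial answer to the concern about disclosing packet filter logs. The sample log lines, the author tag `ourorg` and the thresholds are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in netfilter (iptables LOG target) format; not real
# traffic.  203.0.113.5 hits several of "our" addresses on port 80 (a CodeRed
# style sweep), 203.0.113.9 walks the ports of one host, 192.0.2.77 makes a
# single SSH connection attempt and 192.0.2.78 sends one ICMP echo request.
SAMPLE_LOG = """\
May 15 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=48 PROTO=TCP SPT=3456 DPT=80 WINDOW=16384 SYN
May 15 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 LEN=48 PROTO=TCP SPT=3457 DPT=80 WINDOW=16384 SYN
May 15 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.12 LEN=48 PROTO=TCP SPT=3458 DPT=80 WINDOW=16384 SYN
May 15 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.13 LEN=48 PROTO=TCP SPT=3459 DPT=80 WINDOW=16384 SYN
May 15 12:03:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN
May 15 12:03:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN
May 15 12:03:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN
May 15 12:03:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN
May 15 12:03:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN
May 15 12:10:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.30 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN
May 15 12:11:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.78 DST=198.51.100.30 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# SPT/DPT are optional because ICMP lines carry TYPE/CODE instead of ports.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


@dataclass
class Event:
    timestamp: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: str


def parse_line(line: str) -> Optional[Event]:
    """One netfilter log line -> Event, or None for lines that are not packet logs."""
    m = LINE_RE.search(line)
    if not m:
        return None
    timestamp = " ".join(line.split()[:3])          # syslog "Mon DD HH:MM:SS"
    flags = " ".join(FLAG_RE.findall(line))
    return Event(timestamp, m["src"], m["dst"], m["proto"],
                 int(m["spt"]) if m["spt"] else None,
                 int(m["dpt"]) if m["dpt"] else None, flags)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


@dataclass
class SourceSummary:
    src: str
    packets: int = 0
    targets: set = field(default_factory=set)   # distinct addresses of ours hit
    ports: set = field(default_factory=set)     # distinct destination ports hit

    def kind(self, target_threshold: int = 3, port_threshold: int = 3) -> str:
        # Thresholds are constructed for the example, not DShield's values.
        if len(self.targets) >= target_threshold:
            return "horizontal scan"     # one port, many of our hosts (worm-like)
        if len(self.ports) >= port_threshold:
            return "vertical scan"       # one host, many ports
        return "single probe"


def summarise(events: list) -> dict:
    """Aggregate events per source address, the view a DShield-style report needs."""
    out = {}
    for e in events:
        s = out.setdefault(e.src, SourceSummary(e.src))
        s.packets += 1
        s.targets.add(e.dst)
        if e.dpt is not None:
            s.ports.add(e.dpt)
    return out


def abuse_candidates(summary: dict) -> list:
    """Sources whose behaviour looks like scanning, busiest first; these are the
    ones a report to the responsible ISP could be built around."""
    return [s.src for s in sorted(summary.values(), key=lambda s: -s.packets)
            if s.kind() != "single probe"]


def obfuscate_target(ip: str) -> str:
    """Replace the first octet of one of our addresses with 10, so the report
    still shows how many distinct hosts were hit without naming our netblock."""
    return "10." + ip.split(".", 1)[1]


def to_report_line(e: Event, author: str = "ourorg", obfuscate: bool = True) -> str:
    """Tab-separated record: time, submitter, count, source, sport, target, tport,
    protocol, flags.  The field order is an assumption modelled on DShield's."""
    dst = obfuscate_target(e.dst) if obfuscate else e.dst
    fields = [e.timestamp, author, "1", e.src,
              "" if e.spt is None else str(e.spt), dst,
              "" if e.dpt is None else str(e.dpt), e.proto, e.flags]
    return "\t".join(fields)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    summary = summarise(events)
    for src, s in summary.items():
        print(f"{src:15} packets={s.packets:2} targets={len(s.targets)} "
              f"ports={len(s.ports)} -> {s.kind()}")
    wanted = set(abuse_candidates(summary))
    print("\nreport lines for scanning sources (targets masked):")
    for e in events:
        if e.src in wanted:
            print(to_report_line(e))
```

Run on the constructed log, the two scanning sources are reported while the lone SSH attempt and the single ping are not; a real submission would send every dropped packet and leave the pattern detection to the central analysis, since a single site only sees one slice of a sweep.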
The second idea is from HackBusters, who take a more controversial approach. In their own words, "Here at HackBusters, we believe that an active defense is equal to a good offense. That's why we've developed LaBrea." Put simply, their software allows a machine to be set up to answer every attempt to connect to an unused IP address on the network, completing the TCP handshake and then leaving the connection to time out. A more aggressive mode holds the client in the TCP persist state indefinitely, so that the client keeps the connection open but can never send any data. An attacker port scanning the network therefore spends a long time on each unused address. This reduces the bandwidth consumed by the attack and buys time for the administrators of compromised machines to be contacted before further damage is done. However, it does break the TCP specification, so it should be studied very carefully before being introduced. It also assumes that any attempt to connect to an unused IP address is a hacking attempt. Largely this is true, since port scanning is very common, but mistakes, such as a stale DNS record, do happen, and this "tarpit" will trap those innocent mistakes too, perhaps making them harder to recognise and correct.
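To make the cost to a scanner concrete, here is an added example, in Python and not LaBrea's own code, of the basic tarpit behaviour at the application level: a listener that accepts every connection on a port and then holds it in silence until the peer gives up or a hold time expires, together with a `probe` function that behaves like a banner-grabbing scanner and reports how long it wasted. It cannot reproduce LaBrea's real tricks of answering ARP for unused addresses and pinning the peer in TCP persist state with a zero window, which need raw packet access, and the port, hold time and timeouts are assumptions chosen for the example. The same silence also shows the caveat in the paragraph above: a legitimate client that arrives because of a stale DNS record is held just as long and gets no error to explain why.

```python
import socket
import threading
import time


class Tarpit:
    """Listen on one TCP port, accept every connection and hold it open in
    silence until the peer gives up or hold_seconds expires.  Nothing is ever
    sent back, so a scanner waiting for a banner burns its whole timeout.
    This is an application-level approximation of LaBrea's basic mode."""

    def __init__(self, host="127.0.0.1", port=0, hold_seconds=60.0):
        self.hold_seconds = hold_seconds
        self.captured = []  # (peer address, monotonic time of capture)
        self._stop = threading.Event()
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((host, port))          # port 0 = pick a free port
        self._listener.listen(128)
        self._listener.settimeout(0.1)             # lets the accept loop see _stop
        self.port = self._listener.getsockname()[1]
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.captured.append((peer, time.monotonic()))
            threading.Thread(target=self._hold, args=(conn,), daemon=True).start()

    def _hold(self, conn):
        # Read and discard whatever the peer sends, never answer, and drop the
        # connection only when the peer closes it or the hold time is up.
        deadline = time.monotonic() + self.hold_seconds
        try:
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    break
                conn.settimeout(remaining)
                if not conn.recv(4096):            # b'' means the peer closed
                    break
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self._listener.close()


def probe(host, port, timeout):
    """Act like a banner-grabbing scanner: connect, wait up to `timeout`
    seconds for the service to say something, then give up.
    Returns (connected, got_banner, seconds_spent)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return False, False, time.monotonic() - start
        try:
            got_banner = bool(s.recv(1024))
        except socket.timeout:
            got_banner = False
    return True, got_banner, time.monotonic() - start


if __name__ == "__main__":
    tp = Tarpit(hold_seconds=30.0)
    print("tarpit listening on 127.0.0.1:%d" % tp.port)
    # A scanner with a 2 s banner timeout spends the full 2 s here and learns nothing.
    print("scanner result (connected, banner, seconds):", probe("127.0.0.1", tp.port, timeout=2.0))
    print("connections captured:", len(tp.captured))
    tp.close()
```

Multiply the seconds wasted per address by the number of unused addresses a scanner walks, and the attraction of the idea is clear; the trade-off is that every held connection also consumes a socket and a thread on the tarpit host, which is why LaBrea does its work at the packet level instead of keeping real connections.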