Launch Countermeasures!
Posted 6 Aug 2001 at 21:42 UTC by Mulad
Nearly a week's worth of data has now been collected on the
second-coming of Code Red. Looking at CAIDA's graphs,
it becomes obvious that there is a segment of the Internet population
that either hasn't seen reports of Code Red, or is composed of people
who don't believe that they are vulnerable to this problem. Many people
are now launching active countermeasures against attacking hosts,
attempting to disable those hosts in some way, or at least trying to
notify the system administrator.
Obviously, there has been a lot of concern in the security community
about crying
wolf. This is worrisome, since, as Bruce Schneier stated, ``This is
not an anomaly. It's the shape of things to come.''
If this is only the tip of the iceberg, then it is certainly very
important to discuss the situation before it gets much worse. Is it a
prudent course of action to
respond to this attack? If it is decided that countermeasures are
necessary, what should the response be?
A number of ideas have been generated
over on Slashdot. Perhaps folks would like to start with those..
They often make a wonderful DDOS tool for anyone who can fake an attack
as
coming from somewhere else. It could also land
you in hot water by attacking the wrong people who have a large legal
team and don't appreciate it.
I agree that any active countermeasures are likely to backfire on you. But there shouldn't be anything wrong with passive ones.
A lot of sites have mentioned a script that will complete the three way handshake on the CR request, but then never send any data.
This seems like a good solution. There are probably other easier ways to do this. Maybe a CGI script with nothing but a sleep
statement? Anything that slows the bandwidth consumption is a good start.
In the particular case of Code Red II, countermeasures are very easy and
impossible to mistarget: any infected host has a simple backdoor binary
installed.
I think one acceptable countermeasure would be to simply shut down the
worm and the insecure web server once it tries to attack you. For many
of the infected machines, the admin doesn't even know he _has_ a web server.
Of course, unless you write a worm yourself (very very dangerous), your
response script won't be able to hit _all_ the infected boxes, and
you'll have to rely on others to help you out by using the same script,
and that generally doesn't work. (If it did, ISP's could already be
blocking the worm at their end.)
It's a pretty good idea to shut down the infected servers, even if it
annoys the admin, before somebody starts using them to distribute the
world's largest DDOS.
Of course, the legal issues are another question...
Okay, so there are several types of countermeasures.
- passive (cause delays)
- benign/beneficial active (disinfect/shut down)
- hostile/haxxor active (install further back doors/delete stuff)
This being windows, there's not really any way to tell the difference
between numbers 2 and 3. More precisely, it's difficult to differentiate
between IP A which added a non-code red trojan, and IP B which
later cleaned the system of code red. So from a pure paranoia standpoint,
I don't want my IP anywhere near an infected machine.
Any countermeasures other than simply denying the attacking machine
access or doing something to hang the thread is a really bad idea.
For all you know, the machine you tamper with is also being used to
control a life-critical process (a bad idea in the first place, but
hey) and by rebooting it or crashing it you have just killed someone.
Do you want to go to jail for 20 years just so you don't have to put up
with some annoying network activity?
IMO, the proper response is to figure out where the offending machine
is, physically, and arrange for the police to shut it down as
an "attractive nuisance". A legally novel argument, but it might work.
:)
[btw, nice idea about the attractive nuisance :)]