
Re: counteracting an attack?



> I agree, countermeasures can have bad effects, both karmically and legally.
> If script kiddies are running scripts to attack your machine, why not have your machine run scripts to attack attackers?

Because scripts are a bad thing (tm), and they may be abused.

> I believe there are legal ramifications against this.  Even if there are not, however, anyone would have a difficult case in court against an attacker.  He attacked me, so I'm pressing charges or suing.  Yet he (or she) is counter-suing for computer losses when their system was compromised as a result of their actions.  It's a sad story, but I've heard of cases with robbers suing robbees for hurting themselves when they were breaking into a home...

But you only sue someone when you are _sure_ he is responsible.
So do not even use a script to automatically complain about an "attack"
(you will never be able to automatically detect real attacks... just
script kiddie wannabe-attacks):
It would be easy to abuse your script:
I look for the IP of some guy I hate, then start attacking different
"auto-counterattack / auto-complain" sites while forging his IP.
So my enemy's ISP will get a lot of complaints about my enemy (who is
innocent).

> While data collection (whois/nslookup, etc.) certainly isn't an attack, nmap/port scanning is somewhere on the fence with some people.  I heard of a case where a guy scanned his ISP in order to determine if his ISP was secure enough.  He did this as part of his job, when supervisors asked him to make sure their website would be secure.  The ISP contacted him while he was doing it, and he told them what he was doing.  Some time after that some authorities came to arrest him.  Anything more than portscanning would probably be crossing the legal line.

You should not even send an automatic complaint to the "attacker"'s
ISP, as I tried to explain above.

> Isn't there an option in portsentry to forward packets, once an 'attack' is detected, instead of dropping them?  So once portsentry decides someone is being malicious, it then starts forwarding all packets off to disney.com or something?  I think that's rather funny, however this may be another 'attack'.  Only now you're indirectly directly involved!

Well, Disney will think you are attacking them and will sue you, so do
this if you can't resist.
Any defense should be passive (such as logging or maybe dropping all
packets); any further action has to be supervised by real intelligence
;)
Even automatically dropping the route to the offender can be abused.
And an automatic whois or nslookup is almost a waste of bandwidth ;)

Greetings,
Erich
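The abuse Erich describes (forging an enemy's source address so that an auto-complain script reports the wrong person) works because a bare TCP SYN proves nothing about who sent it. The following is an added example, not code from Erich's post or from the portsentry project: it runs two response policies over a constructed packet trace and shows that a naive "complain about every scanner" rule can be pointed at any address, while a policy that only trusts sources that completed a TCP handshake, and even then stays passive, cannot. The trace, the IP addresses (documentation ranges), the 5-port scan threshold and the event format are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SCAN_THRESHOLD = 5  # distinct ports probed with bare SYNs before we call it a scan

# Constructed sample trace: (source IP, destination port, TCP flags we received).
# Flags: S = SYN, A = ACK, P = PSH. Only the remote side's packets are listed.
SAMPLE_EVENTS = [
    # 203.0.113.7 sweeps a few ports, then completes a handshake to 22 and
    # sends data. The ACK carries our ISN+1, which a blind spoofer does not
    # know, so this address really did receive our SYN/ACK.
    ("203.0.113.7", 21, "S"), ("203.0.113.7", 23, "S"), ("203.0.113.7", 25, "S"),
    ("203.0.113.7", 80, "S"), ("203.0.113.7", 22, "S"), ("203.0.113.7", 22, "A"),
    ("203.0.113.7", 22, "PA"),
    # 198.51.100.9 sends bare SYNs to six ports and nothing else. Any host
    # on the Internet can emit these with this source address forged.
    ("198.51.100.9", 21, "S"), ("198.51.100.9", 23, "S"), ("198.51.100.9", 25, "S"),
    ("198.51.100.9", 80, "S"), ("198.51.100.9", 110, "S"), ("198.51.100.9", 143, "S"),
    # 192.0.2.5 is an ordinary web client.
    ("192.0.2.5", 80, "S"), ("192.0.2.5", 80, "A"), ("192.0.2.5", 80, "PA"),
]


@dataclass
class SourceStats:
    syn_ports: set = field(default_factory=set)  # ports hit with a bare SYN
    handshake_done: bool = False                 # an ACK from this source was seen


@dataclass
class Verdict:
    action: str            # what the machine does on its own
    source_verified: bool  # did the address prove it can receive our packets?
    complaint: str         # what happens to an abuse report


def summarise(events):
    """Per-source view of the trace. Simplification (assumption): an ACK is
    taken as a completed handshake, i.e. the kernel already checked the
    sequence number before we saw the event."""
    stats = defaultdict(SourceStats)
    for src, port, flags in events:
        if flags == "S":
            stats[src].syn_ports.add(port)
        elif "A" in flags:
            stats[src].handshake_done = True
    return dict(stats)


def naive_policy(events):
    """The auto-complain script the thread warns against: every source that
    scanned enough ports gets reported to its ISP, verified or not."""
    return {src: "complain_to_isp"
            for src, s in summarise(events).items()
            if len(s.syn_ports) >= SCAN_THRESHOLD}


def careful_policy(events):
    """Passive responses only; anything aimed at the source goes to a human."""
    verdicts = {}
    for src, s in summarise(events).items():
        scanning = len(s.syn_ports) >= SCAN_THRESHOLD
        if not scanning:
            verdicts[src] = Verdict("log", s.handshake_done, "none")
        elif not s.handshake_done:
            # Dropping costs nothing if the address was forged; a complaint
            # would land on an innocent third party.
            verdicts[src] = Verdict("drop", False, "none: source address unverified")
        else:
            # The address is real, but the host may itself be compromised,
            # so the report is only drafted, never sent automatically.
            verdicts[src] = Verdict("drop", True, "draft for human review")
    return verdicts


if __name__ == "__main__":
    print("naive  :", naive_policy(SAMPLE_EVENTS))
    for src, v in careful_policy(SAMPLE_EVENTS).items():
        print("careful:", src, v)
```

Under the naive rule the forged source 198.51.100.9 is reported to an ISP that has done nothing; under the careful rule it is merely dropped, and even the verified scanner 203.0.113.7 only produces a draft for someone to read. Dropping is the strongest action that cannot be turned against a third party, which is the "passive defense" the message argues for.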


