Symbiot launches DDoS counter-strike tool

Summary: Security company Symbiot is about to launch a product that can hit back at hackers and DDoS attacks by lashing out with its own arsenal of tricks, but experts say it may just be a bit too trigger-happy

TOPICS: Security

Symbiot, a Texas-based security firm, is preparing to launch a corporate defence system at the end of March that can fight back against distributed denial-of-service (DDoS) and hacker attacks by launching a counter-strike.

In advance of the product launch, Symbiot's president, Mike Erwin, and its chief scientist, Paco Nathan, have outlined a set of "rules of engagement for information warfare", which they say should be part of corporate security policy to help companies determine their exact response to an incoming attack.

"Until today, security solutions have been totally passive in nature. Merely erecting defensive walls around the perimeter of an enterprise network is not an adequate deterrent," said Erwin, who argues that a complete defence must also employ offensive tactics. The company said it bases its theory on the military doctrine of "necessity and proportionality", meaning the response to an attack is scaled to the attack's ferocity. According to the company, a response could range from "profiling and blacklisting upstream providers" up to an escalated "distributed denial of service counter-strike".

Security experts expressed alarm at the company's plans.

Graham Titterington, principal analyst at Ovum, said "such a counterattack would not be regarded as self-defence and would therefore be an attack. It would be illegal in those jurisdictions where an anti-hacking law is in place." He added that because many hacking and DDoS attacks are launched from hijacked computers, the system would be unlikely to find its real target: "Attacks are often launched from a site that has been hijacked, making it an unwitting and innocent -- although possibly slightly negligent -- party."

Richard Starnes, director of incident response at Cable and Wireless Managed Security Services, said he would not employ an "active defence technique" because there are legal and ethical issues involved. Also, he would not be happy about any product "specifically designed to launch attacks" being put into commercial production. Starnes said it would be easy to hit the wrong target and even if it was the right target, there could be collateral damage: "You may be taking out grandma's computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up. The attack could also knock over a Point of Presence (PoP), so you are not only attacking the target, but also the feeds before them -- this means taking out ISPs, businesses and home users."

Jay Heiser, chief analyst at IT risk management company TruSecure, said that he expects the product to have "emotional appeal" to companies that have been targets, but "that is a very bad criterion for choosing risk-reduction measures."

"There is no evidence that this is the most effective way to deal with the problems and there is quite a bit of historical precedence that indicates it is totally counterproductive," added Heiser.

Governments could soon be using hacker tools for law enforcement and the pursuit of justice, according to an expert on IT and Internet law. Joel Reidenberg, professor of law at New York-based Fordham University, believes it likely that denial of service attacks (DoS) and packet-blocking technology will be employed by nation states to enforce their laws. This could even include attacks on companies based in other countries, he says.

ZDNet UK's Graeme Wearden contributed to this story.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • Blindly counter attacking seems like a bad idea. Target identification is non-trivial since the actual packets are coming from machines infected with Windows. A counterstrike will only result in more nasty packets clogging the net. We already have spammers to fill that ecological niche.

    I suggest hiring a professional investigator to track down the attacker. Then go to his house and beat the stuffing out of him. Keep it off the net.
  • I'm not saying I think this is necessarily the best solution, BUT

    Everyone has a responsibility to maintain their own system(s). If you cannot, and your system is used to commit a DoS or DDoS attack, I feel you forfeit your right to uninterrupted usage of the net or your system. Imagine if this was standard procedure: everyone would be taking measures to keep their system(s) clean, and those that didn't would not be able to use them or have them used by others. ISPs would finally take a role in policing their users and stop violators to prevent potential service outages; those that didn't would be rendered useless.

    In some ways I wish the company which provides my company with SPAM and virus filtering between the net and my mail server had such a system. Last week they were hit with a DDoS attack; their 5 redundant and load balanced data centers could not keep up with the 100,000,000 mail messages per hour which were being thrown against them. If they could have taken out the "Zombie" systems it would have prevented thousands of companies from losing incoming and in some cases outgoing e-mail.

    Like I said, it's not the best, but I think it would make a positive difference.
  • This is a very bad idea, though it'll probably be welcomed by ultra-lazy hackers. Why? Say you don't want to go through the effort of actually attacking someone yourself - now all you need to do is spoof an attack from your intended target against a party using 'Symbiot', then go make a sandwich.

    And what happens when a system using 'Symbiot' is used to attack another similarly 'protected' system? The packets are really going to fly...

    Perhaps it should be renamed 'Idiot'.
  • Great idea Anonymous, let's clog up the available bandwidth with yet more crap, bound to be a step in the right direction. I'm sure Granny and Uncle Dave will be straight off to a 'computer security for dummies' class. Sarcasm aside, this sort of counter-strike tool might make you feel better in the short term but in the long term would just lead to total chaos. It's also illegal.
  • This is the legal use of Grey Ice. Black is next:

    White Ice = Defensive Only
    Grey Ice = Offensive vs Attacker's Computer
    Black Ice = Kills the Attacker

    (Shadowrun RPG source)
  • GWTPict,

    If the system were to blindly initiate attacks, I would agree with you, BUT

    If this system does what they say it does, then we are not talking about blind retaliation. What we are talking about is a system designed to actively monitor, spot potential abuse, watch for trends, report repeated abuse through industry organizations, request a stop of the abuse, report abuse to authorities, etc. If all of that does not succeed then it gives the owners of the organization the ability to seek resolution through the utilization of a controlled and proportional attack.

    As far as Granny and Uncle Dave are concerned, if they are not able to secure their system with AV and/or a firewall then they should seek a service that can provide them protected access, which would not only block attacks on them but also prevent them from initiating attacks themselves. I realize that ISPs do not currently offer this type of service, but they are taking the steps to get there.

    I wish this world was a place where you could mind your own business and not have to worry about someone else attacking or invading you, but it is not, and neither is the net.
  • IF the system works as advertised, and advertising is all I've seen so far, great, but I have my doubts and I can see lazy/technically illiterate admins launching counterattacks left, right and centre. As for Granny and Uncle Dave, they don't even know what a firewall is. I set a laptop up with AV and a firewall for a friend who runs her business from it; she got the idea of AV but got someone else to switch the firewall off because 'it wasn't working properly', read: she didn't understand it. Now she does. Education is the answer here, not all-out war resulting in widespread 'collateral' damage.
  • Here's why this is completely ridiculous:

    If your company can identify the DOS attacker, then your server can ignore that attacker and simply not respond.

    If your company can't, then your hare-brained scheme of 'strike back at the haxors' obviously won't work because you don't know where the DOS attack is coming from.

    This approach is so flawed it doesn't even merit a glance.

    It either won't work, or it is completely capable of identifying, then ignoring, the attack and the 'strike back' aspect is entirely useless.

  • Considered as a biological system, this kind of counter-attack makes sense. Counter-attacking the attacker inhibits them, and if they have been hijacked, lets them know about it (just make sure that the DDOS gives the reason in the method).

    By localising some of the damage to where it's being caused (since there's a kind of redistribution going on here, as the attacking machine is less able to continue its attack), economic forces come into play, and the would-be hijacked system-owners then have an economic reason to fix their security.

    Far from victimising "innocent hijack victims", return DDOSs ensure that resources are more efficiently put to use within the economy as a whole. This is an excellent idea.
  • For GOD'S SAKE people it's an April fools joke.
  • Hey all. I'm Tommy, AKA Silicon Valley. I think this is an April Fools joke and the writer is either in on it or was taken for a ride. Other than the countdown pointing to the obvious approximation, here are a few sound reasons....

    I say this given my background of having worked in a major NOC in Silicon Valley, San Mateo, CA to be exact. At that location, at or near the top of the food chain, you can study data that reveal the closing and opening of ports as the mathematical or theoretical limit of a system is reached. It's pretty cool when you first see the data...but in real time firing back? I do not think so. This image of a classifiable type of warfare, linear and definable as having come from a singular opponent, does not occur except by morons who are easily caught. Unless stated outright by an opponent, an attack-response will require verifiable evidence that an attack is taking place by the opponent through their own will, which can only be discovered through a call to the NOC of the opponent, obtaining that verification or the lack thereof, and your corporation shutting off _the_ router or switch port causing the trouble. Shutting off the nodes/ports in question is performed through access to a trusty APC MasterSwitch Plus Web SNMP or other hardware that gains access through aux ports or dialup and is never in the line of fire. You wouldn't even need to get out of the NOC console chair to reboot half the Internet. This is the main reason why in my opinion this is an April Fools joke. Attacking any system would cause the response, no matter how measured, to use up your own bandwidth or bandwidth that you do not own and will soon be litigated to pay for having disrupted! That is not what you want to do. You would be flooding your own and every other party's switch and router ports on the way to the target! Doh! You want your own systems to communicate within the geographical area that you have control of.

    If the attack is inside your own LAN or WAN area and you have to gain control over it...that is an interesting problem and one that research has been done on. You might try switching the heartbeat of the LAN/WAN on and off temporarily until you can locate the nodes or systems that are causing the problem, all the while shielding the DNS and TLD systems.

    The worm wars are waging because the cover afforded is valuable, and the property involved given the distribution and nearness to likely targets is valuable. Sort of like trying to buy a nice property at the seaside. The view is great. The proponents of that game are vying for the free ride, which given the outcomes will certainly give them great distributed systems located on LANs from which to wage attacks on systems and resources on the WAN/Internet. A single system for defensive or offensive work is hogwash. It takes hundreds if not thousands of systems working in a coordinated manner at or near the nodes of opportunity in order to play the game.

    At this time I cannot foresee the justifiable use of the system being rolled out. Small bandwidth players will be locked out of the fray just as they were on "Sept 11." You need fat OC pipes just to be able to see the end of the first node when all heck breaks loose, systems located on thousands of nodes reporting back to you, and a means of resetting ports on switches and routers up and down the entire segment (or multiple segments) that are not in the line of fire or are waiting to be lit up when needed. This is if you want to be able to respond in time by shutting down the nodes leading to your systems. The only people that any of this makes any sense for are Tier 1 backbone providers, purchasers of those systems and governments who may engage in the battle first by closing nodes...not flooding them with their own packets. Given the state of the art in these areas, smaller-pipe computing systems will be relegated to distributed DoS where they can provide the most damage in tight
  • >>>
    [Graham Titterington] added that because many hacking and DDoS attacks are launched from hijacked computers, the system would be unlikely to find its real target: "Attacks are often launched from a site that has been hijacked, making it an unwitting and innocent -- although possibly slightly negligent -- party."

    Boy, does he have that right. Launching counterattacks is a great idea in principle: I'd love to slam the bastards that mess around in this way.

    The fact is, however, that it is nearly impossible to detect the actual party responsible for the code that launches DDoS attacks. Launching such "counter-attacks" is about as hare-brained as notifying everyone listed as the sender of the last 200 email viruses you received, that they're infected--these folks just happened to be unlucky enough that their email address was found on an infected machine.

    Let's not punish innocent, if *possibly* negligent, persons.
  • As one who has recently experienced being spoofed: yes, I received automated e-mails from legitimate businesses saying my e-mail account sent them a virus blocked by their firewall. Yes, my Norton Anti-virus is running and up to date. And no, I did not send those e-mails.
    I can definitely guarantee that if one of those same firms generated a DDoS or any other attack on my system (as one of those responses) I would begin legal proceedings. And I'd win too.
  • Launching a counter-attack no matter how justified is a violation of USC Title 18, Section: 1030. As stated by this law, any computer is considered a "Protected Computer" if and I quote,
  • Definitely an April Fools - Looks like it's got most people though lol
  • Given the article was posted on 10 March, it is unlikely to be an April Fool...

    Attacking the "Apparently From" is, as previous commenters have noted, useless as they are just unlucky to be on someone's contact list who has a virus (in my case, two spammers - I don't know anyone in the Philippines or VA - as well as a friend on broadband whose child clicked on the attachment, a survey provider and a local council officer, and someone at work in an IT role who really ought to have known better and should have had antivirus up to date... That's just the ones I bothered to investigate).

    The only way that this would work is to use a parser similar to that used by abuse services such as SpamCop to identify the originating IP address (avoiding forged lines added by the virus). This could only be reported to the ISP for the IP block - obtainable from lookups such as ARIN - warning them that the IP address appears to be infected with a virus.

    Second level, if the infected computer continues to send, i.e. the ISP does not ensure the owner of the infected PC cleans up, is to block the ISP's range of IP addresses (after fair warning has been given). This has worked for spam, automating it (with manual exceptions handling process - who knows what virii writers will come up with next!) may well work with virus creators.

    If the software is made freely available, it may even be able to trace back to the virus writer. That would be sweet justice.
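The two-level process this commenter sketches (trace the true originating IP from the Received chain while discarding forged hops, report it to the owner of the block, and only block the range if the abuse continues after a warning) can be shown in code. The following is an added example written for this page; it is neither the commenter's code nor anything from Symbiot. The message, host names and IP addresses are constructed, `TRUSTED_RELAYS` names hypothetical relays, and the /24 grouping is an offline stand-in for the allocation an ARIN/RIPE lookup would return.

```python
"""Trace a virus bounce to its true originating IP and escalate per network.

Added example (not Symbiot's product, not the commenter's code). The message,
host names and IP addresses below are constructed; TRUSTED_RELAYS names
hypothetical hosts; the /24 grouping stands in for the allocation an
ARIN/RIPE lookup would return, since this runs offline.
"""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Received lines written by these hosts are believed. Everything below the first
# line written by an untrusted host was under the sender's control and may be forged.
TRUSTED_RELAYS = {"mx.example.net", "mail.example-isp.test"}

# Constructed sample. Our MX wrote the first line, our ISP's relay the second;
# the third was written by the infected sender's mailer and names a fake hop.
SAMPLE_MESSAGE = (
    "Received: from mail.example-isp.test (mail.example-isp.test [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F00BAR\n"
    "\tfor <postmaster@example.net>; Wed, 10 Mar 2004 09:12:31 +0000\n"
    "Received: from trusted-bank.test (forged.test [198.51.100.7])\n"
    "\tby mail.example-isp.test with SMTP; Wed, 10 Mar 2004 09:12:30 +0000\n"
    "Received: from grandma-pc (unknown [192.0.2.9])\n"
    "\tby trusted-bank.test with SMTP; Wed, 10 Mar 2004 09:12:29 +0000\n"
    "From: someone@innocent.test\n"
    "Subject: Re: your document\n"
    "\n"
    "(body omitted)\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def originating_ip(raw_message: str, trusted: Iterable[str] = TRUSTED_RELAYS) -> Optional[str]:
    """Walk Received headers newest-first. Each line written by a trusted host
    records which IP connected to it; stop at the first line a trusted host did
    not write, because the sender could have forged it and everything below."""
    trusted = {h.lower() for h in trusted}
    msg = email.message_from_string(raw_message)
    candidate = None
    for value in msg.get_all("Received", []):
        by = BY_HOST.search(value)
        if by is None or by.group(1).lower() not in trusted:
            break
        ip = IPV4_IN_BRACKETS.search(value)
        if ip:
            candidate = ip.group(1)
    return candidate


@dataclass
class SourceRecord:
    sightings: int = 0
    warned: bool = False


class Escalator:
    """Report first; block the range only after a warning and continued sightings."""

    def __init__(self, block_after: int = 5) -> None:
        self.block_after = block_after
        self.records: Dict[str, SourceRecord] = {}

    @staticmethod
    def network_for(ip: str) -> str:
        # /24 stand-in for the ISP's allocation; a real deployment would query the RIR.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def observe(self, ip: str) -> str:
        net = self.network_for(ip)
        rec = self.records.setdefault(net, SourceRecord())
        rec.sightings += 1
        if not rec.warned:
            rec.warned = True  # first sighting: fair warning to the block owner
            return f"report {ip} to owner of {net}"
        if rec.sightings >= self.block_after:
            return f"block {net}"  # warning given, abuse continued
        return "observe"


def triage(raw_message: str, escalator: Escalator) -> str:
    """Attribute one bounce and return the action the escalation policy picks."""
    ip = originating_ip(raw_message)
    if ip is None:
        return "unattributable: no trusted Received chain"
    return escalator.observe(ip)


if __name__ == "__main__":
    esc = Escalator()
    for _ in range(6):
        print(triage(SAMPLE_MESSAGE, esc))
```

Run stand-alone, the script attributes the sample to 198.51.100.7 (the host that handed the mail to our ISP's relay), not to the forged 192.0.2.9 hop beneath it, and prints one report followed by "observe" until the fifth sighting triggers a block of the /24. Removing `mail.example-isp.test` from the trusted set shortens the chain and attributes the mail to the relay itself, which is the usual reason such parsers get the trust list wrong.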
  • That's the most insane thing that I have heard! This is gonna ignite a war between Symbiot software. One ignites it somewhere and it could be possible that Symbiot software installed on the innocent anonymous user and the corporate firewall both get to attack each other infinitely!
    Sounds too stupid