June 21, 2004
Attacking the attackers

Fed up with denial-of-service attacks? Well, how about fighting fire with fire?

Symbiot Security, based in Austin, says its new Intelligent Security Infrastructure Management Systems product not only defends networks but lets them fight back, too. Symbiot says the product is already in use in some corporate, government and military networks.

The offering, known as iSIMS, comes amid growing frustration over computer intruders. The U.S.-government-funded CERT Coordination Center handled 137,529 computer security incidents in 2003, up from 82,094 in 2002 and 52,658 in 2001.

Hackers, worms and data attacks are costing companies dearly and opening the door to identity theft and the loss of intellectual property.

"Make no mistake," reads a document on Symbiot's Web site, "we are in the midst of an information warfare conflict which we have not been fighting."

Symbiot's iSIMS consists of hardware, software and support services. Much of it is focused on traditional defensive measures like blocking unwanted traffic or deflecting it to where it can do no harm. But it can also escalate the response and return fire.

In documents on the company's Web site, Symbiot advocates a gradual escalation of action based on the best information available and the customer's preference.

However, privately held Symbiot won't reveal what shape the most aggressive attacks might take.

It also won't say whether any iSIMS clients, whom it will not name, have taken aggressive offensive measures. It did say, however, that iSIMS has been deployed on "several enterprise, government and military networks."

"When we're talking about this, the technical details become extremely important," said Tim Mullen, chief software architect of the secure accounting program maker AnchorIS.

Mullen, who has no relationship with Symbiot, says he supports striking back in certain situations.

A position paper attributed to Symbiot's executives and posted on its Web site broadly outlines the counterstrike philosophy. "On the Rules of Engagement for Information Warfare" says computer intrusions deserve a response in kind, including "asymmetric" countermeasures such as flooding the attacking computers with data, rendering them Internet-blind, and other steps to neutralize the problem.

Needless to say, this is a controversial approach, and there are a number of quotes from other experts who give their reasons for doubting the efficacy of Symbiot's tactics. I suspect that it will be as popular and as polarizing as the Realtime Blacklist is for fighting spam. I do know that I'd want to know an awful lot more about it before I risked becoming a legal precedent for liability in the event that my counterattack caused collateral damage.

Posted by Charles Kuffner on June 21, 2004 to Technology, science, and math

"I'd want to know an awful lot more about it before I risked becoming a legal precedent for liability in the event that my counterattack caused collateral damage."

Symbiot's press release is deliberately coy about what kinds of "attacks" can launch a "counterattack" response, but I'm with you, Charles: I'd be very wary of this strategy.

A typical D.O.S. attack doesn't come directly from the attacker's machines, for obvious reasons. Instead, an attacker typically enlists an army of "zombies" - computers, owned and operated by innocent bystanders, which have been compromised by some sort of malware. There's generally no way to unmask the real attacker without doing some (human) investigation, and even if you do find out who the real attacker is, methinks it'd make more sense to haul his ass into court than to launch a counter-D.O.S. attack. The prospect of having to shell out a few $10G's in damages is more likely to concentrate the mind than getting kicked off the Internet for a few days.

Counterattacking the "zombies" is usually not practical - there are simply too many of them - and the people it hurts are mostly innocent bystanders. (Kind of like the invasion of Iraq.)

Posted by: Mathwiz on June 21, 2004 4:16 PM
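The two points above, the gradual escalation that Symbiot's documents describe and Mathwiz's observation that the machines a flood comes from are zombies rather than the attacker, are easier to see with a small worked example. What follows is an added illustration written for this page; it is not Symbiot's iSIMS, nor anything from its documents or press release. The flow records, addresses, thresholds and the policy ladder are all constructed and hypothetical, and the "S"/"SA" flag notation is the example's own convention. It aggregates bare SYNs per target, declares a flood, and walks an escalation ladder whose automated ceiling stops at actions taken on one's own edge, because the only addresses the records contain are the zombies', and anything sent back at them lands on bystanders.

```python
"""
Graduated response to a SYN flood, from netflow-style records.

Added illustration for this page: a hypothetical policy ladder, not
Symbiot's iSIMS. Every address, record and threshold below is constructed.
Record format: <epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags> <bytes>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: 40 hosts in 203.0.113.0/24 (the "zombies") each send
# three bare SYNs to 198.51.100.10:80; two clients complete normal handshakes.
SAMPLE_FLOWS = "\n".join(
    [f"1087840{i:03d} 203.0.113.{i % 40 + 1} 198.51.100.10 80 S 60"
     for i in range(120)]
    + ["1087840200 192.0.2.7 198.51.100.10 80 SA 1500",
       "1087840201 192.0.2.9 198.51.100.10 443 SA 2200"]
)

# Escalation ladder, mildest first. Everything up to AUTOMATED_CEILING acts
# on our own edge (rate limits, drops, a null route for the target). The last
# rung sends traffic back at the recorded sources, which in a flood are
# compromised bystanders or spoofed addresses, so it is never selected
# automatically; the planner only reports that a human would have to decide.
LADDER = ("log", "rate_limit", "block_sources", "sinkhole_target", "counterstrike")
AUTOMATED_CEILING = "sinkhole_target"


@dataclass
class FloodVerdict:
    target: str            # "dst_ip:port"
    syn_only: int          # bare SYNs seen in the window
    sources: Counter       # src_ip -> bare SYN count

    @property
    def distinct_sources(self) -> int:
        return len(self.sources)


def detect_syn_floods(flow_text, syn_threshold=50, min_sources=10):
    """Count bare SYNs (flag 'S' without 'A') per destination and flag any
    target that gets at least syn_threshold of them from min_sources hosts."""
    syn_by_target = defaultdict(Counter)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, flags, _nbytes = line.split()
        if "S" in flags and "A" not in flags:
            syn_by_target[f"{dst}:{port}"][src] += 1
    return [FloodVerdict(target, sum(srcs.values()), srcs)
            for target, srcs in syn_by_target.items()
            if sum(srcs.values()) >= syn_threshold and len(srcs) >= min_sources]


def plan_response(verdict, requested_level):
    """Return (level_applied, actions, needs_human).

    The applied level is clamped to AUTOMATED_CEILING; needs_human is True
    when the requested level lay above it (i.e. someone asked for return fire).
    """
    requested = LADDER.index(requested_level)
    ceiling = LADDER.index(AUTOMATED_CEILING)
    level = LADDER[min(requested, ceiling)]
    dst, port = verdict.target.split(":")
    actions = [f"log: {verdict.syn_only} bare SYNs to {verdict.target} "
               f"from {verdict.distinct_sources} sources"]
    if level != "log":
        actions.append(f"rate-limit new connections to {dst} port {port}")
    if level in ("block_sources", "sinkhole_target"):
        actions += [f"drop {src} -> {verdict.target}" for src in sorted(verdict.sources)]
    if level == "sinkhole_target":
        actions.append(f"null-route {dst} upstream until the flood subsides")
    return level, actions, requested > ceiling


if __name__ == "__main__":
    for v in detect_syn_floods(SAMPLE_FLOWS):
        level, actions, needs_human = plan_response(v, "counterstrike")
        print(f"{v.target}: applied '{level}', human decision needed: {needs_human}")
        for a in actions:
            print("  ", a)
```

Run as-is it reports one flood against 198.51.100.10:80 from 40 distinct sources, applies the sinkhole rung, and flags that the requested counterstrike was not carried out. The design point is that every automated rung touches only the defender's own edge; nothing in the records identifies the controller of those 40 machines, so the ladder has no rung it can take on its own that is aimed at the attacker rather than at the bystanders.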