20

When a website or system is being attacked, is there ever a scenario where it should automatically take action against the attackers rather than just passively handling the attack? If so, what responses are appropriate and legal? Are there any examples (good or bad) of this happening in the wild?

Iszi
VirtuosiMedia

10 Answers

20

Passive scanning such as determining geo location, IP address, network routes is probably a good idea (to give you an understanding of where attacks are originating from).

Update: Actually for larger institutions this is kind of essential in determining whether the attack is a large scale organised attack or simply a lone hacker testing out the defences. Either way it will probably be distributed. In either case it will provide useful information for further locking down the firewalls.

Depending on the legal framework of the country you live in, retaliating to an attack with an active network attack of your own (such as DOS or virus) would constitute an illegal act.

Anonymous Type
  • Good point on legality. I edited my question to clarify that I'm looking for legal solutions. – VirtuosiMedia Nov 16 '10 at 22:51
  • For the US: http://www.justice.gov/criminal/cybercrime/reporting.html – Jeff Nov 17 '10 at 03:18
  • I don’t believe there is sufficient legal precedent to conclude all counter-attacks are illegal. From my reading, more court test cases are needed. – Tate Hansen Nov 17 '10 at 17:01
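As an added illustration of the passive side of this answer (example code, not from the original post), the Python below triages constructed access-log lines: it counts failed requests per source and per /24, decides whether the activity looks distributed (the threshold is an arbitrary assumption), and flags claimed sources in private or non-routable ranges, which on an internet-facing log cannot be genuine and hint at spoofing. The sample addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx combined-style access line: source, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
# 10.0.0.9 is included deliberately: a private address on an internet-facing log
# cannot be a real remote source, which is a hint of spoofing or misrouting.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2010:22:40:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [16/Nov/2010:22:40:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.17 - - [16/Nov/2010:22:40:02 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.44 - - [16/Nov/2010:22:40:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [16/Nov/2010:22:40:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [16/Nov/2010:22:40:04 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [16/Nov/2010:22:40:04 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [16/Nov/2010:22:40:05 +0000] "POST /login HTTP/1.1" 401 512
"""

# Ranges that can never be a legitimate public-internet source address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def parse(log_text):
    """Yield (source_ip, path, status) for each line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def impossible_source(ip):
    """True if the claimed source could not have reached us from the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)

def triage(log_text, min_sources_for_distributed=3):
    """Passive triage only: who generates failed requests, from how many places (threshold is an assumption)."""
    failures = Counter(ip for ip, _path, status in parse(log_text) if status >= 400)
    prefixes = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False))
                       for ip in failures.elements())
    return {
        "failures_by_source": dict(failures),
        "failures_by_prefix": dict(prefixes),
        "distributed": len(failures) >= min_sources_for_distributed,
        "implausible_sources": sorted(ip for ip in failures if impossible_source(ip)),
    }
```

The output is input for firewall tightening and for a report to the authorities; nothing here touches the remote hosts.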
16

Fighting back is what the cool kids do! >:)

Regarding law, I grabbed this snippet from http://lawmeme.law.yale.edu/static/pastevents/digitalcops/papers/karnow_newcops.pdf (2005)

"CONCLUSION Even under nuisance law, not every counterstrike – or “self help” effort – is automatically immune. It has to be reasonable, and proportional to the nuisance, issues I discussed in connection with a similar requirement under self-defense. And as always, the light cast by ancient doctrine upon novel technologies will produce illumination and shadow both. Courts will “fudge” on the analysis and struggle for precedent, sometimes testing out the wrong one. Just as no one wants to roll out version 1 (new software), no one wants to be a test case in court. It is, as a surgeon might say when considering a complex, multi-organ transplant, an interesting case – not something the patient likes to hear."

On a serious note, there are so many bad hack-back scenarios to imagine that you have to wonder when you would be ready to pull the trigger; for example, what if you hack back to stop a botnet attack only to later learn that some of the systems you counter-attacked were critical hospital systems that were inadvertently part of the botnet herd.

Regarding examples, Richard Bejtlich blogged in 2005:

"I disagree with the strike-back idea, as I believe it steps over the line into vigilante justices. It is telling that Tim's papers all pre-date the Welchia worm, which demonstrated how dangerous strike-back can really be. You'll remember the devastating ICMP traffic caused by Welchia as it searched for live machines for purposes of disabling the Blaster worm. "

Tate Hansen
11

The #1 Question for me is: what do you hope to achieve in "fighting back"?

If I get stung by a mosquito, I'll kill it, but if it gets away I won't chase it across the field. If I get attacked by a swarm of bees defending their hive, I won't swat them - I'll protect myself by running away.

The dangers of fighting back are well presented in the other answers, but I'll repeat them:

  1. legality - your reaction might be illegal
  2. collateral damage / joe jobs - your reaction harms a relatively innocent 3rd party

My personal choice of reactions:

  1. Try to keep a decent level of security on my site so attacks have a reduced chance of success.
  2. Gather info about attacks to assess the severity.
  3. Potentially, block the IP, or if it's a bandwidth flood attack, try to get my ISP to block the IPs. Note that this will likely block non-malicious traffic to your site too (collateral damage), but most of the damage will be to you (reduce traffic / access) rather than to some 3rd party.

Hack-back also leads to a new type of attack: Kallisti. "Joe Jobs" spoof the source of attack to trick defenders into attacking the spoofed source. The "Kallisti" attack would try to cause a hack-back loop between 2 or more sites, either to create noise in which to hide the "real" attack or just to cause chaos. (Hail Eris)

Scott Pack
Shewfig
8

A related response could be to set up a honey trap to attract attackers and make them think they succeeded. Let them waste time and effort while you trace them, maybe. Although that sounds like a bad script from a Hollywood film.

Roger C S Wernersson
  • In the same way, this almost answers the question! If adversaries also use this technique, then strike-back can be a waste of time. – atdre Nov 17 '10 at 22:13
  • Isn't this called entrapment (legally speaking) unless the government is doing it? – Anonymous Type Nov 24 '10 at 02:37
  • I think entrapment would require you to invite people to hack your site. The difference of a Police Officer offering to buy drugs and a Police Officer being offered to buy drugs; active or passive. – Roger C S Wernersson Nov 24 '10 at 07:02
7

An interesting case in the Netherlands is appropriate here.

The Dutch Police (KLPD) brought down some servers that ran a big botnet. They deemed it legal to now use the botnet to send a message to the owners of the machines to inform them that they are infected.

There is some discussion about whether it was actually legal, but I think most people agree it's an ethical thing to do.

This case is quite different from what you as a company would face, but if this is already questioned as being not legal when done by the police, one should wonder whether any action towards the attacker can be taken at all.

Peter Smit
7

Is it ever appropriate to become a criminal and put yourself, your organization and your entire livelihood in jeopardy of legal action? This is not a case of a masked gunman putting you in a fight or flight situation. Yes, you could concoct a scenario where an internet borne attacker is threatening human life through an attack on systems critical to hospitals or some such thing. However, even in those situations, there is no precedent that I am aware of that justifies the same reactive force be applied as in a physical altercation. Likely the systems that you would be attacking are innocent service providers or end users that have been hijacked for malicious purposes. It would be no different than setting fire to an automobile that was stolen and used in a bank robbery.

Immediately plug the holes that an attacker is exploiting. Immediately report the incident to the proper authorities. Do not let your emotions take over and convince you to stoop to the same level as your aggressors.

Wesley
5

Another point to take into account is how the bad guys can subvert your counter-attack.

For example, they can send malicious packets with spoofed IP addresses, knowing you will detect this, and in retaliation attack the source of the attack - or actually, the innocent server that is actually registered at the spoofed IP.

Thus, they are using you to attack their victim, the spoofed 3rd party.

Don't forget, the attacked company will now believe - correctly - that your servers are attacking theirs. Never mind that you believed that you had just cause to do so - that is irrelevant; the point of fact is that you are actively attacking them. And they will have reason to press charges, or whatever.

An interesting scenario would be if the 3rd party victim is also configured to counter-attack. Then, of course, you will be receiving actual attacks from their server - this time, for real, but of course that was YOUR fault, wasn't it?

Both sides would probably DoS each other before real harm was done... unless they both choose to escalate and scale out... THEY COULD BRING DOWN THE WHOLE INTERTUBES!

AviD
1

The answer is pretty certainly no, don't do it.

I can imagine a scenario where a worm is attacking you and because you know that the worm spreads via vulnerability X, you know that all computers that are attacking you have vulnerability X. It may be possible for you to use vulnerability X to access the infected computers and warn their users, or even shut them down.

While you might think this is a morally acceptable thing to do, it's very dangerous ground. What if something you do goes wrong, e.g. leading to data loss that wasn't caused by the worm, or you anger the original worm creator who then wants to retaliate against you in another way. It's likely to be illegal in most jurisdictions as well.

rjmunro
1

When you are the victim of an attack, your situation implies that you currently have:

  1. a problem;
  2. the protection of the Law;
  3. the moral high ground.

By "fighting back", you lose the third, and most probably the second. You will not necessarily get rid of the problem, though. Fighting back is illegal in most countries; it will prevent you from claiming assistance from police forces and, perhaps more importantly, it will void insurance (your insurance company will be quick at pointing that out). Last but not least, your retaliation may harm bystanders and plunge you into bigger trouble than what you started with.

So, no, not worth it. Use passive protection, and call the police.

Thomas Pornin
0

I have an excellent example stated by Ivan Orton (Senior Deputy Prosecuting Attorney who specializes in IT crimes) during his speech for Stanford online course students (sorry, I cannot upload the video to YouTube because of the policy of the website):

Imagine that you have a boutique brokerage company in Seattle. Boutique meaning small number of customers, high dollar value accounts, and the customers are actively involved in trading on their accounts. They depend upon the services that the boutique company provides over their website in terms of real-time quotes, real-time trading information, trend analysis, and all kinds of services that the company provides. That company, on one of those typical triple witching Fridays, which is when three things are happening at the same time and the stock market is extremely volatile, in Seattle at 12:25 their system goes down; that's about 35 minutes before closing time on the stock exchange in New York. Their system goes down, which means they have no active or real trading information or quote information, no ability to make trades; all of their trend analysis and other things is down and not available. The boss comes screaming back with a comp-sys analysis and says, what's going on and fix it. And the sys analyst real quick looks at the IP address, uses some of his tools, and he says, it's coming from a computer and a router, in particular, at the University of Oregon. And the boss says, shut that router down right now. And the guy says, I don't know what that router is associated with. I don't know what I'm going to be doing. And the boss said, we only need it shut down for 35 minutes. You can start it back up, you can stop whatever you were doing in 35 minutes. But we need our system back up till 1:00, and so the guy, under pressure, shuts the router down. Well, it turns out that the router's actually a router associated with the University of Oregon medical system and it's a router that controls the distribution of a database that lists all the drug interactions that patients at University of Oregon have. And a patient comes into the emergency room at that time who is a known patient, so he's in the system.
And in his data are indications of a couple of drug interactions that are high; he has a highly allergic reaction to them. He has a condition for which the first line of defense is one of those drugs. The doctors try to access the database, they can't find any information, the guy's in a real critical situation so they administer one of the drugs, and he dies. Then, the system is back up again and everything's hunky-dory. That's a radical scenario.

What happens is the family sues the University of Oregon Medical System. The University of Oregon Medical System, because they find out all about this, sues the boutique in Seattle. What should the boutique do?

After asking this question, he speaks a lot about different similar scenarios in the non-electronic world (it is too long to put it here, but if someone would like, I would) and in the end he stated: you may be tempted to use active defence and you may have some liability associated with that; keep in mind that right now there is no clear law regarding this issue and a lot depends on the jury (these are not exactly his words - it is a shortening of his 7-minute talk regarding this issue).

I hope this will make it clear, how unclear the situation with active defence is.

Salvador Dali