Thursday May 24, 2012 5:08 PM AEST

Network security, wild west style

By Staff Writers

Network scans, crackers and viruses are all part of normal Internet life. If you're running any sort of decent firewall, your logs should have numerous examples of scans and connection attempts from various random IP addresses. And that's just for home users.

Take a look at the system log of any 24/7 Internet host (such as Atomic) and you'll see a much wider variety of interesting phenomena. Code Red malformed URL attacks; the seemingly immortal Nimda doing its Unicode thing; a few port scans covering reserved ports; and occasionally, a full system scan that'll cover all 65k+ ports on your machine.

Most competent admins keep up with security mailing lists such as Bugtraq, Vuln-dev and the like. They also keep up to date with patches and updates from vendors of the software they use. By doing this, in conjunction with proactive security measures such as DMZs, Intrusion Detection Systems, firewalls and systems such as tripwire, your average highly trafficked Internet site is kept secure. However, there are admins out there who, due to lack of knowledge, ignorance of the issue or simple laziness, fail to keep their systems secure. It's these users who provide the bulk of Nimda, Code Red and Code Red 2 exploit attacks today, despite wide availability of patches securing against said vulnerabilities.

Should the status quo continue? Should competent admins be subjected to inflated security workloads and simply put up with the vast number of compromised hosts battering against their firewalls every day? According to Security Focus columnist Tim Mullen, the answer is no.

In Tim's latest column, he proposed that admins who find their networks under attack by obviously compromised hosts be endowed with the legal right to fight back. In other words, don't sit there and watch syslogd scroll past at a rate of knots: hack back.

Tim's suggestion seems logical and perhaps even workable: 'I am talking about neutralizing an attacking machine in singularity when it is clearly and definitively infected with a worm that will continue to attack every box it can find until stopped.' He even clarifies it so that your average trigger happy skiddiot doesn't get too excited: 'I am not talking about some vigilante strike… at the drop of a packet'. Still, Tim's suggestion throws down a huge array of potential problems, questions and pitfalls.

First and most obvious, how do you define 'clearly and definitively'? Tim cites Nimda infected boxes attacking various random hosts for months on end. But how does an admin know if the box attempting to infect their systems has itself been infected for an hour, a day or a month? A compromised system that stays compromised for a month is negligence. Compromised systems that have only been infected for an hour or so are not. If your company's server is cracked/infected at 3am on Sunday morning, it's unreasonable to suggest that the admin responsible for said box be notified, take action and fix the problem all within the space of a single hour. Of course, we're ignoring the fact that Nimda patches have been available for some time. It's simply a convenient example.
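The "how long has that box been infected" question above is one an admin can actually answer from their own logs, which also show the Code Red and Nimda traffic mentioned earlier. The following is an added example (not code from the column or from Atomic) that tags web-server requests by worm signature and reports, per source address, how long that host has been hammering you. The log lines are constructed, and the signatures are simplified assumptions based on the well-known Code Red `/default.ida` and Nimda `cmd.exe`/`root.exe` traversal requests.

```python
import re
from datetime import datetime

# Constructed Apache combined-format log lines (sample data, not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2002:03:01:12 +1100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
198.51.100.23 - - [09/Mar/2002:03:05:41 +1100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.23 - - [12/Mar/2002:14:22:09 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [12/Mar/2002:14:30:00 +1100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Apr/2002:22:17:55 +1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
"""

# ip, timestamp, method, path from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

# Simplified request-path signatures (assumption) for the two worms the column names.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?", re.I),
    # Nimda probes for cmd.exe/root.exe via overlong-UTF-8 (%c0%af, %c1%1c) or plain ../ traversal
    "Nimda": re.compile(r"(%c0%af|%c1%1c|\.\./).*?(cmd|root)\.exe|/scripts/root\.exe", re.I),
}

def classify(path):
    """Return the worm name whose signature matches the request path, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None

def summarize(log_text):
    """Per source IP: worm name, first/last sighting (timezone-aware) and hit count."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ts, _method, path = m.groups()
        worm = classify(path)
        if worm is None:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entry = seen.setdefault(ip, {"worm": worm, "first": when, "last": when, "hits": 0})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["hits"] += 1
    return seen

def persistence_days(entry):
    """Days between the first and last worm hit from one source: the 'hour or month' question."""
    return (entry["last"] - entry["first"]).total_seconds() / 86400
```

A source that first appeared an hour ago and one that has been at it for weeks look identical in a single log line; only the first/last span separates the freshly infected from the negligent.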

Another problem in the same vein: how do you determine which acts are actionable and which are not? Is a quick nmap of your company's firewall actionable? Is a sustained DoS against your border router actionable? Drawing the line between relatively harmless network activity and acts that justify retaliatory action is almost impossible. And then there's the fact that almost no-one would agree on where exactly the line should lie.

Other problems exist with the 'hack back' theory. However as Tim points out, what other solutions are there? Emailing the admin responsible, and perhaps his upstream network provider, can take some time. Even then, many either don't care or don't take adequate action. And then you're still left with the fact that the very same boxes, administered by the very same person, will likely fall prey to the next widespread worm, virus or vulnerability to hit Bugtraq.

The solution, in my opinion, comes down to education and knowledge. If an administrator doesn't know about the potential security risks to his or her machines, he or she should learn them. Learn about them and then learn how to deal with them. Then, hopefully, learn how to proactively reduce the risks their systems face by being connected to a massive network of other, potentially malicious, systems.

Only when we have the majority of system administrators educated about the issues involved, thinking always with a view to system security and taking the actions necessary to proactively secure their networks, will we see any real progress.

--Brad Webb