IDACAS :
Internet Deterrent And Counter Attack Systems

Deter unprovoked attackers, bank fraudsters etc.:
Counter Attack !

http://www.berklix.com/deter/  

by Julian Stacey of Vector Systems Ltd
Install & label net services:
"Counter Attack Enabled !"
Protect your servers. Think:
  • Cave Canem !
  • Beware of the Dog !
  • Vorsicht bissiger Hund !

Introduction

Deter hosts that launch unprovoked security probes, intrusion attempts or attacks on other sites: consider counter attack!

The Problem

  • Many criminals are attempting Internet server intrusion, with far more hostile intent than the foolish `Script Kiddies' who waste valuable administrator time just for fun.
  • Criminal fraudsters run fake bank sites to defraud, some doubtless on other people's suborned systems (automatically searched for, found to be insecure, & invaded by criminals). Many system owners don't much care if part of their system is, perhaps unknowingly, invaded & suborned, so long as others get hurt rather than them, it mostly seems to keep working (which clever fraudsters will probably ensure), & they, the rightful owners, don't have to pay competent security staff to keep their servers secure & not stolen / hijacked by criminals.
    Here's one example of a criminal fraud; it took very little time to analyse it & trace it back. Let's have an automatic system to immediately analyse, counter attack & cripple criminals' bases. Not difficult, it just needs funding for the development: please help! (Some people have a strangely cautious approach to disabling a suborned server, yet police are happy to cripple a stolen vehicle being used by criminals, so we should do the same with suborned Internet servers: counter attack quickly. Don't just send an email to, eg, Asia & wait days for a reply to be translated; counter attack with various instant measures instead.)
  • The problem is world wide. The American government has long been reported as having counter attack capabilities. References to American network-security test beds: DETER & EMIST.
  • The rest of the world needs to develop its own deterrents, as the USA consistently showed (from approx 1982 to 2003) that it was prepared to embargo exports of sensitive software source, eg crypt.c, even to close allies such as Britain.
  • The rest of the (non-American) world needs to develop its own systems to [hopefully] co-operate with American ones, not just beg from the American plate, which would fail: even if American technologists are prepared to share source code, the USA government is likely to embargo the code &/or the databases as munitions.
  • Very few sites that are platforms for intrusion attempts act on an intrusion complaint, even one complete with logs.
  • Where complaints are issued to ISPs etc., ISPs usually hide behind their TOS; even if they do reply, they don't report who the miscreant in their customer base was, or what disciplinary action was taken.
  • Being polite & reporting unprovoked attacks does not work.
  • Active automatic defence may work better.
  • Hostile counter attack may work better still. Nothing less may encourage some sites to discipline themselves &/or their users.
  • ISPs who fail to inform complainants of efforts to terminate an abuser are irresponsible, complacent profit takers & commercial accomplices to crime, harbouring a criminal, & liable to deterrent counter attack.
  • Public logs of sites that have launched unprovoked attacks will help co-ordinate automatic analysis of which sites are appropriate for automatic defence or counter attack.
  • It's time for war with sites & irresponsible ISPs etc. who host script kiddies, criminal fraudsters, & the criminally negligent who run insecure systems suborned by other criminals to perpetrate crime.
  • Know your Enemy: Tracking Botnets

Other Problems - Some Dealt With By Others

This page & list are confined to security attacks. The other issues below, though also bad, are not dealt with directly here.
  • `Script Kiddies' who launch stupid robots that fill web forms with rubbish etc.
  • Spammers who use scripts to alphabet flood their sometimes viral loaded excrement, & who seek open relays etc. to do it. The seeking of open relays belongs to the remit of this page; the prevention of spam does not belong directly to this page. Spam is dealt with already by lots of others, eg volunteer organisations such as cauce.org, public source code anti spam software (including some in the FreeBSD Ports), commercial anti spam & anti virus vendors, & ISPs (net access providers' additional services).
  • (*) Denial Of Service: flood attacks.
  • (*) `Warez' illegal bootleggers, who invade unsafeguarded ftp servers & deposit eg bootleg copyright films / movies, music & pictures, sometimes also with illegal &/or offensive content beyond stolen copyright. The upload often overflows discs & causes loss of service to genuine users, & wasted time for administrators. The mass parallel downloads cause excessive telecoms bills from networking providers, & lack of availability / performance for genuine users.
Items marked (*): whether these may or may not be dealt with here is not yet decided (a question of funding & politics). The prime interest is security, thus intrusion deterrence. Flood deterrence by counter flood is a particularly sensitive area, needing careful management.

Solutions: List, Tools & Services

  • The aim is to co-operate with lists & tools for active dynamic defence & / or counter attack.
  • The preference is to work on BSD (even nicer than Linux), with tools compatible with the extensive FreeBSD ports collection, later porting anything necessary to NetBSD if multiple platforms are needed (but remember most of the design will be for supplemental cheap BSD boxes connected to other heterogeneous Unix servers, so we won't need full native run support on all Unixes directly), &/or OpenBSD (if its security features appeal above the other BSDs at assessment time).

Money: Funding & Consultancy

  • If you are a company, organisation or government agency with budget to help sponsor this, or to purchase Internet intruder defence (passive &/or active, optionally with deterrent counter attack systems), services &/or consultancy, Vector Systems Ltd & associates would be pleased to hear from you. Consultancy is also available for other Unix server architectures.

Soft Headed Failure

The traditional soft European way that has failed:
  • Have a firewall, possibly with dynamic components, eg traffic filters, access failure detectors, DOS (Denial of Service) traffic filters etc.
  • Have an intrusion detection system.
  • Have optional `honey pots' to distract intruders & help detection.
  • Log attempted & actual intrusions, & collect evidence to hopefully prosecute with (expensive) lawyers.
  • Fix intrusions.
Logging is worthwhile to improve defences, justify a security budget, or counter attack. But logging for management satisfaction &/or a national (eg German) habit of formality is a waste of money when, after admins carefully log & collect evidence, lawyers decide it's not cost effective to sue internationally for damages.
  • For many firms, the extra time off line, sealing original attacked media as evidence & preparing on line duplicates, is business lost, & it's bad publicity even admitting it happened.
  • Cost example: apparently German (or Bavarian?) police won't even forward an incident worth less than 50K Euro to their USA counterparts if it was launched from there, as it's not cost effective for less.
  • Many attempts are global, eg from Asia & ex-Soviet territory etc.; in some countries it will obviously be next to impossible to pursue intruders.
  • Some will be unattended compromised / cuckoo proxy hosts.
  • Some will be irresponsible large sub nets, who don't really care until your problem becomes their problem, eg universities, coffee shops with `hot spots', drive-by wireless (`war driving') connections, lax ISPs with dynamic IPs, etc.

Cost Effectiveness

  • Better to have a totally automatic, co-operative, deterrent counter attack system to flood / attack / disable adversary hosts & nets (regardless of whether `innocent & suborned' or not): turn your problem back into their problem, & advertise your counter attack facility prominently as a deterrent.

Lists of Attacker Hosts

Some hosts that have recently launched unprovoked attacks on the author's hosts (just a tiny example of a much wider problem).
Note: I sometimes don't bother logging isolated attacks; systematic multiple attacks are more likely to be listed. Links to other lists are welcome. Mail me.
A later list of hosts that co-operate to automatically combat intruders probably won't ever appear here, but will be automatically updated by the protection software to be developed.

List Format

Format subject to change:
"|"-separated fields (not the normal Unix convention of ":", eg for tbl, as dates use ":").
Column order:
  1. DATE: Date[s] of attack (TZ=CET or CEST, ie GMT+01:00, or GMT+02:00 in summer). There may have been numerous attacks before & since; a minimum of one date is noted. This column is first to ensure a sort will recreate chronological log order.
  2. NUMBER: IP number of the attacker.
  3. DNS: Is the attacker's DNS address OK or a lie?
    Whether, after a reverse DNS (PTR) lookup maps the IP number to a name (this page's shorthand for that step is "RARP", not to be confused with the link-layer RARP protocol), a forward (A) lookup of that name, eg via nslookup, maps back full circle to the same IP number, as it should.
    Possible values (in sequential test & possible result order), each with the conclusion drawn & the possible action:
    "!RARP": reverse lookup fails, no DNS record maps number to name. Conclusion: secretive. Action: counter attack.
    "!FARP": forward lookup fails (the inverse of the reverse lookup failing), no DNS record maps name to number, even if number to name succeeds. Conclusion: secretive. Action: counter attack.
    "!A": A lookup fails, no DNS record maps the resultant name back to a number. Conclusion: liar. Action: counter attack.
    "False": the reverse lookup & the subsequent A record don't agree. Conclusion: liar. Action: counter attack.
    "Match": the reverse lookup & the subsequent A record(s) match (even if the A record is a cluster of IP numbers). Conclusion: perhaps a properly & honestly configured IP, with rogue user(s). Action: warn first.
  4. NAME: Parent IP domain name of the abuse@ owner of the domain (may well not be the same as the attacking host's name, eg attacking host chopok.fns.uniba.sk gets mapped to owner uniba.sk).
  5. REPLY: Response, if any.
    "Fixed+Detail": they fixed their problem, ie purged their customer, or their customer's server purged the user account etc. They appear to be an innocent provider doing their best to responsibly purge miscreants. They should not be counter attacked; they are merely listed here to show what (small) percentage of providers take such responsible policing action.
    "Auto": automatic standard email reply.
    "NS": not sent; the results of nslookup &/or http:// access made the domain too suspicious to complain to.
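The verification that column 3 describes, written out as an added example (this is not Berklix's own list tooling): a forward-confirmed reverse DNS check that yields the verdict keys above, plus a parser/emitter for the "|"-separated record lines with the date column first so a plain sort restores chronological order. The IP numbers (from the documentation ranges), host names, dates and lookup results are constructed, and the two lookups are injected as functions so the block runs offline; the comments name the socket calls to swap in for live resolution. The "!FARP" key is not emitted because the page describes it, like "!A", as the forward lookup failing, so the example folds the two together.

```python
"""Forward-confirmed reverse DNS verdicts ("!RARP", "!A", "False", "Match")
plus a parser/emitter for the "|"-separated attacker list.

Added example, not Berklix's own list tooling.  IPs, names, dates and lookup
results below are constructed so the code runs offline."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

# Constructed DNS data standing in for real PTR and A lookups.  For live use
# pass ptr_lookup=lambda ip: socket.gethostbyaddr(ip)[0] (catch socket.herror,
# return None) and a_lookup=lambda n: socket.gethostbyname_ex(n)[2]
# (catch socket.gaierror, return []).
PTR_TABLE = {
    "192.0.2.10": "chopok.fns.example.sk",   # honest: PTR and A agree
    "192.0.2.11": "mail.example.net",        # liar: A record points elsewhere
    "192.0.2.12": "ghost.example.org",       # PTR name has no A record at all
    # 192.0.2.13 deliberately absent: no PTR record
}
A_TABLE = {
    "chopok.fns.example.sk": ["192.0.2.20", "192.0.2.10"],  # cluster still counts
    "mail.example.net": ["198.51.100.5"],
}

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], Sequence[str]]


def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def table_a(name: str) -> Sequence[str]:
    return A_TABLE.get(name, [])


def dns_verdict(ip: str, ptr_lookup: PtrLookup = table_ptr,
                a_lookup: ALookup = table_a) -> str:
    """Run the checks in the order the list format describes and return the
    first failing key, or "Match" if reverse and forward lookups agree."""
    ipaddress.ip_address(ip)  # raise ValueError on garbage before any lookup
    name = ptr_lookup(ip)
    if not name:
        return "!RARP"        # nothing maps number -> name
    addrs = [a.strip() for a in a_lookup(name.rstrip("."))]
    if not addrs:
        return "!A"           # the PTR name maps to no address
    if ip not in addrs:
        return "False"        # maps somewhere, but not back to the attacker
    return "Match"


def owner_domain(name: str, labels: int = 2) -> str:
    """Crude abuse@ owner guess: the last `labels` labels of the host name,
    so chopok.fns.example.sk -> example.sk.  Two labels is wrong under
    country second-level domains such as .co.uk; use the Public Suffix List
    for real work."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-labels:])


@dataclass
class Record:
    """One list line, in the page's column order."""
    dates: str   # assumed "YYYY-MM-DD HH:MM" CET/CEST; the page fixes no format
    ip: str
    dns: str     # verdict key from dns_verdict()
    owner: str   # parent domain of the abuse@ contact
    reply: str   # "Fixed+Detail", "Auto", "NS", ...

    FIELDS = ("dates", "ip", "dns", "owner", "reply")

    def to_line(self) -> str:
        values = [getattr(self, f) for f in self.FIELDS]
        if any("|" in v for v in values):
            raise ValueError("field contains the '|' separator")
        return "|".join(values)

    @classmethod
    def from_line(cls, line: str) -> "Record":
        fields = line.rstrip("\n").split("|")
        if len(fields) != len(cls.FIELDS):
            raise ValueError(f"expected {len(cls.FIELDS)} fields: {line!r}")
        return cls(*(f.strip() for f in fields))


def build_record(dates: str, ip: str, reply: str = "NS",
                 ptr_lookup: PtrLookup = table_ptr,
                 a_lookup: ALookup = table_a) -> Record:
    name = ptr_lookup(ip) or ""
    return Record(dates, ip, dns_verdict(ip, ptr_lookup, a_lookup),
                  owner_domain(name) if name else "", reply)


def parse_list(text: str) -> list:
    """Parse a whole list, skipping blank and '#' lines, and return records in
    chronological order whatever the file order (the date format sorts as text)."""
    recs = [Record.from_line(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    return sorted(recs, key=lambda r: r.dates)


if __name__ == "__main__":
    for d, ip, reply in [("2005-03-12 14:05", "192.0.2.10", "Auto"),
                         ("2005-03-11 02:30", "192.0.2.11", "NS"),
                         ("2005-03-13 22:41", "192.0.2.13", "NS")]:
        print(build_record(d, ip, reply).to_line())
```

The lookups are deliberately separate parameters: a real PTR query for an attacker's address goes to a name server the attacker may control, so keep the resolver on a sacrificial host, time it out, and treat a PTR answer as a claim to be verified by the forward lookup, never as identification on its own.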

Mail List(s)

  • Currently we have just one mail list:
  • deter@ To discuss how best to design automatic counter attack technologies.
  • Later the list may be split into sub lists, eg:
    • deter-announce@ likely moderated to ensure low traffic, basically just release announcements.
    • deter-dev@ for developers & source code.
    • deter-users@ a self help mutual assistance group for users of the code & service. Users will be server administrators.
    • deter-finance@ to arrange funding of central service portions of the project.
    • deter-law@ for those who want to discuss law & morality (though IMO unprovoked attackers lack morality, & law has failed & is pretty much irrelevant in a world with 190 nations that might house systems that could launch attacks on computers in any of the other 190 nations. Whose law? A combination of 190 x 190 = 36100 combinations).

Tools & Source Code Repository

  • A CVS based source code repository may later be provided by Berklix,
  • if we get public (eg government or industry) contribution authorising a public repository.
  • Alternatively, if the funding is not public, the repository may have to be private too.
  • The repository will be on Berklix servers in Europe, immune to disruption from insular / nationalist USA politicians who might want to again disrupt international developer co-operation (as the USA government did with crypt.c & munitions laws between about 1982 & 2003, despite the fact that the then posited `enemy' already had crypt code).

Analysis of some Distributed Denial Of Service (DDOS) tools

As intruders have already used these tools, we should consider using similar tools for defence by deterrent counter attack.

Technology

We need to combat attackers, optionally by counter intrusion & attempted disabling, flooding etc., & optionally by counter flooding of compromised, equally harmful, proxies, to alert the immediately upstream carriers that _they_ have a problem customer to terminate immediately, & that our problem is not theirs to ignore but theirs to resolve, urgently.

We need to develop software & co-ordination bases for active, automatic, mutually co-ordinated, mass multi-server-launched hostile counter attack. It needs safety checks to avoid Internet melt down, & variable escalation criteria dependent on time zones, work days, public holidays & root national domains, whether targeting the offender directly or raising escalation alert levels for an innocent but possibly lethargic neighbouring carrier etc.

Systems are envisaged to be based on standard cheap PC server hardware linked to the organisation's existing gateways, & on public source code operating systems & tools (eg http://www.freebsd.org/ports/net & .../security), thus not vulnerable to Microsoft viruses, weaknesses & exploits etc., using code that has been extensively security reviewed, & on open, free, co-operative international standards (not proprietary commercial pseudo-standards attempting to monopolise the market). They are to run on Internet server systems, installed & run by professionals to protect users, but not for end users to run themselves. National co-ordination servers may or may not be under national control, but the technology itself should be internationally co-operative.

"Hacker" is the wrong word, use correct word "Cracker"

The term `Hacker' is mostly wrongly used, exhibiting how ignorant the speaker is.
`Hacker' is just a name for a usually well intentioned
  • programmer, who hacks up (generates) code of public benefit to give away,
  • journalist, who hacks up articles to be published,
  • horse rider, who I suppose hacks up hedges jumping across.
`Cracker' is the better pejorative to apply to Internet intruders: the same word "Cracker" as in "Safe Cracker", a specialist burglar who steals valuables.

Links To Other Sites

Extra Disclaimer: Content of links may or may not be agreed with, but may have pointers to technology, laws, disputes, etc.

Disclaimers & Cautions

More legal verbiage may be necessary here later, but when reading this page, writing tools, or reading the list, etc note:
  • New entries to the Unprovoked Attackers List may be innocent; they may just not have had time to track & kill their rogue user account & report back yet.
  • Some hosts may be innocent, just having DNS entries screwed up, or in transition.
  • Some sites may be innocent, just having guilty host computer(s).
  • Some hosts may have been for innocent purposes, but been cracked & compromised.
  • Some administrators may be innocent, but clueless or incompetent.
  • Some hosts may be largely innocent, but with one or more guilty users.
  • The recipient of an attack (or of an investigating ISP's return mail) may have been away & not have received the response yet.
  • Occasional mail failure may occur.
  • IP spoofing etc. exists.
  • Use your own detective skills, including comparing this list to other intrusion lists, to decide yourself which sites merit counter attack.
  • I don't guarantee all intrusion attempts I know of will be logged (some recipients of unprovoked attack may not want that). Others may qualify for immediate defence or hostile counter attack etc., particularly repeat offenders.
  • The Disclaimer on the side bar applies.
  • The Extra Disclaimer above applies.
  • Counter attacking is doubtless illegal in some jurisdictions, especially where politicians haven't woken up to the fact that the Internet has no national boundaries, & local laws do not protect their citizens & state infrastructure.
  • Where any legal jurisdiction forbids something, I & we do not encourage you to do it.
  • It's your responsibility to comply with your laws, wherever you are on planet Earth.
  • I & we hereby disclaim everything in & out of sight & inference etc.
  • Use your common sense !
  • Decide yourself what's moral, legal, technically feasible, reasonably or likely safe, unsafe etc.

Incidents
