8.11. Self-Help Options

In the prior sections, we have seen many of the issues and impediments to federal criminal prosecution that lead some executives to doubt the ability of federal law enforcement agencies to pursue criminal legal remedies, and some of the options for civil remedies available to victims. There still are some who wish to take matters into their own hands and "do something" about being attacked.

This subject is sometimes called Active (Network) Defense, Computer Network Defense (CND) Response Actions, or the extreme form, the popular media term hack back.^[6], ^[7]

^[6] The federal government has been given guidance on CND response actions that can be taken by military personnel. According to a Congressional Research Service report [Ser], p. 18, states, "The guidance, known as National Security Presidential Directive 16, was signed in July 2002, and is intended to clarify circumstances under which an information warfare attack by DOD would be justified, and who has authority to launch a computer attack."

^[7] While some use the term Active Defense (or Active Network Defense), this subject is also known as Computer Network Defense Response Actions (CND-RA). The popular media term hack back overemphasizes the most extreme forms of CND-RA. A new term, Active Response Continuum, is proposed by David Dittrich in [Bid04] to reflect that there is a measured progression of response actions that should be thoughtfully considered.

This is a complex and controversial topic that is gaining in prominence in computer security conferences and discussion lists. David Dittrich maintains a section of his Web page that includes a significant amount of material on the topic (see http://staff.washington.edu/dittrich/activedefense.html). The as yet unpublished Handbook on Information Security [Bid05] will include an article by Kenneth Himma and David Dittrich titled, "Active Response to Computer Intrusions" that covers this topic.

One option that has very little real chance of working is attempting to counter a DDoS attack with a DDoS attack. There are just too many reasons why this is simply a foolish option to pursue.

• It is too easy for a moderate to highly skilled attacker to build large DDoS attack networks that cannot be overwhelmed by a counterattack. Moderate-sized botnets can easily reach 10,000 to 30,000 hosts, and large botnets of 140,000 hosts were seen as early as 2003 [Fis03]. There is simply no way that a victim can counter this kind of available bandwidth without further damaging its own network.

• Going after smaller subsets of bots, say in the 1,000 to 5,000 range, has similar problems with trying to match firepower, and if the attacker controls 140,000 hosts, it would be impossible to keep up with the influx of new attacking hosts, 1,000 here, 1,000 there, for as long as the attacker has more resources.

• Attacking back to attempt to disable hosts can have side effects that are unpredictable. Since such an attack may be disproportional to the traffic coming out of the DDoS agents, the owner of those systems may turn around and press charges against you. The attacker may control a host that is used for patient care, process control, etc., but using it to attack may not cause it to fail completely. Your counterattack, specifically designed to disable the host completely, may cause more damage than the original attacker, and you may be found by a court to be legally responsible for this damage.

• Can the desired goal be attained without risking even greater retaliation? If you do not know who is attacking you, and you do not know whether they have already penetrated your network or not, it is impossible to expect that a counterattack that is limited to attempting to remove their access to compromised hosts will actually achieve that goal. If you fail, and they have control of other resources in your own network that you are not aware of, they may simply use these to increase the damage to your network.

The bottom line is that a counterattack against a DDoS attack is almost certainly guaranteed to fail, or to cause more damage than it prevents. Such a counterattack is also likely to violate computer crime statutes at the state and/or federal level, and to potentially also violate statutes in other nations (where some of the DDoS agents and handlers you will be attacking may be located) and further increase your legal risk exposure. Regardless of how much it may seem to be worth the risk, the chances that your resources, knowledge about the attacker, skill level, and ability to execute a tactical and strategic counteroffensive, and do it in an ethically and legally justifiable manner, are very, very slim at best. Even if you were to succeed in such a counterattack, you would be creating congestion and harming many other Internet users who have nothing to do with either you or the attacker.

At this point in time, your best course of action is to follow the guidance in Chapter 6 to collect evidence of the attack, and to then contact the sites that are involved in the attack as well as federal law enforcement agencies, and to work cooperatively with all sites involved to respond to the situation.