Aggressive Network Self-Defense

| Aggressive Network Self-Defense | |
| --- | --- |
| author | Neil Archibald, Seth Fogie, Chris Hurley, Dan Kaminsky, Johnny Long, Haroon Meer, Bruce Potter, Roelof Temmingh, Neil R. Wyler, Timothy Mullen |
| pages | 416 |
| publisher | Syngress |
| rating | 8 |
| reviewer | Jose Nazario |
| ISBN | 193183625 |
| summary | take your security into your own hands to identify, target, and nullify your adversaries |
Not being a big fan of most fiction (I tend to prefer history), it's hard to say definitively good or bad things about the quality of the writing. What I can say is that it's infinitely less irritating, and far more realistic, than Neal Stephenson's Cryptonomicon or Gibson's Neuromancer. No over-the-top smearing of adjectives to describe the mundane, and no unrealistic sequences of events. Then again, there's no character development and no real story progression, so it's not great fiction.
As a series of hacker vignettes, the book works just fine, and very well for the purposes at hand. What the authors want you to get from the book is two-fold. First, they want you to debate the issues around "strike back" attack methodologies; several of the authors are open advocates of what are legal grey areas and open moral questions in the field of network security. Second, they want you to see how it's done, what you do when you actually use a tool to achieve a goal. Most books that do this, like Hacking Exposed, cover far more tools, but they usually do so without showing you each tool's use in a real-world scenario.
I won't bore you with a lengthy, detailed overview of the first part of the book. Like I said, it's a series of part-fiction, part-tutorial short stories. In them, you'll see tools like Metasploit, virus creation, some nmap, sniffers, and keystroke loggers, all in action, being used as an operator would use them, and achieving real goals. This is more valuable than a basic manual, and the stories themselves act as a nice setting. While not great fiction writers, the authors are decent enough at the job, and they write the technical material clearly.
The second part of the book is interesting. It makes up about a fifth of the book in volume, but a lot more in technical weight. The book bills this section as "The technologies and concepts behind network strike-back," and that's an accurate summary. It's a series of four unique perspectives and technical chapters that complement the rest of the book quite well.
The first introduces ADAM, the "Active Defense Algorithm and Model," which develops a methodology for network administrators to actively defend their networks against attacks. It's quite interesting, and brings together a number of risk models in an uncommon take. The authors are academic researchers from the University of Idaho, so it's a lot more academic than the previous material in Aggressive Network Self-Defense, but it formalizes a lot of the thinking that was present in the writing of the stories and techniques.
The second is Tim Mullen's classic "Defending your right to defend." This is the original position paper Mullen shared with the information security community in 2002 or so. Here, Mullen makes a compelling case for actually striking back at worm-infected hosts. After all, the position holds, someone should do something about them to help clean up the Internet. While it's a position I disagreed with at the time and still do, Mullen's writing is articulate and an important read. It really helps you understand a lot of the thinking that went into the book itself.
Dan Kaminsky wrote the next chapter, "MD5 to be considered harmful someday." Widely regarded as a follow-on to Joux's and Wang's research on one-way hash functions, it shows how practical such an attack can be. Kaminsky never fails to come up with interesting ideas that he puts into practice, and he adds another level of depth to this book.
Finally, Aggressive Network Self-Defense ends with an interesting paper, "When the tables turn: Passive strike-back." Like any good paper, it has a clear and thoughtful motivation, and really demonstrates the principles at play, namely building network resources that don't simply lure the attacker in, they trip her up. There are so many ways to do this, the authors show us, and ultimately it's almost fun. A good way to end the book.
An over-arching concern with the book that I have is the question of ethics. Mullen, in the foreword, states that he hopes the book stirs a debate about the ethics of the actions in the book. However, the book itself falls short in this area. Instead, sometimes the characters get busted, and sometimes they don't, but just because they didn't get caught doesn't mean some ethical lines weren't crossed. All too often the authors leave the ethical debate up in the air. While I prefer this to overt preaching or questions, the style leaves me wondering if this goal was achieved.
So, where do I stand on Aggressive Network Self-Defense? In the end, I like it, more so than a book like Hacking Exposed or other "hacking how-to" types. The style of presentation doesn't lend itself all that well to exploring a very wide number of tools, but it does give you a deeper context to see how they assemble into something larger. For many people I expect it will be a page turner, and I think the format has some utility, as shown here.
Concise Review... (Score:5, Funny)
Re:Concise Review... (Score:3, Insightful)
It's much harder with networks. All you really know is that someone sent a message to someone sent a message to someone, and you received something because of it. How do you attack back in such an environment?
The best way is to prevent a counterattack from working against anyone who's innocent of attacking you in the first place. Embedding a counterattack in a TCP session started by your enemy is one approach; if the session was spoofed, your malicious r
Re:Concise Review... (Score:3, Insightful)
Oh, I don't know. Mere possession of a firearm doesn't give you IFF, x-ray low-light vision, or even basic good sight picture. If you want, you can blast away in the general direction of a perceived threat. In fact, aimed fire is pretty rare, even among law-enforcement professionals. [theppsc.org] And how many innocent cattle die each deer hunting season because "trained" hunters risk shots through cover at a barely-glimpsed "deer"? Hell, how many hunters are fired on und
Re:Concise Review... (Score:2)
I hate to break this one to you, but NO "trained hunter" would take a shot at a target he couldn't identify.
Your "guns and 'active network defense'" analogy only applies when you're talking about UNtrained gun owners and poorly programmed automatic network defense mechanisms.
Properly trained gun owners are safer with their guns than you will ever be with your car, and an actual trained professional network administrator operating t
Re:Concise Review... (Score:2)
My point is that there are both enough people with guns and enough people with the capacity to strike back on the network for whom no amount of training or good intentions can prevent from doing the
Re:Concise Review... (Score:2)
Tell that to the relatives of Amadou Diallo, or the relatives of the victims of Bloody Sunday, or the relatives of the many civilians shot in Iraq by US/UK soldiers for no good reason (went past a checkpoint they didn't know was there/driving fast to get a family member to hospital/caught between US and Iraqi forces/etc).
With guns, you know you're shooting at a person across the way. History shows that the shooter often doesn't know who the person is, c
You know your admin has read this (Score:5, Funny)
"I know Kung Fu"
Re:You know your admin has read this (Score:3, Funny)
Re:You know your admin has read this (Score:3, Funny)
Re:You know your admin has read this (Score:3, Funny)
Integration is the real problem with security (Score:3, Insightful)
Agressive (Score:5, Funny)
Swatch, Snort, Portsentry (Score:3, Informative)
Re:Swatch, Snort, Portsentry (Score:3, Informative)
http://swatch.sourceforge.net/ [sourceforge.net]
http://www.snort.org/ [snort.org]
http://sourceforge.net/projects/sentrytools/ [sourceforge.net]
Re:Swatch, Snort, Portsentry (Score:2)
It's a damn shame that they've not been updated for years, and I've sent several emails to Psionic asking about taking them over but I haven't ever received a reply. (Portsentry still works fine, but logwatch and hostsentry need to be updated)
Re:Swatch, Snort, Portsentry (Score:2)
Nowadays at my day job doing brain surgery/rocket science/abstract math I often think back on those days peering through endless manuals. Fun it was learning those jolly programs. Easy too!
Re:Swatch, Snort, Portsentry (Score:2)
Re:Swatch, Snort, Portsentry (Score:1)
Viability of recommendations. (Score:4, Funny)
Re:Viability of recommendations. (Score:2)
Re:Viability of recommendations. (Score:1)
Re:Viability of recommendations. (Score:3, Funny)
Then, when they least expect it, whip out your ASP baton, and start bashing anyone within reach yelling repeatedly "THIS IS YOUR COMPUTER BEING INFECTED!"
So Dan Kaminsky wrote the MD5 chapter... (Score:5, Interesting)
Re:So Dan Kaminsky wrote the MD5 chapter... (Score:2)
As long as we're discussing the MD5 stuff:
Slashdot [slashdot.org]
E-Print of the original paper [iacr.org]
Vlastimil Klima's research on the topic [iacr.org]
The finally released paper by Xiaoyun Wang, the original discoverer of this attack [sdu.edu.cn]
Enjoy!
--Dan
Re:So Dan Kaminsky wrote the MD5 chapter... (Score:1)
Re:So Dan Kaminsky wrote the MD5 chapter... (Score:2)
automated responses to probes? (Score:5, Interesting)
Mar 2 22:42:37 inetd[32684]: refused connection from 210.29.1.3, service sshd (tcp)
Mar 2 22:42:38 inetd[1534]: ssh from 210.29.1.3 exceeded counts/min (limit 1/min)
Mar 2 22:43:09 last message repeated 38 times
Mar 2 22:45:09 last message repeated 114 times
Mar 2 22:55:10 last message repeated 644 times
Mar 2 23:05:10 last message repeated 509 times
I routinely run into foreign systems hitting my server at extraordinary rates. These seem to be bursts here and there, more looking to probe the system than DoS it, but sometimes a DoS condition occurs.
I routinely do an IP WHOIS of these locales and send e-mail to the IP administrators, but some of the foreign ones are unresponsive. So what can you do?
Are there any scripts out there that can automate the process of reporting system probes?
Is there any recourse in taking aggressive counteraction against, for example, the hordes of Chinese IPs that routinely probe and attack domestic hosts?
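An added example (not from the post or any tool it names) of the automation the poster asks about: it turns the inetd lines above into a per-source count that can go into a report to the netblock's abuse contact. syslog's "last message repeated N times" lines are credited to the source of the preceding message, since that is where the bulk of the activity hides. The 192.0.2.10 line is constructed, and the 100-attempt reporting threshold is an assumption.

```python
import re
from collections import Counter

# Lines from the post above, plus one constructed entry from the
# documentation range (192.0.2.10) so the report has a second source.
SAMPLE_LOG = """\
Mar 2 22:42:37 inetd[32684]: refused connection from 210.29.1.3, service sshd (tcp)
Mar 2 22:42:38 inetd[1534]: ssh from 210.29.1.3 exceeded counts/min (limit 1/min)
Mar 2 22:43:09 last message repeated 38 times
Mar 2 22:45:09 last message repeated 114 times
Mar 2 22:55:10 last message repeated 644 times
Mar 2 23:05:10 last message repeated 509 times
Mar 2 23:06:00 inetd[1534]: ssh from 192.0.2.10 exceeded counts/min (limit 1/min)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
REFUSED = re.compile(r"refused connection from " + IPV4 + r", service \S+")
EXCEEDED = re.compile(r"from " + IPV4 + r" exceeded counts/min")
REPEATED = re.compile(r"last message repeated (\d+) times")


def source_of(line):
    """Return the source IP of a refused or rate-limited inetd line, else None."""
    for pattern in (REFUSED, EXCEEDED):
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None


def count_probes(log_text):
    """Map each source IP to its number of refused/rate-limited attempts.

    A 'last message repeated N times' line adds N attempts to the source
    of the most recent counted message; repeats with no prior source are
    ignored rather than guessed.
    """
    counts = Counter()
    last_src = None
    for line in log_text.splitlines():
        src = source_of(line)
        if src is not None:
            counts[src] += 1
            last_src = src
            continue
        m = REPEATED.search(line)
        if m and last_src is not None:
            counts[last_src] += int(m.group(1))
    return dict(counts)


def offenders(log_text, threshold=100):
    """Sources whose attempt count reaches the threshold, busiest first."""
    counts = count_probes(log_text)
    return sorted((src for src, n in counts.items() if n >= threshold),
                  key=lambda s: -counts[s])


def report(log_text, threshold=100):
    """Plain-text summary, one line per offender, for an abuse-contact e-mail."""
    counts = count_probes(log_text)
    return "\n".join(f"{src}: {counts[src]} refused/rate-limited ssh attempts"
                     for src in offenders(log_text, threshold))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it a real log via `report(open("/var/log/messages").read())`; the threshold keeps a single stray connection from your own laptop out of the report.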
Re:automated responses to probes? (Score:1, Funny)
Re:automated responses to probes? (Score:5, Informative)
Is there any recourse in taking aggressive counteraction against, for example, the hordes of Chinese IPs that routinely probe and attack domestic hosts?
No, but I find the simplest thing to do is look up the netblocks/IPs for addresses I will be connecting to my SSH/OpenVPN from (in my case, work and my mobile phone GPRS provider) and then craft a couple of iptables rules to only allow those addresses to connect. I find this cures half of the far east trying to connect :-)
Re: (Score:2)
Re:automated responses to probes? (Score:1)
Re:automated responses to probes? (Score:1)
If you are concerned about malicious activity and brute-force attacks on your ssh service, then simply use public key authentication to log in, disable passwords, and disable root login (log in as a user and su to root).
I have found swatch to be an excellent log monitorin
Re:automated responses to probes? (Score:1)
Re:automated responses to probes? (Score:1)
Not only did their firewall logs quiet down, but the amount of spam hitting their Exchange server dropped by a massive amount.
Re:automated responses to probes? (Score:1)
It's even better when you disconnect from the Internet and only use your local network. Firewall logs and spam traffic will immediately go to zero in most cases.
SCNR
Re:automated responses to probes? (Score:1)
Re:automated responses to probes? (Score:1, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
Re:automated responses to probes? (Score:2)
One issue is that I've already mass-blocked most of the offending foreign IP space in hosts.allow, but this doesn't stop them from consuming inetd resources while probing. In some cases I have router access, and on other servers I don't, so I can't always count on using hardware firewalls.
This is one reason why I ultimately think that the future of computer
Re:automated responses to probes? (Score:2)
Yep. Throw the US in there and that should go up to about 90%.
Re:automated responses to probes? (Score:1)
I use swatch to look for these SSH probes. Two rules seem to catch most of these: 1) looking for illegal users (such as test, which occurs most frequently) and 2) looking for root login password failures. If you need to allow root logins, I'd recommend requiring that auth be key-based with the poorly-worded without-password option for PermitRootLogin. Then, there would be no situation in which a legit SSH root login would trigger the rul
Don't use the standard port (Score:2)
This keeps the 5|<r1p7 |<1dd3z from being able to trivially find your SSH server.
Ideally, you want to do this in combination with code that watches for a port-scan and adds a firewall rule to block the scanning address.
Yes, this won't completely stop abuses of your SSH server - there's always a chance that somebody will stumble across it, so you should keep it up to date on security
Re:automated responses to probes? (Score:2)
I get false SSH login attempts all the time even with a very threatening ssh banner. (until I firewalled it off)
Re:automated responses to probes? (Score:2, Informative)
For example:
Re:automated responses to probes? (Score:2)
Where's the help? (Score:1)
Here is an md5 hash of the book content... (Score:3, Informative)
character development (Score:2, Interesting)
Character development is massively overrated in lit. I'm not sure if this refers to how fleshed out a character is or how much he changes during the course of the story but in either case it saddens me to think that some people think this is the point of fiction.
Network Security App Name (Score:1)
Re:Network Security App Name (Score:2, Funny)
Aggressive Network Self-Defense (Score:1, Funny)
If someone attacks my network, it attacks them right back. You scanning my network? Then all my machines scan you right back. It also DDoSes random webservers just for practice.
Re:Aggressive Network Self-Defense (Score:1)
Excellent! (Score:3, Informative)
So close, and yet so far!
--grendel drago
Interesting... (Score:1)
bo
Not hard to set up snort+iptables (Score:1)
Port scans are part of the business. I don't care who scans me - only port 22, 80, and 443 are open, so what?
Author of ADAM (Score:5, Informative)
Ugh. (Score:1, Flamebait)
I always hear these two books mentioned when people talk about computers in science fiction (aside only from 2001: A Space Odyssey).
I have yet to read Cryptonomicon, so I cannot comment on that. I have, however, read Neuromancer.
The book is utter crap. The main character is unbelievable, and acts contrary to what his own mind and desires would be. The other character
Re:Ugh. (Score:1)
Re:Ugh. (Score:2)
Re:Ugh. (Score:1)
Actually, they fought to a draw: (Score:2)
4) Who would win? (Score:5, Funny) - by Call Me Black Cloud
In a fight between you and William Gibson, who would win?
Neal:
You don't have to settle for mere idle speculation. Let me tell you how it came out on the three occasions when we did fight.
The first time was a year or two after SNOW CRASH came out. I was doing a reading/signing at White Dwarf Books in Vancouver. Gibson stopped by to say
Re:Actually, they fought to a draw: (Score:2)
I'll second the notion that Gibson is crap. I've read several of his books and they were boring, contrived and incoherent. Stephenson was riveting, intelligent and didn't cheat. I haven't read the Baroque Cycle yet, but Cryptonomicon was fantastic.
I've only heard two complaints levied against Stephenson. One, that his endings can be abrupt. I would have loved for Snow Crash to go on for another 20 pages. Second, that he has a large number of characters, as he does in Cryptono
Re:Actually, they fought to a draw: (Score:2)
I've dug everything Stephenson wrote except Big U - he was still learning. Some nice ideas, but a little too easy, somehow. I may not get through Baroque Cycle. The first was o.k., but didn't grab me nearly as much as Cryptonomicon. I was looking forward to it, too. Mmmm...5000 pages of Stephenson...I think part of my problem was in placing Stephensonisms in a historical context. When people acted a little post-modern in the 19
Re:Ugh. (Score:1)
Thoughtful characterizes the man indeed, in his writing and his person. I've had the fortune to meet Vinge, and a dozen or so other prominent writers, at conventions and other events, and Vinge stands out in his demeanor and presence. When not speaking, or being spoken to, he rarely seems to make eye contact, but scribbles and scratches in his notes, furtively glancing around him. His voice is soft and ten
Re:Ugh. (Score:2)
Re:Ugh. (Score:2)
I just don't see what the hoopla is. I keep seeing Neuromancer mentioned in geek circles as if it's on the level of Foundation, Mote in God's Eye, Stranger in a Strange Land, and other Science Fiction novels. It's a REALLY bad story, but beautiful world and environment.
I hope Gibson has improved since, but no part of me cares to read anymore of his work to find out.
Re:Ugh. (Score:2)
Diversity of opinion is what makes the world interesting. So I respect the fact that you don't like Gibson.
Obviously my take on things is different. In my opinion Stranger in a Strange Land is a work that would appeal only to teenagers. I liked Mote in God's Eye but I don't find it more than entertaining.
In contrast there are parts of Neuromancer that fascinate me. The description of Tessier-Ashpool as a wasp like organism.
Perhaps Neuromancer is a generational thing. My parents' generation love
Re:Ugh. (Score:2)
Re:Ugh. (Score:2)
Thank you for your concise and interesting review.
Now fuck off.
You're the moron who comes out of EVERY movie theater I've ever been in saying, loudly, so everyone in the lobby can hear, "Well, THAT SUCKED!"
Nobody gives a shit what you think.
Besides which, your review is crap because you obviously have no fucking clue what the story was about because you have no fucking clue why the characters did what they did.
Take your no fucking clueless self elsewhere.
Re:Ugh. (Score:2)
Re:Ugh. (Score:2)
Excerpt from book (Score:1)
Re:Excerpt from book (Score:1)
My checklist (Score:5, Interesting)
1. NMAP the offender.
2. NSLookup, Whois, etc. I even go so far as to use GeoIP to get city, state, ISP, etc. Get email addresses to send to.
3. Look for open proxies on the address in the case of SPAM. If so, just drop the search there.
4. Nessus check for potential vulns that might have been exploited by common/known worms. Essentially, find how they were exploited, and if there is no known reason, assume they are malicious.
5. Take necessary actions to blacklist or block the IP on the offending protocol, or in some rare cases, kill the IP altogether. (rarer cases, the subnet)
6. Google. You'd be amazed at what I can do here. I put in the direct IP, I put in email addresses I've collected to find out where the person posts, etc. I get to know the individual, who they are, and further deduce if they are malicious. I used to even go so far as to imitate someone of the opposite sex their age and talk to them on their favorite IM and ask them if they are a h4x0r and can help me "get back at my brother, the bully at school, the girl that stole my boyfriend" etc. (never assume the gender of a
7. Email at a minimum 5 people, including Incident Response (https://forms.us-cert.gov/report/), the offending ISP, any emails off of the website of the IP in question, etc. Half the emails I CC just so that the individuals take the email seriously. Occasionally these will contain logs, IM logs, who the person is, what they do in their spare time, what forums they visit, their picture (if any) and etc. I do this from a TOR-accessed Hushmail account, so no one knows who the hell it is. One time I sent the email to the offender's mother. He sure thanked me with some profanities on that one (which were subsequently forwarded to his mother).
There's ways of "attacking back" in such a way that script kiddies die out, but you have to totally overwhelm them with your sheer capability to outsmart them.
Let's face it, we're all guilty of being lax in our network activity and leaving IP trails in logs that Google indexes. It makes no sense to sit back and complain about script kiddies when it's quite obvious that we're unwilling to take them to task when they probe. The information is there, you just gotta do some digging and learn how to use Google's Advanced features. It's important to make your response to their actions overwhelming, so they are never tempted to turn back to random probing again.
Re:My checklist (Score:1)
No Action: A threat is detected, but no action is taken.
Internal Notification: Using the organizational structure to notify the designated responder(s) of an active response situation.
Internal Response: Applying active response actions within the domain over which the responder has authority (e.g. close a threat vector's associated port).
IP DATABASE! (Score:2)
Where are the detailed IP databases? Who is compiling them? (You know some intelligence and other agencies are surely generating these databases, but are there any that are public other than the search engines?)
Google would be great if you could put in an IP and get a list of all the things that IP searched on. Imagine the possibilities in tracking people down. Yes, a huge security issue, but you know it's being done. A few select co
Dshield! (Score:3, Informative)
Counter-argument (Score:2, Informative)
Not having read the book, I can't be sure, but according to the review there didn't seem to be much of a dissenting opinion in the book on the question of whether aggressive tactics are desirable (or effective).
That's unfortunate, since as you'll see in my article, I think a good argument can be made that aggressive network defense is both
Re:Counter-argument (Score:1)
Re:Counter-argument (Score:1)
Re:Counter-argument (Score:1)
Re:Counter-argument (Score:1)
I honestly don't recall how I could have missed the final few slides of your presentation, where you indeed answer the questions that I posed in my SF article, i.e. you set limits on what should be done. I have to say that my paper was way too harsh considering that fact.
If it seemed like I
Help..... Me..... (Score:1)
Re:Help..... Me..... (Score:1)
Re:Help..... Me..... (Score:1)
Re:Two G's, you fucking SPEDs! (Score:1, Informative)
You know, I thought of that. (Score:1, Troll)
I also am not asking for money for my services.
Dick.
--grendel drago
Re:FP? (Score:1, Funny)
Re:I've often *thought* of doing this, but... (Score:2)
If not, then keep thumping them to keep their infected shit off the net and from bothering others.