DDoS Counterstrikes Prompt Debate

How far can companies go to defend their web sites against distributed denial of service (DDoS) attacks? The question was hotly debated in security circles this week after Symbiot Inc. announced an upcoming product that can launch "counterstrikes" against DDoS perpetrators.

The notion of retaliatory attacks was panned by security analysts and network operators, who say such actions would congest networks, damage innocent parties and violate acceptable use policies - if not the law. Such tactics are unlikely avenues for corporate DDoS victims such as Microsoft or The SCO Group.

But they may be of interest to subjects of "DDoS blackmail" schemes, which in recent months have targeted online gambling sites. Several online casinos have admitted making payments to cyber-extortionists. Some who have refused to pay, including the Irish bookmaker Paddy Power, say their operations were subsequently disrupted by DDoS attacks.

Symbiot says it will release its product March 31. The Austin, Texas company has published "rules of engagement" that argue that in rare cases, the target has the right to respond with "asymmetric force," including counter-DDoS attacks and "special operations applying invasive techniques."

Symbiot's iSIMS product is in the final phase of beta testing at "several customer sites and in use on live networks," according to vice president William Hurley II, and is also being tested by partners for integration with other security solutions. Hurley said iSIMS will be sold under a subscription agreement, and deployed on a customer's network as a set of server appliances.

"Symbiot has no intention of doing anything illegal, and we strongly discourage our clients from using our software in any way that is illegal, unethical, or violates any law," said Hurley. "We contend that in incredibly rare circumstances, asymmetrical responses may be justified. We are enabling our customers to plan and execute appropriate countermeasures when malicious attackers have been accurately identified."

The use of compromised machines in DDoS attacks makes such precise identifications difficult. "In many cases attacks are launched by zombie platforms, 'owned' remote machines allowing the attacker to not only mask their original location, but also their original intent," writes Dana Epps. "When you counterstrike 'grandma's' computer, you are also affecting grandma's ISP. And all routes in between."

Symbiot says compromised machines will be fair game. "When a zombied host or an infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves," Symbiot told OnLAMP. "An infected machine, one no longer under the control of its owner, is no longer an innocent bystander."

Discussion on the North American Network Operators Group (NANOG) mailing list highlighted the possibility that any retaliatory measures against DDoS attacks might endanger agreements with other transport providers.

"Check your respective AUPs," Rachael Treu wrote in a message to NANOG. "You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control. ... There are not provisions made for DoS-ing a DoS-er."

Rich Miller welcomes your comments.