Speaker Enno Davids
Time 2008-01-28 11:30
Conference LCA2008

Reactive systems

Most systems only react after an event has occurred. For example, spam checkers that examine incoming email.

Intrusion detection systems

e.g. snort

  • detects only

Reactive IDS:

  • detects complex threats
  • blocks dynamically
  • blocks all traffic from a source host for a given period

Honeypots:

  • None of my legitimate users would use a honeypot.
  • All users of a honeypot must therefore be illegitimate and can be blocked.

Log scanning

  • Check logs generated by IDS
  • Watch for impossible events
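The reactive IDS and honeypot points above, and the log-scanning idea of watching for "impossible" events, can be put together in one piece of logic: any source that connects to the honeypot address (something no legitimate user does) is blocked for a fixed period, and the block expires on its own. The following is an added example written for these notes, not code from the talk or from snort; the log format and the addresses (192.0.2.99 as the honeypot, a one-hour block) are assumptions chosen for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp proto src:port -> dst:port"
# form. This format is an assumption for the example, not snort's alert format;
# 192.0.2.99 is the honeypot address that no real service lives on.
SAMPLE_LOG = """\
2008-01-28 11:30:01 TCP 203.0.113.7:40512 -> 192.0.2.10:80
2008-01-28 11:30:02 TCP 203.0.113.7:40513 -> 192.0.2.99:22
2008-01-28 11:30:05 TCP 198.51.100.4:51000 -> 192.0.2.10:443
2008-01-28 11:31:10 TCP 203.0.113.7:40514 -> 192.0.2.10:80
2008-01-28 12:45:00 TCP 203.0.113.7:40515 -> 192.0.2.10:80
"""

HONEYPOT = ipaddress.ip_address("192.0.2.99")   # assumption: never advertised
BLOCK_PERIOD = timedelta(hours=1)                # block "for a given period"

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+):\d+ -> (\S+):\d+$")


def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_ip), or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))


class ReactiveBlocker:
    """Reactive IDS logic: any source that talks to the honeypot is blocked
    for `period`. Blocks carry an expiry, so the block list cannot grow
    without bound and a host that has since been cleaned up gets through again."""

    def __init__(self, honeypot, period):
        self.honeypot = honeypot
        self.period = period
        self.blocked_until = {}   # src_ip -> datetime at which the block lapses

    def is_blocked(self, src, now):
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:          # block has lapsed: forget it
            del self.blocked_until[src]
            return False
        return True

    def process(self, line):
        """Classify one log line as 'ignored', 'dropped', 'blocked' or 'allowed'."""
        parsed = parse_line(line)
        if parsed is None:
            return "ignored"
        ts, _proto, src, dst = parsed
        if self.is_blocked(src, ts):
            return "dropped"      # an existing block is still in force
        if dst == self.honeypot:  # an "impossible" event for a legitimate user
            self.blocked_until[src] = ts + self.period
            return "blocked"      # a new block starts now
        return "allowed"


def run(log_text, honeypot=HONEYPOT, period=BLOCK_PERIOD):
    """Feed a whole log through the blocker and return the per-line decisions."""
    blocker = ReactiveBlocker(honeypot, period)
    return [blocker.process(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), run(SAMPLE_LOG)):
        print(f"{decision:8} {line}")
```

In the sample, 203.0.113.7 is blocked the moment it touches the honeypot, its next connection a minute later is dropped, and its connection after the hour has passed is allowed again. In a real deployment `process` would push the block into the packet filter rather than only recording it, and the block period should be long enough to outlast a bot's retry loop.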

DoS & DDoS attacks

DoS: consume all your bandwidth.

DDoS: large collections of compromised systems direct a modest volume of innocuous traffic at one target system.

Easy to detect… you have no network bandwidth left.

Often preceded by a blackmail/fraud/extortion attempt.

A DDoS attack on a site in some countries could take out the entire country, if that country relies on slow links. For example, Australia.

Active defences

Some difficult ethical questions loom ahead.

Occasionally referred to as ‘aggressive’ network defence.

Castle analogy:

  • sometimes the defenders would be forced out of the castle to fight.
  • e.g. otherwise they would starve.

May not stop the attack; instead it may just move it on to someone else.

Returning “no such domain” might be better: don’t spread the pain.

ICMP redirect

  • redirect traffic to
  • no collateral damage

Network ICMP redirect is now deprecated.

There are lots of sanity checks in the kernel before a system will act on an ICMP redirect.

Works less well against open source operating systems.

Most bot herds are composed of “that other operating system”.

Have to renew the redirect every 10 minutes for every bot. Might still overload your network, depending on how many bots are attacking you.

  • Need to silence each herd member for longer.
  • Upstream ISPs may want to help and assist. It is in their best interests, if you are consuming that much bandwidth.
  • If the upstream turns off your connection, it won’t help the ISP solve their problem.

My bot-net vs. your bot-net. Coming to a Fox channel near you.

Most bot attacks are controlled by people who want to make a profit, and they will do their best to evade.

ICMP quench target

  • stop sending me traffic
  • needs to be authenticated

ICMP path quench

  • stop sending all packets on this path
  • harder to authenticate / prevent misuse

Silence somebody until a marked time passes, e.g. 6 hours. The marked time prevents replay attacks.
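The two requirements above for a quench message, that it be authenticated and that it carry a marked time after which it is useless, can be shown concretely. The following is an added example written for these notes, not a real ICMP type and not code from the talk: it assumes a hypothetical message layout (version, until-time, target and source IPv4 addresses, followed by an HMAC-SHA256), a pre-shared key between the two hosts, and a six-hour cap on the silence period taken from the talk's example figure.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumption: a hypothetical authenticated "quench" message invented for this
# example, not a real ICMP type. Layout (network byte order):
#   version (1 byte) | until (4 bytes, Unix seconds) | target IPv4 | source IPv4
# followed by an HMAC-SHA256 over those 13 bytes under a pre-shared key.
VERSION = 1
HEADER = struct.Struct("!BI4s4s")        # 13 bytes
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
MAX_SILENCE = 6 * 3600                   # assumption: 6 h cap, the talk's example figure


def build_quench(key, target_ip, source_ip, until):
    """target_ip (the host being flooded) tells source_ip to stop sending until `until`."""
    body = HEADER.pack(VERSION, until,
                       ipaddress.ip_address(target_ip).packed,
                       ipaddress.ip_address(source_ip).packed)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_quench(key, msg, target_ip, my_ip, now):
    """Check a quench received by the host `my_ip`, claimed to come from target_ip.
    Returns (accepted, reason, until); `until` is 0 on rejection."""
    if len(msg) != HEADER.size + MAC_LEN:
        return False, "bad length", 0
    body, mac = msg[:HEADER.size], msg[HEADER.size:]
    # 1. Authenticity: only a holder of the shared key can issue a quench,
    #    so an attacker cannot silence arbitrary hosts by forging messages.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad mac", 0
    version, until, target, source = HEADER.unpack(body)
    if version != VERSION:
        return False, "bad version", 0
    # 2. Binding: the message names both ends, so a quench issued for one
    #    pair of hosts cannot be bounced at a different target or recipient.
    if ipaddress.ip_address(target) != ipaddress.ip_address(target_ip):
        return False, "wrong target", 0
    if ipaddress.ip_address(source) != ipaddress.ip_address(my_ip):
        return False, "not for me", 0
    # 3. Time mark: replaying the message after `until` achieves nothing, and
    #    an absurdly distant `until` is refused to cap what a leaked key can do.
    if until <= now:
        return False, "expired", 0
    if until - now > MAX_SILENCE:
        return False, "silence too long", 0
    return True, "ok", until


if __name__ == "__main__":
    key = b"shared-secret-for-this-pair"   # constructed pre-shared key
    now = 1_201_520_000                    # constructed clock value
    msg = build_quench(key, "192.0.2.10", "203.0.113.7", now + 3600)
    print(verify_quench(key, msg, "192.0.2.10", "203.0.113.7", now))
    print(verify_quench(key, msg, "192.0.2.10", "203.0.113.7", now + 7200))
```

Replaying a captured quench inside its window merely re-asserts a silence that is already in force, which is why the marked time alone is enough to make replay pointless; what it does not solve is key distribution between hosts that have never spoken, which the talk leaves open and which is the reason path quench is harder to protect.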

Back hacking

A bot computer was typically compromised through a security hole or back door. Exploit that same hole, patch the PC, remove the hole.

Liability issues if something goes wrong. It is still malware regardless of intentions.

Alternative: hack the PCs in an automated manner. Ethical considerations?

Open up a dialog box that displays a message that the computer has been hacked. People were not amused…

Ethical frameworks for back hacking

Some spammers sue people who blacklist them.

Are packet filters OK?

Is back hacking OK?

Create a policy, publish it, rigorously follow it.

Legal defence??? “It’s not just you, we do the same thing to everyone.”

No real solution to DDoS. Not considered in IPv6. Redirecting is harder in IPv6.