Striking back at hackers

September 20, 2001 12:45 PM   Subscribe

Striking back at hackers
"LaBrea" is a free, open-source tool that deters worms and other hack attacks by transforming unused network resources into decoy-computers that appear and act just like normal machines on a network. But when malicious hackers or mindless worms such as Nimda or Code Red attempt to connect with a LaBrea-equipped system, they get sucked into a virtual tarpit that grabs their computer's connection -- and doesn't release it.
Is this an ethical use of network resources, or just vigilante justice? What other methods have you used to strike back at hostile software?
posted by TheChump (8 comments total)
well, it doesn't consume much bandwidth to do this... it sounds like it could occupy sockets, which might become a problem if you're getting hit REALLY hard (you might run out of sockets, which is a common symptom of a denial of service attack). on the other hand, the network resources on the other end are out of your hand: again, little bandwidth is consumed (just the initial HTTP GET requests), but sockets in the sockets in the tcp stack are consumed, and as these are often limited in number, you may be preventing some sites which have been hit pretty hard by nimda from doing their business. add to that the fact that the "attacker" is probably, themselves, getting hit with nimda requests, and they're in the shitter. so, yah, it could be a little vigilante -- at least to these, the results of my glancing opinion of the article and the issue.
posted by moz at 1:01 PM on September 20, 2001

There's nothing unethical about this. The network bandwith consumed is considerably less than that used by the worm in its normal course of business. LaBrea does not increase the resources consumed on the machine hosting the worm. It does uses resources on the machine running LaBrea, but somebody had to decide to do this.

The vigilante approach would be to patch the computer running the worm without the owner's permission.
posted by bravada at 2:25 PM on September 20, 2001

I can't see the ethical problem here. Holding threads keeps the other machine from moving on to other machines. Overall you reducing the internet load and you can hardly argue that using the resources of a compromised computer that is actively trying to subvert other machines is bad.

The bigger question is will it make a difference? The answer is Yes just like peeing in Lake Ontario makes a difference. Which is not much of a difference at all.

What would really make a difference would be if server operators (and home users) who have been compromised are liable if they don't resolve their security problems once they have been made aware of them.
posted by srboisvert at 2:30 PM on September 20, 2001


are you sure? i think both ends of a tcp connection need to have sockets opened in order to be established, and as that uses a slot in the stack for each machine, that's one less slot for other processes to use.
posted by moz at 2:32 PM on September 20, 2001


how can you say that it's not bad to use up those resources on another's machine? maybe, in an eye-for-an-eye world, you would be justified -- but, even then, you would only be justified insofar as the owner of the computer is aware that his computer has been infected. if this LaBrea program were to become as widespread as nimda (doubtful), the DoS consequences could become real. at least, judging from how much traffic i'm getting from nimda-infected computers, i believe those consequences could become real.

i suppose if we were all to subscribe to a unitarian philosophy, where the many is greater than the one, LaBrea sounds good. of course, not everyone does subscribe to such a philosophy...
posted by moz at 3:03 PM on September 20, 2001

moz - the worms use all available capacity to spread. If someone uses LaBrea, it lowers the number of threads available to attack other networks *and* lowers the resource usage on the infected system (as it's waiting on the network instead of attacking). There are no denial-of-service consequences as the system is already basically unavailable for legitimate users.
posted by adamsc at 6:48 PM on September 20, 2001

adam: good point.
posted by moz at 7:11 PM on September 20, 2001


The previous post addresses the attacking machine. As far as the machine running LaBrea is concerned, the user makes a choice to run it or not. If the user runs it, then LaBrea will consume resources on the machine.

Is the Code Red Vigilante a true vigilante? It attempts to notify the infected machines admin about the infection.
posted by bravada at 7:11 PM on September 20, 2001

« Older Indian school children being harrased.   |   NYC subways might flood. Newer »

This thread has been archived and is closed to new comments