when a "hack back" is appropriate?

[phishphreek]

Tim Mullen @ securtity focus has written a paper on why he thinks "hack backs" should not be illegal.

When Striking Back is The Best Defense

It makes for an interesting read... let the controversary begin... or continue...

oh... looks like

Columnist Tim Mullen is on vacation. This article originally appeared July 29th, 2002.

still an interesting read for those who have not already read this...

[br_fusion]

Very nice read I must say, and I agree.

[skiddieleet]

I still get those requests from machines infected with nimda. It's about three ip's that I get many of these requests from. Maybe I should do something. Mwahahahaha. But I think that now they have something for iptables, that you can put in a string and it will drop requests containing that string. I haven't used it yet because I don't have the .so file. I think it requires a newer version of iptables and is not as simple as just putting the .so file where it belongs. I need to secure my box better though, I still haven't figured out how to get my iptables to block requests from a certain ip. Can anyone show me step by step. Because it is always the same ip's that issue these requests. I would like to setup a rule for each that blocks all requests from that ip. Help. Sorry I just started typing and it ended up turning into me asking for help.

[ghostofanonion]

I have to agree BUT were talking about the Amendment which is really an american thing.

Just becuase someone hit me dosn't mean I am entitled to hit them back, if someone thieves from me I am not allowed to hit them back.

If someone inadvertantly smashes my car I am not allowed to trash their car in return... There are a lot of things that this issue will refer to. I'd be carefull what you all wish for

[hypronix]

iptables -s x.x.x.x

this would do something to packets from the respective IP. what? we use -j [jump] to decide...

iptables -s x.x.x.x -j DROP

this would drop the packages, which is a stealth measure for the most part. other options are ACCEPT and DENY. In the case of the latter the other machine receives a "request denied" so it is preferable to use DROP.. nothing gets sent back, so in the case of pings nobody would know you are there

iptables -A CHAIN -s x.x.x.x -p tcp --destination-port ftp -j DROP

This is used in order to add rules to those already existent. For how to create a new chain and stuff, iptables --help or man iptables should help you out... that's really not a big deal

so, the -A stands for append, CHAIN is which chain you want to use, -s x.x.x.x is source IP, -p is the protocol [tcp in this case, also could be udp or icmp], and --destination-port specifies only certain ports to use this rule. Port's can be assigned by name or number. FTP in this case could be 21... Also, the -j DROP means "jump to DROP"... DROP being a specific mode of iptables.

You could also have something like...

iptables -A CHAIN -d x.x.x.x -p tcp --source-port ftp -j DENY

Here you see we have -d x.x.x.x and --source-port... it means destination IP and the port on your machine from where communications starts. It's use to restrict certain users from certain stuff. I'm sure you can think of some uses...

iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP

This command stops all communications on interface ppp0 [or you could have eth0 here]. -i stands for input and -o for output... Then we have the rule, which says that on protocol tcp, all syn packages _except_ [the '!'] those to port 80 will be dropped.

Again, iptables --help or man iptables should teach you quickly how to save these new chains [so that upon reboot your new rules are still in place] and... further info [where I learnt iptables, pretty much, except for the man ] here!

I just thought I should give you a nutshell of what's there anyway. Hope it helps!

[edit]
issue with URL
[/edit]

[fl34bit3]

If someone inadvertantly smashes my car I am not allowed to trash their car in return...

Hmmm i dunno if someone smashes your car its a good chance theirs is going to be a bit smashed as well. Oh well back on subject

I agree that yes hack backs could be legitimate depending on the situation. I mean if a system is attacking you non stop and its costing you then you have to do what is necessary to stop the attack. Even if that means neutralizing the system. Im not talking about just attacking because of a ping that would be rediculous. I think you will understand what im talking about.

PeacE
-BoB

[Tedob1]

if someone has to wonder if a hack back is ethical or not they shouldn't even attempt it. some un-ethical son of gun is just going to kick the crap out of them

[souleman]

Originally posted here by fl34bit3 I mean if a system is attacking you non stop and its costing you then you have to do what is necessary to stop the attack. Even if that means neutralizing the system. Im not talking about just attacking because of a ping that would be rediculous. I think you will understand what im talking about.

Or you could block them at the firewall. And if your firewall doesn't work, then contact your ISP and ask them to block it at the router. And also contact the ISP of the offencing machine and show them logs proving what is going on. Better results then a "hack back" and completely legal.

[tonybradley]

When dealing with law it is much simpler to keep it as black and white as possible. Either something IS or it ISN'T legal. If you start trying to spell out scenarios where it is legal or isn't legal you open it up to interpretation and you never know who is going to be the one drawing the line.

Its like our freedoms here in the U.S. We have the freedom of expression, religion, etc. I think the KKK is abhorant and should be illegal, but if I decide that their beliefs are illegal, what is to stop the next congress from deciding MY beliefs are illegal. Once you start drawing lines its a slippery slope and you don't know if you'll like the next line that is drawn- you may be on the wrong side of it.

I wrote an article a while back in which I think I may have even referenced Tim Mulle's presentation: Counter-Hacking: Savior or Vigilante?

[Striek]

Ig he thinks he can "hack back" without forensically contaminating the evidence stored on a machine, he is an idiot. The machine is infected with a virus. You know and I know whether or not tht virus changes timestamps. But try exlaining that to a jury and you'll begin to understand the problem.

He would find it incredibly difficult, if not impossible, to convince either judge or jury that the timestamps can be proven to be accurate and that therefore his attack was not the one which got the machine infected in the first place.

But beyond that, this practice is just unethical. This type of eye-for-an-eye justice is what our legal system is designed to avoid. I don't know where he comes from, but in the civilized world we base our justice system on rehabilitation, not revenge.