The US government is considering allowing companies to “hack back” against cyber attackers. The Active Cyber Defense Certainty Act (ACDC) amends the Computer Fraud and Abuse Act to allow limited retaliatory strikes against cyber attackers. The full PDF amendment is available online. As noted in some comments in an article on the UK Register there is some skepticism about this law and the potential consequences. Here are a few more pros and cons to consider.
Why Allow Companies to Hack Back?
Hacking-back is appealing for a few reasons. One is that governments cannot arrest many cyber attackers who live in foreign countries. Law enforcement can only do so much. In some cases, they wait until the hackers go on vacation to arrest them. However, armies of cyber attackers working in other countries are less likely to travel. Additionally, citizens accuse law enforcement of spying when it watches and tries to stop attackers on private networks.
In the past, hacking-back has had some effectiveness. In the book Spam Nation by Brian Krebs, organized spam groups in foreign countries compromised the computers of many unsuspecting organizations and used to send unwanted email to the masses. At one point around 2005, I was getting over 900 spam messages per day and started looking at all the email headers to figure out the source of all this spam. To my surprise, the emails were coming from servers hosted by Microsoft, HP, and many small businesses at large managed hosting facilities.
To fight back, a company called Blue Frog launched a service that would bombard a spamming server with response emails from all its customers every time it received a spam message. All these replies acted as a DDOS attack and slowed down the offending server, thereby slowing down the spam, and reducing the effectiveness of the compromised machine. Hopefully, the company involved noticed their server was slowing down and resolved the problem. Did this work? For a time. I will let you read the book to find out what happened next.
What Problems Could Arise from Hacking Back?
I’ve been doing more work with my test network to look at the IP addresses hitting blocked ports. I recently published a list of another 500 IPs hitting my firewall. After looking up the source of the traffic as outlined in my prior blog post, I discovered that a large percentage of the traffic appears to be coming from residential networks. Other security researchers are noticing the same thing as noted in this tweet.
Although I still see attacks from some notorious networks mentioned in Krebs’s book, I suspect much of the traffic comes from hacked routers or IOT devices from consumer home networks or equipment included with home Internet service by ISPs. Most of the machines involved are undoubtedly running malware and have no idea that their systems are facilitating the nefarious activity.
In fact, people are selling proxy services and VPN services online that advertise the use of residential and commercial IP addresses. After I retweeted one of these services, the Twitter account blocked me. You can find these services with Twitter searches for terms like residential proxy, residential IP, and related.
I suspect that the owners of the residential IP addresses did not consent and do not realize they are part of this network. These proxy IP addresses allow attackers to use the services to hide the actual source of IP addresses that are performing the attack. My slides on Security for Complex Networks on AWS have some pictures showing how proxies work and may write about this in more detail in upcoming posts.
What will happen when someone at a company writes a script to go “hack back” against all these devices? People in homes who have no idea what is going on will have slow or malfunctioning Internet. The US Internet may slow down or become unusable. Because the law limits retaliation to US addresses, it could result in a self-inflicted DDOS attack on the whole country if the people retaliating don’t know what they are doing. Despite limitations outlined in the amendment, the chance of collateral damage exists.
If companies cannot secure their own networks, how much better will they be at attacking other networks in retaliation?
A Different Approach – Defending Our Networks
If people would start looking at their traffic logs and creating rules to block rogue networks as I outline in these other articles, then the real issues and problems will instantly be obvious. Preventing traffic from malicious sources is time-consuming; however, once people start to understand the source of all the traffic, the real issue – botnets and malware on everyone’s computers and devices – will lead to more productive conversations.
For example, could ISPs offer services to alert customers if their home devices are running malware based on network traffic patterns or abuse reports? Can ISPs or governments shut down the proxy, VPN, and DDOS services using other people’s IP addresses without permission? Will the makers of IOT devices start improving the security of the products they create?
Attackers are using other people’s computers, devices, and networks to do their dirty work. I don’t have all the answers to this problem, but I think it requires collective knowledge to understand the problem to stop it. Shared information such as the 500 rogue IP addresses I published, networks allowing malicious traffic to persist, and our WatchGuard Quarterly Security Report can be useful to get to the root of security issues – and fix them using intelligence-based solutions. — Teri Radichel (@teriradichel)
The PDF amendment link is dead. There is a press release here however..