Friday, April 08, 2005

Review of Aggressive Network Self-Defense Posted

Amazon.com just posted my four-star review of Aggressive Network Self-Defense. From the review:

"Aggressive Network Self-Defense (ANSD) is another innovative Syngress book. It leaps beyond the theories of digital self-defense initially proposed by Tim Mullen in 2002. Tim tried to justify using 'neutralizing agents' to disable malicious processes (like Code Red or Nimda) on infected hosts attacking one's enterprise. ANSD does not speak of neutralizing agents in the eight fictional cases that comprise the bulk of the book, but those chapters make for thought-provoking reading."

Tim Mullen's SecurityFocus.com articles on strike-back include The Right to Defend and Strikeback, Part Deux. His Defending your right to defend: Considerations of an automated strike-back technology is also online.

I disagree with the strike-back idea, as I believe it steps over the line into vigilante justice. It is telling that Tim's papers all pre-date the Welchia worm, which demonstrated how dangerous strike-back can really be. You'll remember the devastating ICMP traffic caused by Welchia as it searched for live machines for the purpose of disabling the Blaster worm.

My review mentions that three of the chapters in the second part of the book are already online. In addition to Tim's works, you'll find Dan Kaminsky's MD5 To Be Considered Harmful Someday (.pdf) and Sensepost's When the Tables Turn: A Discussion Paper on Passive Strike-Back (.doc) online.

Update: The author of chapter 9 (Sergio Caltagirone) started a blog a few weeks ago -- activeresponse.org.

1 comment:

jbmoore said...

Strike-back on the Internet is a no-no, I agree. But the technique is useful for cleaning up private and corporate networks; otherwise, IPSes wouldn't be selling. Laurent Oudot had a nice article about using Honeyd and shell scripts coupled with exploit code to clean Blaster off of infected corporate machines. Microsoft's own corporate network had Blaster running on it for months when I was a contractor there. You couldn't plug an unpatched system into the network for fear of getting infected with Blaster. Perhaps they've cleaned it off by now.