your mail

Gerald Combs gerald at ethereal.com
Thu Aug 23 13:29:35 CDT 2001


On Wed, 22 Aug 2001, Ahmik wrote:

> What would be the legal grounds for a program that retaliates against an
> attacking machine once it has determined an attack is going on ... a self
> defence mechanism ... the right to protect property ?

1) Most IDS systems generate false positives.  A while back I ran an ftp
server using the abomination that is wu-ftpd.  At least twice a month I'd
get email from people who were certain that my machine was trying to break
into theirs.  In _EVERY_SINGLE_CASE_ it turned out that they were running
"personal firewall" software that couldn't recognize a non-PASV FTP
connection.  Can your program determine with absolute 100% certainty that
you're being attacked?

2) Consider the following scenario: A nasty person at location "A" breaks
into a charitable organization's computer at location "B".  They then
launch an attack from "B" to your machine.  Suddenly you're in the news
for viciously attacking the benevolent web site at "B".

3) In a similar vein, someone determines the behavioral characteristics of
your attack mechanism and starts sending spoofed packets in your
direction.  Suddenly, you're attacking half the Internet.



