Tuesday, May 13, 2008

.mil botnet?

along the lines of my inet doom n gloom blurb, now via SecurityFocus there is an AF col who is suggesting we build our own .mil botnet to counter the emerging inet threats from china and others...

my post focused mostly on defensive measures, such as filtering, but this guy turns it around and thinks about how we can be offensive so as to have a "deterrent we lack"...

the theme of the piece is that we already know that defense is not an acceptable posture. every example of warfare in the past has shown that holing up in a castle or fort won't keep you safe from an attacker... so we should have offensive strike capability in our arsenal to augment our existing fortifications...

in a nutshell, he says the US should have a botnet to counter-attack attackers. he talks about how they could integrate the code into .mil IDS/IPS, and then goes on to say that they shouldn't throw away obsolete PCs, but rather put botnet code on them and stuff "them in any available space every Air Force base can find". past that, he wants to begin installing the code on .mil machines, and then later on .gov machines.

this weapon would be a DDOS machine. and since we need volume to DDOS, he points out that the entire network must be able to be activated by a single commander, and not sliced up into sections controlled by different military factions. the paper degenerates into endless blathering here, making case after case that the weapon should be controlled by a specific segment of the AF... .mil politics and internal power struggles make me barf in my own mouth... then the last 1/3 of the paper is devoted to countering predicted counter-arguments to such a system.

imo, the guy is missing some key points here. for one, a DDOS botnet isn't an effective counter-attack tool to end an ongoing attack. if successful, it is at best similar to a mute button. once you stop counter-DDOSing your attacker, they will be free to continue their attack on you. you haven't removed the machine from the hostile botnet, or achieved permanent disruption of the attacker's C&C, or anything. so what did you achieve?

he says that in some cases, the attacker won't be readily identifiable, but we could make reasonable conclusions on who the host entity is, and just attack them. yea, that'd go over really well. but there is a bigger problem wrapped up in this point. see, an unethical attacker will be controlling a botnet which is global in scope. we won't know where they are coming from, but an entity who found itself under "counter-attack" from our DDOS botnet would know where _we_ are coming from. they can blackhole-route .mil and .gov subnets at their border routers, and then we'll need the bandwidth to flood every pipe going into and out of china? right... oh, well we could just spoof the source IPs, except that he points out that spoofing could make an attacker "guilty of the war crime of perfidy" or in violation of UN rules (which the US would *never* violate).

another big issue is that he is talking about running code which can generate (raw?) packets on every non-secret network the US govt has, with remote control capability. let's think about unintended consequences here for a second. we define risk by combining the likelihood of an event with the damage such an event would have if it were to occur. so yea, maybe it's unlikely that an attacker could compromise our official .mil botnet, but if an attacker did, it could be a pretty serious problem. he says the system will have:

protection with various mechanisms, including disabling the botnet code if an automated check indicated the code has been altered. The af.mil botnet could protect against fratricide by having filters to prevent attacks against .mil, .gov or registered allied addresses, unless specifically overridden.

but if you can override them, then maybe an attacker could too... at one very interesting point which ties in w/ the end of my last post, he says:

if the U.S. is defending itself against an attack that originates from a computer which was co-opted by an attacker, then there are real questions about whether the owner of that computer is truly innocent. At the least, the owner may be culpably negligent, and that does not, in fairness or law, prevent America from defending itself if the harm is sufficiently grave

emphasis added there... wow... so anyway, this guy has a few other choice quotes i wanted to include:

We want potential adversaries to know this capability works and will be used when needed. In fact, we should do live-fire demonstrations on the Internet against range targets so foreign signals intelligence organizations can observe. Of course, we should fire inert rounds so as to not give away secrets.

wot? are we talking DDOS here? whatever... and then there's this jewel:

Brute force has an elegance all its own.

anyway, this has become a monster post. despite my belief that a .mil DDOS botnet isn't the right next step, i think the author has hit upon an important point. today the internet is the wild west, and there are little bastions of civility and law, but if a big group of bandits comes riding along, you might have a problem. we aren't going to secure the internet at large by installing firewalls and IDSs at client sites. that does nothing about the badness right outside your fort which is hanging out trying to figure out how to get in.

when this thing reaches a boiling point, and change is at our door, i expect we'll see proactive security methods introduced into the internet at large. there's lots of possibilities, and lots of potential consequences... but, as i'll continue to state, i don't believe the status quo of infosec can be maintained...
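one more thing on the "filters ... unless specifically overridden" point from earlier in the post. below is an added example (mine, not code from the post or from the paper it discusses) that shows the difference between an override that is just a flag in the command the C&C sends, and an override that needs a second key the C&C host never holds. everything in it is hypothetical: the protected ranges are RFC 5737/3849 documentation blocks standing in for .mil/.gov/allied space, the keys are made up, and HMAC stands in for a real signature (in a real deployment the nodes would hold only a public key so they cannot mint override tokens themselves).

```python
import hmac
import hashlib
import ipaddress
import json

# constructed stand-ins (documentation ranges) for the .mil, .gov and allied
# blocks the paper wants fenced off from "fratricide". hypothetical throughout.
PROTECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")
]


def is_protected(target: str) -> bool:
    """true if the target address falls inside a protected block."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in PROTECTED_NETS)


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding; stands in for a signature."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


# design 1, the paper's wording taken literally: the override is a boolean in
# the same command the C&C issues. whoever can issue commands can also override.
def weak_allows(cmd: dict) -> bool:
    if cmd.get("override"):
        return True
    return not is_protected(cmd["target"])


# design 2: the fire command is still authenticated with the C&C key, but hitting
# protected space additionally needs an override token made with a separate key
# that never lives on the C&C host, bound to the exact target and the command's
# nonce, and good for one use only.
class Node:
    def __init__(self, cc_key: bytes, override_key: bytes):
        self.cc_key = cc_key
        self.override_key = override_key
        self.seen_nonces = set()

    def allows(self, cmd: dict) -> bool:
        payload = {k: v for k, v in cmd.items() if k not in ("sig", "override_token")}
        if not hmac.compare_digest(_sign(self.cc_key, payload), cmd.get("sig", "")):
            return False                      # not from our C&C at all
        if cmd["nonce"] in self.seen_nonces:
            return False                      # replayed command (or token)
        self.seen_nonces.add(cmd["nonce"])
        if not is_protected(cmd["target"]):
            return True                       # ordinary target, C&C key suffices
        tok = cmd.get("override_token")
        if not tok:
            return False                      # protected target, no override
        expected = _sign(self.override_key, {"target": cmd["target"], "nonce": cmd["nonce"]})
        return hmac.compare_digest(expected, tok)


def demo() -> dict:
    """walk through the cases; returns a dict of outcomes for checking."""
    cc_key = b"cc-key-present-on-the-c2-host"      # hypothetical
    ovr_key = b"override-key-held-offline"        # hypothetical
    node = Node(cc_key, ovr_key)

    # attacker who has taken over the C&C (or its key) tries protected space
    stolen = {"target": "198.51.100.7", "nonce": "n1"}
    stolen["sig"] = _sign(cc_key, stolen)

    # ordinary command against an unprotected target
    normal = {"target": "192.0.2.1", "nonce": "n2"}
    normal["sig"] = _sign(cc_key, normal)

    # properly authorized override: C&C signs, offline key issues the token
    authorized = {"target": "198.51.100.7", "nonce": "n3"}
    authorized["sig"] = _sign(cc_key, authorized)
    authorized["override_token"] = _sign(ovr_key, {"target": "198.51.100.7", "nonce": "n3"})

    return {
        "weak_flag_override": weak_allows({"target": "198.51.100.7", "override": True}),
        "stolen_cc_key_on_protected": node.allows(stolen),
        "cc_key_on_unprotected": node.allows(normal),
        "with_offline_override": node.allows(authorized),
        "replayed_override": node.allows(authorized),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'fires' if outcome else 'refused'}")
```

the point of the second design is only that compromising the part of the system that is reachable from the network (the C&C) is not enough to turn the thing on protected space; the override authority is a separate key, bound to one target and one nonce, so a stolen token can't be reused either. it doesn't make the overall idea any less risky, it just shows what "unless specifically overridden" has to mean if it is going to mean anything.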
