AusCert 2010: Australia protected by anti-DDoS vigilantes
- 17 May, 2010 15:17
According to SecureWorks malware researcher and group member Joe Stewart, DDoS defenders may face prosecution for launching what he says are essential retaliatory attacks
An informal, low-profile group of sharp minds may be the world's best defence against Distributed Denial of Service (DDoS) attacks, but legal uncertainty is holding back what its members are willing to do.
These IT vigilantes fill out no forms to join and answer to no hierarchy. The loosely affiliated members of this near-shadow group resist formal structures, and some refuse to be identified.
Their meeting places are not offices, but the grounds of IT conferences, bars and website forums.
And it is through this IT grapevine that these groups of researchers and engineers will be notified when a significant DDoS attack strikes.
But according to SecureWorks malware researcher and group member Joe Stewart, these DDoS defenders may face prosecution for launching what he says are essential retaliatory attacks, because the law around such responses is a grey area.
"Fear of persecution keeps those able to respond from doing so with all measures available," Stewart told the annual AusCERT conference being held in Queensland. "Legislators need to understand the issues and provide options for self-defense without fear of persecution.
"Law enforcement is unable to respond in a timely fashion to protect the innocent. Politicians don't understand the attacks or how to defend against them."
Stewart said the defences used against DDoS botnet attacks are a mix of passive and aggressive measures that may or may not be legal.
"It is probably safe to say [the defences] are mostly legal but it is a grey area. Some countries have anti-nuisance laws in which taking out an attacking server could be okay," he said.
He added that the defence tactics require a deft eye for detail, such as spotting a misplaced capital letter or a stray piece of syntax, a skill that can take years to acquire.
"As a victim, you have to identify the IP address that is attacking you. For Tarpitting (a defence against HTTP-based DDoS attacks), set your TCP/IP window size to zero [which] means the attacker will keep resending un-acknowledged packets and will be stuck in a loop. The overall effect is that traffic reduces more using tarpits than if you drop it and don't respond.
"When we drop packets, the CPU load of the bot is constant and the bot can handle it. But when we used tarpits, and the packets waited, the CPU usage of the bot went up 100 per cent so the bot became almost unusable - you could call this a passive-aggressive defence, and it is very effective."
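The first step Stewart describes, picking the attacking sources out of the traffic, is the kind of thing an analyst scripts against a web-server access log. The block below is an added example, not code from the article, from Stewart or from SecureWorks. It assumes Apache/nginx Common Log Format, a hypothetical sliding window of 10 seconds and a hypothetical threshold of 20 requests per window (both tunable), and it builds its own constructed log lines so it runs offline. Alongside the rate check it also flags request lines whose method is not fully capitalised, the sort of small tell mentioned above that separates a bot's hand-rolled HTTP from a real browser's.

```python
"""Pick out DDoS sources from an access log (added example, not from the article)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request line: UPPERCASE method, absolute path (or *), HTTP/x.y
REQ_RE = re.compile(r'^[A-Z]+ (/\S*|\*) HTTP/\d\.\d$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request_line), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def find_flooders(lines, window_s=10, threshold=20):
    """Track each source IP's request timestamps in a sliding window and return
    {ip: peak_requests_in_window} for IPs whose peak reaches the threshold.
    Lines are expected in timestamp order, as a live log is written."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire old entries
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def find_odd_syntax(lines):
    """Return {ip: count} of request lines that are not well-formed HTTP
    (e.g. 'Get /' instead of 'GET /'), a cheap bot-versus-browser tell."""
    odd = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _, req = parsed
        if not REQ_RE.match(req):
            odd[ip] += 1
    return dict(odd)


def build_sample_log():
    """Constructed sample log (not real traffic): one flooding bot, one bot
    with a miscapitalised method, and one ordinary visitor."""
    base = datetime(2010, 5, 17, 12, 0, 0, tzinfo=timezone(timedelta(hours=10)))

    def fmt(ip, ts, req):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512'

    events = []
    # bot A: 50 requests in 5 seconds (10 per second)
    for i in range(50):
        events.append((base + timedelta(seconds=i // 10), "203.0.113.10", "GET /index.html HTTP/1.1"))
    # bot B: lowercase method, 8 requests spread over 70 seconds
    for i in range(8):
        events.append((base + timedelta(seconds=10 * i), "198.51.100.7", "Get /index.html HTTP/1.1"))
    # ordinary visitor: 5 requests, 15 seconds apart
    for i in range(5):
        events.append((base + timedelta(seconds=15 * i), "192.0.2.25", "GET /about.html HTTP/1.1"))
    events.sort(key=lambda e: e[0])  # stable sort keeps log order within a second
    return [fmt(ip, ts, req) for ts, ip, req in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("flooders:", find_flooders(log))      # only bot A exceeds the threshold
    print("odd syntax:", find_odd_syntax(log))  # only bot B sends 'Get'
```

With the defaults, only bot A (50 requests inside the window) is reported as a flooder; bot B stays under the rate threshold but is caught by the syntax check. The two signals are meant to be read together: a low-rate source with malformed requests is still worth a second look before it is added to a tarpit or drop list.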
Stewart said victims of DDoS attacks can find the group's experts through the news articles that cover such attacks, where they are often mentioned, and through social networks within the industry.
He poured cold water on hype surrounding the use of peer-to-peer networks to control botnets, saying they are too difficult to control and to fully decentralise. He said the infamous Storm botnet used a peer-to-peer network to connect nodes, as an "overlay", but its command and control servers connected normally and were taken down.
"It is hard to control what not to hijack in a decentralised peer-to-peer network. Those that write the botnets aren't the brightest," he said, adding that the situation will be dire if a kit based on a successful peer-to-peer model is created.
He said Google Groups and Twitter are often used to obfuscate botnets.
Department of Defence staff present at AusCert would not comment on national DDoS defence, but acknowledged that counter-attacks may be illegal.