I first started thinking about black ice after reading Gibson’s Count Zero many years back. Black Ice is, in essence, counter offensive data. Count Zero’s protagonist Bobby Newmark was engaging corporate servers when Black Ice started to fry his brain. Hackers in the Gibsonesque stories jack into the net brain first so, to them, Black Ice is essentially lethal feedback. Today we don’t quite engage the net with anything nearly as sexy; however, the possibility for Black Ice certainly does exist.
Here’s the scenario:
ScriptKiddieA is port scanning Server-A. Server-A notes this and starts to probe SK-A for information. SK-A finds port 139 open and decides to try winNuke (an old OOB attack). SK-A isn’t all that bright. Server-A logs the attempt and goes into counter offensive mode. Server-A runs the information through a database of known DoS (Denial of Service) attacks and selects a few that will knock SK-A off the grid. SK-A is frustrated after having to log back on again (undoubtedly fighting the AOL busy signal ;) and tries smurf and teardrop attacks. Server-A logs this then hurls some more counter offensive packets at SK-A. These packets penetrate the machine, dump a few viruses into memory, and power off the machine. SK-A is now presumably BSOD’ing (Blue Screen of Death) and can’t boot his computer anymore.
This is an extremely simple example of how this works. I was actually amazed to see this very concept in action one night at Collusion HQ. I was playing a friendly game of Quake2 and Tex (founder of Collusion) in his infinite wisdom noted the server I was playing and tried to OOB it. Tex had a LAN analyzer running with a visual depiction of IP traffic. After his failed attempt to knock out the Q2 server another IP popped up out of nowhere and launched a counter attack!
The rules of the net however don’t really support this model of network security. I was speaking with Jericho (www.attrition.org) about this topic at Defcon and he informed me that self-defense theory doesn’t really apply to computers. Disabling a computer for any reason is illegal. You may log anything and everything a person does to your computer but not attack it. A very zen policy, but it definitely won’t last in the military and emerging corporate worlds.
Corporate servers could claim self-defense of servers because their networks generate revenue, a theory any self-respecting shareholder would support. I picture a backplane of information exchange between trusted machines that would communicate attack patterns. If Server-A was under attack, it would send distress packets to other servers (what I called brotherhood machines) to request backup. The attacker could be using flooding techniques that would prevent the victim server from fighting back, or perhaps killing a routing path that the server otherwise needs to communicate this request for help. The brotherhood machines would be able to triangulate the attacker and counter attack from other subnets. Communication would have to be done via wireless or other means to prevent disruption. Even dialups could be used theoretically since they would be much harder to track down.
I can already see military leaders salivating over technology like this. With the slew of military sites being defaced and the sheer amount of probes that must occur to .mil and .gov sites, counter offensive technology would be a great relief to their systems administrators. I was informed of an Air Force base in Corpus Christi (AFIWC) that plays watchdog for military sites. A news special depicted airmen staring vigilantly at scrolling terminals trying to find patterns of attack. Now take this concept a step further. Think bigger. Janet Reno has been droning on and on about our Federal Intrusion Detection Network (fidnet); imagine what this could do for her. Think about a firewall that encompasses every node in America. Offensive packets are filtered out and logged. Attacks on corporate sites will earn a kick off the grid. Attacks on .mil and .gov sites will earn feedback that will turn your machine into a paper weight.
This theory does have flaws, I can’t lie about that. The biggest of which is spoofing. Servers would have to go to extraordinary lengths to verify IPs before launching counter offensive strikes. If I were to attack a navy.mil site with a spoofed nsa.gov address, just imagine the fireworks that would ensue. Granted, that particular scenario would be really fun to watch or read about, but the issue of spoofing remains a burr in my shoe.
The last thing a system administrator would want is for his network guardians to attack innocent machines. Imagine if SK-A hacks ISP-A and resets their routing tables to focus on some other site that SK-A wants to DoS. Essentially ISP-A would think that they are counter attacking SK-A but in reality they are attacking someone else that SK-A wants them to attack. Lawsuits would abound from accidentally slain machines due to spoofing. I really think we have enough lawyers. Let’s not encourage them to spawn more.
The only plausible solution I saw to spoofing would involve having real-time access to every router in the world (or possibly the country) to use triangulation methods. That presents a problem that would require government size muscle to solve. I wouldn’t be surprised if the NSA (or FBI, SS, etc) required that every bandwidth provider install a special backdoor for the government in their routers. It would follow the same pattern of intrusion they have exhibited with other communications technologies.
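Here is an added example, not the essay’s own code, that models the spoofing flaw described in the last three paragraphs: a server that fires back at whatever source address an attack packet claims ends up hitting the innocent owner of that address, while a server that only filters sources which have proven they receive its replies (the token below stands in for the TCP sequence numbers a real client must echo) logs the spoofed attempt and acts only on the genuine one. Addresses, packets and the "OOB" marker are all constructed for the demo.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Packet:
    src: str           # address in the IP header; an attacker can write anything here
    flags: str         # "SYN", "ACK" or "OOB" ("OOB" stands in for the attack packet)
    token: str = ""    # stand-in for the TCP sequence number a real client must echo

class Server:
    def __init__(self, counter_strike: bool):
        self.counter_strike = counter_strike
        self.pending = {}           # claimed src -> token we sent in our SYN/ACK
        self.established = set()    # sources that echoed the token correctly
        self.mailbox = {}           # constructed network: addr -> replies delivered there
        self.struck, self.blocked, self.log = [], [], []

    def receive(self, p: Packet) -> None:
        if p.flags == "SYN":
            tok = secrets.token_hex(4)
            self.pending[p.src] = tok
            # The reply is routed to the header address, whoever really sent the SYN.
            self.mailbox.setdefault(p.src, []).append(tok)
        elif p.flags == "ACK":
            if self.pending.get(p.src) == p.token:
                self.established.add(p.src)
        elif p.flags == "OOB":
            self.log.append(f"OOB attempt claiming source {p.src}")
            if self.counter_strike:
                # Black Ice: fire at whatever the header says. Trivially spoofable.
                self.struck.append(p.src)
            elif p.src in self.established and self.pending.get(p.src) == p.token:
                # Defensive: act only on a source that proved it receives our replies,
                # and act by filtering it, never by sending anything back.
                self.blocked.append(p.src)

def run(counter_strike: bool) -> Server:
    s = Server(counter_strike)
    attacker, innocent = "10.0.0.66", "10.0.0.7"          # constructed addresses
    # Spoofed attack: the SYN/ACK token lands in the innocent host's mailbox,
    # so the spoofer can only guess it.
    s.receive(Packet(innocent, "SYN"))
    s.receive(Packet(innocent, "OOB", token="guess"))
    # Genuine attack from the attacker's own address, with a completed handshake.
    s.receive(Packet(attacker, "SYN"))
    s.receive(Packet(attacker, "ACK", token=s.mailbox[attacker][-1]))
    s.receive(Packet(attacker, "OOB", token=s.mailbox[attacker][-1]))
    return s
```

With `counter_strike=True` the innocent host is "struck" first; with `counter_strike=False` nothing is struck, both attempts are logged, and only the attacker's address is blocked.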
Along these same lines comes the issue of distributed attacks. Distributed attacks are a new genre in DoS attacks and pose a serious problem for Black Ice systems. Distributed attacks occur when a malicious programmer or cracker automates the attack by programming other people’s machines to perform the DoS. Hundreds, even thousands, of machines can be infected to perform this attack. ZDNN featured an article about this very concept. Let’s assume 20,000 people became infected with an email virus that caused their machines to launch attacks against a Black Ice system. Once counter offensive mode was engaged, tens of thousands of innocent users would be knocked off the grid and wouldn’t even know why. Now further imagine that one of the infected users was a government worker in the Chinese embassy and the server under attack was a .gov machine. www.eWorldWarIII.com.