Neutralizing Nimda: Technical, Moral, and Legal Discussions of an Automated Strike-back, presented at Black Hat Asia 2002

by Timothy (Thor) Mullen

Summary: This session is more about questions than it is about answers. Though almost a year old, Nimda continues to propagate, consuming bandwidth and resources in the process. Patches have been available since before Nimda struck and clean-up utilities are provided for free, yet we continue to log attacks against our servers on a daily basis. Nothing effective is being done: if you are lucky enough to get a response from an ISP, they will claim their hands are tied, and know-nothing administrators shrug as they delete notification emails.
So, what are your rights when it comes to defending yourself from attack? What are your rights to stop an attacking box from consuming your resources?
We have developed an automated strike-back method where a system can now defend itself against an attacker by neutralizing an attacking box. Currently, deployment of such a system would be considered illegal by many and immoral by others.
This session will discuss several technical methods one can use to stop such an attack (in varying degrees of "finality") and the moral and ethical ramifications of utilizing such a system. It will also attempt to broach legal questions such as "how much is too much," and discuss the application of physical law, i.e. "self defense," to internet events such as worm attacks. [Note: Mr. Mullen is not a lawyer. Though opinions and content may be contributed by practicing attorneys, this session is not an attempt to educate the public on the interpretation of law or provide legal guidance in any way.]