newbi3 Posted November 13, 2012

This could work in theory: What if you have a server out in the cloud looking at the connectivity of your network, and if someone were to do a DoS attack on you, then the server would go on the defense and attack the attacker? Since the server isn't on your LAN, it would be able to do that because it is not being attacked. Now the only problem with this theory is how would you be able to get the attacker's IP and send it to the server before it's too late? This is just something that came to my mind after watching Eli the Computer Guy's video about auto-replying to spammers with spam. I'm sure someone on here would have the know-how to do something like this if it hasn't already been done, and if you think you know a way, let me know, because I would like to attempt to develop this.
Mr-Protocol Posted November 13, 2012

Wouldn't really be practical for many reasons. One being, you would be committing a crime if your automation did get any unauthorized access to a machine. And let's not forget that you would probably be attacking legit users as well. As well as attacking proxy servers that may be used as well to cause even more headaches for yourself.
digip Posted November 14, 2012 (edited)

DoS attacks, in general, are usually carried out by more than one machine against a single target, and some attacks don't even need to be from real senders. You can use fake sender addresses and return IPs with packet forging. You can have things in place to auto-ban IPs coming into your site if a DoS attack is detected, but even then, your site would most likely be overwhelmed in a true DoS or DDoS attack, and you would need a fat pipe with help from something like Cloudflare to drop packets from reaching your real domain's IP address, essentially shielding you from the attacks, since they would be hitting Cloudflare's IP and servers, for which they have redundant and dynamic capabilities with co-location caching services that help keep sites up when being attacked.

There are tools and WAFs (web application firewalls) that to some extent can help mitigate and throttle a client's access to the site, but most would be ineffective at a large, targeted attack. Tools like Dave Kennedy's Project Artillery, though, will set up Honey Ports for people trying to scan your site, make it seem like the port is open, then return expected data to the attacker, reel them in, then block them via firewall rules and add their IP to his global database of known attacking IPs. The IP would then be banned from reaching the site, so this can help mitigate recon attacks like people scanning you with nmap, for example, and then will auto-block their IP and, I think, even make it send packets back at itself if they try certain attacks; he turns the attack back at the attacker, sent to themselves from themselves.

I forgot to mention, Bwall has his own WAF he is developing that also blocks automated scanners and most scripted botnet attacks, and logs the attacks for you while adding them to iptables to block them from coming back. Should check out Ballast Security for more info.

https://www.ballastsecurity.net/

Edited November 14, 2012 by digip
newbi3 Posted November 15, 2012 (Author)

Digip, you made a lot of good points, thanks, and I'll check out Ballast Security!
bobbyb1980 Posted November 15, 2012 (edited)

As mentioned, many DoS attacks come from forged packets, making it difficult to go on the offense against them. DoS also, IMO, isn't really that big of a threat, just a headache. It just becomes a pain if you're a public site with a lot of traffic and you can't simply whitelist client IPs or change your server IP on the go and have to stay public, on one IP, and devote a lot of server resources to blacklisting every IP perceived as a threat. I think you should give it a go. You'll never know how it will actually work until you try it.

Edited November 15, 2012 by bobbyb1980
ghosthunter007 Posted December 2, 2012

> This could work in theory: What if you have a server out in the cloud looking at the connectivity of your network, and if someone were to do a DoS attack on you, then the server would go on the defense and attack the attacker? Since the server isn't on your LAN, it would be able to do that because it is not being attacked. Now the only problem with this theory is how would you be able to get the attacker's IP and send it to the server before it's too late? This is just something that came to my mind after watching Eli the Computer Guy's video about auto-replying to spammers with spam. I'm sure someone on here would have the know-how to do something like this if it hasn't already been done, and if you think you know a way, let me know, because I would like to attempt to develop this.

This isn't theory, it's practical practice in many networks. I use a combination of pfSense firewall with portscanner, then Snort with custom rules that will write to the firewall. Then on the Windows systems I have a Python executable that will monitor the server, and if that server is running, say, web (HTTP) port 80 only and someone scans it or tries to connect to any other port than 80, the Python program calls to Snort and writes a block rule on that IP address. (Honeypot systems are great too.) All this takes time, planning and careful implementation, then testing. What you do not want to do is have your system attack a federal system or a system that has been hacked and used a man-in-the-middle attack. Also need to avoid a clever (CRACKER not Hacker) from blocking your own IPs or subnets from legit traffic.
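
Added example (not part of the thread and not any poster's code): a sketch of the block-on-unexpected-port decision described in the last post, with the two guards the thread raises, forged source addresses and locking out your own ranges. The log format, the state field, the never-block ranges and the threshold are assumptions made for illustration, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values (hypothetical, not from the thread).
ALLOWED_PORTS = {80}                      # the only service meant to be reachable
NEVER_BLOCK = [ipaddress.ip_network(n)    # own ranges: never auto-block these
               for n in ("10.0.0.0/8", "192.0.2.0/24")]
THRESHOLD = 3                             # distinct unexpected ports before blocking

# Constructed sample events: "<timestamp> <source IP> <dest port> <TCP state>"
SAMPLE_LOG = """\
2012-12-02T10:00:01 203.0.113.7 22 ESTABLISHED
2012-12-02T10:00:02 203.0.113.7 23 ESTABLISHED
2012-12-02T10:00:03 203.0.113.7 3389 ESTABLISHED
2012-12-02T10:00:04 198.51.100.9 80 ESTABLISHED
2012-12-02T10:00:05 192.0.2.10 22 ESTABLISHED
2012-12-02T10:00:06 192.0.2.10 23 ESTABLISHED
2012-12-02T10:00:07 192.0.2.10 445 ESTABLISHED
2012-12-02T10:00:08 198.51.100.50 22 SYN_ONLY
2012-12-02T10:00:09 198.51.100.50 23 SYN_ONLY
2012-12-02T10:00:10 198.51.100.50 25 SYN_ONLY
2012-12-02T10:00:11 203.0.113.99 22 ESTABLISHED
this line is malformed
"""

def decide_blocks(log_text):
    """Return source addresses that earned a block, as sorted strings."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        try:
            _ts, src, port, state = line.split()
            src, port = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue                      # skip malformed lines, never guess
        if port in ALLOWED_PORTS:
            continue                      # normal traffic to the published service
        if state != "ESTABLISHED":
            continue                      # bare SYNs can carry a forged source
        if any(src in net for net in NEVER_BLOCK):
            continue                      # a forged or internal hit must not lock us out
        hits[src].add(port)
    offenders = sorted(ip for ip, ports in hits.items() if len(ports) >= THRESHOLD)
    return [str(ip) for ip in offenders]

def iptables_rules(addresses):
    """Render DROP rules as text for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in addresses]

if __name__ == "__main__":
    for rule in iptables_rules(decide_blocks(SAMPLE_LOG)):
        print(rule)
```

Only the source that completed connections to three unexpected ports is selected; the SYN-only source, the never-block range and the single stray connection are all left alone.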