
Defensive DoS Attack Theory


newbi3


This could work in theory: What if you have a server out in the cloud looking at the connectivity of your network, and if someone were to do a DoS attack on you then the server would go on the defense and attack the attacker. Since the server isn't on your LAN it would be able to do that, because it is not being attacked. Now the only problem with this theory is how you would be able to get the attacker's IP and send it to the server before it's too late.

This is just something that came to my mind after watching Eli the Computer Guy's video about auto-replying to spammers with spam. I'm sure someone on here would have the know-how to do something like this if it hasn't already been done, and if you think you know a way let me know, because I would like to attempt to develop this.


Wouldn't really be practical for many reasons. One being, you would be committing a crime if your automation did get any unauthorized access to a machine. And let's not forget that you would probably be attacking legit users as well, not to mention attacking proxy servers that may be in use, causing even more headaches for yourself.


DoS attacks in general are usually carried out by more than one machine against a single target, and some attacks don't even need to be from real senders: you can use fake sender addresses and return IPs with packet forging. You can have things in place to auto-ban IPs coming into your site if a DoS attack is detected, but even then your site would most likely be overwhelmed in a true DoS or DDoS attack, and you would need a fat pipe with help from something like Cloudflare to drop packets before they reach your real domain's IP address, essentially shielding you from the attacks, since they would be hitting Cloudflare's IPs and servers, for which they have redundant and dynamic capabilities with co-location caching services that help keep sites up when being attacked.

There are tools and WAFs (web application firewalls) that to some extent can help mitigate and throttle a client's access to the site, but most would be ineffective against a large, targeted attack. Tools like Dave Kennedy's Project Artillery, though, will set up honey ports for people trying to scan your site: make it seem like the port is open, return expected data to the attacker, reel them in, then block them via firewall rules and add their IP to his global database of known attacking IPs. The IP would then be banned from reaching the site, so this can help mitigate recon attacks like people scanning you with nmap, for example, and it will then auto-block their IP and, I think, even send packets back at the attacker if they try certain attacks; he turns the attack back at the attacker, sent to themselves from themselves.

I forgot to mention, Bwall has his own WAF he is developing that also blocks automated scanners and most scripted botnet attacks, and logs the attacks for you while adding them to iptables to block them from coming back. Should check out Ballast Security for more info. https://www.ballastsecurity.net/

Edited by digip
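digip's point that forged source addresses defeat per-IP auto-banning can be made concrete with a small simulation. This is an added example, not code from the thread: the limiter is a simplified sliding-window counter standing in for a firewall's per-source rate rule, and both packet streams (one real sender, and one flood with a random forged IPv4 source on every packet) are constructed here rather than captured.

```python
"""Why per-source auto-banning fails against a spoofed flood (added example).

The limiter below is a simplified sliding-window counter standing in for a
firewall's per-source rate rule. Both packet streams are constructed here;
nothing is captured from a real network.
"""
from collections import defaultdict, deque
import ipaddress
import random


class SourceRateLimiter:
    """Ban a source once it exceeds `threshold` packets within `window` seconds."""

    def __init__(self, threshold: int, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
        self.banned = set()

    def observe(self, ts: float, src_ip: str) -> bool:
        """Feed one packet; return True if it is dropped (source is banned)."""
        if src_ip in self.banned:
            return True
        q = self.recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.banned.add(src_ip)
            return True
        return False


def flood_single_source(n: int, src: str = "203.0.113.7", rate: float = 1000.0):
    """n packets from one real sender at `rate` packets per second (constructed)."""
    return [(i / rate, src) for i in range(n)]


def flood_spoofed_sources(n: int, rate: float = 1000.0, seed: int = 1):
    """n packets, each carrying a forged, random IPv4 source address (constructed)."""
    rng = random.Random(seed)
    return [(i / rate, str(ipaddress.IPv4Address(rng.getrandbits(32)))) for i in range(n)]


def run(limiter: SourceRateLimiter, packets):
    """Return (packets_dropped, packets_passed, sources_banned)."""
    dropped = sum(1 for ts, src in packets if limiter.observe(ts, src))
    return dropped, len(packets) - dropped, len(limiter.banned)


if __name__ == "__main__":
    n = 10_000
    print("single real source   :", run(SourceRateLimiter(100), flood_single_source(n)))
    print("spoofed sources      :", run(SourceRateLimiter(100), flood_spoofed_sources(n)))
    # Lowering the threshold to "catch" the spoofed flood just blacklists
    # thousands of addresses, nearly all of which belong to someone else.
    print("spoofed, threshold 0 :", run(SourceRateLimiter(0), flood_spoofed_sources(n)))
```

With a threshold of 100 packets per second the real sender is banned after 100 packets and the remaining 9,900 are dropped, while the spoofed flood passes untouched because no forged address ever repeats enough to trip the counter. Turning the threshold down far enough to stop it bans roughly ten thousand addresses, which is the "attacking legit users" and "blacklisting every IP perceived as a threat" problem raised elsewhere in the thread.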

As mentioned, many DoS attacks come from forged packets, making it difficult to go on the offense against them. DoS also, IMO, isn't really that big of a threat, just a headache. It just becomes a pain if you're a public site with a lot of traffic and you can't simply whitelist client IPs or change your server IP on the go, and have to stay public on one IP and devote a lot of server resources to blacklisting every IP perceived as a threat.

I think you should give it a go. You'll never know how it will actually work until you try it.

Edited by bobbyb1980

  • 3 weeks later...

This could work in theory: What if you have a server out in the cloud looking at the connectivity of your network, and if someone were to do a DoS attack on you then the server would go on the defense and attack the attacker. Since the server isn't on your LAN it would be able to do that, because it is not being attacked. Now the only problem with this theory is how you would be able to get the attacker's IP and send it to the server before it's too late.

This is just something that came to my mind after watching Eli the Computer Guy's video about auto-replying to spammers with spam. I'm sure someone on here would have the know-how to do something like this if it hasn't already been done, and if you think you know a way let me know, because I would like to attempt to develop this.

This isn't theory; it's practical practice in many networks. I use a combination of a pfSense firewall with a port scanner, then Snort with custom rules that will write to the firewall. Then on the Windows systems I have a Python executable that will monitor the server, and if that server is running, say, web (HTTP) port 80 only and someone scans it or tries to connect to any port other than 80, the Python program calls Snort and writes a block rule for that IP address. (Honeypot systems are great too.)

All this takes time, planning and careful implementation, then testing. What you do not want to do is have your system attack a federal system, or a system that has been hacked and used in a man-in-the-middle attack; you also need to avoid letting a clever (CRACKER, not hacker) get your own IPs or subnets blocked from legit traffic.

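Both the Project Artillery honey ports described earlier and the approach in the last post (block anyone who connects to a port the host does not actually serve) can be sketched as follows. This is an added example, not Artillery's code nor the poster's pfSense/Snort/Python tooling; the listening port, the banner, the allowlist networks and the iptables command are assumptions for illustration. It makes two points concrete: a TCP honeyport only fires after a completed three-way handshake, so unlike the forged packets of a SYN flood the peer address is one the attacker really uses; and the block decision consults an allowlist first, so a hostile connection cannot be used to get your own subnets or loopback banned, which is the concern the last post raises.

```python
"""Honeyport that blocks every peer except allowlisted ones (added example).

Not Project Artillery's code nor the poster's pfSense/Snort tooling. The
listening port, the banner, the allowlist networks and the iptables rule
text are assumptions for illustration.
"""
import ipaddress
import socket
import threading
from typing import Optional

# Assumed: networks that must never be blocked (our own subnets, monitoring hosts).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Assumed: a reply that makes the unused port look like a live mail service.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def block_rule_for(src_ip: str, allowlist=ALLOWLIST) -> Optional[str]:
    """Return the firewall command that drops src_ip, or None if it must not be blocked."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None
    # Never block ourselves, link-local/multicast noise, or allowlisted networks.
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return None
    if any(addr in net for net in allowlist):
        return None
    return f"iptables -I INPUT -s {addr} -j DROP"


def serve_honeyport(bind="0.0.0.0", port=2525, max_conns=None, on_listen=None, apply_rule=None):
    """Accept TCP connections on a port we do not really serve; every peer is hostile.

    Returns a list of (peer_ip, first_bytes, rule). apply_rule, if given, is
    called with each rule, e.g. lambda r: subprocess.run(r.split(), check=True);
    by default the rule is only recorded.
    """
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        if on_listen:
            on_listen(srv.getsockname()[1])      # report the bound port (useful with port=0)
        while max_conns is None or len(events) < max_conns:
            conn, (peer_ip, _peer_port) = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(BANNER)         # reel the scanner in with a plausible reply
                    first = conn.recv(256)       # keep whatever it sends back for the log
                except OSError:
                    first = b""
            # The three-way handshake completed, so peer_ip is not a forged address.
            rule = block_rule_for(peer_ip)
            if rule and apply_rule:
                apply_rule(rule)
            events.append((peer_ip, first, rule))
    return events


def demo_loopback():
    """Serve one connection on 127.0.0.1 and probe it from this host."""
    ready, state = threading.Event(), {}

    def listening(port):
        state["port"] = port
        ready.set()

    worker = threading.Thread(
        target=lambda: state.__setitem__("events", serve_honeyport("127.0.0.1", 0, 1, listening)))
    worker.start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", state["port"]), timeout=5) as probe:
        banner = probe.recv(256)
        probe.sendall(b"EHLO scanner\r\n")
    worker.join(5)
    return banner, state["events"]


if __name__ == "__main__":
    banner, events = demo_loopback()
    print("banner seen by the probe:", banner)
    for peer_ip, first, rule in events:
        print(peer_ip, first, "->", rule or "not blocked (loopback/allowlisted)")
```

The loopback demo shows the decision path without touching the firewall: the probe receives the fake banner, the server records what it sent, and because 127.0.0.1 is loopback no rule is produced. To enforce, run as root and pass an apply_rule callback; keeping the rule in the returned events first lets you review what would be blocked before automating it.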
