Counter DoS

http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm

Comments?

This is not really a comment about this article. But I really think it
would have been better if people didn't just put the link and then say
"comments" but actually posted the most important part of the article.

In this case it should have been mentioned that this is another article about
Symbiot (remember the thread about it just last week) and their threatened
counter-strike anti-DoS system... Here are some quotes from this article:

<quote from above listed url; ... = snip>
Symbiot launches DDoS counter-strike tool
Munir Kotadia
ZDNet UK
March 10, 2004, e5:15 GMT
...
In advance of the product launch, Symbiot's president, Mike Erwin, and its
chief scientist, Paco Nathan, have outlined a set of "rules of engagement
for information warfare"
...
The company said it bases its theory on the military doctrine of
"necessity and proportionality", which means the response to an attack is
proportionate to the attack's ferocity. According to the company, a response
could range from "profiling and blacklisting upstream providers" or it
could be escalated to launch a "distributed denial of service counter-strike"
...
Governments could soon be using hacker tools for law enforcement and the
pursuit of justice, according to an expert on IT and Internet law. Joel
Reidenberg, professor of law at New York-based Fordham University, believes
it likely that denial of service attacks (DoS) and packet-blocking technology
will be employed by nation states to enforce their laws. This could even
include attacks on companies based in other countries, he says.
</quote>

To be fair, I chose specific parts of the article, and it does list the views
and concerns of some security experts:

<other quotes from same article>
...
Security experts expressed alarm at the company's plans.

Graham Titterington, principal analyst at Ovum, said "such a counterattack
would not be regarded as self-defence and would therefore be an attack. It
would be illegal in those jurisdictions where an anti-hacking law is in place."
He added that because many hacking and DDoS attacks are launched from
hijacked computers, the system would be unlikely to find its real target:
"Attacks are often launched from a site that has been hijacked, making it
an unwitting and innocent -- although possibly slightly negligent -- party."

Richard Starnes, director of incident response at Cable and Wireless
Managed Security Services, said he would not employ an "active defence
technique" because there are legal and ethical issues involved. Also, he
would not be happy about any product "specifically designed to launch
attacks" being put into commercial production. Starnes said it would be
easy to hit the wrong target and even if it was the right target, there
could be collateral damage: "You may be taking out grandma's computer in
Birmingham that has got a 100-year-old cookie recipe that has not been
backed up. The attack could also knock over a Point of Presence (PoP), so
you are not only attacking the target, but also the feeds before them --
this means taking out ISPs, businesses and home users."
</other quotes>

The company said it bases its theory on the military doctrine of
"necessity and proportionality", which means the response to an attack is
proportionate to the attack's ferocity. According to the company, a response
could range from "profiling and blacklisting upstream providers" or it
could be escalated to launch a "distributed denial of service
counter-strike" ...

Their ROE white paper is full of pseudo-military phraseology
that suggests lots of safeguards in place to respond only to
verifiably culpable adversaries and to ensure responsible
executive oversight... right up to the point when they
start talking about distributed denial of service counterattacks
(under the heading which they refer to as "asymmetric measures").

I wonder, are they planning to launch these DDoS attacks from
compromised hosts belonging to unwitting accomplices like the
bad guys do? Or by enlisting the computing resources of all
Symbiot customers (i.e., if customer A gets attacked, hosts
at customers B, C, and D are employed in the retaliation)?
I'm assuming they use the term "distributed" advisedly.

Either way, it sounds illegal by design.

hopefully they will spend their time attacking that pesky attacker:
127.0.0.1... he's always attacking customers, shouldn't he have been
caught by now?