Hackback: (Too) Risky Business

Hackback (retaliating in kind against online attackers) might be a little too aggressive

When a denial-of-service (DoS) attack was launched against the World Trade Organization website during the WTO summit meeting in Seattle nearly four years ago, Conxion (the WTO's hosting service) retaliated. Conxion determined that the attack, a flood of page download requests, was coming from a single IP address belonging to a server run by a United Kingdom-based group called the E-Hippies Coalition. Conxion repelled the attack by configuring its filtering software to redirect network traffic arriving from E-Hippies' server back to that machine. E-Hippies never publicly acknowledged the attack, but noted on its site that users were having a hard time getting through.

It's called hackback, and it's a still more extreme version of aggressive defense. Probably too extreme, in fact. Digex CSO Pamela Fusco, who generally advocates an aggressive defense strategy, says her company won't go as far as hackback because of the legal risks.

Jennifer Granick, executive director of the Stanford Law School Center for Internet and Society, runs through a litany of those risks. Placing unauthorized code on a person's machine without his consent, especially if the code maintains communications with a third party, could violate 18 U.S.C. 1030, the general statute forbidding unauthorized access to computer systems. That statute is the Computer Fraud and Abuse Act, as amended by the USA PATRIOT Act and other legislation. Such actions can be prosecuted under the Computer Fraud and Abuse Act, the Stored Communications Act (18 U.S.C. 2701, "Unlawful access to stored communications") and the Electronic Communications Privacy Act. And even if a company's honeypot merely seeds "honey tokens" (bait that, once taken, reports back on what the alleged attacker is doing on his own machines), Granick says it could be violating a host of privacy protections intended to prevent illegal wiretapping.

Granick further points out a simple logistical risk posed by hackback: since attackers frequently forge the apparent source of their traffic so that it seems to come from someone else, the counterstrike may wind up hitting an innocent party. In the WTO case, Conxion told the press at the time that it believed it had a clear trail back to the offending IP address at the E-Hippies server, allowing it to reject the packets and return them to the sender. (NaviSite, the company that later acquired Conxion, did not return calls seeking comment for this story.)
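To make Granick's point concrete, here is a small simulation, added for this article and not Conxion's software or anything described in the original reporting. It models the two filter policies at issue: reflecting a flood back at the address in its IP source field (the hackback described above) versus simply dropping it. The addresses, packet sizes and counts are constructed sample values from the RFC 5737 documentation ranges; the lesson is that the only "sender" a filter can see is the header field the attacker wrote, so a reflected counterstrike lands on whoever that field names.

```python
"""Toy model of 'send the flood back to its source'.

Constructed example, not the filtering software from the article. It shows
why a reflect-to-source rule is only as accurate as the attacker's own
IP source field, while a plain drop rule harms nobody.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the IP header (attacker-controlled)
    dst: str    # destination address
    size: int   # payload size in bytes


# Constructed addresses from the RFC 5737 documentation ranges.
WEBSITE = "203.0.113.10"     # the defended web server
ATTACKER = "198.51.100.7"    # the machine actually emitting the flood
BYSTANDER = "192.0.2.55"     # an innocent host whose address the attacker forges


def flood(spoofed_src: str, count: int, size: int = 512) -> list[Packet]:
    """Build a request flood whose IP source field reads `spoofed_src`.

    The packet carries no record of the machine that really sent it; the
    header field is whatever the attacker chose to write there.
    """
    return [Packet(src=spoofed_src, dst=WEBSITE, size=size) for _ in range(count)]


def hackback_reflect(packets: list[Packet], blocked_src: str) -> Counter:
    """Reflect rule: traffic whose source field matches blocked_src is turned
    around and sent back to that source address. Returns bytes delivered
    per host, including the defended website."""
    delivered: Counter = Counter()
    for p in packets:
        if p.src == blocked_src:
            delivered[p.src] += p.size    # lands on whoever the header names
        else:
            delivered[WEBSITE] += p.size  # ordinary traffic reaches the site
    return delivered


def defensive_drop(packets: list[Packet], blocked_src: str) -> Counter:
    """Drop rule: discard traffic from blocked_src, emit nothing anywhere."""
    delivered: Counter = Counter()
    for p in packets:
        if p.src != blocked_src:
            delivered[WEBSITE] += p.size
    return delivered


def compare(spoofed_src: str, count: int = 1000) -> dict[str, Counter]:
    """Run both policies against a flood forged to appear from spoofed_src.

    The defender blocks the address it *sees*, i.e. spoofed_src, because the
    true origin is not visible in the packets.
    """
    pkts = flood(spoofed_src, count)
    return {
        "reflect": hackback_reflect(pkts, blocked_src=spoofed_src),
        "drop": defensive_drop(pkts, blocked_src=spoofed_src),
    }


if __name__ == "__main__":
    honest = compare(ATTACKER)      # attacker used its own address
    forged = compare(BYSTANDER)     # attacker forged the bystander's address
    print("unspoofed, reflect:", dict(honest["reflect"]))
    print("spoofed,   reflect:", dict(forged["reflect"]))
    print("spoofed,   drop:   ", dict(forged["drop"]))
```

With an unspoofed source the reflected bytes do go back to the attacker, which is the case Conxion said it was in. With a forged source the same rule delivers the entire reflected flood to the bystander and nothing to the attacker, while the drop rule sends zero bytes to anyone in either case.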

Copyright © 2003 IDG Communications, Inc.