LinuxQuestions.org
Linux - Security forum
Old 02-11-2008, 08:51 PM   #1
snowman81
Member
 
Registered: Aug 2006
Location: Michigan
Distribution: Ubuntu
Posts: 282

Rep: Reputation: 30
Striking Back At Attackers


I'm doing a research project for a computer security class and the topic I chose was based off of the book "Aggressive Network Self-Defense". Basically, going on the offensive rather than just playing defense. Based on the book, I know there is some research going on in this area but I was curious if anyone here knew of any actual programs or techniques that people are actually using "in the wild" so to speak.
 
Old 02-12-2008, 05:15 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
IMNSHO offensive measures are a waste of time because 0) in an automated B-class scan one IP lashing back won't hurt anyone, 1) you have no clue the IP address isn't some subverted intermediary (especially since the rise of the botnets), 2) the actions themselves may violate laws and, most importantly, 3) it doesn't make your host or subnet any more secure. In short, a waste of time.

That said, and with all due respect, if you're doing a research project I think it would be valuable for you to do your research yourself instead of asking for pointers (if you want me to explain the reasons, just ask). Archives of high-volume mailing lists like those hosted by Securityfocus.com and Insecure.org are invaluable resources. We also have some discussions in this forum where people opted for going on the offensive, although those cases are rare.
 
Old 02-12-2008, 12:44 PM   #3
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Rep: Reputation: 51
I was going to reply to this earlier, but wanted to leave it in the zero-reply queue in case someone had some really useful info.

Now that it's out, I'll add this (which reiterates unSpawn's post): going on the offensive is, more often than not, counter-productive. I did a bit of research on the subject after having been hacked myself (a rootkitted node in my cluster was being used to send spam) and started my own offensive against the perp. As it turned out then, as in many - if not most - cases, the initial attack came from a hacked machine. While I could have dug through that machine to find out where that attack came from, and so on, I had other things to do rather than track down a single hacker (or whatever you'd like to call them) who I knew was part of a larger group. I know this because after I locked down the cluster nodes, I saw a good 50-60 failed login attempts PER DAY for the next month or so, until it finally trailed off several months later. I was now on a list - lots of people (or things) made attempts - so who should I go after?

It's futile. ... an ounce of prevention, and so forth ...
 
Old 02-12-2008, 07:17 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Striking back is usually bad. If you tick off the attacker, the attack could become much worse. There's also the issue of the attacker actually being a zombie machine, where your attack damages someone's personal or corporate data, leaving you possibly responsible for damages.

There's also ethics involved. Attacking for the sake of retaliation solves nothing. Gaining certs such as the CISSP will depend on you not conducting such malicious operations... you can lie, but security communities tend to be big, but small enough that rumors spread very quickly... if you typically lie regarding this, you'd better do it very well.

What is your definition of attack? In some countries, port scanning can be perceived as an attack. I've seen people get bent out of shape when our office visited anonymous FTP servers to test the permissions state of the servers' file systems... they were saying we were hacking them. I've had people accuse my team of attacking a host when we were telnetting to a port to discern if the port was open to the world.

I heard of this one story of someone taking down a whole ISP's network segment because they saw some next-hop IPs that they thought were malicious hosts...they attacked those hosts.

I've also read a few books and stories that appear to sanction retaliatory strikes. Such strikes need to be surgical in precision, and even then you may be striking the wrong host.

The better method is preparing a good defense, IMO.
 
Old 02-13-2008, 05:03 AM   #5
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Additionally, do you really think that the IP that's "attacking" you is a known conspirator? Surely the effect of "attacking back" is to become an attacker yourself - you don't KNOW that the IP that's attacking you is doing that at all - it could be faked. Fake packets with fake sources are easy to generate (slightly hard to make propagate across the Internet, but nowhere near impossible) - so if you "attack back", what you're actually doing is performing a DDoS on BEHALF of the real attackers. So then someone (innocent of the original attack) sees your packets and attacks you back... and takes you offline. And then you try to attack THEM back. And so on, and so on.

You cannot say who or what the source of any packet is without thorough investigation. And 99.9% of the time it's going to be fake, a botnet, etc. - i.e. not your attacker, so they won't care about your retaliation. This is why quite a few large Internet sites block "unallocated" IP ranges - it's easy for botnets etc. to fake source IP addresses (because of dumb ISPs, admittedly) and they choose random ones, which means sometimes they use an address that hasn't even been allocated to anyone yet. So some large companies filter out all unknown, unallocated IP addresses before they even look at the rest of the packet.

So retaliation is not only:

1) Pointless
2) Illegal
3) Stupid
4) Ineffective

but it also means that you can easily be manipulated into becoming the attacker yourself. And guess what the admins at the other end of "your" attack are thinking - "what idiot lets their systems aim tons of traffic at an IP to try to take it down?".

In this instance, your attacker probably doesn't even know/care who you are, they won't even know that you are trying to attack them back, they won't even see a single one of your packets. Why should they care about moving to another (faked) IP and attacking you again? And guess who's just sent a million packets at a large corporation's IP from a well-known, non-faked source IP that CAN be traced back to you, and is now telnetting their ports etc. to find holes, from a country that has MUCH stricter laws about such things... YOU. That's what's so incredibly stupid about trying to attack someone back over the Internet. It's like saying "let's send all the spam we receive back to its From: address". It's stupid.
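The defensive alternative the last two posts point at (ledow's "filter out unallocated/spoofable sources before looking at the rest of the packet", BrianK's "50-60 failed login attempts per day" after a lockdown) can be shown in a few lines. This is an added example, not code from the thread or any poster: it parses constructed sshd "Failed password" lines, counts attempts per source, tags sources that fall in special-purpose ranges (which can only be spoofed or misrouted, so there is nobody there to "strike back" at), and emits local DROP rules for the rest instead of any counter-attack. The log lines, hostnames and addresses are made up; the RFC 5737 documentation networks are left out of the bogon list on purpose so they can stand in for public addresses in the sample, and a real deployment would add them plus a current unallocated-prefix feed, since what counts as "unallocated" changes over time.

```python
import ipaddress
import re
from collections import Counter

# Special-purpose IPv4 prefixes (RFC 1918, RFC 6890 and friends) that should
# never arrive as a source address from the public Internet.  A packet carrying
# one of these is spoofed or misrouted: retaliating against it hits nobody.
# The RFC 5737 documentation nets (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24) are deliberately omitted here so they can play the role of
# public addresses in the constructed log below; add them in production.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Matches OpenSSH's "Failed password for [invalid user] <user> from <ip> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log (not a real auth.log); hostnames and addresses are invented.
SAMPLE_LOG = """\
Feb 12 03:14:07 node3 sshd[2211]: Failed password for root from 203.0.113.45 port 51822 ssh2
Feb 12 03:14:09 node3 sshd[2211]: Failed password for root from 203.0.113.45 port 51823 ssh2
Feb 12 03:14:12 node3 sshd[2215]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Feb 12 03:20:41 node3 sshd[2290]: Failed password for invalid user oracle from 198.51.100.9 port 40011 ssh2
Feb 12 03:21:03 node3 sshd[2301]: Accepted publickey for brian from 192.0.2.10 port 50022 ssh2
Feb 12 03:25:55 node3 sshd[2330]: Failed password for root from 240.1.2.3 port 1234 ssh2
Feb 12 03:25:57 node3 sshd[2331]: Failed password for root from 10.99.0.7 port 1235 ssh2
"""


def is_bogon(addr: str) -> bool:
    """True if addr lies in a prefix that cannot legitimately source Internet traffic."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def failed_logins(log_text: str) -> Counter:
    """Count failed sshd password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def triage(log_text: str, threshold: int = 3) -> dict:
    """Split noisy sources into 'spoofed' (bogon source: drop at the border,
    there is no host to answer) and 'block' (allocated source over the
    threshold: firewall it locally; it is most likely a compromised box, not
    the person behind the attack, so no counter-attack is emitted)."""
    result = {"spoofed": [], "block": [], "rules": []}
    for src, n in failed_logins(log_text).most_common():
        if is_bogon(src):
            result["spoofed"].append((src, n))
        elif n >= threshold:
            result["block"].append((src, n))
            result["rules"].append(f"iptables -I INPUT -s {src} -j DROP")
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for src, n in report["spoofed"]:
        print(f"{src}: {n} attempt(s) from a bogon prefix; spoofed or misrouted, nothing to hit back")
    for src, n in report["block"]:
        print(f"{src}: {n} attempt(s); blocking locally, not retaliating")
    for rule in report["rules"]:
        print(rule)
```

Run it as a script to see the classification; in practice you would feed it `/var/log/auth.log` (or `journalctl -u ssh`) and pipe the generated rules into your firewall tooling, or let fail2ban/sshguard do the same thing with expiry. The point the thread makes survives in the code: the only action taken against any source, spoofed or not, is dropping its packets on your own host.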
 
Old 02-13-2008, 10:18 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by ledow
Surely the effect of "attacking back" is to become an attacker yourself - you don't KNOW that the IP that's attacking you is doing that at all - it could be faked.
That's the reality. Attacks by proxy.
 