In what it says is an attempt to turn the tables on malicious hackers, security vendor Prolexic on Tuesday released details of vulnerabilities it has discovered in a toolkit family used by hackers to launch distributed denial of service attacks against corporate networks.
The disclosure is designed to give IT security staff information they can use to mitigate attacks launched using the DDoS toolkit, according to Prolexic.
[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in "Fight Today's Malware," InfoWorld's Shop Talk video. | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]
The company's vulnerability report specifically details flaws in the command & control component of the Dirt Jumper DDoS toolkit that has been associated with DDoS attacks recently. The flaws allow "counter-attackers to obtain access to the Command and Control (C&C) database backend, and potentially server-side files," the company noted in a statement.
Such counterattacks can result in a total compromise of the toolkit's attack capabilities, Prolexic said.
"With this information, it is possible to access the C&C server and stop the attack," Prolexic CEO Scott Hammack said in statement. "Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large."
While such vulnerability disclosures involving malware products are likely to be welcomed by many in the security community, the legality of enterprises using the information to actually launch a counter attack against hackers remains an open question.
In 2004, when a security researcher at Sandia National Laboratories used reverse engineering techniques to trace attacks against the lab to a Chinese hacking group called Titan Rain, he was suspended and eventually fired. The researcher later sued the laboratory for unfair termination and was awarded $4.3 million in damages by a New Mexico jury. The case was later settled for an undisclosed sum.
Attitudes appear to have changed quite a bit since then though.
Earlier this week, for example, the Washington Post reported that the Pentagon is said to be considering allowing its Cyber Command specialists to take whatever defensive actions may be necessary to protect U.S. cyber assets, even if it means combating attackers on private networks and in foreign countries.
The plan, apparently, is to introduce new rules that would permit U.S. military cyber specialists to take action outside U.S. military networks under some pretty narrow circumstances involving threats that could result in "deaths, severe injury, or damage to national security", the Post reported.
The proposed rules, if adopted, would represent a marked change from present policies that allow the military to take defensive actions only on its own networks.
With traditional network defenses and security products increasingly unable to stop targeted cyber threats, even many enterprise security executives have begun looking at more military-style approaches for protecting their networks.