Managing Network Security

Returning Fire

by Fred Cohen

Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


This is another one of those articles inspired by a discussion with Winn Schwartau. Winn is a nice guy and he has a tendency to stretch the edges of the envelope in his own way. We were recently discussing some of the issues surrounding the US military decision to return fire on cyber attackers and the increasing willingness of corporate defenders to do the same, and it occurred to me that you, my readers, might like to hear about some of the issues that others have discussed in this area.

I began consistently returning fire in a fairly gentile way by automatically notifying remote systems administrators of every attempted entry into my system beginning early in 1996. As the ferocity of the attempts went up, the number of notices went up, and at one point, it appears that I over-informed a site that was particularly malicious and they ran out of disk space because of the flood of email. Given that even this gentle sort of return of fire can result in such side effects, a natural question arises about the benefits and liabilities associated with such an activity.

I have subsequently ceased to automatically return fire, not because I am particularly opposed to it, but rather because I have adopted a stealth strategy for now. My publicly accessible (and advertised) Web site is now hosted by a vendor, and most of the bad guys don't know my actual IP address range. Of course, having now published this fact, I will likely have to begin returning fire again soon...

The process of returning fire is a complex one because in order to do a good job of it, it is necessary that you be able to do several things quite well. In particular, you need to be able to (1) prepare yourself conceptually, legally, technically, organizationally, publicity-wise, and so forth; (2) accurately identify the proper target to return fire towards; and (3) be sufficiently competent as an attacker to be effective in your fire. This portion of this month's article is about part (1) of this list.

Legal Preparation: The term Legal Liability comes quickly to mind when contemplating any action that might cause harm to others. While I am not a lawyer and thus am not competent to give legal advice, the issue to me seems to be one of self defense. At the same time, others would call return of fires being a vigilante. As I told Winn in our discussion, the reason you get vigilantes is because law enforcement is ineffective. The legal precedent here is very limited, but as uncertain as this may be, from a risk management standpoint, the expected loss from legal liabilities resulting from such a return of fire is often far less than to potential loss that could result from ongoing attacks that would otherwise take place if fires were not returned. The notion here is that returning fire has a benefit in suppressing attack activity, and history seems to support this notion. Hence the saying that a good offense is the best defense.

Technical Preparation: Technical preparation consists predominantly of acquiring the ability to reliably determine the source of an attack and suppress the attack. Attack suppression (and retribution) may be done in a wide variety of ways and need not be limited to the cyber domain. For example, breaking into an attackers location and destroying their computers, or cutting the cable that carries their Internet connection are highly effective, even if criminal. In extreme cases, extreme sanctions may even be used, such as dropping bombs on enemy cyber-warfare positions. While most corporations would probably hesitate to do this, military organizations engaged with hostile enemies may well use this tactic without hesitation.

Organizational Preparation: When you up the ante, you risk escalation. If you start returning fire against someone with a malicious bent, you may find that they too will escalate and that your organization may come under heavy attack from many quarters. The rattling of sabers may either scare the enemy or increase their resolve. If you start down this path, you must be organizationally prepared to follow it through to its conclusion. This may range from the attacker sending you thousands of anchovy pizzas to cutting all of your telephone lines to throwing had grenades into your lobby to an attack with poisonous gas. You must know what you are dealing with and prepare your organization for the consequences.

Public Relations: The perception management game will be at its height when word of this activity and its consequences hit the fan. You may well be on the front page of the Times or the Journal and you had better be prepared both to help form the story and to respond to it if it forms out of your control.

Other Concerns: Returning fire may have a wide range of other consequences, and you have to think this through thoroughly before you engage in such an activity.


Aiming your return of fire is the next vital step you have to take. While it is almost always easy to identify the apparent direct source of a substantial attack - by caller ID or perhaps IP address - you may cause a lot of collateral damage by striking back directly, and you will often miss the real target. Most sensible attackers who cause substantial harm do so through one or more intermediaries.

There is a case to be made for returning fire at intermediaries, and you may rest assured that when someone breaks into your firewall because you have a weakness you were unaware of, the next site attacked from there will crash your network connection, just as you will crash theirs when you find out about their return of fire. From the attacker's standpoint, it's called killing two systems with one packet.

Nothing is as bad as missing the target and harming innocent victims. With the widespread dissemination of IP address forgery tools and the total lack of source authentication in the Internet today, many folks harass rather than penetrate. Denial of service is commonly the result of such an attack, and returning fires to the source address of the IP packets is ineffective. Thus many companies who engage in the return of fire have a substantial effort directed toward tracing attacks back through the infrastructure.

My favorite technique for this consists of figuring out the topology of the Internet and ovewhealming one link at a time starting from the victim site and working back toward the attacking site. Each step of the way, you overwhelm each of the incoming links to figure out which one is the source of the packets. This is a linear time process since each device in the path between two points has only a fixed (and usually small) number of other links attached to it and there are only a fairly small number of links between you and the source of the attacks. The best part of this process, in its non-refined form, is that you take down large sections of the Internet along the way.

Unfortunately, once the Internet Service Providers became aware of this technique they decided to cooperate with their customers and those of other providers by changing router tables to have a similar tracing effect without causing widespread outages. This saves them and their customers a lot of bandwidth and stress and down-time and does the traceback almost as efficiently, but it's not nearly as fun as doing it without their cooperation.

Unfortunately, I have some experience at the notion of doing things the hard way when the people who run things are not willing to be helpful, and it seems to me that this is at the heart of the issue of returning fire. Without further ado, I will just conclude that it hurts us all when you have poor aim.


In many cases, intermediaries are not-so-innocent victims either because they maintain very easily exploited systems that are taken advantage of, or because they are complicity in the attacks. During one attack, I awakened a University systems administrator from his bed at home at 2 in the morning and had him go to their computer center and stop sending packets to my site. He provided a less than satisfactory explanation of how his system was caused to attack mine, but one way or another, the packets stopped and he gained no joy from the process. Either he took actions to make his system more secure, or he decided that participating in the attack was not worth being awakened in the middle of the night - it doesn't really matter to me which.

This is, of course, my favorite way to return fire. It has the human touch, but more importantly, when you are talking to a real malicious attacker who went through several intermediaries along the way, you can hear them cry inside when you ask for their explanation. For years I have gotten email from folks I have caught and called in this way with the simple content: You Rule!!! It's even more fun when they get an email back (at their real email address, not the fake one they used as the return address) saying How True.

As a philosophy, you need to decide why you are firing back in order to do a proper job of it. Is your goal to stop an ongoing attack (i.e., self defense), prevent future attacks, retribution, one-upsmanship, or what? Without this, the rest of the decision process cannot be carried out properly and, perhaps even more to the point, you will never achieve satisfaction. Let's look at some of the options for the goals I just mentioned:

Once you have your motivation lined up and your techniques working properly, and you have properly identified the target, you pull the trigger or push the go button, and you are now engaged in the return of fires.

So What?

Unless and until you can assess damage, you will not know whether you have been effective in your return of fire. Damage assessment starts at your goals. If your goal is to stop an ongoing denial of service attack against your site, you can pretty much tell if you succeed by the return of service availability, but in most other cases, measuring damage is a bit harder. Measuring future attacks and associating them with responses can be deceptive. For example, when you counter-attack, the attacker may decide to be more careful or use more covert means. Retribution and one-upsmanship are probably best measured in psychological terms. Self satisfaction might be better attained by other means, but it can certainly only be measured by the feelings you get.

In addition to measuring the effect on the attacks, there are the direct and indirect effects on your costs, your way of doing business, your reputation, and so forth - consequences is, I believe, the legal term. In some cases these may be negligible, while in others they may be far greater than the loss from the actual attacks might have been.

Getting Away Clean

As you are probably well aware, almost everything I have identified in the article would be technically illegal for an individual or corporation to do in the United States today. This means that, in order to avoid arrest and prosecution, you need to find a way to get away uncaught by law enforcement - or at least able to legally defend yourself.

The self defense plea may sound good, but the time and cost of an innocent verdict hardly seem justified if you can find a way to avoid a trial. Plea bargaining is also a bad idea because of the adverse exposure to publicity, the fact that you have just paid still more for the attack, and so forth.

I am personally in favor of litigation avoidance when feasible - except when it comes to prosecuting the bad people who break into systems - but then if the so-called defender does this...

I would strongly advise you not to hire me to help you fire back unless you are the United States Government or someone like that - because, as I said, I am a firm believer in risk avoidance when it comes to litigation.

So rule number one of returning fire is probably to do it from a competitor's IP address or telephone switch. Then they will get into trouble - except that you have again probably violated the law and run the risk of getting caught.

OK - Rule number 1 - don't get caught. And that implies...

Rule number 2 - Hope they don't hire someone like me to do the investigation. The reason is that, despite the rumors of little or no audit information in the global information infrastructure, audit in one form or another is largely there for those who do forensic analysis, even if it may be hard to get at. Which leads to...

Rule number 3 - The more power, money, and influence the attacker has, the more dangerous it is to return fire. Consequently, this is a method for the strong to use against the weak.

Assuming you do not follow these rules, you can expect a lively engagement indeed.


I wish I could tell you that there were viable alternatives to returning fire when under serious cyber-attack, but if wishers were pennies, we would all be rich. Law enforcement has not kept up with the need, prevention will eventually fail under sufficiently concerted attack, and the only hope for the defender under seige therefore lies in detection and response.

There are other responses one might try. For example, having exceedingly good relationships with law enforcement, infrastructure providers, and skilled professional defenders worldwide is of great help. A good enough set of defenders can likely fend off attack after attack for a very long time before an attack succeeds, and with proper skills, the consequences of the attack can be mitigated as well.

To date, non-aggressive defenses have been only marginally successful for most companies, and as losses pile up, the choice has to be made between higher quality defenses and returning fire. I, for one, lean toward the higher quality of defense.


Returning fire is not a job for the unskilled or meek, and definitely has its risks. On the other hand, it can be a very successful technique for defeating even the most serious of attacker. In the end, a strong offense is a good defense, assuming you can find the attackers. I do not advocate returning fire, but I can understand that the inability of the police to protect the average citizen leads to vigilante behavior. Perhaps an alternative would be a more effective police force, but then who wants to live in a police state?

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at or visiting /