Symbiot says it will release its product March 31. The Austin, Texas company has published “rules of engagement” that argue that in rare cases, the target has the right to respond with “asymmetric force,” including counter-DDoS attacks and “special operations applying invasive techniques.”
Symbiot’s iSIMS product is in the final phase of beta testing at “several customer sites and in use on live networks,” according to vice president William Hurley II, and is also being tested by partners for integration with other security solutions. Hurley said iSIMS will be sold under a subscription agreement, and deployed on a customer’s network as a set of server appliances.
“Symbiot has no intention of doing anything illegal, and we strongly discourage our clients from using our software in any way that is illegal, unethical, or violates any law,” said Hurley. “We contend that in incredibly rare circumstances, asymmetrical responses may be justified. We are enabling our customers to plan and execute appropriate countermeasures when malicious attackers have been accurately identified.”
The use of compromised machines in DDoS attacks makes such precise identifications difficult. “In many cases attacks are launched by zombie platforms, ‘owned’ remote machines allowing the attacker to not only mask their original location, but also their original intent,” writes Dana Epps. “When you counterstrike ‘grandma’s’ computer, you are also affecting grandma’s ISP. And all routes in between.”
Symbiot says compromised machines will be fair game. “When a zombied host or an infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves,” Symbiot told OnLAMP. “An infected machine, one no longer under the control of its owner, is no longer an innocent bystander.”
Discussion on the North American Network Operators Group (NANOG) mailing list highlighted the possibility that any retaliatory measures against DDoS attacks might endanger agreements with other transport providers.
“Check your respective AUPs,” Rachael Treu wrote in a message to NANOG. “You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control. … There are not provisions made for DoS-ing a DoS-er.”
Rich Miller welcomes your comments.