Okay, so people have been asking about countermeasures a bit.
As I've said I think with so much to gain for attackers, it's really hard to be anal about what defenders can do beyond enforcing the basic concept that there is a GPG keypair somewhere on the box, at least two services, and some kind of authenticated access on day two.
Just the same, the ever-resourceful DefCon community has come up with some wacky shit, so let me say what you can't do.
- DoS the WiFi or contest LAN as a whole
- Lie about the preshared credentials or lock the accounts
- Anything that would disrupt defender <> attacker traffic other than your own
Beyond that, have fun. A few people are talking about "counterhack" kind of stuff. I dunno, I would hope that an attacker plugged into the DC network wouldn't have any kind of obvious, scriptable remote vulns on their laptop, but, hey, you never know.
You can definitely:
- Firewall / intercept / null-route attack traffic as detected
- Log off specific IPs when they do bad stuff
- bounce people into tarpits / honeypots / etc
- spoof services, use VMs, impersonation, etc
On VMs, the approach proposed by dYn4mic seems best. A fragment of the keypair on each VM, and the full keypair on the hypervisor / host. So owning all VMs, or owning the hypervisor, constitutes compromise.
This is kind of a FAQ-like entry, but I wanted a specific thread on countermeasures, because I'm interested in what folks are cooking up. You're entitled to the element of surprise, too, of course.
I personally will be non-obscure... All my shells (for my non-sacrificial entries) will be BBS door games and InfoCom games wrapped in a MAC technology yet to be disclosed. I may be generous and put the keys inside a game at the end of one, just for fun.
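The VM layout described above (a fragment of the keypair on each VM, the whole thing only on the host, so that an attacker has to own every VM or the hypervisor) is a plain n-of-n secret split. The following is an added example, not code from the post or from dYn4mic's actual setup; it assumes a simple XOR split, where n-1 fragments are random and the last is the secret XORed with all of them, so any proper subset of fragments is statistically independent of the key. The VM names and the sample "keypair" bytes are constructed for the demo.

```python
import os
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragments must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int) -> List[bytes]:
    """Split `secret` into n fragments; all n are needed to rebuild it.

    Fragments 1..n-1 are uniformly random (os.urandom); fragment n is the
    secret XORed with every random fragment. Missing even one fragment
    leaves the remaining ones indistinguishable from random noise.
    """
    if n < 2:
        raise ValueError("need at least two fragments")
    fragments = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for frag in fragments:
        last = xor_bytes(last, frag)
    fragments.append(last)
    return fragments


def recover_secret(fragments: List[bytes]) -> bytes:
    """XOR every fragment together; with all n present this is the secret."""
    out = bytes(len(fragments[0]))
    for frag in fragments:
        out = xor_bytes(out, frag)
    return out


def place_fragments(secret: bytes, vm_names: List[str]) -> Dict[str, bytes]:
    """Assign one fragment per VM; the hypervisor/host keeps the full secret.

    This is the contest layout from the thread: owning all VMs (all
    fragments) or the host (the whole key) is a compromise, owning fewer
    VMs is not.
    """
    fragments = split_secret(secret, len(vm_names))
    layout = dict(zip(vm_names, fragments))
    layout["hypervisor"] = secret
    return layout


if __name__ == "__main__":
    # Constructed stand-in for the GPG keypair material; not a real key.
    keypair = b"-----BEGIN PGP PRIVATE KEY BLOCK----- (demo bytes) -----END"
    vms = ["vm-door-game", "vm-infocom", "vm-sacrificial"]
    layout = place_fragments(keypair, vms)

    print("host holds full key:", layout["hypervisor"] == keypair)
    print("all VMs owned   ->", recover_secret([layout[v] for v in vms]) == keypair)
    print("two VMs owned   ->", recover_secret([layout[v] for v in vms[:2]]) == keypair)
```

Note that an XOR split is n-of-n only: losing a VM also loses the key for the defender, which is fine here because the host keeps the full copy. If you wanted "any k of n VMs" instead, you would need a threshold scheme such as Shamir's rather than XOR.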
