August 15, 2012, 10:45 AM — In what it says is an attempt to turn the tables on malicious hackers, security vendor Prolexic on Tuesday released details of vulnerabilities it has discovered in a toolkit family used by hackers to launch distributed denial of service attacks against corporate networks.
The disclosure is designed to give IT security staff information they can use to mitigate attacks launched using the DDoS toolkit, according to Prolexic.
The company's vulnerability report specifically details flaws in the command & control component of the Dirt Jumper DDoS toolkit that has been associated with DDoS attacks recently. The flaws allow "counter-attackers to obtain access to the Command and Control (C&C) database backend, and potentially server-side files," the company noted in a statement.
Such counterattacks can result in a total compromise of the toolkit's attack capabilities, Prolexic said.
"With this information, it is possible to access the C&C server and stop the attack," Prolexic CEO Scott Hammack said in a statement. "Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large."
While such vulnerability disclosures involving malware products are likely to be welcomed by many in the security community, the legality of enterprises using the information to actually launch a counterattack against hackers remains an open question.
In 2004, when a security researcher at Sandia National Laboratories used reverse engineering techniques to trace attacks against the lab to a Chinese hacking group called Titan Rain, he was suspended and eventually fired. The researcher later sued the laboratory for unfair termination and was awarded $4.3 million in damages by a New Mexico jury. The case was later settled for an undisclosed sum.
Attitudes appear to have changed quite a bit since then though.
Earlier this week, for example, the Washington Post reported that the Pentagon is said to be considering allowing its Cyber Command specialists to take whatever defensive actions may be necessary to protect U.S. cyber assets even if it means combating attackers on private networks and in foreign countries.