The solution to this is not to launch a counterattack on the attacker, but to automatically launch an automated collaborative investigation where evidence is gathered to try to nudge the attacker into doing something that reveals his location/identity.

1. Software notices inappropriate behavior.
2. Launches a honeypot service with lots of holes in it to give the attacker an opportunity to get root.
3. Root takes them to a locked-down part of the computer.
4. Have the system project a computer where the admins are complete fools, making the attackers feel a false sense of security.
5. Send investigation information about the attacker to other servers running this software; ask other servers to "Help me find the bozo using this spoofed IP address. If you see someone transmitting on this IP, help me find its true origin."

The software could recursively trace right back to the ISP that is hosting the computer of the attacker. Don't have it launch a counterattack; the goal here is not to send the attacker to goatse (he probably enjoys it). The counterattack should be in the form of a policeman tapping the attacker on the shoulder and saying: "You have the right to remain silent." The answer is not fighting back immediately; it's Sun Tzu's legendary advice: let the enemy think they have gamed your box, so they launch a bolder move, then you catch them with their hand in the cookie jar.
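A small simulation of steps 1, 2 and 5 of the scheme above, added as example code that is not part of the original post: a detection policy (assumed: repeated failed logins or a path-traversal probe) flags a source, marks it for diversion to the honeypot, and builds the evidence record a server would hand to its peers. The log lines are constructed, and the record labels the source address as untrusted because the post assumes it may be spoofed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, one event per line: "time source service detail..."
SAMPLE_LOG = """\
10:00:01 203.0.113.7 ssh login root FAILED
10:00:02 203.0.113.7 ssh login root FAILED
10:00:03 203.0.113.7 ssh login root FAILED
10:00:04 203.0.113.7 ssh login root FAILED
10:00:09 198.51.100.2 http GET /index.html 200
10:00:11 203.0.113.7 http GET /cgi-bin/../../etc/passwd 404
"""

# Assumed policy for "inappropriate behavior" (step 1): repeated failed
# logins from one address, or any path-traversal probe against the web service.
FAILED_LOGIN_THRESHOLD = 3

@dataclass
class Evidence:
    source: str            # address as seen on the wire; may be spoofed
    events: list           # (time, service, detail) tuples for this source
    diverted: bool = True  # step 2: further traffic from here goes to the honeypot

def parse(line):
    ts, src, service, *rest = line.split()
    return ts, src, service, " ".join(rest)

def analyse(log_text):
    """Return {source: Evidence} for every source that tripped the policy."""
    events, fails, flagged = defaultdict(list), defaultdict(int), set()
    for line in log_text.splitlines():
        ts, src, service, detail = parse(line)
        events[src].append((ts, service, detail))   # keep everything as evidence
        if service == "ssh" and detail.endswith("FAILED"):
            fails[src] += 1
            if fails[src] >= FAILED_LOGIN_THRESHOLD:
                flagged.add(src)
        elif service == "http" and ".." in detail:
            flagged.add(src)
    return {src: Evidence(src, events[src]) for src in flagged}

def share_request(rec):
    """Step 5: the record a server would send to peer servers. The claimed
    source is marked untrusted because the post assumes it is spoofed."""
    return {"claimed_source": rec.source,
            "event_count": len(rec.events),
            "first_seen": rec.events[0][0],
            "last_seen": rec.events[-1][0],
            "source_trusted": False}
```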