[ivanca]

Is there something like cloudfare but more aggressive?

Like something that tries to find exploits on the machines used in the attack and try to shut them down, close their internet connection or inject a self-targeting DNS or something of the sort?

[Nacraile]

IANAL, but I've seen this discussion come up multiple times, and the problem is that the counterattack would technically be illegal. The fact that somebody else has already broken the law in order to compromise an innocent bystander does not give anybody else the right to do the same thing. Vigilantism is as illegal on the internet as it is in the real world.

This is a huge constraint for the people (e.g. at Microsoft) who work to identify and take down botnets: they expose themselves to significant legal/PR risk if they do anything harmful to the bots.

[ivanca]

But this could be considered self-defense which is granted by most law systems.

[Nacraile]

Again, IANAL, but my understanding is that the concept of self-defense is specific to the use of force, rather than broadly applicable. You'll find it difficult to prove an immediate thread of physical harm from a DDoS.

And even if it were legal, you'd still have to deal with all of the "$SELF_DEFENDER broke my web site" PR unpleasantness from the innocent bystanders.

[PeterisP]

Self-defense is granted only for a direct, immediate physical threat - for example, if someone is blackmailing you, defrauding you or extorting "fire insurance for your warehouse" then self-defense doesn't allow you to do anything to them; if you smash the computer of a blackmailer, it's just as any other computer-smashing.

[mobiplayer]

This is like someone hitting you with someone else's arm while they're sleeping (attackers use compromised hosts/networks) and then you go back and burn the sleepy guy.

That doesn't sound like self-defense at all :)

[ivanca]

That's probably the worst analogy I have ever heard; or is this killing with someone else hand something common... somewhere?

[mobiplayer]

Well, that's not common anywhere as far as I know, but you didn't say why is it a bad analogy.

I any case let me clarify what was my purpose as it seems I'm not good at analogies. The point is that you're attacked using compromised computers so it is incredibly stupid to retaliate to the source of the attack.

Hope that clarifies!

[ivanca]

Is incredibly stupid to assume you are not liable for what you own; that's the reason why the cardholders gets in trouble by lending his credit card to friends or not reporting it has been stolen. The same thing with cars; if someone else drives you car you are in big part responsible for what the car is being used for (i.e. a friend and a bank robbery)

Hope that destroys your absurd misconception!

[troels]

A ddos usually have many clients committing the attack and they are often unknowingly part part of the attack (E.g. regular users being compromised by a virus or similar). It would be impractical as well as unethical to counter attack them.

[buttscicles]

I'd imagine any business providing that is likely to get shut down pretty sharpish...

[ivanca]

It could be done by software (not an IAAS); because is likely that the criminals are not going to sue.