Re: [ISN] Air Force Colonel Wants to Build a Military Botnet

From: InfoSec News (alerts@private)
Date: Tue May 13 2008 - 23:07:14 PDT

Forwarded from: Jason Coombs <jasonc (at)>

Kevin Poulsen fails to comprehend the nuances of certain modes of 
software vulnerability exploitation, which sometimes require a 
vulnerable host to be pressed into the chore of servicing a heavy load 
in order to cause the code which contains the targeted vulnerability 
ever to be executed in the first place.

Or the fact that launching a denial of service attack can be used merely 
to trick human users into opening certain URLs in their vulnerable web 
browsers as those clueless victims attempt to investigate or respond to 
the apparent DoS attack.

You don't break into a target network or host with a denial of service 
alone, but you can get people's attention quickly and change the 
behavior of human and computer alike using the DoS as a strategic tool 

... we can only wonder out loud whether our military cyber warfare 
spooks will ever make use of a DDoS as part of such a layered attack (or 
counter-attack) strategy, the way the real experts at intrusion 
(motivated black hats) commonly do.

Besides, the most useful DDoS platform is the one that gives the 
government the ability to hijack and/or spoof any node at any time for 
any reason in the name of a law enforcement emergency or a national 
security priority mission.

When all those FISA-ignoring telcos agreed to install direct fiber links 
into all those new top secret government communications hubs co-located 
on the other side of the wall from major backbone switching hubs what 
made the telcos stop at providing just a mirror of all the data streams 
for warrantless surveillance purposes? We know that most of the telcos 
cooperated and opened up their networks, why would they not also have 
provided the staging point needed to secretly, covertly alter routes and 
dynamically change, modify, or delete content including initiate 
brand-new traffic on-demand?

From outside a telco the end result will look just like individual hosts 
at telco endpoints have been hijacked and are now zombies in some 
malicious botnet drone army, when in fact the endpoints need not be 
compromised at all.

These cooperating telcos can't (or won't) come forward to disclose the 
difference between their virtual botnet services being provided to the 
U.S. Government, under secret contract, and the conventional botnet 
services they provide under contract to the users of all those 
vulnerable Windows computers sitting at the actual endpoints on the 
telco's network. It will be decades before anyone does the forensics 
needed to notice this sort of large-scale virtual 
botnet-in-the-network-fabric exists at all.

Magic Lantern, Carnivore, DCS 1000/2000, and all these platforms' more 
recent distributed automated progeny courtesy of the coordinated 
American response to terrorism should already have positioned Uncle Sam 
to impersonate the entire Internet with the flip of a switch, so the 
idea of recycling old 386 boxes into botnets is probably meant to make 
people who aren't paying attention believe we're still computing in the 
stone age and nothing really sophisticated will happen for a few more 
decades yet so there's nothing to worry about, let the cyber crime spree 


Jason Coombs
jasonc (at)

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: InfoSec News <alerts (at)>
Date: Tue, 13 May 2008 03:26:12 
To: isn (at)
Subject: [ISN] Air Force Colonel Wants to Build a Military Botnet

By Kevin Poulsen 
Threat Level
May 12, 2008

While most government agencies are struggling to keep their computers 
out of the latest Russian botnets, Col. Charles W. Williamson III is 
proposing that the Air Force build its own zombie network, so it can 
launch distributed denial of service attacks on foreign enemies.

In the most lunatic idea to come out of the military since the gay bomb, 
Williamson writes in the Armed Force Journal that the Air Force should 
deliberately install DDoS code on its unclassified computers, as well as 
civilian government machines. He even wants to rescue old machines from 
the junk bin to enlist in the .mil botnet army.

    The U.S. would not, and need not, infect unwitting computers as 
    zombies. We can build enough power over time from our own resources.

    Rob Kaufman, of the Air Force Information Operations Center, 
    suggests mounting botnet code on the Air Force's high-speed 
    intrusion-detection systems. Defensively, that allows a quick 
    response by directly linking our counterattack to the system that 
    detects an incoming attack. The systems also have enough processing 
    speed and communication capacity to handle large amounts of traffic.

    Next, in what is truly the most inventive part of this concept, Lt. 
    Chris Tollinger of the Air Force Intelligence, Surveillance and 
    Reconnaissance Agency envisions continually capturing the thousands 
    of computers the Air Force would normally discard every year for 
    technology refresh, removing the power-hungry and heat-inducing hard 
    drives, replacing them with low-power flash drives, then installing 
    them in any available space every Air Force base can find. Even 
    though those computers may no longer be sufficiently powerful to 
    work for our people, individual machines need not be cutting-edge 
    because the network as a whole can create massive power.

    After that, the Air Force could add botnet code to all its desktop 
    computers attached to the Nonsecret Internet Protocol Network 
    (NIPRNet). Once the system reaches a level of maturity, it can add 
    other .mil computers, then .gov machines.

Brilliant! The best defensive minds in the country want to build a 
massive distributed computing system to do nothing but pump crap into 
the internet. The article talks about carefully targeting attackers' 
machines, but this ignores all the intermediate networks between the Air 
Force and the target, which will have to contend with a flood of garbage 
packets whenever some cyber Dr. Strangelove decides to go nuclear.



This archive was generated by hypermail 2.1.3 : Tue May 13 2008 - 23:14:06 PDT