what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CA-2000-01.distributed

CA-2000-01.distributed
Posted Jan 4, 2000

CERT Advisory CA-2000-01 - Denial-of-Service Developments. A distributed denial-of-service tool called "Stacheldraht" has been discovered on multiple compromised hosts at several organizations. X-Force released a paper on trin00 and TFN. CERT DoS homepage here.

SHA-256 | 6339c83f968cb750f6a8fb5ee9b7be786a3003fc9952c6968cb89beab356d156

CA-2000-01.distributed

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




CERT Advisory CA-2000-01 Denial-of-Service Developments

This advisory is being published jointly by the CERT Coordination Center and
the Federal Computer Incident Response Capability (FedCIRC).

Original release date: January 3, 2000
Source: CERT/CC and FedCIRC

A complete revision history is at the end of this file.

Systems Affected

* All systems connected to the Internet can be affected by
denial-of-service attacks.

I. Description

Continued Reports of Denial-of-Service Problems

We continue to receive reports of new developments in
denial-of-service tools. This advisory provides pointers to documents
discussing some of the more recent attacks and methods to detect some
of the tools currently in use. Many of the denial-of-service tools
currently in use depend on the ability of an intruder to compromise
systems first. That is, intruders exploit known vulnerabilities to
gain access to systems, which they then use to launch further attacks.
For information on how to protect your systems, see the solution
section below.

Security is a community effort that requires diligence and cooperation
from all sites on the Internet.

Recent Denial-of-Service Tools and Developments

One recent report can be found in CERT Advisory CA-99-17.

A distributed denial-of-service tool called "Stacheldraht" has been
discovered on multiple compromised hosts at several organizations. In
addition, one organization reported what appears to be more than 100
different connections to various Stacheldraht agents. At the present
time, we have not been able to confirm that these are connections to
Stacheldraht agents, though they are consistent with an analysis
provided by Dave Dittrich of the University of Washington, available
at

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Also, Randy Marchany of Virginia Tech released an analysis of a
TFN-like toolkit, available at

http://www.sans.org/y2k/TFN_toolkit.htm

The ISS X-Force Security Research Team published information about
trin00 and TFN in their December 7 Advisory, available at

http://xforce.iss.net/alerts/advise40.php3

A general discussion of denial-of-service attacks can be found in a
CERT/CC Tech Tip available at

http://www.cert.org/tech_tips/denial_of_service.html

II. Impact

Denial-of-service attacks can severely limit the ability of an
organization to conduct normal business on the Internet.

III. Solution

Solutions to this problem fall into a variety of categories.

Awareness

We urge all sites on the Internet to be aware of the problems
presented by denial-of-service attacks. In particular, keep the
following points in mind:
* Security on the Internet is a community effort. Your security
depends on the overall security of the Internet in general.
Likewise, your security (or lack thereof) can cause serious harm
to others, even if intruders do no direct harm to your
organization. Similarly, machines that are not part of centralized
computing facilities and that may be managed by novice or
part-time system administrators or may be unmanaged, can be used
by intruders to inflict harm on others, even if those systems have
no strategic value to your organization.
* Systems used by intruders to execute denial-of-service attacks are
often compromised via well-known vulnerabilities. Keep up-to-date
with patches and workarounds on all systems.
* Intruders often use source-address spoofing to conceal their
location when executing denial-of-service attacks. We urge all
sites to implement ingress filtering to reduce source address
spoofing on as many routers as possible. For more information, see
RFC2267.
* Because your security is dependent on the overall security of the
Internet, we urge you to consider the effects of an extended
network or system outage and make appropriate contingency plans
where possible.
* Responding to a denial-of-service attack may require the
cooperation of multiple parties. We urge all sites to develop the
relationships and capabilities described in the results of our
recent workshop before you are a victim of a distributed
denial-of-service attack. This document is available at

http://www.cert.org/reports/dsit_workshop.pdf

Detection

A variety of tools are available to detect, eliminate, and analyze
distributed denial-of-service tools that may be installed on your
network.

The National Infrastructure Protection Center has recently announced a
tool to detect trin00 and TFN on some systems. For more information,
see

http://www.fbi.gov/nipc/trinoo.htm

Part of the analysis done by Dave Dittrich includes a Perl script
named gag which can be used to detect stacheldraht agents running on
your local network. See Appendix A of that analysis for more
information.

Internet Security Systems released updates to some of their tools to
aid sites in detecting trin00 and TFN. For more information, see

http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
22899199.plt

Prevention

We urge all sites to follow sound security practices on all
Internet-connected systems. For helpful information, please see

http://www.cert.org/security-improvement
http://www.sans.org

Response

For information on responding to intrusions when they do occur, please
see

http://www.cert.org/nav/recovering.html
http://www.sans.org/newlook/publications/incident_handling.htm

The United States Federal Bureau of Investigation is conducting
criminal investigations involving TFN where systems appears to have
been compromised. U.S. recipients are encouraged to contact their
local FBI Office.
_________________________________________________________________

We thank Dave Dittrich of the University of Washington, Randy Marchany
of Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the
National Infrastructure Protection Center, Alan Paller and Steve
Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
of The Massachusetts Institute of Technology, Jim Ellis of Sun
Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
Richard Forno of Network Solutions.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2000-01.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 2000 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in

http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Revision History

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOHEdfFr9kb5qlZHQEQLb0wCfamz6K9wLBAx6lBIo7Ph9x5E3ESwAnArG
KhrLvJmknyRwOF2k/mq3e8LK
=v8LK
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close