Subject Denial of Service mit Stacheldraht Date 04-Jan-2000
911a651da0b891df94689db1cf06a27fe11a938d11f9bab3b7d812c1f7564a90
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen Index : S-00-02
Distribution : World Page : 1
Classification: External Version: 1
Subject : Denial of Service mit Stacheldraht Date :04-Jan-2000
===============================================================================
By courtesy of the CERT Coordination Center and the Federal Computer Incident
Response Capability (FedCIRC) we received info on new developments in
denial-of-service tools.
Note that the info in this advisory is related to CERT-NL advisory S-99-52.
The use of the irresistable word Stacheldraht, the wide scope of the advisory
and the newly included URLs however motivated a new advisory.
______________________________________________________________________
CERT Advisory CA-2000-01 Denial-of-Service Developments
Systems Affected
* All systems connected to the Internet can be affected by
denial-of-service attacks.
I. Description
Continued Reports of Denial-of-Service Problems
We continue to receive reports of new developments in
denial-of-service tools. This advisory provides pointers to documents
discussing some of the more recent attacks and methods to detect some
of the tools currently in use. Many of the denial-of-service tools
currently in use depend on the ability of an intruder to compromise
systems first. That is, intruders exploit known vulnerabilities to
gain access to systems, which they then use to launch further attacks.
For information on how to protect your systems, see the solution
section below.
Security is a community effort that requires diligence and cooperation
from all sites on the Internet.
Recent Denial-of-Service Tools and Developments
One recent report can be found in CERT Advisory CA-99-17.
A distributed denial-of-service tool called "Stacheldraht" has been
discovered on multiple compromised hosts at several organizations. In
addition, one organization reported what appears to be more than 100
different connections to various Stacheldraht agents. At the present
time, we have not been able to confirm that these are connections to
Stacheldraht agents, though they are consistent with an analysis
provided by Dave Dittrich of the University of Washington, available
at
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Also, Randy Marchany of Virginia Tech released an analysis of a
TFN-like toolkit, available at
http://www.sans.org/y2k/TFN_toolkit.htm
The ISS X-Force Security Research Team published information about
trin00 and TFN in their December 7 Advisory, available at
http://xforce.iss.net/alerts/advise40.php3
A general discussion of denial-of-service attacks can be found in a
CERT/CC Tech Tip available at
http://www.cert.org/tech_tips/denial_of_service.html
II. Impact
Denial-of-service attacks can severely limit the ability of an
organization to conduct normal business on the Internet.
III. Solution
Solutions to this problem fall into a variety of categories.
Awareness
We urge all sites on the Internet to be aware of the problems
presented by denial-of-service attacks. In particular, keep the
following points in mind:
* Security on the Internet is a community effort. Your security
depends on the overall security of the Internet in general.
Likewise, your security (or lack thereof) can cause serious harm
to others, even if intruders do no direct harm to your
organization. Similarly, machines that are not part of centralized
computing facilities and that may be managed by novice or
part-time system administrators or may be unmanaged, can be used
by intruders to inflict harm on others, even if those systems have
no strategic value to your organization.
* Systems used by intruders to execute denial-of-service attacks are
often compromised via well-known vulnerabilities. Keep up-to-date
with patches and workarounds on all systems.
* Intruders often use source-address spoofing to conceal their
location when executing denial-of-service attacks. We urge all
sites to implement ingress filtering to reduce source address
spoofing on as many routers as possible. For more information, see
RFC2267.
* Because your security is dependent on the overall security of the
Internet, we urge you to consider the effects of an extended
network or system outage and make appropriate contingency plans
where possible.
* Responding to a denial-of-service attack may require the
cooperation of multiple parties. We urge all sites to develop the
relationships and capabilities described in the results of our
recent workshop before you are a victim of a distributed
denial-of-service attack. This document is available at
http://www.cert.org/reports/dsit_workshop.pdf
Detection
A variety of tools are available to detect, eliminate, and analyze
distributed denial-of-service tools that may be installed on your
network.
The National Infrastructure Protection Center has recently announced a
tool to detect trin00 and TFN on some systems. For more information,
see
http://www.fbi.gov/nipc/trinoo.htm
Part of the analysis done by Dave Dittrich includes a Perl script
named gag which can be used to detect stacheldraht agents running on
your local network. See Appendix A of that analysis for more
information.
Internet Security Systems released updates to some of their tools to
aid sites in detecting trin00 and TFN. For more information, see
http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
22899199.plt
Prevention
We urge all sites to follow sound security practices on all
Internet-connected systems. For helpful information, please see
http://www.cert.org/security-improvement
http://www.sans.org
Response
For information on responding to intrusions when they do occur, please
see
http://www.cert.org/nav/recovering.html
http://www.sans.org/newlook/publications/incident_handling.htm
The United States Federal Bureau of Investigation is conducting
criminal investigations involving TFN where systems appears to have
been compromised. U.S. recipients are encouraged to contact their
local FBI Office.
_________________________________________________________________
We thank Dave Dittrich of the University of Washington, Randy Marchany
of Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the
National Infrastructure Protection Center, Alan Paller and Steve
Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
of The Massachusetts Institute of Technology, Jim Ellis of Sun
Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
Richard Forno of Network Solutions.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-01.html
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IBTSYjBqwfc9jEQKb9ACgiMnLHB+kpOxAeECYJYw4o+Z4gIIAoM9Q
XZil3pD6Fcw+/DQFI7otBPwY
=vvST
-----END PGP SIGNATURE-----