-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen                                Index  :    S-00-02
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Denial of Service mit Stacheldraht          Date   :04-Jan-2000
===============================================================================

By courtesy of the CERT Coordination Center and the Federal Computer Incident
Response Capability (FedCIRC) we received info on new developments in
denial-of-service tools.

Note that the info in this advisory is related to CERT-NL advisory S-99-52.
The use of the irresistable word Stacheldraht, the wide scope of the advisory
and the newly included URLs however motivated a new advisory.

   ______________________________________________________________________

CERT Advisory CA-2000-01 Denial-of-Service Developments

Systems Affected

     * All systems connected to the Internet can be affected by
       denial-of-service attacks.

I. Description

Continued Reports of Denial-of-Service Problems

   We continue to receive reports of new developments in
   denial-of-service tools. This advisory provides pointers to documents
   discussing some of the more recent attacks and methods to detect some
   of the tools currently in use. Many of the denial-of-service tools
   currently in use depend on the ability of an intruder to compromise
   systems first. That is, intruders exploit known vulnerabilities to
   gain access to systems, which they then use to launch further attacks.
   For information on how to protect your systems, see the solution
   section below.

   Security is a community effort that requires diligence and cooperation
   from all sites on the Internet.

Recent Denial-of-Service Tools and Developments

   One recent report can be found in CERT Advisory CA-99-17.

   A distributed denial-of-service tool called "Stacheldraht" has been
   discovered on multiple compromised hosts at several organizations. In
   addition, one organization reported what appears to be more than 100
   different connections to various Stacheldraht agents. At the present
   time, we have not been able to confirm that these are connections to
   Stacheldraht agents, though they are consistent with an analysis
   provided by Dave Dittrich of the University of Washington, available
   at

   http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

   Also, Randy Marchany of Virginia Tech released an analysis of a
   TFN-like toolkit, available at

   http://www.sans.org/y2k/TFN_toolkit.htm

   The ISS X-Force Security Research Team published information about
   trin00 and TFN in their December 7 Advisory, available at

   http://xforce.iss.net/alerts/advise40.php3

   A general discussion of denial-of-service attacks can be found in a
   CERT/CC Tech Tip available at

   http://www.cert.org/tech_tips/denial_of_service.html

II. Impact

   Denial-of-service attacks can severely limit the ability of an
   organization to conduct normal business on the Internet.

III. Solution

   Solutions to this problem fall into a variety of categories.

Awareness

   We urge all sites on the Internet to be aware of the problems
   presented by denial-of-service attacks. In particular, keep the
   following points in mind:
     * Security on the Internet is a community effort. Your security
       depends on the overall security of the Internet in general.
       Likewise, your security (or lack thereof) can cause serious harm
       to others, even if intruders do no direct harm to your
       organization. Similarly, machines that are not part of centralized
       computing facilities and that may be managed by novice or
       part-time system administrators or may be unmanaged, can be used
       by intruders to inflict harm on others, even if those systems have
       no strategic value to your organization.
     * Systems used by intruders to execute denial-of-service attacks are
       often compromised via well-known vulnerabilities. Keep up-to-date
       with patches and workarounds on all systems.
     * Intruders often use source-address spoofing to conceal their
       location when executing denial-of-service attacks. We urge all
       sites to implement ingress filtering to reduce source address
       spoofing on as many routers as possible. For more information, see
       RFC2267.
     * Because your security is dependent on the overall security of the
       Internet, we urge you to consider the effects of an extended
       network or system outage and make appropriate contingency plans
       where possible.
     * Responding to a denial-of-service attack may require the
       cooperation of multiple parties. We urge all sites to develop the
       relationships and capabilities described in the results of our
       recent workshop before you are a victim of a distributed
       denial-of-service attack. This document is available at

        http://www.cert.org/reports/dsit_workshop.pdf

Detection

   A variety of tools are available to detect, eliminate, and analyze
   distributed denial-of-service tools that may be installed on your
   network.

   The National Infrastructure Protection Center has recently announced a
   tool to detect trin00 and TFN on some systems. For more information,
   see

   http://www.fbi.gov/nipc/trinoo.htm

   Part of the analysis done by Dave Dittrich includes a Perl script
   named gag which can be used to detect stacheldraht agents running on
   your local network. See Appendix A of that analysis for more
   information.

   Internet Security Systems released updates to some of their tools to
   aid sites in detecting trin00 and TFN. For more information, see

   http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
          22899199.plt

Prevention

   We urge all sites to follow sound security practices on all
   Internet-connected systems. For helpful information, please see

   http://www.cert.org/security-improvement
          http://www.sans.org

Response

   For information on responding to intrusions when they do occur, please
   see

   http://www.cert.org/nav/recovering.html
          http://www.sans.org/newlook/publications/incident_handling.htm

   The United States Federal Bureau of Investigation is conducting
   criminal investigations involving TFN where systems appears to have
   been compromised. U.S. recipients are encouraged to contact their
   local FBI Office.
     _________________________________________________________________

   We thank Dave Dittrich of the University of Washington, Randy Marchany
   of Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the
   National Infrastructure Protection Center, Alan Paller and Steve
   Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
   of The Massachusetts Institute of Technology, Jim Ellis of Sun
   Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
   Richard Forno of Network Solutions.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-01.html

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IBTSYjBqwfc9jEQKb9ACgiMnLHB+kpOxAeECYJYw4o+Z4gIIAoM9Q
XZil3pD6Fcw+/DQFI7otBPwY
=vvST
-----END PGP SIGNATURE-----