S-00-02.htm
Posted Jan 10, 2000
SHA-256 | c5526e20dd087f27af5edfdcd78e9e4a08a9fc240c8cceb6638b56ea446643d8
<html>

<head>
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<title>CERT-NL S-00-02</title>
</head>

<body link="#009966" vlink="#006041">
<div align="left">

<table border="0" width="100%" cellspacing="0">
<tr>
<td colspan="3" bgcolor="#009966" width="760"><blockquote>
<p><font face="Arial"><strong><big>Security Advisory</big></strong></font></p>
</blockquote>
</td>
<td colspan="2" align="right" bgcolor="#009966" width="103"><img src="../../hs-kader-logo.gif" alt="hs-kader-logo.gif (586 bytes)" WIDTH="100" HEIGHT="41"></td>
<td align="center" bgcolor="#009966" colspan="2" width="95"><strong><font face="Arial">CERT-NL</font></strong></td>
</tr>
<tr>
<td width="115" bgcolor="#99CC99">Author/Source</td>
<td width="6" bgcolor="#99CC99">:</td>
<td width="100%">Teun Nijssen</td>
<td width="96" bgcolor="#99CC99">Index</td>
<td colspan="2" width="6" bgcolor="#99CC99">:</td>
<td align="right" width="90">S-00-02</td>
</tr>
<tr>
<td width="115" bgcolor="#99CC99">Distribution</td>
<td width="6" bgcolor="#99CC99">:</td>
<td width="627">World</td>
<td width="96" bgcolor="#99CC99">Page</td>
<td colspan="2" width="6" bgcolor="#99CC99">:</td>
<td align="right" width="90">1</td>
</tr>
<tr>
<td width="115" bgcolor="#99CC99">Classification</td>
<td width="6" bgcolor="#99CC99">:</td>
<td width="627">External</td>
<td width="96" bgcolor="#99CC99">Version</td>
<td colspan="2" width="6" bgcolor="#99CC99">:</td>
<td align="right" width="90">1</td>
</tr>
<tr>
<td width="115" bgcolor="#99CC99" valign="top">Subject</td>
<td width="6" bgcolor="#99CC99" valign="top">:</td>
<td width="627" bgcolor="#d4d4d4"><strong><big>Denial of Service with Stacheldraht</big></strong></td>
<td width="96" bgcolor="#99CC99" valign="top">Date</td>
<td colspan="2" width="6" bgcolor="#99CC99" valign="top">:</td>
<td align="right" width="90" bgcolor="#D4D4D4" valign="top">04-Jan-2000</td>
</tr>
</table>
</div>

<p>By courtesy of the CERT Coordination Center and the Federal Computer Incident Response
Capability (FedCIRC) we received info on new developments in denial-of-service tools.</p>

<p>Note that the information in this advisory is related to CERT-NL advisory S-99-52.<br>
The irresistible word Stacheldraht, the wide scope of the advisory and the newly
included URLs however motivated a new advisory.</p>

<hr size="1">

<p>CERT Advisory CA-2000-01 Denial-of-Service Developments</p>

<h4>Systems Affected</h4>

<blockquote>
<ul>
<li>All systems connected to the Internet can be affected by denial-of-service attacks.</li>
</ul>
</blockquote>

<h3>I. Description</h3>

<h4>Continued Reports of Denial-of-Service Problems</h4>

<blockquote>
<p>We continue to receive reports of new developments in denial-of-service tools. This
advisory provides pointers to documents discussing some of the more recent attacks and
methods to detect some of the tools currently in use. Many of the denial-of-service tools
currently in use depend on the ability of an intruder to compromise systems first. That
is, intruders exploit known vulnerabilities to gain access to systems, which they then use
to launch further attacks.<br>
For information on how to protect your systems, see the solution section below.</p>
<p>Security is a community effort that requires diligence and cooperation from all sites
on the Internet.</p>
</blockquote>

<h4>Recent Denial-of-Service Tools and Developments</h4>

<blockquote>
<p>One recent report can be found in CERT Advisory CA-99-17.</p>
</blockquote>

<blockquote>
<p>A distributed denial-of-service tool called "Stacheldraht" has been discovered on
multiple compromised hosts at several organizations. In addition, one organization
reported what appears to be more than 100 different connections to various Stacheldraht
agents. At the present time, we have not been able to confirm that these are connections
to Stacheldraht agents, though they are consistent with an analysis provided by Dave
Dittrich of the University of Washington, available at</p>
<blockquote>
<p><a href="http://staff.washington.edu/dittrich/misc/stacheldraht.analysis">http://staff.washington.edu/dittrich/misc/stacheldraht.analysis</a></p>
</blockquote>
<p>Also, Randy Marchany of Virginia Tech released an analysis of a TFN-like toolkit,
available at</p>
<blockquote>
<p><a href="http://www.sans.org/y2k/TFN_toolkit.htm">http://www.sans.org/y2k/TFN_toolkit.htm</a></p>
</blockquote>
<p>The ISS X-Force Security Research Team published information about trin00 and TFN in
their December 7 Advisory, available at</p>
<blockquote>
<p><a href="http://xforce.iss.net/alerts/advise40.php3">http://xforce.iss.net/alerts/advise40.php3</a></p>
</blockquote>
</blockquote>

<blockquote>
<p>A general discussion of denial-of-service attacks can be found in a CERT/CC Tech Tip
available at</p>
<blockquote>
<p><a href="http://www.cert.org/tech_tips/denial_of_service.html">http://www.cert.org/tech_tips/denial_of_service.html</a></p>
</blockquote>
</blockquote>

<h3>II. Impact</h3>

<blockquote>
<p>Denial-of-service attacks can severely limit the ability of an organization to conduct
normal business on the Internet. </p>
</blockquote>

<h3>III. Solution</h3>

<blockquote>
<p>Solutions to this problem fall into a variety of categories.</p>
</blockquote>

<h4>Awareness</h4>

<blockquote>
<p>We urge all sites on the Internet to be aware of the problems presented by
denial-of-service attacks. In particular, keep the following points in mind:</p>
</blockquote>

<blockquote>
<ul>
<li>Security on the Internet is a community effort. Your security depends on the overall
security of the Internet in general.<br>
Likewise, your security (or lack thereof) can cause serious harm to others, even if
intruders do no direct harm to your organization. Similarly, machines that are not part of
centralized computing facilities and that may be managed by novice or part-time system
administrators or may be unmanaged, can be used by intruders to inflict harm on others,
even if those systems have no strategic value to your organization.</li>
<li>Systems used by intruders to execute denial-of-service attacks are often compromised via
well-known vulnerabilities. Keep up-to-date with patches and workarounds on all systems.</li>
<li>Intruders often use source-address spoofing to conceal their location when executing
denial-of-service attacks. We urge all sites to implement ingress filtering to reduce
source address spoofing on as many routers as possible. For more information, see RFC2267.</li>
<li>Because your security is dependent on the overall security of the Internet, we urge you
to consider the effects of an extended network or system outage and make appropriate
contingency plans where possible.</li>
<li>Responding to a denial-of-service attack may require the cooperation of multiple
parties. We urge all sites to develop the relationships and capabilities described in the
results of our recent workshop before you are a victim of a distributed denial-of-service
attack. This document is available at</li>
</ul>
</blockquote>

<blockquote>
<blockquote>
<blockquote>
<p><a href="http://www.cert.org/reports/dsit_workshop.pdf">http://www.cert.org/reports/dsit_workshop.pdf</a></p>
</blockquote>
</blockquote>
</blockquote>
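<p>As an added example that is not part of the CERT/CC or CERT-NL text, the following Python shows the check an RFC 2267 ingress filter performs at a customer-facing router interface: a packet is forwarded only if its source address belongs to a prefix assigned behind that interface, and never if it carries a source that is not routable on the Internet at all. The interface names, prefixes and packets are constructed for the example; a production router expresses the same policy as an access list rather than in Python.</p>

```python
# Added example (not from the advisory): a minimal RFC 2267-style ingress
# filter. Interfaces, prefixes and packets below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str   # interface the packet arrived on (customer side)


# Hypothetical edge router: each customer-facing interface is assigned the
# prefixes that can legitimately originate traffic behind it.
IFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}

# Sources that are never valid on the public Internet (RFC 1918 space,
# loopback, link-local, multicast and reserved ranges).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def ingress_verdict(pkt: Packet) -> str:
    """Return 'permit' or 'drop:<reason>' for a packet arriving on pkt.iface."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop:malformed-source"
    if any(src in b for b in BOGON_PREFIXES):
        return "drop:bogon-source"
    allowed = IFACE_PREFIXES.get(pkt.iface)
    if allowed is None:
        # Fail closed: an interface with no assigned prefixes forwards nothing.
        return "drop:unknown-interface"
    if any(src in p for p in allowed):
        return "permit"
    return "drop:spoofed-source"


def filter_packets(packets):
    """Apply the filter to a batch; returns (permitted, dropped) lists of (packet, verdict)."""
    permitted, dropped = [], []
    for p in packets:
        v = ingress_verdict(p)
        (permitted if v == "permit" else dropped).append((p, v))
    return permitted, dropped


SAMPLE = [  # constructed packets, all headed for an outside host
    Packet("192.0.2.17", "203.0.113.5", "eth1"),      # legitimate customer source
    Packet("203.0.113.9", "203.0.113.5", "eth1"),     # forged: not assigned behind eth1
    Packet("10.1.2.3", "203.0.113.5", "eth2"),        # private source leaking to the edge
    Packet("198.51.100.200", "203.0.113.5", "eth2"),  # legitimate customer source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p, v in ok + bad:
        print(f"{p.iface:5} {p.src:>16} -> {p.dst:<14} {v}")
```

<p>Note the direction of the filter: it is applied to traffic leaving your network toward the Internet, so it keeps your own hosts from being usable as spoofing agents in someone else's attack. It does nothing against spoofed floods arriving from networks that have not deployed it, which is why the advisory frames ingress filtering as a community obligation rather than a local defence.</p>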

<h4>Detection</h4>

<blockquote>
<p>A variety of tools are available to detect, eliminate, and analyze distributed
denial-of-service tools that may be installed on your network.</p>
<p>The National Infrastructure Protection Center has recently announced a tool to detect
trin00 and TFN on some systems. For more information, see</p>
<blockquote>
<p><a href="http://www.fbi.gov/nipc/trinoo.htm">http://www.fbi.gov/nipc/trinoo.htm</a></p>
</blockquote>
<p>Part of the analysis done by Dave Dittrich includes a Perl script named gag which can
be used to detect stacheldraht agents running on your local network. See Appendix A of
that analysis for more information.</p>
<p>Internet Security Systems released updates to some of their tools to aid sites in
detecting trin00 and TFN. For more information, see</p>
<blockquote>
<p><a href="http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt">http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt</a></p>
</blockquote>
</blockquote>
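<p>The detection section points to Dittrich's gag script without describing what it looks for. As an added example, which is neither that script nor anything from this advisory, the Python below sketches one heuristic taken from Dittrich's linked analysis: Stacheldraht agents and their handler talk to each other in ICMP echo-reply packets, so echo replies on your segment that no local host ever requested deserve a look. The packet records, addresses, the identifier 4242, and the 30-second window and three-reply threshold are constructed assumptions for the example.</p>

```python
# Added example (not from the advisory and not Dittrich's gag script): pair
# ICMP echo requests with echo replies seen on one segment and report replies
# that nothing asked for. Records, addresses and thresholds are constructed.
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Icmp:
    ts: float        # capture time in seconds
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    ident: int       # ICMP identifier
    seq: int         # ICMP sequence number
    payload: bytes


def find_unsolicited_replies(records, window=30.0):
    """Return echo replies with no matching request (addresses swapped, same
    identifier and sequence) seen within `window` seconds beforehand."""
    pending = defaultdict(list)   # (requester, target, ident, seq) -> request times
    unsolicited = []
    for r in sorted(records, key=lambda x: x.ts):
        if r.icmp_type == ECHO_REQUEST:
            pending[(r.src, r.dst, r.ident, r.seq)].append(r.ts)
        elif r.icmp_type == ECHO_REPLY:
            key = (r.dst, r.src, r.ident, r.seq)
            # Requests older than the window cannot explain this reply.
            times = [t for t in pending.get(key, []) if r.ts - t <= window]
            if times:
                times.pop(0)          # consume the request that this reply answers
                pending[key] = times
            else:
                unsolicited.append(r)
    return unsolicited


def suspects(records, window=30.0, min_replies=3):
    """Group unsolicited replies by (src, dst, identifier). A pair that keeps
    exchanging them looks like a control channel; a single one is usually a
    late or stray reply. Returns {key: (count, first_payload)}."""
    counts = defaultdict(int)
    first_payload = {}
    for r in find_unsolicited_replies(records, window):
        key = (r.src, r.dst, r.ident)
        counts[key] += 1
        first_payload.setdefault(key, r.payload)
    return {k: (n, first_payload[k]) for k, n in counts.items() if n >= min_replies}


SAMPLE = [  # constructed capture of one segment
    # an ordinary ping from 192.0.2.10 to its gateway, answered promptly
    Icmp(0.0, "192.0.2.10", "192.0.2.1", ECHO_REQUEST, 1234, 1, b"abcdefgh"),
    Icmp(0.1, "192.0.2.1", "192.0.2.10", ECHO_REPLY, 1234, 1, b"abcdefgh"),
    # a second request whose reply arrives far outside the window: unsolicited,
    # but alone, so it never reaches the suspect threshold
    Icmp(0.5, "192.0.2.10", "192.0.2.1", ECHO_REQUEST, 1234, 2, b"abcdefgh"),
    Icmp(40.0, "192.0.2.1", "192.0.2.10", ECHO_REPLY, 1234, 2, b"abcdefgh"),
    # a LAN host sending echo replies to an outside address nobody pinged
    Icmp(5.0, "192.0.2.50", "198.51.100.10", ECHO_REPLY, 4242, 0, b"constructed-1"),
    Icmp(15.0, "192.0.2.50", "198.51.100.10", ECHO_REPLY, 4242, 0, b"constructed-2"),
    Icmp(25.0, "192.0.2.50", "198.51.100.10", ECHO_REPLY, 4242, 0, b"constructed-3"),
]

if __name__ == "__main__":
    for (src, dst, ident), (n, payload) in suspects(SAMPLE).items():
        print(f"{src} -> {dst} id={ident}: {n} unsolicited echo replies, first payload {payload!r}")
```

<p>The heuristic only works where the sensor sees both directions of traffic on the segment, and it is a triage signal, not proof: load balancers, asymmetric routing and simple packet loss all produce stray replies. Dittrich's gag script takes the complementary approach of actively probing hosts so that a running agent answers; the passive check above is what you can run on a capture without touching the suspected hosts.</p>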

<h4>Prevention</h4>

<blockquote>
<p>We urge all sites to follow sound security practices on all Internet-connected systems.
For helpful information, please see</p>
<blockquote>
<p><a href="http://www.cert.org/security-improvement">http://www.cert.org/security-improvement</a><br>
<a href="http://www.sans.org">http://www.sans.org</a></p>
</blockquote>
</blockquote>

<h4>Response</h4>

<blockquote>
<p>For information on responding to intrusions when they do occur, please see </p>
<blockquote>
<p><a href="http://www.cert.org/nav/recovering.html">http://www.cert.org/nav/recovering.html</a><br>
<a href="http://www.sans.org/newlook/publications/incident_handling.htm">http://www.sans.org/newlook/publications/incident_handling.htm</a></p>
</blockquote>
<p>The United States Federal Bureau of Investigation is conducting criminal investigations
involving TFN where systems appear to have been compromised. U.S. recipients are encouraged
to contact their local FBI Office.</p>
</blockquote>

<hr size="1">

<blockquote>
<p>We thank Dave Dittrich of the University of Washington, Randy Marchany of Virginia
Tech, Internet Security systems, UUNet, the Y2K-ICC, the National Infrastructure
Protection Center, Alan Paller and Steve Northcutt of The SANS Institute, The MITRE
Corporation, Jeff Schiller of The Massachusetts Institute of Technology, Jim Ellis of Sun
Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and Richard Forno of Network
Solutions.</p>
</blockquote>

<hr size="1">

<blockquote>
<p>This document is available from:</p>
</blockquote>

<blockquote>
<blockquote>
<p><a href="http://www.cert.org/advisories/CA-2000-01.html">http://www.cert.org/advisories/CA-2000-01.html</a></p>
</blockquote>
</blockquote>

<hr>

<p><font color="#006041"><strong>CERT-NL</strong> </font>is the Computer Emergency
Response Team for SURFnet customers. SURFnet is the Dutch network for educational,
research and related institutes. <strong><font color="#006041">CERT-NL</font></strong> is
a member of the Forum of Incident Response and Security Teams (<a href="http://www.first.org">FIRST</a>).</p>

<p>All <strong><font color="#006041">CERT-NL</font></strong> material is available under:<br>
&nbsp;&nbsp; <a href="http://cert.surfnet.nl/">http://cert.surfnet.nl/</a></p>

<p>In case of computer or network security problems please contact your local
CERT/security-team or<font color="#006041"> <strong>CERT-NL</strong></font>&nbsp; (if your
institute is NOT a SURFnet customer please address the appropriate (local)
CERT/security-team).</p>

<p><strong><font color="#006041">CERT-NL</font></strong> is one/two hour(s) ahead of UTC
(GMT) in winter/summer,<br>
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).</p>
<div align="left">

<table border="0" width="80%" bgcolor="#DCDCDC" cellspacing="0" height="192">
<tr>
<td valign="top" height="24">Email:</td>
<td height="24"><a href="mailto:cert-nl@surfnet.nl">cert-nl@surfnet.nl</a></td>
<td height="24">ATTENDED REGULARLY ALL DAYS</td>
</tr>
<tr>
<td valign="top" height="24">Phone:</td>
<td height="24">+31 302 305 305</td>
<td height="24">BUSINESS HOURS ONLY</td>
</tr>
<tr>
<td valign="top" height="24">Fax: </td>
<td height="24">+31 302 305 329 </td>
<td height="24">BUSINESS HOURS ONLY</td>
</tr>
<tr>
<td valign="top" height="112">Snailmail:</td>
<td height="112">SURFnet bv<br>
Attn. CERT-NL<br>
P.O. Box 19035<br>
NL - 3501 DA&nbsp; UTRECHT<br>
The Netherlands</td>
<td height="112">.</td>
</tr>
</table>
</div>

<p>EMERGENCIES (domestic):&nbsp;&nbsp;&nbsp; 06 22 92 35 64&nbsp;&nbsp;&nbsp;&nbsp; ATTENDED AT ALL TIMES<br>
EMERGENCIES (international): +31 6 22 92 35 64&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTENDED AT ALL TIMES<br>
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:<br>
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING
WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER.
CERT-NL WILL THEN CONTACT YOU.</p>

<hr>

<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr align="left" valign="top">
<td><img src="../../hs-c-1999.gif" alt="copyright SURFnet 1999" WIDTH="100" HEIGHT="19"><a href="mailto:redactie@SURFnet.nl"><br>
<img src="../../hs-email-red.gif" border="0" alt="email to redactie@SURFnet.nl" WIDTH="100" HEIGHT="26"></a></td>
<td width="100%" bgcolor="#C0C0C0"><table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr align="left" valign="top">
<td><img src="../../n-route.gif" border="0" alt="<-" WIDTH="19" HEIGHT="20"></td>
<td width="100%" valign="middle"><font face="Geneva, Arial" size="1"><a href="http://www.surfnet.nl/home.html" target="_top">Homepage</a> | <a href="http://www.surfnet.nl/diensten/">Services</a> | <a href="http://www.surfnet.nl/diensten/beveiliging/">Security</a> | <a href="http://www.surfnet.nl/diensten/beveiliging/cert" target="_top">CERT-NL home</a></font></td>
</tr>
<tr align="left" valign="top">
<td colspan="2"><img src="/images/n-verlooplijn.gif" width="142" height="5" border="0" alt="-------------------"></td>
</tr>
<tr align="left" valign="top">
<td><a href="#top"><img src="../../n-top.gif" border="0" alt="<-" WIDTH="19" HEIGHT="20"></a></td>
<td width="100%" valign="middle"><font face="Geneva, Arial" size="1"><a href="#top">To the top of this page</a></font></td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>