Date: Mon, 3 Jan 2000 18:17:35 -0500 (EST)
From: CERT Advisory <[email protected]>
To: [email protected]Subject: CERT Advisory CA-2000-01
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT Advisory CA-2000-01 Denial-of-Service Developments
This advisory is being published jointly by the CERT Coordination Center and
the Federal Computer Incident Response Capability (FedCIRC).
Original release date: January 3, 2000
Source: CERT/CC and FedCIRC
A complete revision history is at the end of this file.
Systems Affected
* All systems connected to the Internet can be affected by
denial-of-service attacks.
I. Description
Continued Reports of Denial-of-Service Problems
We continue to receive reports of new developments in
denial-of-service tools. This advisory provides pointers to documents
discussing some of the more recent attacks and methods to detect some
of the tools currently in use. Many of the denial-of-service tools
currently in use depend on the ability of an intruder to compromise
systems first. That is, intruders exploit known vulnerabilities to
gain access to systems, which they then use to launch further attacks.
For information on how to protect your systems, see the solution
section below.
Security is a community effort that requires diligence and cooperation
from all sites on the Internet.
Recent Denial-of-Service Tools and Developments
One recent report can be found in CERT Advisory CA-99-17.
A distributed denial-of-service tool called "Stacheldraht" has been
discovered on multiple compromised hosts at several organizations. In
addition, one organization reported what appears to be more than 100
different connections to various Stacheldraht agents. At the present
time, we have not been able to confirm that these are connections to
Stacheldraht agents, though they are consistent with an analysis
provided by Dave Dittrich of the University of Washington, available
at
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Also, Randy Marchany of Virginia Tech released an analysis of a
TFN-like toolkit, available at
http://www.sans.org/y2k/TFN_toolkit.htm
The ISS X-Force Security Research Team published information about
trin00 and TFN in their December 7 Advisory, available at
http://xforce.iss.net/alerts/advise40.php3
A general discussion of denial-of-service attacks can be found in a
CERT/CC Tech Tip available at
http://www.cert.org/tech_tips/denial_of_service.html
II. Impact
Denial-of-service attacks can severely limit the ability of an
organization to conduct normal business on the Internet.
III. Solution
Solutions to this problem fall into a variety of categories.
Awareness
We urge all sites on the Internet to be aware of the problems
presented by denial-of-service attacks. In particular, keep the
following points in mind:
* Security on the Internet is a community effort. Your security
depends on the overall security of the Internet in general.
Likewise, your security (or lack thereof) can cause serious harm
to others, even if intruders do no direct harm to your
organization. Similarly, machines that are not part of centralized
computing facilities and that may be managed by novice or
part-time system administrators or may be unmanaged, can be used
by intruders to inflict harm on others, even if those systems have
no strategic value to your organization.
* Systems used by intruders to execute denial-of-service attacks are
often compromised via well-known vulnerabilities. Keep up-to-date
with patches and workarounds on all systems.
* Intruders often use source-address spoofing to conceal their
location when executing denial-of-service attacks. We urge all
sites to implement ingress filtering to reduce source address
spoofing on as many routers as possible. For more information, see
RFC2267.
* Because your security is dependent on the overall security of the
Internet, we urge you to consider the effects of an extended
network or system outage and make appropriate contingency plans
where possible.
* Responding to a denial-of-service attack may require the
cooperation of multiple parties. We urge all sites to develop the
relationships and capabilities described in the results of our
recent workshop before you are a victim of a distributed
denial-of-service attack. This document is available at
http://www.cert.org/reports/dsit_workshop.pdf
Detection
A variety of tools are available to detect, eliminate, and analyze
distributed denial-of-service tools that may be installed on your
network.
The National Infrastructure Protection Center has recently announced a
tool to detect trin00 and TFN on some systems. For more information,
see
http://www.fbi.gov/nipc/trinoo.htm
Part of the analysis done by Dave Dittrich includes a Perl script
named gag which can be used to detect stacheldraht agents running on
your local network. See Appendix A of that analysis for more
information.
Internet Security Systems released updates to some of their tools to
aid sites in detecting trin00 and TFN. For more information, see
http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
22899199.plt
Prevention
We urge all sites to follow sound security practices on all
Internet-connected systems. For helpful information, please see
http://www.cert.org/security-improvementhttp://www.sans.org
Response
For information on responding to intrusions when they do occur, please
see
http://www.cert.org/nav/recovering.htmlhttp://www.sans.org/newlook/publications/incident_handling.htm
The United States Federal Bureau of Investigation is conducting
criminal investigations involving TFN where systems appears to have
been compromised. U.S. recipients are encouraged to contact their
local FBI Office.
_________________________________________________________________
We thank Dave Dittrich of the University of Washington, Randy Marchany
of Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the
National Infrastructure Protection Center, Alan Paller and Steve
Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
of The Massachusetts Institute of Technology, Jim Ellis of Sun
Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
Richard Forno of Network Solutions.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to [email protected] and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 2000 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Revision History
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBOHEdfFr9kb5qlZHQEQLb0wCfamz6K9wLBAx6lBIo7Ph9x5E3ESwAnArG
KhrLvJmknyRwOF2k/mq3e8LK
=v8LK
-----END PGP SIGNATURE-----