Original release date: January 3, 2000
Source: CERT/CC and FedCIRC
A complete revision history is at the end of this file.
We continue to receive reports of new developments in denial-of-service tools. This advisory provides pointers to documents discussing some of the more recent attacks and methods to detect some of the tools currently in use. Many of the denial-of-service tools currently in use depend on the ability of an intruder to compromise systems first. That is, intruders exploit known vulnerabilities to gain access to systems, which they then use to launch further attacks. For information on how to protect your systems, see the solution section below.
Security is a community effort that requires diligence and cooperation from all sites on the Internet.
One recent report can be found in CERT Advisory CA-99-17.
A distributed denial-of-service tool called "Stacheldraht" has been discovered on multiple compromised hosts at several organizations. In addition, one organization reported what appears to be more than 100 different connections to various Stacheldraht agents. At the present time, we have not been able to confirm that these are connections to Stacheldraht agents, though they are consistent with an analysis provided by Dave Dittrich of the University of Washington, available at
Also, Randy Marchany of Virginia Tech released an analysis of a TFN-like toolkit, available at
The ISS X-Force Security Research Team published information about trin00 and TFN in their December 7 Advisory, available at
A general discussion of denial-of-service attacks can be found in a CERT/CC Tech Tip available at
Denial-of-service attacks can severely limit the ability of an organization to conduct normal business on the Internet.
Solutions to this problem fall into a variety of categories.
We urge all sites on the Internet to be aware of the problems presented by denial-of-service attacks. In particular, keep the following points in mind:
Security on the Internet is a community effort. Your security depends on the overall security of the Internet in general. Likewise, your security (or lack thereof) can cause serious harm to others, even if intruders do no direct harm to your organization. Similarly, machines that are not part of centralized computing facilities and that may be managed by novice or part-time system administrators or may be unmanaged, can be used by intruders to inflict harm on others, even if those systems have no strategic value to your organization.
A variety of tools are available to detect, eliminate, and analyze distributed denial-of-service tools that may be installed on your network.
The National Infrastructure Protection Center has recently announced a tool to detect trin00 and TFN on some systems. For more information, see
Part of the analysis done by Dave Dittrich includes a Perl script named gag which can be used to detect stacheldraht agents running on your local network. See Appendix A of that analysis for more information.
Internet Security Systems released updates to some of their tools to aid sites in detecting trin00 and TFN. For more information, see
We urge all sites to follow sound security practices on all Internet-connected systems. For helpful information, please see
For information on responding to intrusions when they do occur, please see
The United States Federal Bureau of Investigation is conducting criminal investigations involving TFN where systems appear to have been compromised. U.S. recipients are encouraged to contact their local FBI Office.
We thank Dave Dittrich of the University of Washington, Randy Marchany of Virginia Tech, Internet Security Systems, UUNet, the Y2K-ICC, the National Infrastructure Protection Center, Alan Paller and Steve Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller of The Massachusetts Institute of Technology, Jim Ellis of Sun Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and Richard Forno of Network Solutions.
Copyright 2000 Carnegie Mellon University.