Original release date: December 28, 1999<BR>
Last Updated: March 3, 2000<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>
<UL>
<LI>All systems connected to the Internet can be affected by
denial-of-service attacks. Tools that run on a variety of UNIX and
UNIX-like systems and Windows NT systems have recently been released
to facilitate denial-of-service attacks. Additionally, some MacOS
systems can be used as traffic amplifiers to conduct a
denial-of-service attack.
</UL>

<H2>I. Description</H2>

<H4>New Distributed Denial-of-Service Tools</H4>
<p>
Recently, new techniques for executing denial-of-service attacks have
been made public. A tool similar to Tribe FloodNet (TFN), called Tribe
FloodNet 2K (TFN2K), was released. Tribe FloodNet is described in
<a HREF="http://www.cert.org/incident_notes/IN-99-07.html#tfn">http://www.cert.org/incident_notes/IN-99-07.html#tfn</A>.

<p>Like TFN, TFN2K is designed to launch coordinated denial-of-service
attacks from many sources against one or more targets
simultaneously. It includes features designed specifically to make
TFN2K traffic difficult to recognize and filter, to remotely execute
commands, to obfuscate the true source of the traffic, to transport
TFN2K traffic over multiple transport protocols including UDP, TCP,
and ICMP, and to confuse attempts to locate other nodes in a
TFN2K network by sending "decoy" packets.

<p>TFN2K is designed to work on various UNIX and UNIX-like systems and
Windows NT. 

<p>TFN2K obfuscates the true source of attacks by spoofing IP
addresses. In networks that employ ingress filtering as described in
<A HREF="#Ref1">[1]</a>, TFN2K can forge packets that appear to come from neighboring
machines.

<p>Like TFN, TFN2K can flood networks by sending large amounts of data to
the victim machine. Unlike TFN, TFN2K includes attacks designed to
crash or introduce instabilities in systems by sending malformed or
invalid packets. Some attacks like this are described in 

<DL>
<dd>
<a
HREF="http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html">
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html</a>
<dd>
<A HREF="http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html">
http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html</a>
</dl>

<p>Also like TFN, TFN2K uses a client-server architecture in which a
single client, under the control of an attacker, issues commands
simultaneously to a set of TFN2K servers. The servers then conduct the
denial-of-service attacks against the victim(s). Installing the server
requires that an intruder first compromise a machine by other
means.



<H4>Asymmetric traffic from MacOS 9</H4>

<p>MacOS 9 can be abused by an intruder to generate a large volume of
traffic directed at a victim in response to a small amount of traffic
produced by an intruder. This allows an intruder to use MacOS 9 as a
"traffic amplifier," and flood victims with traffic. According to <A
HREF="#Ref3">[3]</a>, an intruder can use this asymmetry to "amplify"
traffic by a factor of approximately 37.5, thus enabling an intruder
with limited bandwidth to flood a much larger connection. This is
similar in effect and structure to a "smurf" attack, described in

<dl>
<dd>
<A HREF="http://www.cert.org/advisories/CA-98.01.smurf.html">
http://www.cert.org/advisories/CA-98.01.smurf.html</a>
</dl>

<p>Unlike a smurf attack, however, it is not necessary to use a
directed broadcast to achieve traffic amplification. 
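<p>As an added illustration of the asymmetry described above (this is not code from the advisory or from <A HREF="#Ref3">[3]</a>), the following Python script scans a constructed flow log for local hosts that send far more bytes to a peer than they receive from it, the signature a site would look for to tell whether one of its own machines is being used as an amplifier. The flow log, the site prefix 192.0.2.0/24 and the 10:1 alerting threshold are assumptions chosen for this example; the sample was constructed so that the flagged ICMP pair shows the 37.5 ratio reported in <A HREF="#Ref3">[3]</a>.

```python
"""Spotting local hosts that are being used as traffic amplifiers.

Added example, not part of the CERT advisory. Constructed assumptions: a
border flow log with one record per line, "PROTO SRC DST BYTES", and a
site prefix of 192.0.2.0/24. For each (local host, remote peer, protocol)
we compare bytes sent to the peer with bytes received from it; a ratio far
above 1 means a small amount of inbound traffic is driving a large amount
of outbound traffic, which is exactly the amplifier behaviour the advisory
describes for MacOS 9.
"""
import ipaddress
from collections import defaultdict

SITE = ipaddress.ip_network("192.0.2.0/24")      # constructed site prefix
AMPLIFICATION_THRESHOLD = 10.0                     # alerting ratio chosen for this example

# Constructed flow log: a remote peer sends 40-byte ICMP packets to
# 192.0.2.20, which answers each with 1500 bytes (3000/80 = 37.5x). The TCP
# exchange with 192.0.2.30 is ordinary, roughly symmetric traffic.
FLOW_LOG = """\
ICMP 198.51.100.9 192.0.2.20 40
ICMP 192.0.2.20 198.51.100.9 1500
ICMP 198.51.100.9 192.0.2.20 40
ICMP 192.0.2.20 198.51.100.9 1500
TCP 203.0.113.4 192.0.2.30 600
TCP 192.0.2.30 203.0.113.4 900
"""


def parse_flows(text):
    """Yield (proto, src, dst, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, nbytes = line.split()
        yield proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def byte_counts(flows):
    """Aggregate to {(local_host, remote_peer, proto): [bytes_in, bytes_out]}.

    Only traffic crossing the site border is counted; intra-site flows and
    flows between two outside addresses are ignored.
    """
    counts = defaultdict(lambda: [0, 0])
    for proto, src, dst, n in flows:
        if src in SITE and dst not in SITE:
            counts[(str(src), str(dst), proto)][1] += n     # outbound
        elif dst in SITE and src not in SITE:
            counts[(str(dst), str(src), proto)][0] += n     # inbound
    return counts


def find_amplifiers(text, threshold=AMPLIFICATION_THRESHOLD):
    """Return sorted (local, peer, proto, ratio) tuples whose out/in ratio
    meets the threshold. Pairs with no inbound bytes are skipped because
    there is nothing to amplify."""
    results = []
    for (local, peer, proto), (b_in, b_out) in byte_counts(parse_flows(text)).items():
        if b_in == 0:
            continue
        ratio = b_out / b_in
        if ratio >= threshold:
            results.append((local, peer, proto, round(ratio, 1)))
    return sorted(results)


if __name__ == "__main__":
    for local, peer, proto, ratio in find_amplifiers(FLOW_LOG):
        print(f"{local} answering {peer} over {proto} at {ratio}x amplification")
```

In practice the flow records would come from the border router or a flow collector rather than an inline string, and the threshold would be tuned to the site's normal traffic; the point of the check is that an amplifier shows up as a lopsided byte ratio on the victim's own outbound traffic, which is visible to the site hosting the amplifier even though the victim of the flood is elsewhere.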

<H2>II. Impact</H2>

<P>Intruders can flood networks with overwhelming amounts of traffic
or cause machines to crash or otherwise become unstable. 

<H2>III. Solution</H2>

<p>The problem of distributed denial-of-service attacks is discussed at
length in <A HREF="#Ref2">[2]</a>, available at 

<DL>
<dd>
<A HREF="http://www.cert.org/reports/dsit_workshop.pdf">
http://www.cert.org/reports/dsit_workshop.pdf</a>
</dl>

<p>Managers, system administrators, Internet Service Providers (ISPs)
and Computer Security Incident Response Teams (CSIRTs) are encouraged
to read this document to gain a broader understanding of the problem.

<H4>For the ultimate victim of distributed denial-of-service
attacks</H4> 

<p>Preparation is crucial. The victim of a distributed
denial-of-service attack has little recourse using currently available
technology to respond to an attack in progress. According to <A HREF="#Ref2">[2]</a>: 

<dl>
<dd>
<p><i>The impact upon your site and operations is dictated by the
(in)security of other sites and the ability of a remote attacker
to implant the tools and subsequently to control and direct multiple
systems worldwide to launch an attack.</i>
</dl>

Sites are strongly encouraged to develop the relationships and
capabilities described in <A HREF="#Ref2">[2]</a> <i>before</i> they become victims of a distributed
denial-of-service attack.

<H4>For all Internet Sites</h4>

<p>System and network administrators are strongly encouraged to follow
the guidelines listed in <A HREF="#Ref2">[2]</a>. In addition, sites
are encouraged to implement ingress filtering as described in
<A HREF="#Ref1">[1]</a>. CERT/CC recommends implementing such filtering on as many routers
as practical. This method is not foolproof, as mentioned in <A HREF="#Ref1">[1]</a>:

<dl>
<dd>
<i>While the filtering method discussed in this document does
   absolutely nothing to protect against flooding attacks which
   originate from valid prefixes (IP addresses), it will prohibit an
   attacker within the originating network from launching an attack of
   this nature using forged source addresses that do not conform to
   ingress filtering rules.</i>
</dl>

<p>Because TFN2K implements features designed specifically to take
advantage of the granularity of ingress filtering rules (forging
source addresses that still fall within the permitted prefix), the
method described in <A HREF="#Ref1">[1]</a> may allow sites only to
determine the network or subnet from which an attack originated, not
the individual machine.

<p>Sites using manageable hubs or switches that can track which IP
addresses have been seen at a particular port, or which can restrict
which MAC addresses can be used on a particular port, may be able to
further identify which machine(s) are responsible for TFN2K
traffic. For further information, consult the documentation for your
particular hub or switch.

<p>The widespread use of this type of filtering can significantly
reduce the ability of intruders to use spoofed packets to compromise
or disrupt systems. 
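<p>An added example, not part of this advisory, showing in Python what an RFC 2267 ingress filter does and does not catch: the filter admits any source address inside the site prefix, so a forged address belonging to a neighbouring host passes, while a tighter per-port subnet (the kind of information a manageable switch can supply) rejects it. The prefix 192.0.2.0/24, the per-port subnet 192.0.2.0/26 and the sample packets are all constructed for the example.

```python
"""Ingress filtering as described in RFC 2267, and why on its own it only
narrows an attack down to a prefix.

Added example; not code from the CERT advisory or from RFC 2267.
Constructed assumptions: the site's announced prefix is 192.0.2.0/24, the
access switch port used by the legitimate host 192.0.2.10 is assigned the
subnet 192.0.2.0/26, and each outbound packet is a (src, dst) address pair.
"""
import ipaddress

# Site-wide prefix enforced at the border router (constructed).
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")
# Finer-grained subnet tied to one access port (constructed); this is the
# per-port knowledge a manageable switch can provide.
PORT_SUBNET = ipaddress.ip_network("192.0.2.0/26")


def ingress_permits(src, prefix=SITE_PREFIX):
    """True if a packet with source address `src` passes the filter for `prefix`.

    The rule only asks "is the source inside the prefix?", so a forged
    source that belongs to a neighbouring host on the same prefix passes.
    """
    return ipaddress.ip_address(src) in prefix


def filter_packets(packets, prefix=SITE_PREFIX):
    """Split (src, dst) pairs into those the filter passes and those it drops."""
    passed, dropped = [], []
    for src, dst in packets:
        (passed if ingress_permits(src, prefix) else dropped).append((src, dst))
    return passed, dropped


# Constructed outbound traffic seen on the filtered port.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),    # genuine source address
    ("198.51.100.7", "203.0.113.5"),  # forged source from another site
    ("192.0.2.77", "203.0.113.5"),    # forged source of a neighbouring host
]

if __name__ == "__main__":
    _, border_drop = filter_packets(SAMPLE_PACKETS)
    _, port_drop = filter_packets(SAMPLE_PACKETS, PORT_SUBNET)
    print("border filter drops:", [p[0] for p in border_drop])
    print("per-port filter drops:", [p[0] for p in port_drop])
```

The border filter drops only the packet sourced from another site; the forged neighbouring address survives it and is caught only when the rule is tied to the /26 actually assigned to that port. That is the practical content of the quotation from [1] above: the closer the filter sits to the host, the less room there is for a forged address to conform to it.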

<H4> Preventing your site from being used by intruders</H4>

<p>TFN2K and similar tools rely on the ability of intruders to install
the client. Preventing your system from being used to install the
client will help prevent intruders from using your systems to launch
denial-of-service attacks (in addition to whatever damage they may
cause to your systems). 

<p>Popular recent attacks can be found at 

<dl>
<dd>
<A HREF="http://www.cert.org/current/current_activity.html">
http://www.cert.org/current/current_activity.html</a>
</dl>

<p>Sites are encouraged to regularly visit this page and address any
issues found there. 

<H4>For the "Mac Attack" </H4>

<p>Apple has developed a patch, as described in Appendix A. Please see
the information there. 

<p>Appendix A contains information provided by vendors for this
       advisory. We will update the appendix as we receive or develop
       more information. If you do not see your vendor's name in
       Appendix A, the CERT/CC did not hear from that vendor. Please
       contact your vendor directly.

<H2> Appendix A. Vendor Information</H2>

<H4> <A HREF="http://www.apple.com">Apple Computer</a></H4>

<p>OT Tuner 1.0 switches off an option in Open Transport that would
cause a Macintosh to respond to certain small network packets with a
large Internet Control Message Protocol (ICMP) packet. This update
prevents Macintosh computers from being the cause of certain types of
Denial of Service (DOS) issues.

<p>The update is available from our software update server at

<dl>
<dd>
<A HREF="http://asu.info.apple.com/swupdates.nsf/artnum/n11560">
http://asu.info.apple.com/swupdates.nsf/artnum/n11560</a>
</dl>

<p>In addition, it will soon be available via the automatic update feature that is part of Mac OS 9.


<H3>References</H3>
<A NAME=Ref1></a>
[1] <A
HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt">RFC2267,
Network Ingress Filtering: Defeating Denial of Service Attacks which
employ IP Source Address Spoofing
</A>,
P. Ferguson, D. Senie, The Internet Society, January, 1998, 
available at <A
HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt">http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt</a>
<br><br>

<A NAME=Ref2></a> [2] <A
HREF="http://www.cert.org/reports/dsit_workshop.pdf">Results of the
Distributed-Systems Intruder Tools Workshop</a>, The CERT Coordination
Center, December, 1999, available at <A
HREF="http://www.cert.org/reports/dsit_workshop.pdf">http://www.cert.org/reports/dsit_workshop.pdf</a>
<br><br>

<A NAME=Ref3></a>
[3] <A HREF="http://www.csc.gatech.edu/~copeland">The "Mac Attack," a Scheme for Blocking Internet
Connections</a>, John A. Copeland, December, 1999, available at <A HREF="http://www.csc.gatech.edu/~copeland">http://www.csc.gatech.edu/~copeland</a>.
Temporary alternate URL: <A HREF="http://people.atl.mediaone.net/jacopeland">http://people.atl.mediaone.net/jacopeland</a>

<HR NOSHADE>

The CERT Coordination Center thanks Jeff Schiller of the Massachusetts
Institute of Technology, Professor John Copeland and Jim Hendricks of
the Georgia Institute of Technology, Jim Ellis of Sun Microsystems,
Wietse Venema of IBM, Rick Forno of Network Solutions, Inc., Dave
Dittrich of the University of Washington, Steve Bellovin of AT&T, Jim
Duncan and John Bashinski of Cisco Systems, and
<A HREF="http://www.macintouch.com">MacInTouch</a> for input and
technical assistance used in the construction of this advisory.


<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
December 28, 1999: Initial release
December 28, 1999: Added information regarding a patch from Apple
March 3, 2000: Updated link to apple web page.
</PRE>