<H4>This advisory is being published jointly by the CERT Coordination
Center and the Federal Computer Incident Response Capability
(FedCIRC).</H4>

<p>Original release date: January 3, 2000<BR>
Source: CERT/CC and FedCIRC<BR>

<P>A complete revision history is at the end of this file. 

<H3>Systems Affected</H3>
<UL>
<LI>All systems connected to the Internet can be affected by
denial-of-service attacks. 

</UL>

<H2>I. Description</H2>

<H4>Continued Reports of Denial-of-Service Problems</H4>

<P>We continue to receive reports of new developments in
denial-of-service tools.  This advisory provides pointers to documents
discussing some of the more recent attacks and methods to detect some
of the tools currently in use. 


Many of the denial-of-service tools 
currently in use depend on the ability of an intruder to compromise
systems first. That is, intruders exploit known vulnerabilities to gain access
to systems, which they then use to launch further attacks. For
information on how to protect your systems, see the <A
HREF="#solutions">solution section</a> below.


<P>Security is a <A HREF="#commeff">community effort</a> that requires
diligence and cooperation from all sites on the Internet.

<H4>Recent Denial-of-Service Tools and Developments</H4>

<p>One recent report can be found in <A
HREF="http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html">CERT Advisory
CA-99-17</a>. 

<p>A distributed denial-of-service tool called "Stacheldraht" has been
discovered on multiple compromised hosts at several organizations.  In
addition, one organization reported what appears to be more than 100
different connections to various Stacheldraht agents.  At the present
time, we have not been able to confirm that these are
connections to Stacheldraht agents, though they are consistent with an
analysis provided by Dave Dittrich of the University of Washington,
available at

<DL><DD>
<A HREF="http://staff.washington.edu/dittrich/misc/stacheldraht.analysis">
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis</A>
</DL>



<p>Also, Randy Marchany of Virginia Tech released an
<A HREF="http://www.sans.org/y2k/TFN_toolkit.htm">analysis</A>
of a TFN-like toolkit, available at

<DL><DD>
<A HREF="http://www.sans.org/y2k/TFN_toolkit.htm">
http://www.sans.org/y2k/TFN_toolkit.htm</A>
</DL>

<p> The ISS X-Force Security Research Team published information about
trin00 and TFN in their <A HREF="http://xforce.iss.net/alerts/advise40.php3">December 7 Advisory</a>, available at 

<DL>
<DD>
<A
HREF="http://xforce.iss.net/alerts/advise40.php3">http://xforce.iss.net/alerts/advise40.php3</a>
</DL>


<P>A general discussion of denial-of-service attacks can be found in a
<A HREF="http://www.cert.org/tech_tips/denial_of_service.html">CERT/CC Tech Tip</A>
available at 

<DL>
<DD>
<A HREF="http://www.cert.org/tech_tips/denial_of_service.html">
http://www.cert.org/tech_tips/denial_of_service.html</A>
</DL>

<H2>II. Impact</H2>

<P>Denial-of-service attacks can severely limit the ability of an
organization to conduct normal business on the Internet.

<A NAME="solutions">
<H2>III. Solution</H2>

<P>Solutions to this problem fall into a variety of categories.

<H4>Awareness</H4>

<P>We urge all sites on the Internet to be aware of the problems
presented by denial-of-service attacks. In particular, keep the
following points in mind:

<UL>
<A NAME="commeff">

<LI><P>Security on the Internet is a community effort. Your security
depends on the overall security of the Internet in general. Likewise,
your security (or lack thereof) can cause serious harm to others, even
if intruders do no direct harm to your organization. Similarly,
machines that are not part of centralized computing facilities and
that may be managed by novice or part-time system administrators or
may be unmanaged, can be used by intruders to inflict harm on others,
even if those systems have no strategic value to your organization.

<P><LI>Systems used by intruders to execute denial-of-service attacks
are often compromised via well-known vulnerabilities. Keep up-to-date
with patches and workarounds on all systems.

<P><LI>Intruders often use source-address spoofing to conceal their
location when executing denial-of-service attacks. We urge all sites
to implement ingress filtering to reduce source address spoofing on as
many routers as possible. For more information, see
<A HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt">RFC2267</a>.

<P><LI>Because your security is dependent on the overall security of
the Internet, we urge you to consider the effects of an extended
network or system outage and make appropriate contingency plans where
possible.

<P><LI>Responding to a denial-of-service attack may require the
cooperation of multiple parties. We urge all sites to develop the
relationships and capabilities described in the results of our recent
workshop <i>before</i> you are a victim of a distributed
denial-of-service attack. This document is available at

<P>
<DL><DD>
<A HREF="http://www.cert.org/reports/dsit_workshop.pdf">
http://www.cert.org/reports/dsit_workshop.pdf</A>
</DL>

</UL>

<H4>Detection</H4>

<P>A variety of tools are available to detect, eliminate, and analyze
distributed denial-of-service tools that may be installed on your
network. 

<P>The <A HREF="http://www.nipc.gov">National Infrastructure
Protection Center</a> has recently announced a tool to detect trin00
and TFN on some systems. For more information, see 

<DL><DD>
<A HREF="http://www.nipc.gov/warnings/alerts/1999/trinoo.htm">
http://www.nipc.gov/warnings/alerts/1999/trinoo.htm</A>
</DL>

<p>Part of the <A
HREF="http://staff.washington.edu/dittrich/misc/stacheldraht.analysis">analysis</a>
done by Dave Dittrich includes a Perl script named <i>gag</i> which
can be used to detect stacheldraht agents running on your local
network. See Appendix A of that analysis for more information. 

<p><A HREF="http://www.iss.net">Internet Security Systems</a> released
updates to some of their tools to aid sites in detecting trin00 and
TFN. For more information, see

<dl><dd> <A
HREF="http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt">
http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt</a>
</dl>

<H4>Prevention</H4>

<P>We urge all sites to follow sound security practices on all
Internet-connected systems. For helpful information, please see

<DL><DD>
<A
HREF="http://www.cert.org/tech_tips/">http://www.cert.org/tech_tips</a>
<dd>
<A HREF="http://www.sans.org">http://www.sans.org</a>
</DL>

<H4>Response</H4> 

<P>For information on responding to intrusions when they do occur,
please see

<dl><dd>
<A
HREF="http://www.cert.org/nav/recovering.html">http://www.cert.org/nav/recovering.html</a>
<dd>
<a
HREF="http://www.sans.org/newlook/publications/incident_handling.htm">
http://www.sans.org/newlook/publications/incident_handling.htm</a>
<dd>
</dl>

<P>The United States <A HREF="http://www.fbi.gov">Federal Bureau of
Investigation</a> is conducting criminal investigations involving TFN
where systems appears to have been compromised. U.S. recipients are
encouraged to contact <A
HREF="http://www.fbi.gov/contact/fo/fo.htm">their local FBI
Office</a>. 

<HR NOSHADE>

<P>We thank Dave Dittrich of the <A
HREF="http://washington.edu">University of Washington</a>, 
Randy Marchany of <a href="http://www.vt.edu">Virginia Tech</a>, 
<A HREF="http://www.iss.net">Internet Security systems</a>,
<A HREF="http://www.uu.net">UUNet</a>, 
the <A HREF="http://www.y2k.gov"</a>Y2K-ICC</a>,
the <A HREF="http://www.nipc.gov">National Infrastructure Protection
Center</a>, 
Alan Paller and Steve Northcutt of <A
HREF="http://www.sans.org">The SANS Institute</a>, 
<A HREF="http://www.mitre.org">The MITRE Corporation</a>, 
Jeff Schiller of <A HREF="http://www.mit.edu">The Massachusetts
Institute of Technology</a>, 
Jim Ellis of <A
HREF="http://www.sun.com">Sun Microsystems</a>, 
Vern Paxson of <A HREF="http://www.lbl.gov">Lawrence Berkeley National
Lab</a>, and Richard Forno of <A HREF="http://www.networksolutions.com">Network
Solutions</a>. 



<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>

<p>Copyright 2000 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
</PRE>