CERT Advisory CA-2000-01 Denial-of-Service Developments

This advisory is being published jointly by the CERT Coordination Center and the Federal Computer Incident Response Capability (FedCIRC).

Original release date: January 3, 2000
Source: CERT/CC and FedCIRC

A complete revision history is at the end of this file.

Systems Affected

• All systems connected to the Internet can be affected by denial-of-service attacks.

I. Description

Continued Reports of Denial-of-Service Problems

We continue to receive reports of new developments in denial-of-service tools. This advisory provides pointers to documents discussing some of the more recent attacks and methods to detect some of the tools currently in use. Many of the denial-of-service tools currently in use depend on the ability of an intruder to compromise systems first. That is, intruders exploit known vulnerabilities to gain access to systems, which they then use to launch further attacks. For information on how to protect your systems, see the solution section below.

Security is a community effort that requires diligence and cooperation from all sites on the Internet.

Recent Denial-of-Service Tools and Developments

One recent report can be found in CERT Advisory CA-99-17.

A distributed denial-of-service tool called "Stacheldraht" has been discovered on multiple compromised hosts at several organizations. In addition, one organization reported what appears to be more than 100 different connections to various Stacheldraht agents. At the present time, we have not been able to confirm that these are connections to Stacheldraht agents, though they are consistent with an analysis provided by Dave Dittrich of the University of Washington, available at

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Also, Randy Marchany of Virginia Tech released an analysis of a TFN-like toolkit, available at

http://www.sans.org/y2k/TFN_toolkit.htm

The ISS X-Force Security Research Team published information about trin00 and TFN in their December 7 Advisory, available at

http://xforce.iss.net/alerts/advise40.php3

A general discussion of denial-of-service attacks can be found in a CERT/CC Tech Tip available at

http://www.cert.org/tech_tips/denial_of_service.html

II. Impact

Denial-of-service attacks can severely limit the ability of an organization to conduct normal business on the Internet.

III. Solution

• Security on the Internet is a community effort. Your security depends on the overall security of the Internet in general. Likewise, your security (or lack thereof) can cause serious harm to others, even if intruders do no direct harm to your organization. Similarly, machines that are not part of centralized computing facilities and that may be managed by novice or part-time system administrators or may be unmanaged, can be used by intruders to inflict harm on others, even if those systems have no strategic value to your organization.

• Systems used by intruders to execute denial-of-service attacks are often compromised via well-known vulnerabilities. Keep up-to-date with patches and workarounds on all systems.

• Intruders often use source-address spoofing to conceal their location when executing denial-of-service attacks. We urge all sites to implement ingress filtering to reduce source address spoofing on as many routers as possible. For more information, see RFC2267.

• Because your security is dependent on the overall security of the Internet, we urge you to consider the effects of an extended network or system outage and make appropriate contingency plans where possible.

• Responding to a denial-of-service attack may require the cooperation of multiple parties. We urge all sites to develop the relationships and capabilities described in the results of our recent workshop before you are a victim of a distributed denial-of-service attack. This document is available at

  http://www.cert.org/reports/dsit_workshop.pdf

Detection

A variety of tools are available to detect, eliminate, and analyze distributed denial-of-service tools that may be installed on your network.

The National Infrastructure Protection Center has recently announced a tool to detect trin00 and TFN on some systems. For more information, see

http://www.nipc.gov/warnings/alerts/1999/trinoo.htm

Part of the analysis done by Dave Dittrich includes a Perl script named gag which can be used to detect stacheldraht agents running on your local network. See Appendix A of that analysis for more information.

Internet Security Systems released updates to some of their tools to aid sites in detecting trin00 and TFN. For more information, see

http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt

Prevention

We urge all sites to follow sound security practices on all Internet-connected systems. For helpful information, please see

http://www.cert.org/tech_tips

http://www.sans.org

Response

For information on responding to intrusions when they do occur, please see

http://www.cert.org/nav/recovering.html

http://www.sans.org/newlook/publications/incident_handling.htm

The United States Federal Bureau of Investigation is conducting criminal investigations involving TFN where systems appears to have been compromised. U.S. recipients are encouraged to contact their local FBI Office.

We thank Dave Dittrich of the University of Washington, Randy Marchany of Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the National Infrastructure Protection Center, Alan Paller and Steve Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller of The Massachusetts Institute of Technology, Jim Ellis of Sun Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and Richard Forno of Network Solutions.

Copyright 2000 Carnegie Mellon University.