-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




CERT Advisory CA-2000-01 Denial-of-Service Developments

This advisory is being published jointly by the CERT Coordination Center and
the Federal Computer Incident Response Capability (FedCIRC).

   Original release date: January 3, 2000
   Source: CERT/CC and FedCIRC
   
   A complete revision history is at the end of this file.
   
Systems Affected

     * All systems connected to the Internet can be affected by
       denial-of-service attacks.
       
I. Description

Continued Reports of Denial-of-Service Problems

   We continue to receive reports of new developments in
   denial-of-service tools. This advisory provides pointers to documents
   discussing some of the more recent attacks and methods to detect some
   of the tools currently in use. Many of the denial-of-service tools
   currently in use depend on the ability of an intruder to compromise
   systems first. That is, intruders exploit known vulnerabilities to
   gain access to systems, which they then use to launch further attacks.
   For information on how to protect your systems, see the solution
   section below.
   
   Security is a community effort that requires diligence and cooperation
   from all sites on the Internet.
   
Recent Denial-of-Service Tools and Developments

   One recent report can be found in CERT Advisory CA-99-17.
   
   A distributed denial-of-service tool called "Stacheldraht" has been
   discovered on multiple compromised hosts at several organizations. In
   addition, one organization reported what appears to be more than 100
   different connections to various Stacheldraht agents. At the present
   time, we have not been able to confirm that these are connections to
   Stacheldraht agents, though they are consistent with an analysis
   provided by Dave Dittrich of the University of Washington, available
   at
   
   http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
          
   Also, Randy Marchany of Virginia Tech released an analysis of a
   TFN-like toolkit, available at
   
   http://www.sans.org/y2k/TFN_toolkit.htm
          
   The ISS X-Force Security Research Team published information about
   trin00 and TFN in their December 7 Advisory, available at
   
   http://xforce.iss.net/alerts/advise40.php3
          
   A general discussion of denial-of-service attacks can be found in a
   CERT/CC Tech Tip available at
   
   http://www.cert.org/tech_tips/denial_of_service.html
          
II. Impact

   Denial-of-service attacks can severely limit the ability of an
   organization to conduct normal business on the Internet.
   
III. Solution

   Solutions to this problem fall into a variety of categories.
   
Awareness

   We urge all sites on the Internet to be aware of the problems
   presented by denial-of-service attacks. In particular, keep the
   following points in mind:
     * Security on the Internet is a community effort. Your security
       depends on the overall security of the Internet in general.
       Likewise, your security (or lack thereof) can cause serious harm
       to others, even if intruders do no direct harm to your
       organization. Similarly, machines that are not part of centralized
       computing facilities and that may be managed by novice or
       part-time system administrators or may be unmanaged, can be used
       by intruders to inflict harm on others, even if those systems have
       no strategic value to your organization.
     * Systems used by intruders to execute denial-of-service attacks are
       often compromised via well-known vulnerabilities. Keep up-to-date
       with patches and workarounds on all systems.
     * Intruders often use source-address spoofing to conceal their
       location when executing denial-of-service attacks. We urge all
       sites to implement ingress filtering to reduce source address
       spoofing on as many routers as possible. For more information, see
       RFC2267.
     * Because your security is dependent on the overall security of the
       Internet, we urge you to consider the effects of an extended
       network or system outage and make appropriate contingency plans
       where possible.
     * Responding to a denial-of-service attack may require the
       cooperation of multiple parties. We urge all sites to develop the
       relationships and capabilities described in the results of our
       recent workshop before you are a victim of a distributed
       denial-of-service attack. This document is available at
       
        http://www.cert.org/reports/dsit_workshop.pdf
                
Detection

   A variety of tools are available to detect, eliminate, and analyze
   distributed denial-of-service tools that may be installed on your
   network.
   
   The National Infrastructure Protection Center has recently announced a
   tool to detect trin00 and TFN on some systems. For more information,
   see
   
   http://www.fbi.gov/nipc/trinoo.htm
          
   Part of the analysis done by Dave Dittrich includes a Perl script
   named gag which can be used to detect stacheldraht agents running on
   your local network. See Appendix A of that analysis for more
   information.
   
   Internet Security Systems released updates to some of their tools to
   aid sites in detecting trin00 and TFN. For more information, see
   
   http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
          22899199.plt
          
Prevention

   We urge all sites to follow sound security practices on all
   Internet-connected systems. For helpful information, please see
   
   http://www.cert.org/security-improvement
          http://www.sans.org
          
Response

   For information on responding to intrusions when they do occur, please
   see
   
   http://www.cert.org/nav/recovering.html
          http://www.sans.org/newlook/publications/incident_handling.htm
          
   The United States Federal Bureau of Investigation is conducting
   criminal investigations involving TFN where systems appears to have
   been compromised. U.S. recipients are encouraged to contact their
   local FBI Office.
     _________________________________________________________________
   
   We thank Dave Dittrich of the University of Washington, Randy Marchany
   of Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the
   National Infrastructure Protection Center, Alan Paller and Steve
   Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
   of The Massachusetts Institute of Technology, Jim Ellis of Sun
   Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
   Richard Forno of Network Solutions.
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2000-01.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   Copyright 2000 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in
   
   http://www.cert.org/legal_stuff.html
       
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Revision History

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOHEdfFr9kb5qlZHQEQLb0wCfamz6K9wLBAx6lBIo7Ph9x5E3ESwAnArG
KhrLvJmknyRwOF2k/mq3e8LK
=v8LK
-----END PGP SIGNATURE-----