I just wanted to tell you that 'trinoo' has been around for more than half a year, originally developed by 'takeover / war' groups on IRC to launch attacks against users and IRC servers. Since trinoo was never published, I wrote TFN and made it publicly available at some security sites, in the hope of making some people aware of the impact of 'distributed DoS'. Although I haven't worked much on TFN myself after the public release, a number of people/groups seem to have made private versions of it with encryption and support for other operating systems, and used it for active denial of service.

The real big problem is the fact that so many systems are still compromisable at root level with the most commonly used exploits (now I hear that even many Internet2 machines are), and that some people still haven't realized that a root compromise means *total control* over the system's hardware and software, including denial of service, automated compromising of other machines, remote eavesdropping, virtually everything you (or the intruder) can imagine.

In my opinion, it is not advisable to rely on IDS signatures only; instead, systematically secure machines before they are put on the net, and closely examine machines where remote security holes were patched after already being on the net for some time, because it is really a trivial matter to change a lot of the behavior and strings which programs like flood networks use, and this is obviously actively being done.

Mixter
________________________
mixterat_private
http://1337.tsx.org
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:26 PDT