Fw: [CERT Advisory CA-2000-01]

From: Guy Cohen (guyat_private)
Date: Tue Jan 04 2000 - 10:46:56 PST


    ----- Forwarded message from CERT Advisory <cert-advisoryat_private> -----
    
    Date: Mon, 3 Jan 2000 18:12:38 -0500 (EST)
    From: CERT Advisory <cert-advisoryat_private>
    To: cert-advisoryat_private
    Subject: CERT Advisory CA-2000-01
    Reply-To: cert-advisory-requestat_private
    Organization: CERT(R) Coordination Center -  +1 412-268-7090
    
    CERT Advisory CA-2000-01 Denial-of-Service Developments
    
    This advisory is being published jointly by the CERT Coordination Center and
    the Federal Computer Incident Response Capability (FedCIRC).
    
       Original release date: January 3, 2000
       Source: CERT/CC and FedCIRC
    
       A complete revision history is at the end of this file.
    
    Systems Affected
    
         * All systems connected to the Internet can be affected by
           denial-of-service attacks.
    
    I. Description
    
    Continued Reports of Denial-of-Service Problems
    
       We continue to receive reports of new developments in
       denial-of-service tools. This advisory provides pointers to documents
       discussing some of the more recent attacks and methods to detect some
       of the tools currently in use. Many of the denial-of-service tools
       currently in use depend on the ability of an intruder to compromise
       systems first. That is, intruders exploit known vulnerabilities to
       gain access to systems, which they then use to launch further attacks.
       For information on how to protect your systems, see the solution
       section below.
    
       Security is a community effort that requires diligence and cooperation
       from all sites on the Internet.
    
    Recent Denial-of-Service Tools and Developments
    
       One recent report can be found in CERT Advisory CA-99-17.
    
       A distributed denial-of-service tool called "Stacheldraht" has been
       discovered on multiple compromised hosts at several organizations. In
       addition, one organization reported what appears to be more than 100
       different connections to various Stacheldraht agents. At the present
       time, we have not been able to confirm that these are connections to
       Stacheldraht agents, though they are consistent with an analysis
       provided by Dave Dittrich of the University of Washington, available
       at
    
       http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
    
       Also, Randy Marchany of Virginia Tech released an analysis of a
       TFN-like toolkit, available at
    
       http://www.sans.org/y2k/TFN_toolkit.htm
    
       The ISS X-Force Security Research Team published information about
       trin00 and TFN in their December 7 Advisory, available at
    
       http://xforce.iss.net/alerts/advise40.php3
    
       A general discussion of denial-of-service attacks can be found in a
       CERT/CC Tech Tip available at
    
       http://www.cert.org/tech_tips/denial_of_service.html
    
    II. Impact
    
       Denial-of-service attacks can severely limit the ability of an
       organization to conduct normal business on the Internet.
    
    III. Solution
    
       Solutions to this problem fall into a variety of categories.
    
    Awareness
    
       We urge all sites on the Internet to be aware of the problems
       presented by denial-of-service attacks. In particular, keep the
       following points in mind:
         * Security on the Internet is a community effort. Your security
           depends on the overall security of the Internet in general.
           Likewise, your security (or lack thereof) can cause serious harm
           to others, even if intruders do no direct harm to your
           organization. Similarly, machines that are not part of centralized
           computing facilities and that may be managed by novice or
           part-time system administrators or may be unmanaged, can be used
           by intruders to inflict harm on others, even if those systems have
           no strategic value to your organization.
         * Systems used by intruders to execute denial-of-service attacks are
           often compromised via well-known vulnerabilities. Keep up-to-date
           with patches and workarounds on all systems.
         * Intruders often use source-address spoofing to conceal their
           location when executing denial-of-service attacks. We urge all
           sites to implement ingress filtering to reduce source address
           spoofing on as many routers as possible. For more information, see
           RFC2267.
         * Because your security is dependent on the overall security of the
           Internet, we urge you to consider the effects of an extended
           network or system outage and make appropriate contingency plans
           where possible.
         * Responding to a denial-of-service attack may require the
           cooperation of multiple parties. We urge all sites to develop the
           relationships and capabilities described in the results of our
           recent workshop before you are a victim of a distributed
           denial-of-service attack. This document is available at
    
            http://www.cert.org/reports/dsit_workshop.pdf
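    The ingress-filtering recommendation above (RFC 2267) is the one control in this advisory that a site can implement directly. The following is an added example, not part of the CERT advisory: it encodes the RFC 2267 decision (a packet entering from a customer link is forwarded only if its source address belongs to the prefixes known to sit behind that link) and, going one step beyond the advisory, the mirror rule at a site's own border (a packet arriving from the Internet that claims a source inside the site's own prefix is spoofed). The prefixes, bogon list and sample lines are constructed for illustration.

```python
"""RFC 2267 (BCP 38) style source-address filtering, as an added illustration.

Not part of the CERT advisory. All prefixes and sample packets below are
constructed (RFC 5737 documentation ranges), not real network data.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed: the prefix a provider has allocated to one downstream site.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that are never legitimate on a customer link, whatever
# prefix the customer holds (unspecified, loopback, multicast, broadcast).
BOGON_SOURCES = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")
]

# Constructed sample of "src dst" pairs as seen on the customer-facing interface.
SAMPLE_PACKETS: List[str] = [
    "203.0.113.7 198.51.100.20",   # genuine: source inside the site's prefix
    "198.51.100.9 192.0.2.1",      # spoofed: source belongs to someone else
    "127.0.0.1 192.0.2.1",         # bogon source
    "203.0.113.250 192.0.2.44",    # genuine
]


def _in_any(addr: ipaddress._BaseAddress, nets: Iterable) -> bool:
    """True if addr falls inside any of the given networks (version-aware)."""
    return any(addr in n for n in nets)


def ingress_allow(src: str, allowed: Iterable = SITE_PREFIXES) -> bool:
    """Provider-side rule: forward a packet from the customer link only if its
    source is one of that customer's prefixes and not a bogon."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_SOURCES):
        return False
    return _in_any(addr, allowed)


def border_allow(src: str, site_prefixes: Iterable = SITE_PREFIXES) -> bool:
    """Site-border rule (the mirror case, not in the advisory): a packet coming
    in from the Internet must not claim a source inside the site's own prefix."""
    addr = ipaddress.ip_address(src)
    return not _in_any(addr, site_prefixes)


def filter_packets(lines: Iterable[str], allowed: Iterable = SITE_PREFIXES) -> Dict[str, bool]:
    """Apply ingress_allow to each 'src dst' line; map source -> forward?"""
    return {line.split()[0]: ingress_allow(line.split()[0], allowed) for line in lines}
```

A real deployment applies the same decision as an interface ACL or unicast reverse-path check on the router, which is what RFC 2267 describes; the script only makes the rule explicit.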
    
    Detection
    
       A variety of tools are available to detect, eliminate, and analyze
       distributed denial-of-service tools that may be installed on your
       network.
    
       The National Infrastructure Protection Center has recently announced a
       tool to detect trin00 and TFN on some systems. For more information,
       see
    
       http://www.fbi.gov/nipc/trinoo.htm
    
       Part of the analysis done by Dave Dittrich includes a Perl script
       named gag which can be used to detect stacheldraht agents running on
       your local network. See Appendix A of that analysis for more
       information.
    
       Internet Security Systems released updates to some of their tools to
       aid sites in detecting trin00 and TFN. For more information, see
    
       http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt
    
    Prevention
    
       We urge all sites to follow sound security practices on all
       Internet-connected systems. For helpful information, please see
    
       http://www.cert.org/security-improvement
       http://www.sans.org
    
    Response
    
       For information on responding to intrusions when they do occur, please
       see
    
       http://www.cert.org/nav/recovering.html
       http://www.sans.org/newlook/publications/incident_handling.htm
    
       The United States Federal Bureau of Investigation is conducting
       criminal investigations involving TFN where systems appear to have
       been compromised. U.S. recipients are encouraged to contact their
       local FBI Office.
         _________________________________________________________________
    
       We thank Dave Dittrich of the University of Washington, Randy Marchany
       of Virginia Tech, Internet Security Systems, UUNet, the Y2K-ICC, the
       National Infrastructure Protection Center, Alan Paller and Steve
       Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
       of The Massachusetts Institute of Technology, Jim Ellis of Sun
       Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
       Richard Forno of Network Solutions.
       ______________________________________________________________________
    
       This document is available from:
       http://www.cert.org/advisories/CA-2000-01.html
       ______________________________________________________________________
    
    CERT/CC Contact Information
    
       Email: certat_private
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
           CERT Coordination Center
           Software Engineering Institute
           Carnegie Mellon University
           Pittsburgh PA 15213-3890
           U.S.A.
    
       CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
       Monday through Friday; they are on call for emergencies during other
       hours, on U.S. holidays, and on weekends.
    
    Using encryption
    
       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from
    
       http://www.cert.org/CERT_PGP.key
    
       If you prefer to use DES, please call the CERT hotline for more
       information.
    
    Getting security information
    
       CERT publications and other security information are available from
       our web site
    
       http://www.cert.org/
    
       To be added to our mailing list for advisories and bulletins, send
       email to cert-advisory-requestat_private and include SUBSCRIBE
       your-email-address in the subject of your message.
    
       Copyright 2000 Carnegie Mellon University.
       Conditions for use, disclaimers, and sponsorship information can be
       found in
    
       http://www.cert.org/legal_stuff.html
    
       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.
       ______________________________________________________________________
    
       NO WARRANTY
       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.
         _________________________________________________________________
    
       Revision History
    
    
    ----- End forwarded message -----
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:58 PDT