4640072 2000-01-05 03:01 /263 rader/ Postmaster
Mottagare: Bugtraq (import) <9154>
Ärende: Fw: [CERT Advisory CA-2000-01]
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000104204656.A87@crypto.org.il>
Date: Tue, 4 Jan 2000 20:46:56 +0200
Reply-To: Guy Cohen <guy@CRYPTO.ORG.IL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Guy Cohen <guy@CRYPTO.ORG.IL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
----- Forwarded message from CERT Advisory <cert-advisory@cert.org> -----
Date: Mon, 3 Jan 2000 18:12:38 -0500 (EST)
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2000-01
Reply-To: cert-advisory-request@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT Advisory CA-2000-01 Denial-of-Service Developments
This advisory is being published jointly by the CERT Coordination
Center and the Federal Computer Incident Response Capability
(FedCIRC).
Original release date: January 3, 2000
Source: CERT/CC and FedCIRC
A complete revision history is at the end of this file.
Systems Affected
* All systems connected to the Internet can be affected by
denial-of-service attacks.
I. Description
Continued Reports of Denial-of-Service Problems
We continue to receive reports of new developments in
denial-of-service tools. This advisory provides pointers to
documents discussing some of the more recent attacks and methods
to detect some of the tools currently in use. Many of the
denial-of-service tools currently in use depend on the ability of
an intruder to compromise systems first. That is, intruders
exploit known vulnerabilities to gain access to systems, which
they then use to launch further attacks. For information on how
to protect your systems, see the solution section below.
Security is a community effort that requires diligence and
cooperation from all sites on the Internet.
Recent Denial-of-Service Tools and Developments
One recent report can be found in CERT Advisory CA-99-17.
A distributed denial-of-service tool called "Stacheldraht" has
been discovered on multiple compromised hosts at several
organizations. In addition, one organization reported what appears
to be more than 100 different connections to various Stacheldraht
agents. At the present time, we have not been able to confirm that
these are connections to Stacheldraht agents, though they are
consistent with an analysis provided by Dave Dittrich of the
University of Washington, available at
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Also, Randy Marchany of Virginia Tech released an analysis of a
TFN-like toolkit, available at
http://www.sans.org/y2k/TFN_toolkit.htm
The ISS X-Force Security Research Team published information about
trin00 and TFN in their December 7 Advisory, available at
http://xforce.iss.net/alerts/advise40.php3
A general discussion of denial-of-service attacks can be found in a
CERT/CC Tech Tip available at
http://www.cert.org/tech_tips/denial_of_service.html
II. Impact
Denial-of-service attacks can severely limit the ability of an
organization to conduct normal business on the Internet.
III. Solution
Solutions to this problem fall into a variety of categories.
Awareness
We urge all sites on the Internet to be aware of the problems
presented by denial-of-service attacks. In particular, keep the
following points in mind:
* Security on the Internet is a community effort. Your security
depends on the overall security of the Internet in general.
Likewise, your security (or lack thereof) can cause serious harm
to others, even if intruders do no direct harm to your
organization. Similarly, machines that are not part of centralized
computing facilities and that may be managed by novice or
part-time system administrators or may be unmanaged, can be used
by intruders to inflict harm on others, even if those systems have
no strategic value to your organization.
* Systems used by intruders to execute denial-of-service attacks are
often compromised via well-known vulnerabilities. Keep up-to-date
with patches and workarounds on all systems.
* Intruders often use source-address spoofing to conceal their
location when executing denial-of-service attacks. We urge all
sites to implement ingress filtering to reduce source address
spoofing on as many routers as possible. For more information, see
RFC2267.
* Because your security is dependent on the overall security of the
Internet, we urge you to consider the effects of an extended
network or system outage and make appropriate contingency plans
where possible.
* Responding to a denial-of-service attack may require the
cooperation of multiple parties. We urge all sites to develop the
relationships and capabilities described in the results of our
recent workshop before you are a victim of a distributed
denial-of-service attack. This document is available at
http://www.cert.org/reports/dsit_workshop.pdf
Detection
A variety of tools are available to detect, eliminate, and analyze
distributed denial-of-service tools that may be installed on your
network.
The National Infrastructure Protection Center has recently
announced a tool to detect trin00 and TFN on some systems. For
more information, see
http://www.fbi.gov/nipc/trinoo.htm
Part of the analysis done by Dave Dittrich includes a Perl script
named gag which can be used to detect stacheldraht agents running
on your local network. See Appendix A of that analysis for more
information.
Internet Security Systems released updates to some of their tools
to aid sites in detecting trin00 and TFN. For more information, see
http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
22899199.plt
Prevention
We urge all sites to follow sound security practices on all
Internet-connected systems. For helpful information, please see
http://www.cert.org/security-improvement
http://www.sans.org
Response
For information on responding to intrusions when they do occur,
please see
http://www.cert.org/nav/recovering.html
http://www.sans.org/newlook/publications/incident_handling.htm
The United States Federal Bureau of Investigation is conducting
criminal investigations involving TFN where systems appears to have
been compromised. U.S. recipients are encouraged to contact their
local FBI Office.
_________________________________________________________________
We thank Dave Dittrich of the University of Washington, Randy
Marchany of Virginia Tech, Internet Security systems, UUNet, the
Y2K-ICC, the National Infrastructure Protection Center, Alan
Paller and Steve Northcutt of The SANS Institute, The MITRE
Corporation, Jeff Schiller of The Massachusetts Institute of
Technology, Jim Ellis of Sun Microsystems, Vern Paxson of Lawrence
Berkeley National Lab, and Richard Forno of Network Solutions.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 2000 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Revision History
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBOHEdfFr9kb5qlZHQEQLb0wCfamz6K9wLBAx6lBIo7Ph9x5E3ESwAnArG
KhrLvJmknyRwOF2k/mq3e8LK
=v8LK
-----END PGP SIGNATURE-----
----- End forwarded message -----
(4640072) ------------------------------------------(Ombruten)