CERT Advisory CA-2000-01 Denial-of-Service Developments


This advisory is being published jointly by the CERT Coordination Center and
the Federal Computer Incident Response Capability (FedCIRC).

  Original release date: January 3, 2000
  Source: CERT/CC and FedCIRC
  
  A complete revision history is at the end of this file.
  
Systems Affected

    * All systems connected to the Internet can be affected by
      denial-of-service attacks.
      
I. Description

Continued Reports of Denial-of-Service Problems

  We continue to receive reports of new developments in
  denial-of-service tools. This advisory provides pointers to documents
  discussing some of the more recent attacks and methods to detect some
  of the tools currently in use. Many of the denial-of-service tools
  currently in use depend on the ability of an intruder to compromise
  systems first. That is, intruders exploit known vulnerabilities to
  gain access to systems, which they then use to launch further attacks.
  For information on how to protect your systems, see the solution
  section below.
  
  Security is a community effort that requires diligence and cooperation
  from all sites on the Internet.
  
Recent Denial-of-Service Tools and Developments

  One recent report can be found in CERT Advisory CA-99-17.
  
  A distributed denial-of-service tool called "Stacheldraht" has been
  discovered on multiple compromised hosts at several organizations. In
  addition, one organization reported what appears to be more than 100
  different connections to various Stacheldraht agents. At the present
  time, we have not been able to confirm that these are connections to
  Stacheldraht agents, though they are consistent with an analysis
  provided by Dave Dittrich of the University of Washington, available
  at
  
  http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
         
  Also, Randy Marchany of Virginia Tech released an analysis of a
  TFN-like toolkit, available at
  
  http://www.sans.org/y2k/TFN_toolkit.htm
         
  The ISS X-Force Security Research Team published information about
  trin00 and TFN in their December 7 Advisory, available at
  
  http://xforce.iss.net/alerts/advise40.php3
         
  A general discussion of denial-of-service attacks can be found in a
  CERT/CC Tech Tip available at
  
  http://www.cert.org/tech_tips/denial_of_service.html
         
II. Impact

  Denial-of-service attacks can severely limit the ability of an
  organization to conduct normal business on the Internet.
  
III. Solution

  Solutions to this problem fall into a variety of categories.
  
Awareness

  We urge all sites on the Internet to be aware of the problems
  presented by denial-of-service attacks. In particular, keep the
  following points in mind:
    * Security on the Internet is a community effort. Your security
      depends on the overall security of the Internet in general.
      Likewise, your security (or lack thereof) can cause serious harm
      to others, even if intruders do no direct harm to your
      organization. Similarly, machines that are not part of centralized
      computing facilities and that may be managed by novice or
      part-time system administrators or may be unmanaged, can be used
      by intruders to inflict harm on others, even if those systems have
      no strategic value to your organization.
    * Systems used by intruders to execute denial-of-service attacks are
      often compromised via well-known vulnerabilities. Keep up-to-date
      with patches and workarounds on all systems.
    * Intruders often use source-address spoofing to conceal their
      location when executing denial-of-service attacks. We urge all
      sites to implement ingress filtering to reduce source address
      spoofing on as many routers as possible. For more information, see
      RFC2267.
    * Because your security is dependent on the overall security of the
      Internet, we urge you to consider the effects of an extended
      network or system outage and make appropriate contingency plans
      where possible.
    * Responding to a denial-of-service attack may require the
      cooperation of multiple parties. We urge all sites to develop the
      relationships and capabilities described in the results of our
      recent workshop before you are a victim of a distributed
      denial-of-service attack. This document is available at
      
       http://www.cert.org/reports/dsit_workshop.pdf
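The ingress-filtering point above (RFC 2267) is easiest to see in a small model. The following is an added example, not part of the CERT advisory or of any of the tools it references: it models a provider border router that knows which source prefixes legitimately sit behind each customer-facing interface and drops any packet whose source address falls outside them, so a compromised host on that link cannot forge sources from elsewhere. The interface names, prefixes and sample packets are constructed for illustration and use documentation address ranges.

```python
"""Added example (not from the advisory): a minimal model of RFC 2267
ingress filtering at a provider's customer-facing border.

A packet arriving on a customer interface whose source address is not
inside the prefixes assigned to that customer cannot be genuine, so it
is dropped. Interface names, prefixes and sample traffic are
constructed for illustration (RFC 5737 / RFC 3849 documentation ranges).
"""

import ipaddress
from collections import defaultdict

# Constructed policy: which source prefixes are legitimate on each
# customer-facing interface (hypothetical interface names).
INGRESS_POLICY = {
    "eth1": ["203.0.113.0/24"],                        # customer A
    "eth2": ["198.51.100.0/25", "2001:db8:1::/48"],    # customer B, dual-stack
}


def build_filter(policy):
    """Parse the policy once into ip_network objects keyed by interface."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in policy.items()}


def ingress_allowed(filt, iface, src):
    """True if `src` arriving on `iface` lies inside an allowed prefix.

    Unknown interfaces and unparsable addresses are rejected, so the
    filter fails closed rather than forwarding traffic it cannot vouch for.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    nets = filt.get(iface)
    if nets is None:
        return False
    # Compare only against prefixes of the same IP version.
    return any(addr.version == net.version and addr in net for net in nets)


def apply_ingress_filter(filt, packets):
    """Classify (iface, src, dst) tuples.

    Returns the packets that would be forwarded and a per-interface count
    of drops, which is the figure an operator would want to alarm on.
    """
    forwarded = []
    dropped = defaultdict(int)
    for iface, src, dst in packets:
        if ingress_allowed(filt, iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return forwarded, dict(dropped)


# Constructed sample traffic: the last three packets carry spoofed sources.
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7", "192.0.2.10"),
    ("eth2", "198.51.100.44", "192.0.2.10"),
    ("eth2", "2001:db8:1::20", "2001:db8:ffff::1"),
    ("eth1", "192.0.2.99", "192.0.2.10"),       # not customer A address space
    ("eth2", "198.51.100.200", "192.0.2.10"),   # outside customer B's /25
    ("eth1", "10.0.0.1", "192.0.2.10"),         # private source on a customer link
]

if __name__ == "__main__":
    filt = build_filter(INGRESS_POLICY)
    fwd, drops = apply_ingress_filter(filt, SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets; dropped per interface: {drops}")
```

The same check applied on the customer's own egress interface (only its assigned prefixes may leave) is the complementary half of the practice: the provider-side filter limits how far a spoofed packet from a compromised customer host can travel, and the drop counters give an early signal that a host behind that interface is emitting forged sources.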
               
Detection

  A variety of tools are available to detect, eliminate, and analyze
  distributed denial-of-service tools that may be installed on your
  network.
  
  The National Infrastructure Protection Center has recently announced a
  tool to detect trin00 and TFN on some systems. For more information,
  see
  
  http://www.fbi.gov/nipc/trinoo.htm
         
  Part of the analysis done by Dave Dittrich includes a Perl script
  named gag which can be used to detect stacheldraht agents running on
  your local network. See Appendix A of that analysis for more
  information.
  
  Internet Security Systems released updates to some of their tools to
  aid sites in detecting trin00 and TFN. For more information, see
  
  http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt
         
Prevention

  We urge all sites to follow sound security practices on all
  Internet-connected systems. For helpful information, please see
  
  http://www.cert.org/security-improvement
  http://www.sans.org
         
Response

  For information on responding to intrusions when they do occur, please
  see
  
  http://www.cert.org/nav/recovering.html
  http://www.sans.org/newlook/publications/incident_handling.htm
         
  The United States Federal Bureau of Investigation is conducting
  criminal investigations involving TFN where systems appear to have
  been compromised. U.S. recipients are encouraged to contact their
  local FBI Office.
    _________________________________________________________________
  
  We thank Dave Dittrich of the University of Washington, Randy Marchany
  of Virginia Tech, Internet Security Systems, UUNet, the Y2K-ICC, the
  National Infrastructure Protection Center, Alan Paller and Steve
  Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller
  of The Massachusetts Institute of Technology, Jim Ellis of Sun
  Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and
  Richard Forno of Network Solutions.
  ______________________________________________________________________
  
  This document is available from:
  http://www.cert.org/advisories/CA-2000-01.html
  ______________________________________________________________________
  
CERT/CC Contact Information

  Email: cert@cert.org
  Phone: +1 412-268-7090 (24-hour hotline)
  Fax: +1 412-268-6989
  Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.
         
  CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
  Monday through Friday; they are on call for emergencies during other
  hours, on U.S. holidays, and on weekends.
  
Using encryption

  We strongly urge you to encrypt sensitive information sent by email.
  Our public PGP key is available from
  
  http://www.cert.org/CERT_PGP.key
      
  If you prefer to use DES, please call the CERT hotline for more
  information.
  
Getting security information

  CERT publications and other security information are available from
  our web site
  
  http://www.cert.org/
      
  To be added to our mailing list for advisories and bulletins, send
  email to cert-advisory-request@cert.org and include SUBSCRIBE
  your-email-address in the subject of your message.
  
  Copyright 2000 Carnegie Mellon University.
  Conditions for use, disclaimers, and sponsorship information can be
  found in
  
  http://www.cert.org/legal_stuff.html
      
  * "CERT" and "CERT Coordination Center" are registered in the U.S.
  Patent and Trademark Office.
  ______________________________________________________________________
  
  NO WARRANTY
  Any material furnished by Carnegie Mellon University and the Software
  Engineering Institute is furnished on an "as is" basis. Carnegie
  Mellon University makes no warranties of any kind, either expressed or
  implied as to any matter including, but not limited to, warranty of
  fitness for a particular purpose or merchantability, exclusivity or
  results obtained from use of the material. Carnegie Mellon University
  does not make any warranty of any kind with respect to freedom from
  patent, trademark, or copyright infringement.
    _________________________________________________________________
  
  Revision History
