Hi all,

At the risk of joining the discussion late, the attacks seen at the major sites are now being confirmed as the same tools reported by CERT back in November as Distributed Denial of Service (DDOS) tools - Tribe Flood Net and possibly trin00. In fact, it seems the FBI has tracked one offending machine down to the University of California in Santa Barbara campus at a library, I believe.

Basically, here's what we found out last November, and if you want to skip to the end, I've provided some info/links on how to combat the attack.

The attacker first creates an account with an ISP using bogus credit card account information. This is a fairly common method and there are dozens of bogus credit card number generators that can be found at any hacker Website. The attacker uses this initial account to hack a site, usually a university or campus LAN/WAN host. This system is used as an Attack Master Controller Host. The attacker then penetrates other systems through the Master Controller to set up attack agents on clients located on dozens of different networks. Or he may hack through the original ISP account to install his attack agents, then link them to the Master Controller. There can be up to hundreds of these attack agents controlled by a single Master Controller. Systems and networks selected by the attacker are those with high bandwidth capacity and a normally open systems architecture, such as large WAN/MAN university networks (sound familiar?). The Master Controller is used to coordinate a systematic, parallel attack from all the attack agents against the unsuspecting victim. Imagine your organization's network attacked by over 250 unrelated systems or networks.

Two significant aspects of the attack show this to be a serious toolkit.

One, the amount of engineering and thought put into the tool kit makes it difficult to determine the actual attacker. When the Master Controller or agents are installed, "RootKit" or "zap" are used to alter all system logs to cover up the installation. In addition, when the Master Controller and agents are communicating, an encrypted channel is created using the "Blowfish" algorithm. This effectively covers up a considerable amount of forensic data that may be used to trace the attacker. In addition, the attacker is often located significantly upstream, so defining the actual attacker is rather difficult, but not impossible. However, imagine trying to convince a System Administrator that his site is launching an attack when his logs show no abnormal activity. In fact, try to convince 250 separate System Administrators!

The second significant issue was the amount of publicity surrounding the toolkit -- absolutely none. Anyone familiar with the hacker community knows that any new, sophisticated hack is accompanied by ritual boasting and publicity. At the last DEFCON, the Back Orifice 2000 hacker tool was released with a fanfare that would make a marketing executive envious. The hacker community is uncharacteristically silent on this hack, although I haven't visited any site in the past couple of days.

Here are some helpful links & information on how to combat a distributed denial of service:

CERT reports on tools encountered that utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.
http://www.cert.org/incident_notes/IN-99-07.html

CERT working group report on distributed denial of service attacks; it examines the use of distributed-system intruder tools and notes that current experiences have highlighted the need for better forensic techniques and training, the importance of close cooperation, and a concern for the rapid evolution of intruder tools.
http://www.cert.org/reports/dsit_workshop.pdf

National Infrastructure Protection Center and their teams developed and distributed a system scanner that searches for trin00 and other distributed denial of service attack tools.
http://www.fbi.gov/nipc/trinoo.htm

"Handling A Distributed Denial of Service Trojan Infection: Step-by-Step."
http://www.sans.org/y2k/DDoS.htm

Network scanner that finds trin00 and other distributed denial of service attack tools.
http://www.staff.washington.edu/dittrich

CenterTrack, the tool that Internet Service Providers will use to find the source of forged IP packets employed in distributed denial of service attacks.
http://www.nanog.org/mtg-9910/robert.html

Mark Leary, CPP
LOGICON
1831 Wiehle Ave, Suite 100
Reston, VA 20190
703.318.1074 x 205
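The post makes two detection points worth turning into a concrete check: a victim sees packets from hundreds of unrelated sources converging on one host, and a site hosting an attack agent may show nothing in its own logs (which the rootkit has edited) while its outbound traffic tells the real story. The following is an added example, not code from the original post or from any of the tools linked above. It reads flow-style records in a hypothetical "timestamp src dst pkts" line format and applies both checks: destinations with an abnormal number of distinct sources, and hosts inside a local prefix pushing a large packet volume to a single external destination. The sample flows are constructed for the demo; the thresholds and the local prefix 10.0.0.0/8 are assumptions a practitioner would tune to their own network.

```python
"""Added example (not from the original post): two flow-based DDoS checks.

Flow records are assumed to be one per line in the hypothetical format
    <timestamp> <src_ip> <dst_ip> <packets>
which is close to what most flow collectors can be made to emit.
"""
import ipaddress
import re
from collections import defaultdict

FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<pkts>\d+)$")


def parse_flow(line):
    """Parse one flow line; returns None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "pkts": int(m["pkts"])}


def flood_targets(flows, min_sources=100):
    """Victim-side check: destinations reached by at least min_sources distinct
    sources in the supplied window.  Returns {dst: (distinct_sources, total_pkts)}.
    The caller is expected to feed one time window (e.g. one minute) at a time."""
    per_dst = defaultdict(lambda: [set(), 0])
    for f in flows:
        entry = per_dst[f["dst"]]
        entry[0].add(f["src"])
        entry[1] += f["pkts"]
    return {d: (len(s), p) for d, (s, p) in per_dst.items() if len(s) >= min_sources}


def suspected_agents(flows, local_net, min_pkts_per_dst=10000):
    """Agent-host check: local hosts sending min_pkts_per_dst or more packets to a
    single external destination.  This is visible at the network edge even when
    the host's own logs have been altered, which is the case the post describes."""
    net = ipaddress.ip_network(local_net)
    per_pair = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in net and dst not in net:
            per_pair[(f["src"], f["dst"])] += f["pkts"]
    return {pair: p for pair, p in per_pair.items() if p >= min_pkts_per_dst}


def build_sample_flows():
    """Constructed sample: 300 external sources flooding 203.0.113.10, one local
    host (10.0.5.42) acting as an agent against the same target, plus a few
    ordinary flows.  Addresses are from the documentation ranges; none are real."""
    lines = []
    sources = [ipaddress.ip_address("192.0.2.0") + i for i in range(256)]
    sources += [ipaddress.ip_address("198.51.100.0") + i for i in range(44)]
    for s in sources:
        lines.append(f"2000-02-09T10:00:00 {s} 203.0.113.10 200")
    for _ in range(5):
        lines.append("2000-02-09T10:00:01 10.0.5.42 203.0.113.10 5000")
    lines.append("2000-02-09T10:00:02 10.0.1.1 203.0.113.20 30")
    lines.append("2000-02-09T10:00:02 10.0.1.2 203.0.113.21 12")
    lines.append("2000-02-09T10:00:03 192.0.2.200 10.0.1.1 40")
    return lines


if __name__ == "__main__":
    flows = [f for f in map(parse_flow, build_sample_flows()) if f]
    for dst, (n_src, pkts) in flood_targets(flows).items():
        print(f"flood target {dst}: {n_src} distinct sources, {pkts} packets")
    for (src, dst), pkts in suspected_agents(flows, "10.0.0.0/8").items():
        print(f"suspected agent {src}: {pkts} packets to {dst}")
```

Both checks work from traffic seen at a border router or flow collector rather than from host logs, which is the point the post makes about rootkitted systems: the agent host's own records cannot be trusted, but its packet counts on the wire can. In practice the victim-side threshold is applied per short window and compared against a baseline of normal distinct-source counts for that host.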
