Interesting People mailing list archives

IP: NIPC New Year's DDOS Advisory


From: Dave Farber <farber () cis upenn edu>
Date: Fri, 29 Dec 2000 17:11:21 -0500



~~ www.cybertelecom.org ~~

http://www.nipc.gov/warnings/advisories/2000/00-063.htm
ADVISORY 00-063

New Year's DDOS Advisory
December 28, 2000

Based on FBI investigations and other information, the NIPC advises
taking some extra precautions in computer security over the holiday
period to reduce the possibility of, or damage from, Distributed
Denial-of-Service (DDOS) and other cyber attacks which could occur.

The NIPC believes DDOS attacks could occur over the holiday. Several
security companies have cited the threat of DDOS attacks, and some have
taken place already. Double checking your network's firewall
configuration is one method of preventing or reducing the effects of a
DDOS attack. NIPC recommends the use of our "Find DDOS" utility to
determine if your network has been victimized by implanting of DDOS
Trojans including Trin00, Tribal Flood Net, TFN2K, MStream, Stacheldraht
and Trinity v3. (The tool can be downloaded from
http://www.nipc.gov/warnings/advisories/2000/00-44.htm ). System
administrators should also consider updating their virus
definitions daily and performing thorough scans for viruses and worms.
NT administrators should check for the presence of the SubSeven Trojan,
which would indicate that your system has been penetrated. SubSeven has
also specifically been associated with the proliferation of daemons used
in DDOS attacks. (see NIPC Advisory 00-056). Companies should also
consider having a contingency plan (including a point of contact with
the Internet service provider) and a response team prepared in case of
attack.

There are also a number of actions that every system administrator and
individual computer user can take to increase their computer security
against DDOS attacks, destructive viruses, and intrusions. The first is
to be aware of the problem. Do not open e-mail messages from unknown
senders. Second, do not open attachments, such as documents, screen
savers or pictures, that have been forwarded; these might contain
malicious software, and may have been sent without the consent of the
sender if it is a virus or Trojan Horse. Third, computer users should
verify that their virus definitions are current, and include protection
against such relatively new viruses as Navidad, MTX, Music, and Hybris.
Finally, if individual users of an organization's network are away on
vacation, ensure that they are logged out of the system. If a virus has
been known to hit a system, let users know before they log on and check
their e-mail.

Systems managers and security personnel can take the following steps to
minimize the potential risk during this time.

1. Ensure that full data and system backups are carried out before
   stopping work for the holiday weekend, with copies stored in an
   appropriately secure remote location wherever possible.
2. Verify that the latest security patches are applied to all systems
   to be left running over this period.
3. For Windows systems left running unattended, obtain and install the
   latest anti-virus signature files.
4. Where systems are not being operated, ensure that procedures are in
   place to obtain and install the latest anti-virus signature files
   before commencement of processing at the end of the holiday weekend.
5. Finally, a number of on-line resources can provide updates and
   advice on computer security issues.

DDOS exploits first gained the attention of computer security
professionals in Fall, 1999. The NIPC developed a tool to detect the
presence of some DDOS programs, and made this tool available to the
public in December 1999, in conjunction with issuing an alert to warn of
the threat of DDOS attack. In February 2000, DDOS attacks against
several prominent e-commerce sites gained national attention. Since that
time, new, more effective DDOS exploits have been developed and used,
though with less visibility and publicity. The NIPC has issued
advisories about these in February, May and October 2000. (NIPC
Advisories 00-035, 00-044, 00-055 and 00-056). Please refer to these
advisories, which can be found at www.nipc.gov/warnings/warnings.htm,
for more information.

Please report any illegal or malicious activities to your local FBI
office or the NIPC, and to your military or civilian computer incident
response group, as appropriate. Incidents may be reported online at
www.nipc.gov/incident/cirr.htm.

  >>> A Service of www.cybertelecom.org <<<



For archives see: http://www.interesting-people.org/

