Interesting People mailing list archives
IP: Recent Internet Attacks and Critical Infrastructure Protection
From: Dave Farber <farber () cis upenn edu>
Date: Fri, 11 Feb 2000 17:24:57 -0500
Date: Fri, 11 Feb 2000 17:07:55 -0500
To: update () cdt org
From: Jim Dempsey <jdempsey () cdt org>

Mike O'Neil and I have recently updated our memo on the Administration's critical infrastructure protection (CIP) initiative, to take account of the issuance of the National Plan for Information Systems Protection by the White House on January 7.

http://www.cdt.org/policy/terrorism/oneildempseymemo.html

Our memo concludes that the CIP plan relies too heavily on a monitoring system that threatens privacy and other civil liberties and gives too little priority to closing the known vulnerabilities and fundamental security flaws in computer systems. (Target date for establishment of the FIDNet monitoring system: October 2000. Target date for fixing "the most significant known vulnerabilities" in critical government computers: May 2003.) And the plan fails to answer many questions, especially about the role and responsibilities of the private sector, which owns and operates most of the computer-dependent critical infrastructures.

The Recent Attacks

CDT is concerned that the recent attacks will serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the openness and relative anonymity of the Internet. Already, we have seen suggestions from the Justice Department that legislation may be needed. Such a course is especially unjustified when there is so much to be done to improve Internet security that would have no negative implications for privacy. While denial of service is appropriately a crime, the recent attacks highlight a problem not soluble by criminal investigation and prosecution: basic system security has been ignored far too long.

In terms of developing policy responses, it is important to recognize that the recent distributed denial of service (DDOS) attack methods were well-known and widely reported before they were launched. Like most attacks, they exploited well-known system vulnerabilities. And, as with most attacks, there were diagnostic tools that would have allowed systems administrators to determine if their computers had been hijacked for DDOS purposes. The CERT at Carnegie Mellon issued a DDOS incident note on November 18, 1999, and an update on December 28, 1999 (see http://www.cert.org/incident_notes/IN-99-07.html). Apparently following CERT's lead, the FBI's NIPC issued alerts about these tools on December 6, 1999 and on December 30, 1999:

http://www.fbi.gov/pressrm/pressrel/pressrel99/prtrinoo.htm
http://www.fbi.gov/nipc/trinoo.htm

The timing of these announcements again raises the question of what should be the proper role of the FBI, if any, in vulnerability assessment and information sharing, given the already functioning, non-law enforcement CERTs such as the Carnegie Mellon one.

A quick search indicates that as early as July 22, 1999 CERT warned of denial of service attacks of the type seen earlier this week:

http://www.cert.org/incident_notes/IN-99-04.html

CERT's November 18, 1999, note was more detailed. As updated on December 28, the warning noted:

"We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

"We have seen distributed tools installed on hosts that have been compromised due to exploitation of known vulnerabilities. In particular, we have seen vulnerabilities in various RPC services exploited."

The warning specifically named the trinoo and Tribe Flood Network tools, noting, "These tools appear to be undergoing active development, testing, and deployment on the Internet," and went on to discuss solutions.

By the time of the FBI's second alert, the DDOS tools had also been reported by the media. The San Diego Tribune had the story on November 20. USA Today had it on December 7. I haven't attempted to identify all the warnings and reports.

From a policy perspective, the point is that these attacks used well-known vulnerabilities and well-known methods of attack. Invasive government measures are no substitute for the community effort needed to build better security.

Jim Dempsey
Center for Democracy and Technology
1634 I Street, NW Suite 1100
Washington DC, 20006
voice: 202.637.9800
fax: 202.637.0968
jdempsey () cdt org

Use Operation Opt-Out http://opt-out.cdt.org/
A single place to remove your name from profiling, marketing, and research databases.