IP: Recent Internet Attacks and Critical Infrastructure Protection

[Dave Farber <farber () cis upenn edu>]

> Date: Fri, 11 Feb 2000 17:07:55 -0500
> To: update () cdt org
> From: Jim Dempsey <jdempsey () cdt org>
>
>
> Mike O'Neil and I have recently updated our memo on the Administration's 
> critical infrastructure protection (CIP) initiative, to take account of 
> the issuance of the National Plan for Information Systems Protection by 
> the White House on January 7. 
> http://www.cdt.org/policy/terrorism/oneildempseymemo.html
>
> Our memo concludes that the CIP plan relies too heavily on a monitoring 
> system that threatens privacy and other civil liberties and gives too 
> little priority to closing the known vulnerabilities and fundamental 
> security flaws in computer systems.  (Target date for establishment of the 
> FIDNet monitoring system: October 2000.  Target date for fixing "the most 
> significant known vulnerabilities" in critical government computers: May 
> 2003.)  And the plan fails to answer many questions, especially about the 
> role and responsibilities of the private sector, which owns and operates 
> most of the computer-dependent critical infrastructures
>
> The Recent Attacks
>
> CDT is concerned that the recent attacks will serve as justification for 
> legislation or other government mandates that will be harmful to civil 
> liberties and the positive aspects of the openness and relative anonymity 
> of the Internet. Already, we have seen suggestions from the Justice 
> Department that legislation may be needed.  Such a course is especially 
> unjustified when there is so much to be done to improve Internet security 
> that would have no negative implications for privacy.
>
> While denial of service is appropriately a crime, the recent attacks 
> highlight  a problem not soluble by criminal investigation and 
> prosecution: basic system security has been ignored far too long.
>
> In terms of developing policy responses, it is important to recognize that 
> the recent distributed denial of service (DDOS) attack methods were 
> well-known and widely reported before they were launched.  Like most 
> attacks, they exploited well-known system vulnerabilities.  And, as with 
> most attacks, there were diagnostic tools that would have allowed systems 
> administrators to determine if their computers had been hijacked for DDOS 
> purposes.
>
> The CERT at Carnegie Mellon issued a DDOS incident note on November 18, 
> 1999, and an update on December 28, 1999 (see 
> http://www.cert.org/incident_notes/IN-99-07.html). Apparently following 
> CERT's lead, the FBI's NIPC issued alerts about these tools on December 6, 
> 1999 and on December 30, 1999
> http://www.fbi.gov/pressrm/pressrel/pressrel99/prtrinoo.htm;
> http://www.fbi.gov/nipc/trinoo.htm
>
> The timing of these announcements again raises the question of what should 
> be the proper role of the FBI, if any, in vulnerability assessment and 
> information sharing, given the already functioning, non-law enforcement 
> CERTs such as the Carnegie Mellon one.
>
> A quick search indicates that as early as July 22, 1999 CERT warned of 
> denial of service attacks of the type seen earlier this week: 
> http://www.cert.org/incident_notes/IN-99-04.html
>
> CERT's November 18, 1999, was more detailed.  As updated on December 28, 
> the warning noted: "We have received reports of intruders installing 
> distributed denial of service tools. Tools we have encountered utilize 
> distributed technology to create large networks of hosts capable of 
> launching large coordinated packet flooding denial of service attacks.
>
> "We have seen distributed tools installed on hosts that have been 
> compromised due to exploitation of known vulnerabilities. In particular, 
> we have seen vulnerabilities in various RPC services exploited."  The 
> warning specifically named the trinoo and Tribe Flood Network tools, 
> noting, "These tools appear to be undergoing active development, testing, 
> and deployment on the Internet," and went on to discuss solutions.
>
> By the time of the FBI's second alert, the DDOS tools had also been 
> reported by the media.  The San Diego Tribune had the story on November 
> 20. USA Today had it on December 7.
>
> I haven't attempted to identify all the warnings and reports.  From a 
> policy perspective, the point is that these attacks used well-known 
> vulnerabilities and well-known methods of attack.  Invasive government 
> measures are no substitute for the community effort needed to build better 
> security.
>
>
>
>
>
> Jim Dempsey
>
> Center for Democracy and Technology
> 1634 I Street, NW Suite 1100
> Washington DC, 20006
> voice: 202.637.9800      fax: 202.637.0968
> jdempsey () cdt org
>
> Use Operation Opt-Out http://opt-out.cdt.org/
> A single place to remove your name
> from profiling, marketing, and research databases.