RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
I don't agree with Pascal that this is a filtering problem analogous to
smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
any unique vulnerability directly. It's presence is entirely predicated
on the existence of at least one other, easily exploited vulnerability.
>From the perspective of the system owner, this is just one of several
backdoors that could be installed. Seems to me that the presence of a
known backdoor package should be considered a vulnerability (or at least
I'm really torn on whether or not to split them out, though. My
inclination is to group master and slave by package; i.e., trinoo
master/slave, tfn master/slave, etc.
Scott Blake firstname.lastname@example.org
Security Program Manager +1-508-485-7737 x218
BindView Corporation Cell: +1-508-353-0269
>Reference: ISS:20000209 Denial of Service Attack using the TFN2K
>and Stacheldraht programs
>Reference: BUGTRAQ:19991206 Analysis of trin00
>Reference: BUGTRAQ:19991206 Analysis of Tribe Flood Network
>Reference: BUGTRAQ:19991229 Analysis of "stacheldraht"
>Reference: BUGTRAQ:20000211 DDOS Attack Mitigation
>Reference: BUGTRAQ:20000211 TFN2K - An Analysis
>Reference: BUGTRAQ:20000211 A DDOS proposal.
>A system has a distributed denial of service (DDOS) attack master or
>agent installed, such as Trinoo, Tribal Flood Network (TFN), Tribal
>Flood Network 2000 (TFN2K), or stacheldraht.