[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)

Scott, you are assuming that the people who have the tools installed
are unwilling.  Let's say theoretically speaking that there is an
underground hacker group (or student association) who is hooked up to
DSL lines (like in university residences) and who thinks that it
would be "cool" to form an "army".  How about a popular civil
movement protesting something, like the WTO last summer?  I think
some people would voluntarily "enlist" their computers in a cause
that would use DDoS attacks.  The rootkit analogy does not hold, yet
the DDoS attacks could be just as effective.  However, if the
university or ISPs implemented egress filtering, the DDoS attacks
could be easily stopped because the people could be held accountable.
The crux of the matter is the anonymity provided by IP spoofing.

You are correct that in most cases, having a DDoS tool installed on
your system is an exposure like rootkit.  Maybe that deserves a CVE
entry.  However, I think that does not capture the nature of the
DDoS, and that an entry about egress filtering is of utmost
importance because it patches a fundamental vulnerability of IPv4.

At 8:18 AM -0500 2/16/2000, Scott Blake wrote:
>I don't agree with Pascal that this is a filtering problem analogous to
>smurf.  Rootkit is a better analogy.  The DDoS software doesn't exploit
>any unique vulnerability directly.  It's presence is entirely predicated
>on the existence of at least one other, easily exploited vulnerability.
>>From the perspective of the system owner, this is just one of several
>backdoors that could be installed.  Seems to me that the presence of a
>known backdoor package should be considered a vulnerability (or at least
>an exposure).
>I'm really torn on whether or not to split them out, though.  My
>inclination is to group master and slave by package; i.e., trinoo
>master/slave, tfn master/slave, etc.

Page Last Updated: May 22, 2007