[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- To: <cve-editorial-board-list@lists.mitre.org>
- Subject: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- From: Pascal Meunier <pmeunier@purdue.edu>
- Date: Wed, 16 Feb 2000 09:28:35 -0500
- Delivery-Date: Wed Feb 16 09:32:48 2000
- In-Reply-To: <000801bf7880$53a4a7b0$eb85e9c0@blackship.bos.bindview.com>
- References: <000801bf7880$53a4a7b0$eb85e9c0@blackship.bos.bindview.com>
- Sender: owner-cve-editorial-board-list@lists.mitre.org
Scott, you are assuming that the people who have the tools installed are unwilling. Let's say theoretically speaking that there is an underground hacker group (or student association) who is hooked up to DSL lines (like in university residences) and who thinks that it would be "cool" to form an "army". How about a popular civil movement protesting something, like the WTO last summer? I think some people would voluntarily "enlist" their computers in a cause that would use DDoS attacks. The rootkit analogy does not hold, yet the DDoS attacks could be just as effective. However, if the university or ISPs implemented egress filtering, the DDoS attacks could be easily stopped because the people could be held accountable. The crux of the matter is the anonymity provided by IP spoofing. You are correct that in most cases, having a DDoS tool installed on your system is an exposure like rootkit. Maybe that deserves a CVE entry. However, I think that does not capture the nature of the DDoS, and that an entry about egress filtering is of utmost importance because it patches a fundamental vulnerability of IPv4. At 8:18 AM -0500 2/16/2000, Scott Blake wrote: >I don't agree with Pascal that this is a filtering problem analogous to >smurf. Rootkit is a better analogy. The DDoS software doesn't exploit >any unique vulnerability directly. It's presence is entirely predicated >on the existence of at least one other, easily exploited vulnerability. >>From the perspective of the system owner, this is just one of several >backdoors that could be installed. Seems to me that the presence of a >known backdoor package should be considered a vulnerability (or at least >an exposure). > >I'm really torn on whether or not to split them out, though. My >inclination is to group master and slave by package; i.e., trinoo >master/slave, tfn master/slave, etc. > >REVIEWING
- Follow-Ups:
- RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- From: "Scott Blake" <blake@BOS.BINDVIEW.COM>
- Re: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- From: Aleph One <aleph1@underground.org>
- RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- References:
- RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- From: "Scott Blake" <blake@BOS.BINDVIEW.COM>
- RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- Prev by Date: DDoS as a VPN Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- Next by Date: RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- Prev by thread: RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- Next by thread: RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
- Index(es):
