RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
Excellent response, Pascal, thanks. I hadn't thought of people volunteering,
but that's certainly a plausible scenario. Part of my motivation/thinking
was a desire to stay away from making this into only yet another use for
spoofed IP packets. I wholeheartedly agree that egress filtering is
essential, but am reluctant to single out the recent DDoS events as the
reason for it. I'd prefer to split out egress filtering as a separate CVE
entry (on the theory that not using egress filtering constitutes an
exposure -- at least to liability), rather than tying it to these entries.

-----
Scott Blake                        blake@bos.bindview.com
Security Program Manager           +1-508-485-7737 x218
BindView Corporation               Cell: +1-508-353-0269

>-----Original Message-----
>From: owner-cve-editorial-board-list@lists.mitre.org
>[mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
>Pascal Meunier
>Sent: Wednesday, February 16, 2000 9:29 AM
>To: cve-editorial-board-list@lists.mitre.org
>Subject: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
>
>
>Scott, you are assuming that the people who have the tools installed
>are unwilling. Let's say, theoretically speaking, that there is an
>underground hacker group (or student association) who is hooked up to
>DSL lines (like in university residences) and who thinks that it
>would be "cool" to form an "army". How about a popular civil
>movement protesting something, like the WTO last summer? I think
>some people would voluntarily "enlist" their computers in a cause
>that would use DDoS attacks. The rootkit analogy does not hold, yet
>the DDoS attacks could be just as effective. However, if the
>university or ISPs implemented egress filtering, the DDoS attacks
>could be easily stopped because the people could be held accountable.
>The crux of the matter is the anonymity provided by IP spoofing.
>
>You are correct that in most cases, having a DDoS tool installed on
>your system is an exposure like rootkit. Maybe that deserves a CVE
>entry. However, I think that does not capture the nature of the
>DDoS, and that an entry about egress filtering is of utmost
>importance because it patches a fundamental vulnerability of IPv4.
>
>
>At 8:18 AM -0500 2/16/2000, Scott Blake wrote:
>>I don't agree with Pascal that this is a filtering problem analogous to
>>smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
>>any unique vulnerability directly. Its presence is entirely predicated
>>on the existence of at least one other, easily exploited vulnerability.
>>From the perspective of the system owner, this is just one of several
>>backdoors that could be installed. Seems to me that the presence of a
>>known backdoor package should be considered a vulnerability (or at least
>>an exposure).
>>
>>I'm really torn on whether or not to split them out, though. My
>>inclination is to group master and slave by package; i.e., trinoo
>>master/slave, tfn master/slave, etc.
>>
>>REVIEWING
>
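The egress filtering both messages argue about is simple to state: a border router forwards an outbound packet only if its source address belongs to the network behind that border, so a host cannot emit packets that claim to come from somewhere else. The example below is added here to make that mechanism concrete; it is not code from the list thread or from either author. It assumes two hypothetical address blocks for the campus/ISP and a handful of constructed outbound packets, and it shows the point Pascal makes about volunteers: a flood sent from a real, assigned address is not blocked, but it is attributable.

```python
"""Egress source-address filter (the BCP 38 style filtering discussed in
the thread), written as an added illustration, not the thread's own code.

Assumptions (mine, not the thread's): the network behind the border owns
ASSIGNED_PREFIXES below, and SAMPLE_PACKETS is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical prefixes assigned to the network whose border we filter.
# Both are RFC 5737 documentation ranges, chosen so the example is inert.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def source_is_legitimate(src, prefixes=ASSIGNED_PREFIXES):
    """True if src is an address this border is entitled to originate.

    Rejects malformed addresses and sources that should never appear on an
    outbound packet (unspecified, loopback, multicast), then requires the
    address to fall inside one of the assigned prefixes.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return False
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Split outbound packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_is_legitimate(p.src, prefixes) else dropped).append(p)
    return forwarded, dropped


# Constructed sample traffic leaving the border toward one target host.
SAMPLE_PACKETS = [
    Packet("192.0.2.17", "203.0.113.9", "icmp-echo"),    # real host: passes, traceable
    Packet("10.99.3.4", "203.0.113.9", "udp"),           # spoofed: not an assigned prefix
    Packet("203.0.113.200", "203.0.113.9", "tcp-syn"),   # spoofed: address from target's net
    Packet("0.0.0.0", "203.0.113.9", "udp"),             # bogus source, dropped outright
    Packet("198.51.100.250", "203.0.113.9", "udp"),      # "volunteer" host: passes, traceable
]


def summarize(packets=SAMPLE_PACKETS):
    """Source addresses that the filter forwards and drops, in input order."""
    fwd, drop = egress_filter(packets)
    return {"forwarded": [p.src for p in fwd], "dropped": [p.src for p in drop]}


if __name__ == "__main__":
    print(summarize())
```

The filter does nothing about volume: the two packets that pass are still part of the flood. What it removes is the anonymity, which is exactly the property Pascal identifies as the crux and the reason the "unfiltered network as exposure" framing in Scott's reply is a separate concern from the presence of a trinoo or tfn agent on a host.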