Re: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
Both excellent points, however, I'd like to add that even if people
volunteer to host the tools, Trinoo and company allow the controlling
attacker to hide activities, which counts as an exposure under
On Wed, Feb 16, 2000 at 10:42:48AM -0500, Scott Blake wrote:
| Excellent response, Pascal, thanks. I hadn't thought of people
| volunteering, but that's certainly a plausible scenario. Part of my
| motivation/thinking was a desire to stay away from making this into only
| yet another use for spoofed IP packets. I wholeheartedly agree that
| egress filtering is essential, but am reluctant to single out the recent DDoS
| events as the reason for it.
| I'd prefer to split out egress filtering as a separate CVE entry (on the
| theory that not using egress filtering constitutes an exposure -- at least
| to liability), rather than tying it to these entries.
| Scott Blake firstname.lastname@example.org
| Security Program Manager +1-508-485-7737 x218
| BindView Corporation Cell: +1-508-353-0269
| >-----Original Message-----
| >From: email@example.com
| >[mailto:firstname.lastname@example.org]On Behalf Of
| >Pascal Meunier
| >Sent: Wednesday, February 16, 2000 9:29 AM
| >To: email@example.com
| >Subject: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
| >Scott, you are assuming that the people who have the tools installed
| >are unwilling. Let's say theoretically speaking that there is an
| >underground hacker group (or student association) who is hooked up to
| >DSL lines (like in university residences) and who thinks that it
| >would be "cool" to form an "army". How about a popular civil
| >movement protesting something, like the WTO last summer? I think
| >some people would voluntarily "enlist" their computers in a cause
| >that would use DDoS attacks. The rootkit analogy does not hold, yet
| >the DDoS attacks could be just as effective. However, if the
| >university or ISPs implemented egress filtering, the DDoS attacks
| >could be easily stopped because the people could be held accountable.
| >The crux of the matter is the anonymity provided by IP spoofing.
| >You are correct that in most cases, having a DDoS tool installed on
| >your system is an exposure like rootkit. Maybe that deserves a CVE
| >entry. However, I think that does not capture the nature of the
| >DDoS, and that an entry about egress filtering is of utmost
| >importance because it patches a fundamental vulnerability of IPv4.
| >At 8:18 AM -0500 2/16/2000, Scott Blake wrote:
| >>I don't agree with Pascal that this is a filtering problem analogous to
| >>smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
| >>any unique vulnerability directly. Its presence is entirely predicated
| >>on the existence of at least one other, easily exploited vulnerability.
| >>From the perspective of the system owner, this is just one of several
| >>backdoors that could be installed. Seems to me that the presence of a
| >>known backdoor package should be considered a vulnerability (or at least
| >>an exposure).
| >>I'm really torn on whether or not to split them out, though. My
| >>inclination is to group master and slave by package; i.e., trinoo
| >>master/slave, tfn master/slave, etc.
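The thread keeps coming back to one mechanism: egress filtering at the edge of a campus or ISP network drops outbound packets whose source address is not one the site actually owns, so a spoofed flood from a trinoo/TFN agent (or a volunteer "enlisted" host) never leaves, and the port it arrived on identifies the culprit. The following is an added illustration of that RFC 2827 style check, not code from this list or from any of the people quoted above. The site prefixes (203.0.113.0/24, 2001:db8:1::/48), the sample packets and the port names are constructed for the example; the Cisco-style ACL rendering is only a text template of the familiar `access-list ... permit/deny` form.

```python
"""Egress (anti-spoofing) filter in the spirit of RFC 2827 / BCP 38.

Added example: decides, per outbound packet, whether its source address
belongs to the site's own address space, drops everything else, and
tallies drops by ingress port so the spoofing host can be held to account.
"""
import ipaddress
from collections import Counter

# Hypothetical: the prefixes this campus/ISP has been assigned.
SITE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample traffic seen at the border router, as
# (source_ip, destination_ip, ingress_port).  Packets 2, 4 and 6 carry
# forged sources of the kind a trinoo/TFN agent would emit.
SAMPLE_PACKETS = [
    ("203.0.113.10",     "198.51.100.5",  "dorm-3-port-7"),   # legitimate
    ("192.0.2.77",       "198.51.100.5",  "dorm-3-port-7"),   # spoofed
    ("203.0.113.44",     "198.51.100.5",  "dorm-3-port-9"),   # legitimate
    ("10.0.0.1",         "198.51.100.5",  "dorm-3-port-7"),   # spoofed (RFC 1918)
    ("2001:db8:1::5",    "2001:db8:9::1", "lab-port-2"),      # legitimate
    ("2001:db8:ffff::1", "2001:db8:9::1", "lab-port-2"),      # spoofed
]


def egress_verdict(src, prefixes=SITE_PREFIXES):
    """'permit' if src lies inside one of the site's prefixes, else 'deny'."""
    addr = ipaddress.ip_address(src)
    return "permit" if any(addr in p for p in prefixes) else "deny"


def filter_outbound(packets, prefixes=SITE_PREFIXES):
    """Split outbound packets into (forwarded, dropped) by source address."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if egress_verdict(pkt[0], prefixes) == "permit" else dropped
        target.append(pkt)
    return forwarded, dropped


def offending_ports(dropped):
    """Count drops by the port they arrived on.  The forged source address
    is useless for attribution, but the physical/subscriber port is not:
    this is the accountability the thread says egress filtering provides."""
    return Counter(pkt[2] for pkt in dropped)


def render_cisco_acl(prefixes=SITE_PREFIXES, number=101):
    """Render the same policy as a classic numbered IPv4 access list
    (wildcard mask = host mask), with a logging deny at the end so that
    attempts to spoof are recorded.  IPv6 prefixes use a different ACL
    syntax and are skipped here."""
    lines = []
    for p in prefixes:
        if p.version == 4:
            lines.append(f"access-list {number} permit ip "
                         f"{p.network_address} {p.hostmask} any")
    lines.append(f"access-list {number} deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    fwd, drp = filter_outbound(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for port, n in offending_ports(drp).items():
        print(f"  {port}: {n} spoofed packet(s)")
    print(render_cisco_acl())
```

Applied at the outbound interface (facing the upstream), the deny line with `log` is what turns an anonymous flood into a ticket against a specific dorm port; applied by the upstream provider on the customer-facing interface, the same rule set is the ingress filter that catches sites which did not do this themselves.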