
RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)

I don't agree with Pascal that this is a filtering problem analogous to
smurf.  Rootkit is a better analogy.  The DDoS software doesn't exploit
any unique vulnerability directly.  Its presence is entirely predicated
on the existence of at least one other, easily exploited vulnerability.
From the perspective of the system owner, this is just one of several
backdoors that could be installed.  Seems to me that the presence of a
known backdoor package should be considered a vulnerability (or at least
an exposure).

I'm really torn on whether or not to split them out, though.  My
inclination is to group master and slave by package; i.e., trinoo
master/slave, tfn master/slave, etc.


Scott Blake                                   blake@bos.bindview.com
Security Program Manager                        +1-508-485-7737 x218
BindView Corporation                           Cell: +1-508-353-0269

>Candidate: CAN-2000-0138
>Proposed: 20000215
>Assigned: 20000209
>Category: MP
>Reference: CERT:CA-2000-01
>Reference: CERT:IN-99-04
>Reference: SUN:00193
>Reference: ISS:20000209 Denial of Service Attack using the TFN2K
>and Stacheldraht programs
>Reference: BUGTRAQ:19991206 Analysis of trin00
>Reference: BUGTRAQ:19991206 Analysis of Tribe Flood Network
>Reference: BUGTRAQ:19991229 Analysis of "stacheldraht"
>Reference: BUGTRAQ:20000211 DDOS Attack Mitigation
>Reference: BUGTRAQ:20000211 TFN2K - An Analysis
>Reference: BUGTRAQ:20000211 A DDOS proposal.
>A system has a distributed denial of service (DDOS) attack master or
>agent installed, such as Trinoo, Tribal Flood Network (TFN), Tribal
>Flood Network 2000 (TFN2K), or stacheldraht.

Page Last Updated or Reviewed: May 22, 2007