FW: Denial of Service (DoS) Attacks

Allen Mullen amullen at tsl.state.tx.us
Thu Feb 10 15:20:32 EST 2000 

Hi folks, 

Since library web servers (along with others) could potentially be used as
bases for DoS attacks, I thought I'd forward this alert from our state
Department of Information Resources.  There are links to some tools that can
assist you to ensure your servers are clean.

     Allen Mullen - Developer, Networked Services
     Texas State Library and Archives Commission
     Library Resource Sharing
     512/463-5534 (voice)         512/936-2306 (fax)
                     allen.mullen at tsl.state.tx.us
         Take the TRAIL to Texas state government information
        




-----Original Message-----
From: Nena Young [mailto:nena.young at dir.state.tx.us] 
Sent: Thursday, February 10, 2000 1:54 PM
To: irapc at lists.state.tx.us; peso-wg at lists.state.tx.us
Cc: carolyn.purcell at dir.state.tx.us
Subject: Denial of Service (DoS) Attacks


Because of the recent publicity on the DoS attacks to major web sites, I
thought
I might share some info with you on DoS attacks.  I want to keep this brief.

However, if you need to get more in-depth, I've listed some resources at the
bottom.  

NIPC has suggested that one of the motives for these recent attacks may be
preparation for widespread DDoS attacks.  Trinoo (see alert sent to IRAP
list in
December) seems to be a major player here.  They are recommending that
everyone
"rapidly" look at their systems for any evidence of DDOS tools that may be
dormant there.  Some of the resources below will give you info on free DDOS
scanning software.  They are also asking anyone who finds any suspicious
activity report to local FBI Office.  I recommend you report to TxDPS
Computer
Crime Unit and let them handle it.

Tools being used: TFN, TFN2K, Trin00, Stacheldracht, variants.

DoS attacks mostly come in two flavors.

1.  Local attack.  
(Example, a program creates an infinite loop, makes lots of copies of
itself,
continues to open lots of files). 

Defense:
Find the program and kill it.

Find the bad guys:
Standard forensics

2.  Network based attacks.
(Example, Tie up system resources, crash a system, flood a network)

Distributed DoS Attack.  This is network based attacks from many (maybe
hundreds) of attack servers used remotely to send packets.  (This is what
we've
been seeing in paper recently)

Defense:
Make sure all systems patches are up-to-date.  Make sure firewalls are
configured appropriately.  (Blocking packets with spoofed source addresses
will
also help you keep your network resources from being used to launch
attacks.)  

Find the bad guys:
These are not so easy to find.  Might be able to track down the source
address,
but most are false (spoofed) which makes forensics a tough, hard task.
"Needle
in haystack."

Best Defense:
Have a plan, be prepared, know what you will do and how you will respond and
recover.  

Sources:
http://www.sans.org/giac.htm
http://www.cert.org/incident_notes/IN-99-07.html
http://www.fbi.gov/nipc/trinoo.htm
http://www2.fedcirc.gov/advisories/FA-2000-01.html

More information about the Web4lib mailing list