RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
Excellent response, Pascal, thanks. I hadn't thought of people
volunteering, but that's certainly a plausible scenario. Part of my
motivation/thinking was a desire to stay away from making this into only
yet another use for spoofed IP packets. I wholeheartedly agree that
egress filtering is essential, but am reluctant to single out the recent DDoS
events as the reason for it.
I'd prefer to split out egress filtering as a separate CVE entry (on the
theory that not using egress filtering constitutes an exposure -- at least
to liability), rather than tying it to these entries.
Scott Blake firstname.lastname@example.org
Security Program Manager +1-508-485-7737 x218
BindView Corporation Cell: +1-508-353-0269
>[mailto:email@example.com]On Behalf Of
>Sent: Wednesday, February 16, 2000 9:29 AM
>Subject: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
>Scott, you are assuming that the people who have the tools installed
>are unwilling. Let's say theoretically speaking that there is an
>underground hacker group (or student association) who is hooked up to
>DSL lines (like in university residences) and who thinks that it
>would be "cool" to form an "army". How about a popular civil
>movement protesting something, like the WTO last summer? I think
>some people would voluntarily "enlist" their computers in a cause
>that would use DDoS attacks. The rootkit analogy does not hold, yet
>the DDoS attacks could be just as effective. However, if the
>university or ISPs implemented egress filtering, the DDoS attacks
>could be easily stopped because the people could be held accountable.
>The crux of the matter is the anonymity provided by IP spoofing.
>You are correct that in most cases, having a DDoS tool installed on
>your system is an exposure like rootkit. Maybe that deserves a CVE
>entry. However, I think that does not capture the nature of the
>DDoS, and that an entry about egress filtering is of utmost
>importance because it patches a fundamental vulnerability of IPv4.
>At 8:18 AM -0500 2/16/2000, Scott Blake wrote:
>>I don't agree with Pascal that this is a filtering problem analogous to
>>smurf. Rootkit is a better analogy. The DDoS software doesn't exploit
>>any unique vulnerability directly. Its presence is entirely predicated
>>on the existence of at least one other, easily exploited vulnerability.
>>From the perspective of the system owner, this is just one of several
>>backdoors that could be installed. Seems to me that the presence of a
>>known backdoor package should be considered a vulnerability (or at least
>>I'm really torn on whether or not to split them out, though. My
>>inclination is to group master and slave by package; i.e., trinoo
>>master/slave, tfn master/slave, etc.