RE: Your counsel on defeating DDOS Attacks
> -----Original Message-----
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> To comment on something that David LeBlanc suggested...
> >> c. Sun users should ensure that rpc traffic is allowed only from
> >>management systems.
> >I would not get into specific vendor actions here. We could make the
> >document very large if we get into details like this.
> In this particular case, I would disagree. Approximately half of the
> CERT advisories published in 1999 deal with serious vulnerabilities in
> RPC services. Most of the CERT activity summaries in the past year
> state that those vulnerabilities were being extensively exploited.
> The SANS GIAC reports indicate that attackers regularly attempt to
> access RPC services.
My reasoning here is that it is often recommended that someone restrict
ports 137-139 TCP and UDP for NT, and that there were a couple of commonly
exploited holes in IIS in the last year. If we're going to go into specific
actions to protect against common exploits exposed by the various vendors,
we could probably come up with a very long list. (<joke> didn't we just go
over 500 in the list? <g>)
I agree with you that RPC has historically been and remains a popular way of
compromising many UNIX machines, but I'd advise against getting into vendor
specifics in this particular document. I also know that it is currently a
popular way to gain access used to install some of the DDoS tools, but
again, this could change very, very rapidly. For one thing, most of the
DDoS tools do not currently run on NT, but I've personally ported a lot of
UNIX code to NT, and I don't think there are any technical reasons that DDoS
tools cannot run on NT. Not that I plan on porting any of the attack
I'm also not sure it is fair to single out any one vendor in a document of
this type, and this could be just the problem of the day. My $0.02, and I
don't feel strongly enough about it to argue further - I think reasonable
people could easily come to different conclusions on this point.