LINUX SECURITY --- November 21, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
--------------------------------------------------------------------------------

HIGHLIGHTS

* DDOS attacks may drop down everyone's chimney this holiday season, making security everybody's job, not just the system administrator's

--------------------------------------------------------------------------------

Christmas Hack and Security Negligence
By Rick Johnson

Yes, the holidays are fast approaching. Turkey, mistletoe and DDOS attacks. It is that time of the year again. The Internet Security Systems (ISS) X-Force team has issued a release warning that certain unscrupulous groups on the Internet are planning online attacks roughly around Christmas. The attacks, if they actually occur, will take the form of distributed denial of service (DDOS) events. Once started, they have the potential to effectively shut down virtually any Web site on the Internet. A few of the most popular tools for this attack are known as "Trinoo," "Stacheldraht" and "TFN2K." However, others are frequently showing up on the scene.

While site administrators can't do much to prevent these attacks from starting, they are not completely helpless. Talking with those prepared for such an attack (or who have even been a victim) uncovers a common thread of preventative measures. The most important measure is knowing the average activity and limitations of your network and server farm. With a documented load and traffic history, your Emergency Response Team (you do have one, right?) can quickly identify unreasonable variances in the standard operating environment. After that, forming an alliance with your upstream provider (always a good practice) is especially helpful in the event of a DDOS attack.
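The baseline-and-variance check the paragraph above recommends, as an added example that is not part of the original newsletter: it forms a baseline from a constructed traffic history (requests per minute) and flags live intervals that depart unreasonably from it. The function names, thresholds and sample numbers are my assumptions, not anything from the article.

```python
# Added example: detect unreasonable variance from a documented traffic
# baseline. Counts below are constructed; real ones would come from web
# server or router counters sampled at a fixed interval.
from statistics import mean, pstdev

# Constructed "documented traffic history": requests per minute on a
# typical day for this server farm.
HISTORY = [410, 395, 430, 445, 402, 415, 470, 388, 420, 405, 398, 433]

# Constructed live samples: a few normal minutes, then a surge of the
# kind a flood would produce.
LIVE = [418, 425, 440, 1900, 3100, 4200]


def baseline(history):
    """Mean and population standard deviation of the historical counts."""
    if len(history) < 2:
        raise ValueError("need at least two samples to form a baseline")
    return mean(history), pstdev(history)


def zscore(value, mu, sigma):
    """How many standard deviations `value` lies from the baseline mean."""
    if sigma == 0:  # flat history: any change at all is a full departure
        return float("inf") if value != mu else 0.0
    return (value - mu) / sigma


def flag_variances(live, history, threshold=3.0, ratio=2.0):
    """Return (index, count, z) for each live sample that is more than
    `threshold` sigmas above baseline AND at least `ratio` times the mean.
    The ratio guard keeps a very quiet history from flagging normal noise."""
    mu, sigma = baseline(history)
    flagged = []
    for i, count in enumerate(live):
        z = zscore(count, mu, sigma)
        if z > threshold and count >= ratio * mu:
            flagged.append((i, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    mu, sigma = baseline(HISTORY)
    print(f"baseline: mean={mu:.1f} rpm, sigma={sigma:.1f}")
    for i, count, z in flag_variances(LIVE, HISTORY):
        print(f"minute {i}: {count} rpm, {z} sigma above baseline "
              f"-> escalate to the response team and upstream provider")
```

Tune the sampling interval and thresholds to your own recorded history; the point is that the comparison is against your documented normal, not a guess.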
The upstream provider, with their ability to deny traffic, will be an invaluable ally in defending against offending hosts and in contacting the providers who own the attacking networks.

Once the first party crasher of the holiday season arrives, a larger question begs to be answered: How does it happen? The media supplies us images of a server farm controlled by a lunatic hovering over the doomsday button, but the real answer is even worse. In reality, many lunatics exist with multiple, independent servers spread throughout the world. Worse yet, these servers are owned by your average system administrator or even a newbie.

Once again, I blame not the criminal, for they will always be there, but instead the "victim" as the root cause. Despite hearing the warnings about applying security patches, they still neglect their responsibility to the rest of the Internet community. Sure, maybe they never heard of updates, but ignorance is no excuse. With Linux becoming the "project of choice" for computer geeks and copies of the OS verging on inclusion in your box of cereal, it is inevitable that vulnerable systems will keep going live.

Frankly, I have quit expecting people to grasp the concept of security on their own. If I find a vulnerable server during my daily adventures, I take the time to email the owner or their provider, recommend the appropriate actions, and suggest an avenue for receiving update information. Granted, helping one user in the community isn't much, but imagine if we all did the same?

About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
--------------------------------------------------------------------------------

ADDITIONAL RESOURCES

Internet Security Systems
http://www.iss.net/index.php

Battling a DDoS attack
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,,1_2338.html

When DDoS attacks become IRCsome
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,,1_2827.html

Trinity DDoS attack tool uses relay chat; Linux zombies said to be sited
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_2405,00.html

University researcher traces response to DDOS attacks
http://www.itworld.com/jsw/linsec_nl/swol-08-2000/swol-0822-ddos.html

--------------------------------------------------------------------------------