LINUX SECURITY --- September 19, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Denial of service attacks are nothing new, but this time Linux is
taking the heat
*********************************************************************
The Latest in DDoS
by Rick Johnson
The dreaded DDoS. It seems that every few weeks, the media buzzes with
tales of a new Distributed Denial of Service attack looming on the
horizon. The "Tribal Flood Network" (TFN) tool behind the attacks on
sites such as Yahoo and eBay is nothing new. TFN allows a single
attacker to control a multitude of compromised computers remotely,
using them to flood unsuspecting networks. However, this time the
warnings point towards Linux, not Windows.
The CERT Incident report states that the majority of compromised hosts
involved in this activity are running Red Hat Linux. Insecure default
configurations in some versions have contributed to the widespread
success of these attacks. In one incident, CERT recorded over 560 hosts
at 220 Internet sites around the world as being part of a single Tribal
Flood Network.
Sites involved in related incidents are finding hosts compromised
through one of two vulnerabilities, in rpc.statd and in wu-ftpd. In
several cases, hundreds of compromised hosts have been involved in
single incidents. Intruders appear to be using automated tools to probe
for and exploit vulnerable hosts on a widespread scale. In many cases,
sites report receiving exploit attempts against both rpc.statd and
wu-ftpd immediately after being probed. Evidence also suggests that
intruders may be developing worm-like attack tools based on
exploitation of rpc.statd and wu-ftpd.
Worse yet, the holes used to exploit these systems are nothing new. The
following CERT advisories were issued as far back as July:
* CA-2000-17: Input Validation Problem in rpc.statd
  http://www.cert.org/advisories/CA-2000-17.html
* CA-2000-13: Two Input Validation Problems in FTPD
  http://www.cert.org/advisories/CA-2000-13.html
Once the server is compromised and a rootkit installed, the Tribal Flood
kit loads -- bringing this system into the fold of soldiers waiting to
awaken and enter the war. Please read the full text of the incident
report (http://www.cert.org/incident_notes/IN-2000-10.html) for details.
Now, I am not blaming Red Hat. While they could do more to ensure the
security of a default configuration, they are not at fault. The blame
rests on the many system administrators and "amateurs" who installed
Linux servers and have paid little attention to the continued security
of that equipment. Unfortunately, because Red Hat is the most popular
distribution for beginners, it often becomes the most neglected and,
therefore, the most exploited.
Even without special intrusion detection tools, it takes only a minimal
amount of effort to protect a server from this sort of attack. Just
keeping current with the updates for your distribution will put you
ahead of the pack. Remember, with proper care and feeding, your Linux
server can live a long and healthy life.
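As an added example (not code from this newsletter, from CERT, or from
Red Hat), here is a small audit script that checks a host for the two
services the incident note says were being exploited: rpc.statd, which
registers with the portmapper as RPC program 100024 and appears in
"rpcinfo -p" output as "status", and an FTP daemon such as wu-ftpd
listening on TCP port 21. It reads saved "rpcinfo -p" and "netstat -tln"
output from files, so it can be run against output collected from
several machines. The sample output embedded in the script is
constructed to resemble a Red Hat 6.x box with both services running;
it was not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original newsletter. Audits a Linux
# host for rpc.statd (RPC program 100024, listed as "status" by
# rpcinfo -p) and an FTP daemon listening on tcp/21, the two services
# named in CERT advisories CA-2000-17 and CA-2000-13.

# audit_services RPCINFO_FILE NETSTAT_FILE
# Prints one finding per line, or "ok" when neither service is exposed.
audit_services() {
    awk '
        # rpcinfo -p lines look like:  "   100024    1   udp   1024  status"
        FILENAME == ARGV[1] && $1 == "100024" { statd = 1 }
        # netstat -tln lines look like: "tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN"
        FILENAME == ARGV[2] && $NF == "LISTEN" && $4 ~ /:21$/ { ftp = 1 }
        END {
            if (statd) print "rpc.statd (RPC program 100024) is registered with the portmapper"
            if (ftp)   print "an FTP daemon is listening on tcp/21"
            if (!statd && !ftp) print "ok"
        }' "$1" "$2"
}

# write_samples RPCINFO_FILE NETSTAT_FILE
# Writes constructed sample output (not from a real machine) for a host
# that has both rpc.statd and an FTP daemon exposed.
write_samples() {
    cat > "$1" <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
EOF
    cat > "$2" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
EOF
}

# Stand-alone run against the constructed sample.
tmpdir=$(mktemp -d)
write_samples "$tmpdir/rpcinfo.txt" "$tmpdir/netstat.txt"
echo "== audit of constructed sample (both services exposed) =="
audit_services "$tmpdir/rpcinfo.txt" "$tmpdir/netstat.txt"
rm -rf "$tmpdir"

# To audit the host you are logged in to, save live output and pass it in:
#   rpcinfo -p > /tmp/rpc.txt; netstat -tln > /tmp/net.txt
#   audit_services /tmp/rpc.txt /tmp/net.txt
```

Any finding means the service should either be turned off (if the
machine does not need NFS file locking or anonymous FTP) or be brought
up to the patched package versions in the advisories above; the script
only reports exposure, it does not check package versions.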
Resources
Undercover at Windows 2000 Expo
What vendors had to say about Linux
http://www.linuxworld.com/linuxworld/lw-2000-02/lw-02-win2000.html
DoS attacks: A problem of the information age
Q&A with security guru Dave Dittrich
http://sw.itworld.com/sunworldonline/swol-02-2000/swol-02-interview-ce2.html
Better described as denials of service than as hacks, the recent attacks
on Web sites will redefine how ecommerce is conducted
http://mithras.itworld.com/articles/hacker/Feat000214security02-ce.html
Sun says fixes in place to stop Solaris attacks
http://www.sunworld.com/sunworldonline/swol-01-2000/f_swol-01-sunspots.html#4
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************