IWS - The Information Warfare Site

ADVISORY 00-063

"New Year's DDoS Advisory"
December 28, 2000

Based on FBI investigations and other information, the NIPC advises taking some extra precautions in computer security over the holiday period to reduce the possibility of, or damage from, Distributed Denial-of-Service (DDoS) and other cyber attacks which could occur.

The NIPC believes DDoS attacks could occur over the holiday. Several security companies have cited the threat of DDoS attacks, and some have taken place already. Double-checking your network's firewall configuration is one method of preventing or reducing the effects of a DDoS attack. NIPC recommends the use of our "Find DDoS" utility to determine if your network has been victimized by the implanting of DDoS Trojans, including Trin00, Tribal Flood Net, TFN2K, MStream, Stacheldraht and Trinity v3. (The tool can be downloaded from http://www.nipc.gov/warnings/advisories/2000/00-44.htm). System administrators should also consider updating their virus definitions daily and performing thorough scans for viruses and worms. NT administrators should check for the presence of the SubSeven Trojan, which would indicate that your system has been penetrated. SubSeven has also specifically been associated with the proliferation of daemons used in DDoS attacks (see NIPC Advisory 00-056). Companies should also consider having a contingency plan (including a point of contact with the Internet service provider) and a response team prepared in case of attack.

There are also a number of actions that every system administrator and individual computer user can take to increase their computer security against DDoS attacks, destructive viruses, and intrusions. The first is to be aware of the problem. Do not open e-mail messages from unknown senders. Second, do not open attachments, such as documents, screen savers or pictures, that have been forwarded; these might contain malicious software, and may have been sent without the consent of the sender if it is a virus or Trojan Horse. Third, computer users should verify that their virus definitions are current, and include protection against such relatively new viruses as Navidad, MTX, Music, and Hybris. Finally, if individual users of an organization's network are away on vacation, ensure that they are logged out of the system. If a virus has been known to hit a system, let users know before they log on and check their e-mail.

Systems managers and security personnel can take the following steps to minimize the potential risk during this time.

  1. Ensure that full data and system backups are carried out before stopping work for the holiday weekend, with copies stored in an appropriately secure remote location wherever possible.
  2. Verify that the latest security patches are applied to all systems to be left running over this period.
  3. For Windows systems left running unattended, obtain and install the latest anti-virus signature files.
  4. Where systems are not being operated, ensure that procedures are in place to obtain and install the latest anti-virus signature files before commencement of processing at the end of the holiday weekend.
  5. Finally, a number of on-line resources can provide updates and advice on computer security issues.

DDoS exploits first gained the attention of computer security professionals in the fall of 1999. The NIPC developed a tool to detect the presence of some DDoS programs, and made this tool available to the public in December 1999, in conjunction with issuing an alert to warn of the threat of DDoS attack. In February 2000, DDoS attacks against several prominent e-commerce sites gained national attention. Since that time, new, more effective DDoS exploits have been developed and used, though with less visibility and publicity. The NIPC has issued advisories about these in February, May and October 2000 (NIPC Advisories 00-035, 00-044, 00-055 and 00-056). Please refer to these advisories, which can be found at www.nipc.gov/warnings/warnings.htm, for more information.

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate. Incidents may be reported online at www.nipc.gov/incident/cirr.htm.