"Reissue of Alert 99-029"
1. Beginning on February 07, 2000, a number of high-profile Denial of Service (DoS) attacks temporarily disabled significant electronic commerce Internet web sites. These cyber attacks targeted company sites such as yahoo.com, amazon.com, cnn.com, buy.com, ebay.com, stamps.com, exodus.com, etrade.com, and zdnet.com; the reported victims have apparently recovered from the attacks within a few hours. Public reporting cites coordinated, distributed denial of service (DDoS) attacks originating from multiple points on the Internet. The FBI is now investigating a number of these attacks; in view of these events the NIPC is reissuing its original alert describing the DDoS tools. Additional information can also be found on the NIPC web page at www.nipc.gov and at the Carnegie Mellon Computer Emergency Response Team Coordination Center (CERT/CC) web page at www.cert.org.
2. Beginning in the fall of 1999, the FBI/NIPC became aware of several instances where intruders installed distributed denial of service tools on various computer systems to create large networks of compromised hosts capable of launching significant coordinated packet flooding denial of service attacks. Installation was accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. These distributed denial of service tools include trinoo, Tribe Flood Network (TFN), TFN2K, and Stacheldraht, and have been found on civilian, university and U.S. government systems. The FBI continues to investigate many of these incidents and remains highly concerned about the scale and significance of this activity, for the following reasons:
A) Many of the compromised hosts are at universities or other sites with high-bandwidth Internet connections, representing a potentially significant threat to Internet traffic.
B) the known cases involve real and substantial financial loss.
C) the activity ties back to a significant number of domestic and overseas IP addresses.
D) the technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.
E) the tools appear to be undergoing active development, testing and deployment on the Internet.
F) the activity often stops once system owners start filtering for trinoo/TFN and related activity.
Possible motives for this malicious activity range from exploit demonstration to exploration or reconnaissance to preparation for widespread denial of service attacks. NIPC was concerned that these tools could have been prepared for employment during the Y2K period, and remains concerned that this activity could continue against other significant commercial, government or national sites.
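The filtering referred to in item F) above depends on recognizing the control traffic these tools use. The following script is an added illustration and is not part of the NIPC alert: the port numbers and the ICMP echo-reply command channel come from the public analyses of trinoo, TFN and Stacheldraht (the CERT/CC and Dave Dittrich write-ups), not from the alert text, and the flow-record layout and sample addresses are constructed for the example. It flags the known handler/agent ports, echo replies that no host requested (TFN and Stacheldraht carry commands in echo replies), and destinations receiving traffic from many distinct sources.

```python
"""Flag trinoo / TFN / Stacheldraht control traffic in simple flow records.

Added example, not code from the alert. Port numbers are taken from the
public analyses of the tools; agents are easily recompiled to other ports,
so a miss proves nothing, while a hit warrants looking at both endpoints.
"""
from collections import defaultdict

# (protocol, destination port) -> control channel it is known for
SIGNATURES = {
    ("udp", 27444): "trinoo master->daemon",
    ("udp", 31335): "trinoo daemon->master",
    ("tcp", 27665): "trinoo attacker->master",
    ("tcp", 16660): "stacheldraht client->handler",
    ("tcp", 65000): "stacheldraht handler->agent",
}

# Constructed record layout, one flow per line:
#   proto src dst sport dport   for tcp/udp
#   icmp  src dst type  code    for icmp
SAMPLE_FLOWS = """\
udp 203.0.113.4 192.0.2.10 1037 27444
udp 192.0.2.10 203.0.113.4 1038 31335
tcp 198.51.100.9 203.0.113.4 2231 27665
tcp 10.0.0.5 10.0.0.8 40123 80
icmp 10.0.0.8 10.0.0.5 8 0
icmp 10.0.0.5 10.0.0.8 0 0
icmp 192.0.2.10 203.0.113.4 0 0
tcp 198.51.100.9 203.0.113.4 2240 16660
udp 192.0.2.10 192.0.2.50 4001 53
udp 198.51.100.21 192.0.2.50 4002 53
udp 203.0.113.77 192.0.2.50 4003 53
"""


def parse_flow(line):
    """Parse one record into a dict, or return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    proto, src, dst, a, b = fields
    return {"proto": proto.lower(), "src": src, "dst": dst,
            "a": int(a), "b": int(b)}


def find_control_traffic(log_text):
    """Return (reason, line) for each flow matching a DDoS control pattern."""
    findings = []
    echo_requests = set()  # (requester, target) pairs seen so far
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        proto = flow["proto"]
        if proto in ("tcp", "udp"):
            label = SIGNATURES.get((proto, flow["b"]))  # b = destination port
            if label:
                findings.append((label, line))
        elif proto == "icmp":
            icmp_type = flow["a"]
            if icmp_type == 8:
                echo_requests.add((flow["src"], flow["dst"]))
            elif icmp_type == 0 and (flow["dst"], flow["src"]) not in echo_requests:
                # A reply nobody asked for is how TFN/Stacheldraht commands look.
                findings.append(("unsolicited ICMP echo reply (TFN/stacheldraht)", line))
    return findings


def flood_targets(log_text, min_sources=3):
    """Destinations receiving packets from at least min_sources distinct hosts."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow:
            sources[flow["dst"]].add(flow["src"])
    return sorted(d for d, s in sources.items() if len(s) >= min_sources)


if __name__ == "__main__":
    for reason, line in find_control_traffic(SAMPLE_FLOWS):
        print(f"{reason:45s} {line}")
    print("possible flood targets:", flood_targets(SAMPLE_FLOWS))
```

The fan-in check is deliberately crude: a busy web server also receives traffic from many sources, so treat it as a prompt to compare against the host's normal source count, not as a verdict on its own.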