SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ALERT (NIPC ALERT 00-034): RE-ISSUE OF NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ALERT (NIPC ALERT 99-029) ORIGINALLY ISSUED 12/6/99; 1. BEGINNING ON 7 FEBRUARY 2000, A NUMBER OF HIGH-PROFILE DENIAL OF SERVICE (DOS) ATTACKS TEMPORARILY DISABLED SIGNIFICANT ELECTRONIC COMMERCE INTERNET WEB SITES. THESE CYBER ATTACKS TARGETED COMPANIES SITES LIKE YAHOO.COM, AMAZON.COM, CNN.COM, BUY.COM, EBAY.COM, STAMPS.COM, EXODUS.COM, ETRADE.COM, AND ZDNET.COM; REPORTED VICTIMS HAVE APPARENTLY RECOVERED FROM THE ATTACKS WITHIN A FEW HOURS. PUBLIC REPORTING CITES COORDINATED, DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS ORIGINATING FROM MULTIPLE POINTS ON THE INTERNET. THE FBI IS NOW INVESTIGATING A NUMBER OF THESE ATTACKS; IN VIEW OF THESE EVENTS THE NIPC IS RE-ISSUING ITS ORIGINAL ALERT DESCRIBING THE DDOS EXPLOIT. ADDITIONAL INFORMATION CAN ALSO BE FOUND ON THE NIPC WEB PAGE AT WWW.NIPC.GOV AND AT THE CARNEGIE MELLON COMPUTER EMERGENCY RESPONSE TEAM COORDINATION CENTER (CERT/CC) WEB PAGE AT WWW.CERT.ORG. 2. BEGINNING IN THE FALL OF 1999, THE FBI/NIPC BECAME AWARE OF SEVERAL INSTANCES WHERE INTRUDERS INSTALLED DISTRIBUTED DENIAL OF SERVICE TOOLS ON VARIOUS COMPUTER SYSTEMS TO CREATE LARGE HOST NETWORKS CAPABLE OF LAUNCHING SIGNIFICANT COORDINATED PACKET FLOODING DENIAL OF SERVICE ATTACKS. INSTALLATION WAS ACCOMPLISHED PRIMARILY THROUGH COMPROMISES EXPLOITING KNOWN SUN RPC VULNERABILITIES. THESE MULTIPLE DENIAL OF SERVICE TOOLS INCLUDE TRIN00, TRIBE FLOOD NETWORK (OR TFN), TFN2K, AND STACHELDRAHT, AND WERE REPORTED ON DIFFERENT CIVILIAN, UNIVERSITY AND U.S. GOVERNMENT SYSTEMS. THE FBI CONTINUES INVESTIGATION OF MANY OF THESE INCIDENTS, AND WAS AND IS HIGHLY CONCERNED ABOUT THE SCALE AND SIGNIFICANCE OF THESE INCIDENTS, FOR THE FOLLOWING REASONS: A) MANY OF THE TARGETS ARE UNIVERSITIES OR OTHER SITES WITH HIGH BANDWIDTH INTERNET CONNECTIONS, REPRESENTING A POSSIBLY SIGNIFICANT THREAT TO INTERNET TRAFFIC. B) THE KNOWN CASES INVOLVE REAL AND SUBSTANTIAL FINANCIAL LOSS. C) THE ACTIVITY TIES BACK TO SIGNIFICANT NUMBERS AND LOCATIONS OF DOMESTIC AND OVERSEAS IP ADDRESSES. D) THE TECHNICAL VULNERABILITIES USED TO INSTALL THESE DENIAL OF SERVICE TOOLS ARE WIDESPREAD, WELL-KNOWN AND READILY ACCESSIBLE ON MOST NETWORKED SYSTEMS THROUGHOUT THE INTERNET. E) THE TOOLS APPEAR TO BE UNDERGOING ACTIVE DEVELOPMENT, TESTING AND DEPLOYMENT ON THE INTERNET. F) THE ACTIVITY OFTEN STOPS ONCE SYSTEM OWNERS START FILTERING FOR TRINOO/TFN AND RELATED ACTIVITY. POSSIBLE MOTIVES FOR THIS MALICIOUS ACTIVITY RANGE FROM EXPLOIT DEMONSTRATION, TO EXPLORATION OR RECONNAISSANCE, TO PREPARATION FOR WIDESPREAD DENIAL OF SERVICE ATTACKS. NIPC WAS CONCERNED THAT THESE TOOLS COULD HAVE BEEN PREPARED FOR EMPLOYMENT DURING THE Y2K PERIOD, AND REMAINS CONCERNED THIS ACTIVITY COULD CONTINUE TARGETING OTHER SIGNIFICANT COMMERCIAL, GOVERNMENT OR NATIONAL SITES 3. NIPC REQUESTS THAT ALL COMPUTER NETWORK OWNERS AND ORGANIZATIONS RAPIDLY EXAMINE THEIR SYSTEMS FOR EVIDENCE OF THESE DISTRIBUTED DENIAL OF SERVICE TOOLS, IN ORDER TO BE ABLE TO QUICKLY IMPLEMENT CORRECTIVE MEASURES (SPECIFIC TECHNICAL INSTRUCTIONS ARE AVAILABLE FROM CERT-CC, SANS, NIPC, OR OTHER SOURCES). THESE CHECKS SHOULD BE DONE TO BOTH CHECK AND CLEAR SYSTEMS OF TRINOO/TFN AND RELATED THREATS, AND TO SUPPORT LAW ENFORCEMENT EFFORTS INVESTIGATING THESE EXPLOITS. RECIPIENTS ARE ASKED TO REPORT SIGNIFICANT OR SUSPECTED CRIMINAL ACTIVITY TO THEIR LOCAL FBI OFFICE, NIPC WATCH/WARNING UNIT, COMPUTER EMERGENCY RESPONSE SUPPORT AND OTHER LAW ENFORCEMENT AGENCIES, AS APPROPRIATE. THE NIPC WATCH AND WARNING UNIT CAN BE REACHED AT (202) 323-3204/3205/3206, OR NIPC.WATCH@FBI.GOV. [1]Back to Advisories, Alerts and Warnings References 1. http://www.fbi.gov/nipc/nipcaaw.htm