SEARCH ZDNET







Solaris Denial Of Service Attacks On The Rise
By Steven J. Vaughan-Nichols, ZDNet
Jan 05, 2000

A new and deadlier style of denial of service attack is targeting government Internet sites.

During the last few months, at least several hundred Solaris systems have been infected with Trojan- horse programs using such programs as trinoo, the Tribe Flood Network (TFN), TFN2000 and/or stacheldraht (German for barbed wire). Once in place, these programs then launch coordinated denial of service (DoS) attacks from the infected systems, which overwhelm other sites with sheer traffic volume. Now, these attacks seem to be increasing.

Because of this, the Computer Emergency Response Team, the SANS Institute and the FBI's National Infrastructure Protection Center (NIPC) have all issued warnings about these attacks.

What Is A DoS Attack?

What exactly is a DoS attack? Unlike cracking, where the idea is to break into a system for information, DoS attacks don't try to break into anything, but instead simply "deny" anybody else from using the system. Think of it, as the phone salesman from hell tying up your phone line for hours and you won't be far off.

How bad are these attacks? According to Alan Paller, Director of Research for the SANS Institute an international community of system administrators and analysts, these attacks can deliver up to 2.4 billion packets in 10 minutes on a target site. That's more than enough to bury any system regardless of its security, traffic control or firewalls.

Paller explains, "There's nothing here is new in the attacks compontentry. What is new is the automation of all of parts of the process--its packaging and distribution." (SIC)

In the past, denial of service attacks came from one system attacking another making it relatively easy to block. These multiple-system, cooperative attacks, however, are much harder to stop.

While Paller says he believes that less than 1 percent of all Solaris systems on the Internet are infected, he also believes that the potential damage they can cause far outweighs the simple number of infected systems. That's because there are two victims from these new generation Trojan programs: the infected Solaris systems that deliver the denial of service attacks and the swamped target systems. For example, Paller tells of a hospital where an emergency room couldn't be used because some of its vital Solaris-controlled equipment was being used to deliver a DoS attack on another site.

Anatomy Of A Dual Attack

As Paller points out, it's important to understand that there are two sides of the Solaris DoS problems. On the one hand, there's the Trojan planting programs. These programs rapidly have been evolved from relatively simple programs like "trinoo," one of the first distributed denial of service tools, to the more recent and effective stacheldraht, to the latest of these nasties, TFT2000.

Regardless of the names, they all work the same. Using Solaris remote procedure call (RPC) security vulnerabilities, the Trojans crack their way in and establish themselves in Solaris systems and start spreading themselves to other Solaris systems. In this invasion stage, the Trojans don't do anything except plant more copies of themselves and their DoS attack programs.

Once established in a large number of systems-based on analysis of existing source code, this could be up to just over 1,000 Solaris boxes--the Trojans move on to stage two of their attack. In this phase, the Trojans' remote controller orders the DoS programs to make their host Solaris systems launch attacks on other Internet sites.

At this point, the Solaris systems are--to even a naive administrator--in trouble. Instead of doing normal work, they will be devoting their power to blasting another Internet site with one or more DoS attacks. The remote Trojan controller can take his pick on how to deliver his blow from such popular DoS attacks as SYN, ICMP and UDP floods.

The victims of such an attack really have no choice but to close their Internet connection down, possibly bring down their overloaded systems, and weather the DoS storm. Attempting to stay up during such an overwhelming network assault simply leads to system network failures.

Adding insult to injury, these attacks, unlike the vast majority of common computer security troubles, are under the remote control of the person who set the Trojan attack off in the first place. The Trojan controller can decide exactly how and when his chosen victims will be subjected to an attack. Because the most recent Trojans use encryption and other mechanisms to conceal their controller's trail it can be very difficult to determine who is behind a particular Trojan network and its attacks.

For the best current technical analysis of how the Trojans work, see David Dittrich's "The 'stacheldraht' distributed denial of service attack tool."

Counterattack

Security groups, like SANS, are working on methods of detected and defeating the Trojans. Sun also is hard at work on the problem, but it officials claim that the solution is already in hand.

According to a Sun spokesman, Sun believes "we have addressed the RPC vulnerabilities that have been identified by SANS. Sun takes security very seriously and we have issued the appropriate patches to take care of these problems."

These patches, along with other Solaris patches, can be found at SunSolve.

It is Sun's viewpoint that a properly patched Solaris system cannot be infected by the current generation of Trojans. If there are new variations out there, Sun officials say they want to know about them as soon as possible so that appropriate fixes can be issued.

In the meantime, Solaris administrators can check to see if they've already been infected using several different methods. The NIPC's find_ddosV2 runs on Solaris 2.5.1, 2.6, and Solaris 7 and can detect all known versions of the Trojan programs. Another similar program that also can scan multiple computers, instead of needing to be installed on each suspect system, is the just-released SickenScan.

In the meantime, firewall and intrusion detection systems software vendors are working on signature file defenses to attempted Trojan infections. Once created, these will be available as free program updates.

Once found on a Solaris box, Paller recommends that the system be taken off the network and a backup made immediately to preserve a record of the infection. Next, infected sites should inform NIPC and SANS. After that, administrators and integrators will need to restore the Solaris systems with a known good copy of the operating system and immediately upgrade it with the most recent Solaris security patches before placing it back on the Internet.

How Big a Deal Is It?

For the broader Internet, the latest Trojans bring up the ugly question of "cyber warfare." Officials at several government agencies, who spoke on the condition of anonymity, were willing to admit that some of their systems have been subject to these new style DoS attacks and that they've seen more of these attacks in the last few weeks.

Still, not everyone is convinced. Space Rogue, a principal at white hat hacker and computer security firm L0pht Heavy Industries, says that while, "I've seen a lot of hype and a lot of fear, uncertainty and doubt [about the reported rise of Solaris Trojan/DoS attacks], but no upsurge, really."

Additional reporting by Deborah Gage, Sm@rt Reseller

See Also:
The biggest computer bugs of 1999!
Security holes found in pension insurer
Sun sets Solaris 8 debut for February
Sun Boots Solaris on Itanium Hardware
Security holes will slow the growth of e-commerce
Sun Asks IBM To Preload Solaris
Solaris Integrators Revisited
Linux Meets Solaris

For magazine subscription savings, risk-free trial issues, newsletters, and more, click here!


Copyright (c) 1999 ZDNet. All rights reserved. Reproduction in whole or in part in any form or medium without express permission of ZDNet is prohibited. ZDNet and the ZDNet logo are trademarks of Ziff-Davis Publishing Company.