CERT-NL

| Author/Source | Teun Nijssen | Index | S-99-52 |
| Distribution | World | Page | 1 |
| Classification | External | Version | 1 |
| Subject | Denial-of-service: TFN2K and 'Mac attack' | Date | 29-Dec-99 |

By courtesy of CERT Coordination Center we received the following information.
CERT Coordination Center advisory CA-99-17 reports on two newly distributed tools, both designed to bring servers down by flooding them with more traffic than they can hope to handle: Tribe FloodNet 2K and a MAC traffic amplifier.
Like TFN, TFN2K is designed to launch coordinated denial-of-service attacks from many sources against one or more targets simultaneously.
It includes features designed specifically to make TFN2K traffic difficult to recognize and filter, to remotely execute commands, to obfuscate the true source of the traffic, to transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP, and features to confuse attempts to locate other nodes in a TFN2K network by sending "decoy" packets.
MacOS 9 can be abused by an intruder to generate a large volume of traffic directed at a victim in response to a small amount of traffic produced by an intruder. This allows an intruder to use MacOS 9 as a "traffic amplifier," and flood victims with traffic. According to [3], an intruder can use this asymmetry to "amplify" traffic by a factor of approximately 37.5, thus enabling an intruder with limited bandwidth to flood a much larger connection.
CERT-NL recommends reading the original advisory, so that you can recognise these events when the tools are used against your site.
Additional information regarding this vulnerability is given in the advisory.
The original advisory's URL is:
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: | cert-nl@surfnet.nl | ATTENDED REGULARLY ALL DAYS |
Phone: | +31 302 305 305 | BUSINESS HOURS ONLY |
Fax: | +31 302 305 329 | BUSINESS HOURS ONLY |
Snailmail: | SURFnet bv, Attn. CERT-NL, P.O. Box 19035, NL - 3501 DA UTRECHT, The Netherlands |
EMERGENCIES: 06 22 92 35 64 ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING
WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER.
CERT-NL WILL THEN CONTACT YOU.