mailing list archives
Re: Analysis of Tribe Flood Network
From: mixter () NEWYORKOFFICE COM (Mixter)
Date: Thu, 9 Dec 1999 06:20:23 +0100
I just wanted to tell you that 'trinoo' has been around for
more than half a year, originally developed by 'takeover / war'
groups on IRC to launch attacks against users and IRC servers.
Since trinoo was never published, I wrote TFN and made it publicly
available at some security sites, in hope to make some people aware
of the impact of 'distributed DoS'..
Although I haven't greatly worked on tfn after the public release myself,
a number of people/groups seem to have made private versions of it with
encryption and support for other operating systems and used it for
active denial of service.
The real big problem is the fact that so many systems are still compromisable
at root level with the most commonly used exploits (now I hear that even many
Internet2 machines are), and that some people still haven't realized that a
root compromise means *total control* over the systems hard- and software..
including denial of service, automated compromising of other machines, remote
eavesdropping, virtually everything you (or the intruder) can imagine..
In my opinion, it is not advisable to rely on IDS signatures only,
instead systematically secure machines before they are put on the net, and
closely examine machines where remote security holes were patched after
already being on the net for some time, because it is really a trivial
matter to change a lot of the behavior and strings which programs like
flood networks use, and this is obviously actively being done.
mixter () newyorkoffice com
From the SCO Security Page Alfred Huger (Dec 06)
w00giving #8] Solaris 2.7's snoop Aleph One (Dec 07)