Corrections to San Diego Union Tribune article
- There were over 100 Sun Solaris systems compromised at the UW
in August which are believed to be associated with trinoo/TFN
activity, but only 27 were still under the attacker's control
and were used in the attack on the University of Minnesota in
August (the rest had already been found, taken off the network,
and cleaned up).
- The "problem" with determining who is the "victim" and who is
the "attacker" is a function of the distributed denial of
service attacks being a two-phase attack. It all depends
on how you look at it:
- A large number of systems are first compromised to be
used as handlers and agents in a distributed network.
These are "victims" of remote root compromise, by an
"attacker" who breaks in to them. The ease
of compromising thousands of systems is the fundamental
problem with distributed attacks.
- Once a distributed DoS network has been set up, it is used
to attack one or more sites who are now "victims" of the
denial of service, and see the previously compromised
systems as the "attackers".
- The trinoo and TFN programs themselves only make efforts
to conceal communication between the attackers, the handler
systems, and the agent systems. On the computers that
are running the handlers and agents, standard "root
are used to conceal the attackers' login session,
running programs, files, and network
connections from the administrators of the systems. This is just
another part of the initial intrusions that set up
the distributed network and doesn't have anything directly
to do with trinoo or TFN.
Dave Dittrich <firstname.lastname@example.org>
Last modified: Fri Dec 24 13:36:43 1999