New Denial-Of-Service Tool Looms


Tuesday, September 5, 2000


A powerful new distributed denial-of-service tool, dubbed Trinity v3, has surfaced in more than 400 hosts, possibly threatening a new wave of denial-of-service attacks, according to Internet Security Systems Inc.'s X-Force research team. Trinity v3 is not a virus, so hackers have to break in and install the tool on the Linux system they wish to make a zombie for an attack. "Four hundred zombies is certainly enough to bring down a large E-commerce site, if they don't have the appropriate intrusion-detection tools in place," says X-Force director Chris Rouland.

Distributed denial-of-service attacks can bring down a network or Web site by flooding servers and targeting machines with more traffic than the systems can handle, essentially shutting out all valid requests to the systems. In February, a few big-name sites, including Amazon.com, Buy.com, eBay, and Yahoo, were shut down by denial-of-service tools similar to Trinity.

According to X-Force, Trinity is controlled by Internet Relay Chat, and in the version examined by X-Force, the agent binary is installed on a Linux system at /usr/lib/idle.so. When idle.so is started, it connects to an Undernet IRC server on port 6667. Since Trinity doesn't "listen" on any ports, it's difficult to detect the tool's activity unless system managers are looking for suspicious IRC traffic. According to X-Force, any system a Trinity agent resides on may be completely compromised.

More information can be found at http://xforce.iss.net/.

http://www.informationweek.com/story/IWK20000905S0006

-- Martin Thompson (mthom1927@aol.com), September 06, 2000
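
A host-side check for the two indicators named in the article (the agent file at /usr/lib/idle.so and an established outbound connection to port 6667), added here as an example; it is not part of the original post or of X-Force's tooling. It assumes a Linux host exposing /proc/net/tcp and covers IPv4 only; the function names are hypothetical and the sample table is constructed.

```python
import os

AGENT_PATH = "/usr/lib/idle.so"   # agent location reported by X-Force
IRC_PORT = 6667                   # IRC port the agent connects out to
TCP_ESTABLISHED = 0x01            # kernel state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (documentation addresses, not real data).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A0200C0:8F2C 076433C6:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A0200C0:0016 057100CB:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
"""


def decode_endpoint(field):
    """Turn 'AABBCCDD:PPPP' into ('a.b.c.d', port); address bytes are reversed,
    as printed on little-endian hosts such as x86."""
    addr_hex, port_hex = field.split(":")
    addr = ".".join(str(b) for b in reversed(bytes.fromhex(addr_hex)))
    return addr, int(port_hex, 16)


def outbound_irc(table_text, port=IRC_PORT):
    """Return established IPv4 connections whose remote port is `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10 or int(cols[3], 16) != TCP_ESTABLISHED:
            continue                                   # listeners and half-open sockets are ignored
        remote = decode_endpoint(cols[2])
        if remote[1] == port:
            hits.append({"local": decode_endpoint(cols[1]), "remote": remote, "inode": cols[9]})
    return hits


def agent_present(root="/", path=AGENT_PATH):
    """True if the reported agent path exists under `root` (a mounted image or '/')."""
    return os.path.lexists(os.path.join(root, path.lstrip("/")))


if __name__ == "__main__":
    source = "/proc/net/tcp"
    text = open(source).read() if os.path.exists(source) else SAMPLE_PROC_NET_TCP
    print("agent file present:", agent_present())
    for hit in outbound_irc(text):
        print("outbound IRC:", hit["local"], "->", hit["remote"], "socket inode", hit["inode"])
```

The socket inode in each hit can be matched against the `socket:[inode]` links under /proc/<pid>/fd to find the owning process. Because the article notes that a host carrying the agent may be completely compromised, results gathered on the host itself are best corroborated with firewall or flow logs collected elsewhere.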

