RE: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)

["Scott Blake" <blake@BOS.BINDVIEW.COM>]

Excellent response, Pascal, thanks.  I hadn't thought of people
volunteering, but that's certainly a plausible scenario.  Part of my
motivation/thinking was a desire to stay away from making this into only
yet another use for spoofed IP packets.  I wholeheartedly agree that
egress filtering essential, but am reluctant to single out the recent DDoS
events as the reason for it.

I'd prefer to split out egress filtering as a seperate CVE entry (on the
theory that not using egress filtering constitutes an exposure -- at least
to liability), rather than tying it to these entries.

-----
Scott Blake                                   blake@bos.bindview.com
Security Program Manager                        +1-508-485-7737 x218
BindView Corporation                           Cell: +1-508-353-0269


>-----Original Message-----
>From: owner-cve-editorial-board-list@lists.mitre.org
>[mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
>Pascal Meunier
>Sent: Wednesday, February 16, 2000 9:29 AM
>To: cve-editorial-board-list@lists.mitre.org
>Subject: Rootkit RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
>
>
>Scott, you are assuming that the people who have the tools installed
>are unwilling.  Let's say theoretically speaking that there is an
>underground hacker group (or student association) who is hooked up to
>DSL lines (like in university residences) and who thinks that it
>would be "cool" to form an "army".  How about a popular civil
>movement protesting something, like the WTO last summer?  I think
>some people would voluntarily "enlist" their computers in a cause
>that would use DDoS attacks.  The rootkit analogy does not hold, yet
>the DDoS attacks could be just as effective.  However, if the
>university or ISPs implemented egress filtering, the DDoS attacks
>could be easily stopped because the people could be held accountable.
>The crux of the matter is the anonymity provided by IP spoofing.
>
>You are correct that in most cases, having a DDoS tool installed on
>your system is an exposure like rootkit.  Maybe that deserves a CVE
>entry.  However, I think that does not capture the nature of the
>DDoS, and that an entry about egress filtering is of utmost
>importance because it patches a fundamental vulnerability of IPv4.
>
>
>At 8:18 AM -0500 2/16/2000, Scott Blake wrote:
>>I don't agree with Pascal that this is a filtering problem analogous to
>>smurf.  Rootkit is a better analogy.  The DDoS software doesn't exploit
>>any unique vulnerability directly.  It's presence is entirely predicated
>>on the existence of at least one other, easily exploited vulnerability.
>>>From the perspective of the system owner, this is just one of several
>>backdoors that could be installed.  Seems to me that the presence of a
>>known backdoor package should be considered a vulnerability (or at least
>>an exposure).
>>
>>I'm really torn on whether or not to split them out, though.  My
>>inclination is to group master and slave by package; i.e., trinoo
>>master/slave, tfn master/slave, etc.
>>
>>REVIEWING
>