Subject: IP: Recent Internet Attacks and Critical Infrastructure Protection
>Date: Fri, 11 Feb 2000 17:07:55 -0500
>To: update@cdt.org
>From: Jim Dempsey <jdempsey@cdt.org>
>
>Mike O'Neil and I have recently updated our memo on the Administration's
>critical infrastructure protection (CIP) initiative, to take account of
>the issuance of the National Plan for Information Systems Protection by
>the White House on January 7.
>http://www.cdt.org/policy/terrorism/oneildempseymemo.html
>
>Our memo concludes that the CIP plan relies too heavily on a monitoring
>system that threatens privacy and other civil liberties and gives too
>little priority to closing the known vulnerabilities and fundamental
>security flaws in computer systems. (Target date for establishment of the
>FIDNet monitoring system: October 2000. Target date for fixing "the most
>significant known vulnerabilities" in critical government computers: May
>2003.) And the plan fails to answer many questions, especially about the
>role and responsibilities of the private sector, which owns and operates
>most of the computer-dependent critical infrastructures.
>
>The Recent Attacks
>
>CDT is concerned that the recent attacks will serve as justification for
>legislation or other government mandates that will be harmful to civil
>liberties and the positive aspects of the openness and relative anonymity
>of the Internet. Already, we have seen suggestions from the Justice
>Department that legislation may be needed. Such a course is especially
>unjustified when there is so much to be done to improve Internet security
>that would have no negative implications for privacy.
>
>While denial of service is appropriately a crime, the recent attacks
>highlight a problem not soluble by criminal investigation and
>prosecution: basic system security has been ignored far too long.
>
>In terms of developing policy responses, it is important to recognize that
>the recent distributed denial of service (DDOS) attack methods were
>well-known and widely reported before they were launched. Like most
>attacks, they exploited well-known system vulnerabilities. And, as with
>most attacks, there were diagnostic tools that would have allowed systems
>administrators to determine if their computers had been hijacked for DDOS
>purposes.
>
>The CERT at Carnegie Mellon issued a DDOS incident note on November 18,
>1999, and an update on December 28, 1999 (see
>http://www.cert.org/incident_notes/IN-99-07.html). Apparently following
>CERT's lead, the FBI's NIPC issued alerts about these tools on December 6,
>1999 and on December 30, 1999
>http://www.fbi.gov/pressrm/pressrel/pressrel99/prtrinoo.htm;
>http://www.fbi.gov/nipc/trinoo.htm
>
>The timing of these announcements again raises the question of what should
>be the proper role of the FBI, if any, in vulnerability assessment and
>information sharing, given the already functioning, non-law enforcement
>CERTs such as the Carnegie Mellon one.
>
>A quick search indicates that as early as July 22, 1999 CERT warned of
>denial of service attacks of the type seen earlier this week:
>http://www.cert.org/incident_notes/IN-99-04.html
>
>CERT's November 18, 1999, was more detailed. As updated on December 28,
>the warning noted: "We have received reports of intruders installing
>distributed denial of service tools. Tools we have encountered utilize
>distributed technology to create large networks of hosts capable of
>launching large coordinated packet flooding denial of service attacks.
>
>"We have seen distributed tools installed on hosts that have been
>compromised due to exploitation of known vulnerabilities. In particular,
>we have seen vulnerabilities in various RPC services exploited." The
>warning specifically named the trinoo and Tribe Flood Network tools,
>noting, "These tools appear to be undergoing active development, testing,
>and deployment on the Internet," and went on to discuss solutions.
>
>By the time of the FBI's second alert, the DDOS tools had also been
>reported by the media. The San Diego Tribune had the story on November
>20. USA Today had it on December 7.
>
>I haven't attempted to identify all the warnings and reports. From a
>policy perspective, the point is that these attacks used well-known
>vulnerabilities and well-known methods of attack. Invasive government
>measures are no substitute for the community effort needed to build better
>security.
>
>
>Jim Dempsey
>
>Center for Democracy and Technology
>1634 I Street, NW Suite 1100
>Washington DC, 20006
>voice: 202.637.9800 fax: 202.637.0968
>jdempsey@cdt.org
>
>Use Operation Opt-Out http://opt-out.cdt.org/
>A single place to remove your name
>from profiling, marketing, and research databases.