Users on Guard Against New Denial of Service Tool

Several information technology managers said they've gone on guard to protect their systems against the Trinity distributed denial-of-service attack tool, which came to light earlier this week as a vehicle for using Internet Relay Chat channels to unleash floods of IP packets from compromised Linux servers.

Like other distributed denial-of-service (DDOS) tools that were used last February in attacks on Web sites owned by eBay Inc., ETrade Group Inc., CNN and Yahoo Inc., Trinity first must be covertly installed on a compromised server running the open-source Linux operating system. The system can then be remotely controlled, together with a network of other machines that have been similarly compromised, to launch packet floods against targeted Web servers.

But users and security analysts familiar with the Trinity tool said it's more sophisticated than predecessors such as Tribal Flood Network and Trin00 because it allows attackers to control the hacked machines through Internet Relay Chat (IRC) channels or America Online Inc.'s ICQ online chat service.

Matt Fahrner, manager of the network development group at Burlington Coat Factory Warehouse Inc. in Burlington, N.J., said the discount clothing retailer doesn't allow IRC traffic through its firewall. But he added that Burlington Coat -- which has installed more than 1,000 Linux-based PCs and servers -- is constantly on the alert for unneeded or default services that are built into software products and could pose potential security risks.

"You're better off turning on services as you need them," Fahrner said. To protect against potential attacks, he advised other users not to configure "anything you don't need on Linux boxes" and to be vigilant about maintaining a strong firewall. In the case of Trinity, Fahrner added, users should check their outbound IRC traffic and make sure they don't have connections to IRC chat sites so malicious crackers "can't initiate an attack even if they have compromised you."

According to Chris Rouland, director of a security SWAT team at Internet Security Systems (ISS) Inc., an Atlanta-based security software vendor, at least 400 Linux computers with IP addresses indicating they may be located mainly in the U.S., Romania and Australia have already been compromised by several versions of the Trinity tool.

With earlier DDOS tools, Rouland said, attackers have to keep lists of all the machines they've broken into. But systems compromised by Trinity report back to an attacker via agents that appear in a single chat room, he added. ISS has posted an advisory on its Web site detailing how Trinity works and what users can do to protect themselves against attacks.

Rouland said Trinity attacks illustrate a larger concern about open-source operating systems such as Linux, which can end up in the hands of inexperienced system administrators who aren't qualified to install and run the software. And he warned that it's only a matter of time before malicious attackers revise Trinity so it can target other types of systems.

Kevin Schmidt, a network programmer at the University of California at Santa Barbara (UCSB) -- which discovered that some of its machines were compromised and then used in a DDOS attack against CNN's Web site earlier this year -- said attackers using tools such as Trinity can hide their identities by relaying IRC traffic through compromised systems.

UCSB is defending itself against Trinity infiltrations by scanning its network to detect new Linux installations and to determine which ports are being used on machines for new services that could present a security risk. "We can review network traffic to see if any hosts have a connection to hosts communicating with the Trinity program," said Schmidt, who manages a network of several thousand Linux machines.

Some of those computers have IRC access, but systems that connect to chat services without an appropriate reason for doing so would raise red flags for the university's IT department, Schmidt said. Even so, he noted that the current version of the Trinity tool is still being developed and enhanced, which could pose new threats for users such as UCSB. "We are not done with this yet," Schmidt said.

According to Rouland, the most common exploit used to place Trinity on a Linux machine relies on a remote buffer overflow technique to compromise the Linux rpc.stadt, a component of the software's network file system. ISS first learned of Trinity when the tool was recently brought to the attention of the Forum of Incident Response Teams -- an umbrella organization for security notification groups such as CERT -- by an unidentified educational institution that found some of its computers had been compromised.

Join the newsletter!

Error: Please check your email address.

More about America OnlineCERT AustraliaCNNeBayETRADE AustraliaICQInternet Security SystemsISS GroupNetwork DevelopmentSecurity SystemsYahoo

Show Comments
[]