
FBI Software For Denial Of Service 2


2ffat (Programmer, US; member since Oct 23, 1998; 4,811 posts)
I just read that the FBI is providing free software to companies to help prevent the recent denial of service problems that have recently plagued Yahoo!, E-Bay, etc. Any idea how well this works? Any "catches" to using government software? Is it only a matter of time before someone hacks it since it is freely available?

Post your ideas and thoughts, please.

James P. Cottingham
main@ivcusa.com
Veneer Co., Inc.
All opinions are mine alone and do not necessarily reflect those of my employer.
 
Just been to have a check at the site and, from what I can see, it -appears- to be released without a license. The usual disclaimers are made about fitness for purpose etc.

The program actually scans your system to see if it can identify any of the currently known Distributed Denial Of Service (DDOS) programs, or the files related to these programs. To quote from the README:

The distributed denial-of-service tools that are detected by the tool are:
* stacheldraht client
* stacheldraht daemon
* stacheldraht master
* tfn-rush client
* tfn client
* tfn daemon
* tfn2k client
* tfn2k daemon
* trinoo daemon
* trinoo master

So, it seems quite comprehensive at this moment in time.

As far as "catches" go, don't know if they'd apply to me, being a UK citizen ;^) However, if there are any catches I guess they'd be the same as we get from standard day-to-day Internet use, as the US government originally funded the development of it...

In other words, can't find any! :)

As to it being hacked, you can bet it will be... In fact, it probably already has. To be sure everything is well, I'd make sure I -only- downloaded the utilities from the address above. I'd then run them on a trusted, non-networked server to check them out first. But I'm paranoid :)

MD5 checksums are provided for each of the available binaries.

Couple of thoughts, though. Would be -extremely- nice if (a) source was available, and we could give it some peer review, and (b) PGP signatures were available. Always trusted PGP more than MD5 for some reason...

Just my thoughts. Thanks for the heads up on the tool availability.
 
What the FBI is "providing" is software that can be downloaded from any number of security web sites. I doubt they have altered it in any way... However I could be wrong...

I personally would not get anything from them however - not being paranoid, but I would go to sites that are dedicated to security and the such. securityfocus.com and cert.org are two of the best places to get information - and not just on what is in the media today - both sites are dedicated to keeping up to date on ALL security issues.

Both have mailing lists (Bugtraq and CERT advisories) that can help keep you up to date on everything that goes on.

Keeping up to date and protecting yourself is not just something that you can do when something hits the mainstream like this. There are always script kiddies trying exploits that have been out for ages (i.e. Bind and portmap exploits have been out forever and my servers still get scanned for those open ports about once a week).

As for someone getting a hold of it and hacking it, there are PGP signatures and MD5 hashes that are used to verify the integrity of the program. These can tell you if the original program has been altered.

The key to all of what has been going on the past few days is that there are MANY servers/workstations out there that administrators do not monitor. Yes, you can get a program to detect some of the DoS tools out there, there are other ones to detect BackOrifice and the such.... there are tools for just about everything, but you should not rely on running these programs once in a while - you should be monitoring your logs, open ports, running processes and services...

Sorry about the rant, but a program to detect Trin00, TFN and 1 or 2 other programs is going to give SysAdmins a false sense of security. Yes, it will let you know that you are not affected by the most recent wave of attacks, but you should be more proactive in securing your network and know what is happening on your network. Who is to say that tomorrow someone isn't going to launch some attack somewhere else from a machine on your network that has BackOrifice installed on it...

There are a million ways for hackers to get into your network, but every one of them is preventable simply by taking a proactive stance and learning about how to secure your network BEFORE something happens.

Again, sorry for the rant - the media and government are completely clueless and trying to shut the barn door after the cows have left (or whatever that saying is) and it's starting to get on my nerves... They are not talking to the experts in the security field - and no, the experts are not the IT director of a company (I know some IT directors that don't have a clue about computers let alone network security). People from Securityfocus, NTBugTraq and L0pht have not been contacted to help out with all of this...

OK, I'm done -- sorry...
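An added example (not from this thread or from the detection tool it discusses) of the integrity check both replies above mention: it reads a checksum list in the line format `md5sum` prints (an assumption; `<hex>  <file>` or `<hex> *<file>`), hashes each downloaded binary and reports anything missing or altered. A checksum hosted beside the binary only detects corruption or tampering that did not also touch the list; a PGP signature checked against a key obtained out of band is what ties the files to their publisher.

```python
"""Verify downloaded binaries against a published MD5 checksum list.

Assumed list format is md5sum output: '<32 hex chars>' then one space, then
' ' (text mode) or '*' (binary mode), then the filename.
"""
import hashlib
import os
import re

_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_checksum_list(text):
    """Return {filename: md5hex}; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large binaries are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, checksum_text):
    """Map each listed file to 'ok', 'MISMATCH' or 'MISSING'.

    Only the basename from the list is used, so a hostile list cannot
    point the check at files outside `directory`.
    """
    results = {}
    for name, expected in parse_checksum_list(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of_file(path) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "ok"
    return results


def all_ok(results):
    """True only if every listed file was present and matched."""
    return bool(results) and all(v == "ok" for v in results.values())
```

Any result other than "ok" means the binary should not be run; an empty list is treated as a failure rather than a pass.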
 
That wasn't ranting, Pmkincaid, that was making a valid point crystal clear. Thanks for the clarity.
 