UPDATED Version 3.1 Released

During the past few weeks the NIPC has seen multiple reports of intruders installing distributed denial of service tools on various computer systems, to create large networks of hosts capable of launching significant coordinated packet flooding denial of service attacks. Installation has been accomplished primarily through compromises exploiting known sun rpc vulnerabilities. These multiple denial of service tools include TRINOO, and Tribe Flood Network (or TFN & tfn2k), and has been reported on many systems. The NIPC is highly concerned about the scale and significance of these reports, for the following reasons:

Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks.

NIPC requests that all computer network owners and organizations rapidly examine their systems for evidence of these distributed denial of service (DDOS) tools (specific technical instructions are available from CERT-CC, SANS, NIPC, or other sources).

The NIPC is making available on its web site a software application that can be used to detect the presence of these DDOS tools.

Recipients are asked to report significant or suspected criminal activity to their local FBI office or the NIPC Watch/Warning Unit, and to computer emergency response support and other law enforcement agencies, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.

This latest update reflects that NIPC has developed a new release of the software application that will detect tfn2k client, tfn2k daemon, trinoo daemon, trinoo  master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stachelddraht demon and tfn-rush client.  This new version (find_ddosv31) is now available for Solaris on Sparc or Intel platforms and Linux on Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program. 

This executable (find_ddosv31_{platform}.tar.Z) is for Solaris 2.5.1, 2.6, and Solaris 7 on the {Sparc} or {Intel} platforms, and {Linux} on Intel platforms. This file will not work on a Windows-based PC.

Press Release | NIPC Home Page | Back to Advisories, Alerts and Warnings