U.S. Department of Justice, Federal Bureau of Investigation
For Immediate Release
December 30, 1999
Washington D.C.
FBI National Press Office

The FBI today issued the following statement:

Over the last several weeks, the National Infrastructure Protection Center (NIPC) has received multiple reports of the presence of Distributed Denial of Service (DDOS) tools on computer systems in the United States. The NIPC issued alerts about these tools on December 6, 1999 and today (see http://www.nipc.gov). The CERT at Carnegie Mellon has also issued an incident note (IN-99-07) on November 18, 1999, and an update on December 28, 1999 (see http://www.cert.org/incident_notes/IN-99-07.html). These DDOS tools have also now been reported by the media and published on the Internet. These DDOS tools, such as "trin00" and "Tribe Flood Network" ("tfn"), are capable of generating sufficient network traffic to render the targeted network or computer system inoperable. Installation has been accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. Basically, these tools allow an intruder to have multiple victim systems launch denial of service attacks against other systems that are the ultimate target.

The NIPC has developed a software application that can be used by system administrators to scan their computer systems to determine whether they contain the "trin00" or "tfn" tools and therefore might be used as part of a DDOS attack on another network. The latest version of this detection software can be downloaded from the NIPC Internet Web site (http://www.nipc.gov). The NIPC requests that computer network administrators report the detection of DDOS tools or other apparent criminal activity on their systems to their local FBI Field Office or to the NIPC at nipc.watch@fbi.gov.

NIPC Director Michael Vatis stated: "A central part of the NIPC's mission is to help protect critical computer networks by alerting private industry and government agencies of potential threats before an attack occurs. In this case, we have gone one step further by developing a software application that can be used to detect the presence of a significant hacker tool and neutralize it."

The NIPC commenced its Y2K Command Post at FBIHQ yesterday, and will operate 24 hours a day until January 5. In addition, each FBI Field Office has initiated a Command Post. These Command Posts have been established to facilitate the FBI's detection of and response to any criminal activity, cyber or physical, that might occur during the Millennium rollover period.

The NIPC is a multi-agency organization whose mission is to detect, warn of, respond to, and investigate computer intrusions and other unlawful acts that threaten or target our Nation's critical infrastructures. Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from the FBI, other U.S. government agencies, state and local governments, and the private sector in a partnership to protect our Nation's critical infrastructures. More information on the NIPC is available on the World Wide Web at http://www.nipc.gov.

The following MD5 checksums should be used to validate the files available for downloading:

    • MD5 (README-find_ddos) = 4f6269ebb6b695162ccd919c4df9385d
    • MD5 (find_ddos.tar.Z) = 4522f64b491664f93eca27283d2f77ba

TRINOO/Tribal Flood Net
