NIPC Advisory 01-021, "Potential DDoS Attacks"

National Infrastructure Protection Center
"Potential Distributed Denial of Service (DDoS) Attacks"
Advisory 01-021
17 September 2001

The National Infrastructure Protection Center (NIPC) expects an increase
in Distributed Denial of Service (DDoS) attacks. NIPC Advisory 01-020,
"Increased Cyber Awareness," dated September 14, 2001, warned of
threatened vigilante hacking activity against organizations associated
with the perceived perpetrators of the September 11, 2001 terror attacks.

On September 12, 2001, a group of hackers named the Dispatchers claimed
they had already begun network operations against information
infrastructure components such as routers. The Dispatchers stated they
were targeting the communications and finance infrastructures. They also
predicted that they would be prepared for increased operations on or
about Tuesday, September 18, 2001.

There is the opportunity for significant collateral damage to any
computer network and telecommunications infrastructure that does not
have current countermeasures in place. The Dispatchers claim to have
over 1,000 machines under their control for the attacks. It is likely
that the attackers will mask their operations by using the IP addresses
and pirated systems of uninvolved third parties.

System administrators are encouraged to check their systems for zombie
agent software and ensure they institute best practices such as ingress
and egress filtering. The NIPC has made available the "Find DDoS" tool
to determine if your computer has been infected by the most common DDoS
agents. The tool may be downloaded from the following website:
http://www.nipc.gov/warnings/advisories/2000/00-055.htm.
Additionally, a list of best practices is available from the CERT/CC
website, located at:
The CERT Division | Software Engineering Institute.

Recipients of this advisory are encouraged to report computer intrusions
to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the
NIPC, and to the other appropriate authorities. Incidents may be
reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch
and Warning Unit