| trinoo daemon | trinoo master |
|---|---|
| socket | ---v |
| bind | v1.07d2+f3+c |
| recvfrom | trinoo %s |
| %s %s %s | l44adsl |
| aIf3YWfOhw.V. | sock |
| PONG | 0nm1VNMXqRMyM |
| *HELLO* | 15:08:41 |
| X.X.X.X | Aug 16 1999 |
| X.X.X.X | trinoo %s [%s:%s] |
| X.X.X.X | bind |
| | read |
| | *HELLO* |
| . . . rest omitted . . . | |

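
The strings in the table double as file indicators. The scanner below is an added example, not code from the original page: it checks a file's bytes for the distinctive daemon and master strings, requires at least two hits before reporting a match, and deliberately ignores the generic libc symbols (socket, bind, read, recvfrom, sock), the X.X.X.X placeholders and the build timestamp, which are either common to many binaries or vary per build. The sample string sections are constructed.

```python
"""Flag files containing the distinctive trinoo daemon/master strings.

Added example, not from the original page. Generic libc symbols, the
X.X.X.X placeholders and the build timestamp are left out on purpose.
"""
from pathlib import Path

# Markers copied from the strings table. "*HELLO*" and "PONG" are shared
# protocol tokens, so they count but are never trusted on their own.
DAEMON_MARKERS = (b"aIf3YWfOhw.V.", b"PONG", b"*HELLO*", b"%s %s %s")
MASTER_MARKERS = (b"---v", b"v1.07d2+f3+c", b"l44adsl", b"0nm1VNMXqRMyM",
                  b"trinoo %s [%s:%s]")
MIN_HITS = 2  # one generic token such as PONG alone is not a match


def scan_bytes(data: bytes) -> dict:
    """Return the markers found in data and a verdict for the file."""
    daemon_hits = [m.decode() for m in DAEMON_MARKERS if m in data]
    master_hits = [m.decode() for m in MASTER_MARKERS if m in data]
    if len(master_hits) >= MIN_HITS:
        verdict = "trinoo master"
    elif len(daemon_hits) >= MIN_HITS:
        verdict = "trinoo daemon"
    else:
        verdict = "no match"
    return {"verdict": verdict, "daemon_hits": daemon_hits,
            "master_hits": master_hits}


def scan_file(path: str) -> dict:
    """Scan one file on disk (whole file in memory; fine for small binaries)."""
    return scan_bytes(Path(path).read_bytes())


def _blob(*items: bytes) -> bytes:
    """Build a constructed NUL-separated string section for the demo."""
    return b"\x00" + b"\x00".join(items) + b"\x00"


# Constructed samples that mimic the string sections listed above.
SAMPLE_DAEMON = _blob(b"socket", b"bind", b"recvfrom", b"%s %s %s",
                      b"aIf3YWfOhw.V.", b"PONG", b"*HELLO*")
SAMPLE_MASTER = _blob(b"---v", b"v1.07d2+f3+c", b"trinoo %s", b"l44adsl",
                      b"sock", b"0nm1VNMXqRMyM", b"bind", b"read", b"*HELLO*")
SAMPLE_BENIGN = _blob(b"socket", b"bind", b"read", b"PONG")  # one shared token

if __name__ == "__main__":
    for name, blob in (("daemon", SAMPLE_DAEMON), ("master", SAMPLE_MASTER),
                       ("benign", SAMPLE_BENIGN)):
        print(f"{name}: {scan_bytes(blob)}")
```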

| | Immediately (< 30 days) | Near Term (30-180 days) | Long Term (> 6 months) |
|---|---|---|---|
| Protect | Apply anti-spoofing rules at the network boundary. (This makes your site a less appealing target for intruders.) | | |
| Detect | Look for evidence of intrusions in logs, etc. | | |
| React | Report to a predefined list of contacts, approved by management. | | |

| | Immediate | Short Term | Long Term |
|---|---|---|---|
| Protect | Establish crisis policy and procedures. | | |
| Detect | Establish an incident response team. | Review high-profile target systems. | Automate scanning/patching of high-profile target systems. |
| React | Do case-by-case egress filtering. | | |

| | Immediate | Short Term | Long Term |
|---|---|---|---|
| Protect | Determine chain of command. | | |
| Detect | Develop criteria for detecting distributed-systems attacks. | Develop procedures/algorithms for dealing with large amounts of traffic. | Develop procedures/algorithms for handling automated incident reports. |
| React | Scope the extent of the attack. | | |