| trinoo daemon | trinoo master |
|---|---|
| socket | ---v |
| bind | v1.07d2+f3+c |
| recvfrom | trinoo %s |
| %s %s %s | l44adsl |
| aIf3YWfOhw.V. | sock |
| PONG | 0nm1VNMXqRMyM |
| *HELLO* | 15:08:41 |
| X.X.X.X | Aug 16 1999 |
| X.X.X.X | trinoo %s [%s:%s] |
| X.X.X.X | bind |
| read | |
| *HELLO* | |

. . . rest omitted . . .
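The string dump above is useful as a detection signature, but only some of the strings are worth matching on: `socket`, `bind`, `recvfrom` and `read` are ordinary libc symbols, and `%s %s %s` / `X.X.X.X` are format placeholders, so they appear in countless benign binaries. The following scanner is an added example, not part of the original workshop document; it takes only the distinctive strings from the table, treats the password-hash-like tokens and the version/format strings as strong indicators and the short keepalive tokens as weak ones, and flags a file when it carries either one strong marker or two weak ones. The thresholds and role labels are this example's own assumptions, and the sample blobs at the bottom are constructed, not real captures.

```python
import sys
from pathlib import Path

# Strong markers: strings from the dump that are unlikely to occur in any other
# program (the crypt-style tokens, the version string and the master's log format).
STRONG = {
    b"aIf3YWfOhw.V.": "daemon",
    b"0nm1VNMXqRMyM": "master",
    b"l44adsl": "master",
    b"v1.07d2+f3+c": "master",
    b"trinoo %s [%s:%s]": "master",
}

# Weak markers: short tokens from the dump that are distinctive only in combination.
WEAK = {
    b"*HELLO*": "daemon",
    b"PONG": "daemon",
    b"---v": "master",
}

# Decision rule (an assumption of this example, not a published signature):
# one strong marker, or at least two weak markers, is enough to flag a file.
MIN_WEAK_HITS = 2


def classify(data: bytes):
    """Return None for clean data, or a dict describing which markers matched."""
    strong_hits = [s for s in STRONG if s in data]
    weak_hits = [w for w in WEAK if w in data]
    if not strong_hits and len(weak_hits) < MIN_WEAK_HITS:
        return None
    roles = {STRONG[s] for s in strong_hits} | {WEAK[w] for w in weak_hits}
    return {
        "role": "/".join(sorted(roles)),   # "daemon", "master" or "daemon/master"
        "strong": strong_hits,
        "weak": weak_hits,
    }


def scan_tree(root):
    """Walk a directory and return {path: classification} for every flagged file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            result = classify(path.read_bytes())
        except OSError:
            continue            # unreadable file (permissions, vanished); skip it
        if result is not None:
            findings[str(path)] = result
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python scanner.py /path/to/suspect/tree
        for p, r in scan_tree(sys.argv[1]).items():
            print(f"{p}: trinoo {r['role']} strong={r['strong']} weak={r['weak']}")
    else:
        # Constructed sample inputs so the example runs offline.
        samples = {
            "benign":        b"\x00socket\x00bind\x00recvfrom\x00read\x00",
            "daemon-like":   b"\x00socket\x00aIf3YWfOhw.V.\x00PONG\x00*HELLO*\x00",
            "master-like":   b"\x00---v\x00v1.07d2+f3+c\x00l44adsl\x00",
            "pong-only":     b"\x00PONG\x00",
        }
        for name, blob in samples.items():
            print(f"{name}: {classify(blob)}")
```

Run it against a directory to get one line per flagged file; with no arguments it classifies the constructed samples, showing that generic libc strings alone produce no hit and that a lone `PONG` is ignored.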
| | Immediately (< 30 days) | Near Term (30-180 days) | Long Term (> 6 months) |
|---|---|---|---|
| Protect | Apply anti-spoofing rules at the network boundary. (This makes your site a less appealing target for intruders.) | | |
| Detect | Look for evidence of intrusions in logs, etc. | | |
| React | Report to a predefined list of contacts, approved by management. | | |
| | Immediate | Short Term | Long Term |
|---|---|---|---|
| Protect | Establish crisis policy and procedures. | | |
| Detect | Establish an incident response team. | Review high-profile target systems. | Automate scanning/patching of high-profile target systems. |
| React | Do case-by-case egress filtering. | | |
| | Immediate | Short Term | Long Term |
|---|---|---|---|
| Protect | Determine chain of command. | | |
| Detect | Develop criteria for detecting distributed-systems attacks. | Develop procedures/algorithms for dealing with large amounts of traffic. | Develop procedures/algorithms for handling automated incident reports. |
| React | Scope the extent of the attack. | | |