Author Archives: Daniel S. Abrahamian

Confide In Who


; ***********************************************************
;   CANON INC. CONFIDENTIAL
;
;   Canon Inkjet FAX Driver for Microsoft Windows Vista
;   Version 1.00
;   Copyright CANON INC. 2006 All Rights Reserved
; ***********************************************************

[Version]
Signature="$Windows NT$"
Class=Printer
ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}
Provider=%Canon%
DriverVer=06/21/2006,6.1.7600.16385

[ControlFlags]
AlwaysExcludeFromSelect=*

[DestinationDirs]
DefaultDestDir  = 66000

[Manufacturer]
%Canon%=Canon,NTamd64

[Canon.NTamd64]
"Canon Inkjet MP780 FAX" = Install,CanonMP780_FAX64B0,Canon_Inkjet_MP780_FAX ; Hardware ID
"Canon Inkjet MP790 FAX" = Install,CanonMP790_FAXB5B1,Canon_Inkjet_MP790_FAX ; Hardware ID
"Canon Inkjet MP830 FAX" = Install,CanonMP830_FAXBFEE,Canon_Inkjet_MP830_FAX ; Hardware ID

[Install.NT]
NullPrinterDriver=TRUE

[Strings]
;Non-localizable
Canon="Canon Inc."
;Localizable


We Have Two


[Version]
Signature="$WINDOWS NT$"
Class=Computer
ClassGuid={4D36E966-E325-11CE-BFC1-08002BE10318}
Provider=%MSFT%
DriverVer=06/21/2006,6.1.7600.16385

[rp_tags_addreg]
HKR,,ResourcePickerTags,0x00000000,"HAL"

[SourceDisksNames]
3426=windows cd

[SourceDisksFiles]
ntkrnlmp.exe  = 3426
hal.dll       = 3426

[DestinationDirs]
DefaultDestDir = 11

[ControlFlags]
BasicDriverOk=*

[Manufacturer]
%GENDEV_MFG%=GENDEV_SYS,NTamd64

[GENDEV_SYS.NTamd64]
%ACPI_AMD64.DeviceDesc%   = ACPI_AMD64_HAL, ACPIAPIC

;****************************************************
; Standard AMD64 HAL.  Although there is only one HAL, we have two install
; sections so that we can move from the UP kernel to the MP kernel when
; processors are added to the machine.

[ACPI_AMD64_HAL]
AddReg = rp_tags_addreg
Reboot

[Strings]
;Non-localizable
MSFT              = "Microsoft"
;Localizable
;*******************************************
;device descriptions

GENDEV_MFG = "(Standard computers)"

ACPI_AMD64.DeviceDesc     = "ACPI x64-based PC"

;Non-localizable
REG_EXPAND_SZ                = 0x00020000
REG_DWORD                    = 0x00010001


Rambler


U.S.-Canada Ports of Entry

Gatineau, QC – J8P 2B5
Magog, QC (near Lac Memphremagog & bordering Newport, VT)
St. Valentin, QC
Bedford, QC
Drummondville, CA
Godman-Chester
Kingston
Longueuil
Elgin
Dundee
Prescott
Augusta
Edwardsburgh / Cardinal
Franklin
Havelock
Hemmingford
Hinchinbrooke
Fort Erie
Niagara Falls, Ontario
Welland
Thorold
Thorold South
Niagara-On-The-Lake
St. Georges
Victoriaville
Sherbrooke
Laval
Cornwall
Kaladar
Perth
Ottawa
Montreal
Peterborough
London
Sarnia
Sault Sainte Marie
Fort Frances
Thunder Bay
Montreal River
International Falls, MN
Grand Portage, MN
Port Huron, MI
Colebrook, VT
Port Colborne
St Jean County
Huntington County
Stormont County
Port of Entry
– Hwy 374 (into Quebec / Huntington County / past Shee Woods Road / near Wallace Hill Road)
– Hwy 189 (into Huntington County / past Frontier Road)
– Hwy 10 (Canyon Corners Road / past Bush Road)
– Hwy 16 (past Server Road & Eddy Road)
– Hwy 34 (Hemmingford Road)
– Interstate 87
– Hwy 18 (Meridian Road)
– Hwy 276 (past Rouses Point)
– Hwy 29 (Montgomery Road / past North Burke)
– Hwy 138, Canada (past Trout River)
– Adjacent to Hwy 37 (past Drum Street Road and Fort Covington)
– Hwy 37 (St. Lawrence County / past Haverstock Road)
– Near Robert Moses State Park (Barchart Island)
– Hwy 812 (Ogdensburg Prescott International Bridge)
– Interstate 81 (Wellesley Island – U.S. Customs)
– Interstate 190 (Lewiston Queenston Bridge / Hwy 405, Ontario – Whirlpool Bridge (U.S.) / near Robert Moses Powerplant – adjacent to Lewiston Heights)
– Hwy 384 (Rainbow Bridge / Niagara Reservation State Park)
– Hwy 266 (Peace Bridge)
– Hwy 266 (International Bridge – adjacent to Albright Knox Art Gallery)
Morses Line

.RU = Romania (bucharest.usembassy.gov) /  Bucharest,  7-9 Tudor Arghezi St., District 2 / (40) (21) 200-3300
.DE = Germany
.CA = Canada (canada.usembassy.gov)
.AT = Austria
.AU = Australia
.PL = Poland (poland.usembassy.gov) /  Warsaw,  Aleje Ujazdowskie 29/31 /  (48) (22) 504-2000
.NL = Netherlands
.BE = Belgium
.BA = Bosnia & Herzegovina  (sarajevo.usembassy.gov) /  Sarajevo,  Allpasina 43  /  (387) (33) 445-700
http://www.MVP.Gov.BA
BHTourism.BA
.HR = Croatia
.FR = France
.IT = Italy
.MK = Macedonia (FYROM / Former Yugoslav Republic of Macedonia)
http://www.MontenegroEmbassy.org.MK
http://www.colliseumclub.MK
.co.YU = Jugoslavia
.SI = Slovenia  (slovenia.usembassy.gov) /  Ljubljana,  Presernova 31 /  (386) (1) 200-5500
.ES = Spain
.IL = Israel  (telaviv.usembassy.gov) /  Tel Aviv,  71 Hayarkon Street  /  (972) (3) 519-7575
.CH = Switzerland
.CZ = Czech Republic  (prague.usembassy.gov) /  Prague, Trziste 15 /  (420) 257-022-000
.co.UK = Great Britain
Serbia =  belgrade.usembassy.gov /  Belgrade,  Kneza Milosa 50 /  (381) (11) 361-9344
Slovakia = slovakia.usembassy.gov /  Bratislava,  Hviezdoslavovo nam. 4 /  (421) (2) 5443-3338

State.gov
Travel.state.gov
TSA.gov
DHS.gov
CBP.gov  (646) 733-3100
One Penn Plaza
New York, NY 10119
ICE.gov
CCS (Cyber Crimes Section)
CERT.gov
Whitehouse.gov
MyMoney.gov
CIA.gov
FBI.gov
NSA.gov
FCC.gov
FTC.gov
SecretService.gov
IC3.gov
GovBenefits.gov
http://www.gibill.va.gov/
IRS.gov
FederalReserve.gov
SEC.gov
SSA.gov
Social Security Administration
P.O. Box 33018
Baltimore, MD 21290-3018
USCIS.gov
https://egov.immigration.gov/graphics/cris/jsps  (processing times for service centers & local USCIS offices)
XML.gov
NCSC = National Customer Service Center (1-800-375-5283)
USCIS Forms Line  (800) 870-3676
File USCIS Application
Attention: FBASI
10 West Jackson Boulevard
Chicago, IL 60604

FOIA = Freedom of Information Act / National Records Center (NRC)
FOIA Inquiry =  (816) 350-5570
Choice Point / LexisNexis = Background checks
NILC = National Immigration Law Center  (http://nilc.org)
DOL.gov
sss.gov (selective service)  /  (847) 688-6888
EOIR  /  Executive Office for Immigration Review  (immigration court)
EOIR Status Line  (800) 898-7180
U.S. Congress
http://www.house.gov
http://www.senate.gov
Department of Justice
GovSpot.com
Census.gov
http://www.immigrationwatch.com  (case processing information)
http://www.acf.hhs.gov (Department of Health & Human Services)
http://www.fns.usda.gov (wic)
http://www.state.gov/g/drl/hr  (State Department Country Reports)
http://www.ind.homeoffice.gov.uk  (country reports)
http://www.unhchr.ch (United Nations Human Rights Commission)
http://www.amnesty.org  (Amnesty International)
http://www.hrw.org (Human Rights watch)
http://workforcesecurity.doleta.gov/foreign/  (home page for foreign worker information)
http://www.sba.gov/starting_business/planning/writingplan.html  (business plan models)

National Visa Center

Service Centers (N-400 Applications)
– Saint Albans, VT 05479
Vermont Service Center
U.S. Department of Homeland Security
United States Citizenship and Immigration Services (USCIS)
Vermont Service Center (NJ, NY, PA)  /  (802) 527-4913  /  (802) 527-3160
75 Lower Welden Street
Saint Albans, VT 05479-9400
(64 Gricebrook Road / St. Albans, VT 05748)

– Lincoln, NE 68501  (402) 437-5218
Nebraska Service Center
Attention N-400 Unit
P.O. Box 87400
Lincoln, NE 68501-7400

– Laguna Niguel, CA 92607
California Service Center
Attention N-400 Unit
P.O. Box 10400
Laguna Niguel, CA 92607-0400

– Mesquite, TX 75185
Texas Service Center  (214) 381-1423
Attention N-400 Unit
P.O. Box 851204
Mesquite, TX 75185-1204

– Houston, TX 77060
USCIS Houston (281) 774-4629
126 Northpoint
Houston, TX 77060

– Cleveland, OH 44199  (216) 522-4766
A.J.C. Federal Building
1240 East Ninth Street
Room 501
Cleveland, OH 44199

– Albany, NY 12110
USCIS Albany Office  (518) 220-2100
1086 Troy-Schenectady Road
Latham, NY 12110

(130 Delaware Avenue / Buffalo, NY 14202 / (716) 849-6760)

– Newark, NJ
Peter Rodino Federal Building
Broad Street

– Bloomington, MN 55438
Minnesota Service Center  (612) 313-9020
2901 Metro Drive
Suite 100
Bloomington, MN 55425
– Hennepin County, MN

American Immigration Lawyers Association  (202) 216-2400
http://www.aila.org
918 F Street, NW
Washington, D.C. 20004-1400

Asylee Benefits (800) 354-0365

ADIT Processing  (USCIS)  /  (Alien Documentation, identification, and telecommunication system)

Montgomery GI Bill benefits –  (888) 442-4551   (www.gibill.va.gov)
Veteran’s Affairs Office = 1-877-572-7232    ( veterans.affairs@apollogrp.edu )
University of Phoenix
Attn: Veterans Affairs
4615 E. Elwood St
Phoenix, AZ  85040

Joshua Flint (Josh.Flint@phoenix.edu)
University of Phoenix
Military Division, Online Campus
4045 South River Point Parkway
CF-M310

Joshua Flint ((800) 366-9699 / ext. 713-4019 | Fax (602) 759-4931)
University of Phoenix, Online Campus
3157 East Elwood Street
CF-K307
Phoenix, AZ, 85034

Brent Morgan
IKN = 9023-186145

VA Regional Office
P.O. BOX 8888
Muskogee, OK 74402-8888

http://www.cic.gc.ca/ = Citizenship & Immigration, Canada  (www.ci.gc.ca)
CBSA = Canadian Border Services Agency
U.S. Embassy – Canada
490 Sussex Drive, K1n 1G8
Ottawa, Ontario, CA
(613) 238-5335
Facsimile = (613) 688-3082

U.S. Consulates General
– Calgary, Alberta
10th Floor
615 Macleod Trail SE
(403) 266-8962
– Montreal, Quebec
1155 St. Alexander Street (514) 398-9695

Canadian Embassy
501 Pennsylvania Avenue
20001 (202) 682-1740

WHTI-Compliant documents for border crossing
Frequent travellers = “Nexus trusted traveller program” (allows for expedited border crossing / inspection)


SAM – Security Accounts Manager


\SystemRoot\System32\Config\SAM

CMI-CreateHive{C4E7BA2B-68E8-499C-B1A1371AC8D717C7}

Performance Monitor Users
Members of this group can access performance counter data locally and remotely

(S-1-5-21-2426286085-332982260-2691753013)

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile
Owner DANIEL

mrdaniel
Administrators

Administrators have complete and unrestricted access to the computer/domain

Builtin
Aliases

None: Ordinary users
Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted

Administrator
Guest: Built-in account for guest access to the computer/domain
Performance Monitor Users: Members of this group can access performance counter data locally and remotely
Performance Log Users: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
IIS_IUSRS: Built-in group used by Internet Information Services.
Event Log Readers: Members of this group can read event logs from local machine
Administrators: Administrators have complete and unrestricted access to the computer/domain and can run most applications
Administrator: Built-in account for administering the computer/domain

Users are prevented from making accidental or intentional system-wide changes and can run most applications
:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp

System32/Security Accounts Manager (SAM)

Sets definitions, permissions, and parameters for local and remote network users.

Intrusion Detection Links


(http://www.securelist.com/en/descriptions/Email-Flooder.Win32.Stealm.a)

http://keyghost.com/

http://www.amecisco.com/

http://www.keylogger.org

http://www.keylogger.org/monitoring-free-software-review/

http://www.keykatcher.com/

http://www.keycarbon.com/

http://www.omniquad.com

www.softpedia.com

http://www.cirt.net/passwords

www.cirt.net/cgi-bin/passwd.pl
www.regnow.com
http://hide-ip-soft.com/download.htm
http://password-viewer.softpedia.com/
http://www2.faronics.com

www.sourceforge.net
www.infobel.com
www.freality.com/find.htm
www.anywho.com
www.zabasearch.com
http://mesa.rrzn.uni-hannover.de/

www.portprotector.com
http://cookiecentral.com/
http://www.debryansk.ru/~kamkov/

Browser Cache Index viewer is a freeware tool useful for reading the contents of URL cache index.dat files (the files where Windows Internet Explorer stores information about your browsing activity, such as cookies and internet addresses).

BCIView lets you view URIs and last access time stored in index.dat files.

The program exports lists to an XML file.
http://openbsd.org/

https://mosaicsecurity.com/categories/74-endpoint-security-hostbased-intrusion-detection-system

– Every cell phone contains both a unique electronic serial number (ESN) and a mobile identification number (MIN).

www.securelogix.com (modem security)

http://www.totse2.com/

http://vomit.xtdnet.nl

http://www.citi.umich.edu/u/provos/systrace/  (systemtrace)

http://cvsweb.netbsd.org/bsdweb.cgi/src/bin/systrace/Attic/

www.tripod.lycos.com

http://angelfire.lycos.com

www.secureroot.com

http://www.secureroot.com/topsites/

www.startplaza.nu

www.snort.org

http://www.windowsecurity.com/pages/links.asp

http://www.securitywizardry.com/

www.tucows.com

www.serials.ws

Federal Agencies:  (http://www.usa.gov/Agencies/Federal/All_Agencies/index.shtml )

Feeder – generator of IP addresses for scanning. Angry IP Scanner provides various kinds of feeders: IP Range, Random, and IP List File. You can select a feeder using the combo box next to the Start button.

Fetcher – gathers specific information about a host, e.g. ping time, hostname, open ports. Fetchers usually represent columns in the scanning results list. You can select additional fetchers by choosing “Tools->Select fetchers” from the menu.

Main terminology (continued):
Hosts. You can choose between them in the Preferences dialog.

ICMP echo – the standard method used by the ‘ping’ program. It requires administrator or root privileges on most platforms. Note that some firewall software disables sending of ICMP echo reply packets, making alive hosts appear dead.

UDP – sends UDP packets (datagrams) to one of the host’s ports and checks whether there is any response (either positive or negative). This is non-standard, but works without special privileges.

TCP – tries to connect to port 80 (HTTP) on the host. This may work better than UDP on some networks, but usually it is worse.

UDP and TCP pinging most often don’t properly detect routers or other network equipment.

TTL (time to live) – this fetcher works only with the ICMP pinging method. Its initial value is usually 64 or 128, and the difference represents the distance to the host in number of nodes the packet has travelled.

Alive host – a host that responds to pinging. These are blue in the results list.

Dead host – a host that does not respond to pinging (red in the list). However, it may still have ports open (if a firewall blocks pings). To scan these hosts fully, check “Scan dead hosts” in the Tools->Preferences dialog.

Open port – a TCP port that responds to connection attempts. Hosts with open ports are green in the results list.

Filtered port – a TCP port that does not answer that it is closed (no RST packet). These ports are usually specifically blocked by firewalls for some reason.

http://www.nwd-wc.usace.army.mil/TMT/ 

www.google.com/search?sourceid=chrome&ie=UTF-8&q=site%3Aarmy.mil+intitle%3Aindex.of+apache


IMAGEAGENT


DANIEL (Owner-HP\Owner)

C:\Users\Owner\Documents\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9SN2DWZY
file:///C:/Users/Owner/Documents/Local/Microsoft/Windows/Temporary%20Internet%20Files/Low/Content.IE5/9SN2DWZY/Signin[2].htm
file:///C:/Users/Owner/Documents/Local/Microsoft/Windows/Temporary%20Internet%20Files/Low/Content.IE5/9SN2DWZY/movies[5].htm
membership wrapper:
YAHOO.i13n.beacon_server = "pclick.internal.yahoo.com";
var ins = new YAHOO.i13n.Track(rapidConf);
ins.init();

intelligentlogin:
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2&from=login
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2&from=login
file:///C:/Users/Owner/Documents/Local/Microsoft/Windows/Temporary%20Internet%20Files/Low/Content.IE5/9SN2DWZY/mail[2].htm
{ "data":{ "profile":{ "country":"US", "os":"windows", "returning":"false", "skypeVersion":"5.3.0.120", "skypeOs":"windows" }, "surferinfo":{ "IP":"96.242.241.71", "keywords":"" } } }
file:///C:/Users/Owner/Documents/Local/Microsoft/Windows/Temporary%20Internet%20Files/Low/Content.IE5/9SN2DWZY/ads[5].htm
C:\Users\Owner\Documents\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LinBCF2.xml
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="html" doctype-system="http://www.w3.org/TR/html4/strict.dtd" doctype-public="-//W3C//DTD HTML 4.01//EN" />
C:\Users\Owner\Desktop\DOMStore\78W92Z91\www.wegmans[1].xml
<root />

C:\Users\Owner\Desktop\DOMStore\FSSPWMVG\cim.meebo[1].xml

<root>
<item name=”cacheVersions” value=”{“1299881878”:{“src”:{“http://s.meebocdn.net/cim/script/sandbox_v89_cim_10_3_13.en.js?1299881878″:true},”lastUsed”:1300055008590}}” ltime=”1191163616″ htime=”30138829″ />
<item name=”meebo-cim” value=”{“sessionId”:”22f8017ea9ff7f534efe”,”data”:{“channel”:385,”pageLoads”:[750]},”sessionData”:{“ad-start-time”:1300054208383,”mindset”:{},”tc”:”{\”ac15\”:\”1\”,\”pc2\”:\”1\”,\”pc3\”:\”1\”,\”ac19\”:\”1\”,\”ac3\”:\”1\”,\”ac1\”:\”1\”,\”ac7\”:\”1\”,\”pc4\”:\”1\”,\”ic10\”:\”1\”}”,”ad-position”:5}}” ltime=”1199733616″ htime=”30138829″ />
<item name=”bc” value=”18e88b1244991541c42f” ltime=”1191363616″ htime=”30138829″ />
<item name=”http://s.meebocdn.net/cim/script/sandbox_v89_cim_10_3_13.en.js?1299881878” value=”var _gLang={noPass:”Please provide a password. “,noName:”Please provide a username. “,connectWithFB:”Connect with Facebook”,offlineGoOnline:”You are offline. Go online”,offlineSignInTo:”Sign in to %1 to chat”,connectViaMeebo:”Connect via Meebo”};
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.

——————————————————————————–
Only one top level element is allowed in an XML document. Error processing resource ‘file:///C:/Users/Owner/Downloads/diage…
<xml xmlns:s=”uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882″
-^

MpCmdRun: Command Line: “c:\program files\windows defender\MpCmdRun.exe” SpyNetService -RestrictPrivileges -AccessKey F1A3AE27-DF7E-0A37-5273-F4257F76F7B8 -Reinvoke
Start Time: Sun Jul 03 2011 11:43:10
Start: SpyNet Service
Start: Handling SpyNet Report
Time Info – Sun Jul 03 2011 11:43:27 End  : Handling SpyNet Report
Time Info – Sun Jul 03 2011 11:46:10 End: SpyNet Service
MpCmdRun: End Time: Sun Jul 03 2011 11:46:10

http://identifile.faronics.com/ShowInfo.aspx?FH=2AE2A6B863616B61CCB550FC1A145AE025896DE1&FN=MpCmdRun.exe
Summary
Report created: Sun, 03 Jul 2011 12:01 PM
Selected file name: MpCmdRun.exe
SHA-1 hash: 2AE2A6B863616B61CCB550FC1A145AE025896DE1
Total number of products: 0
http://www.processlibrary.com/directory/files/msascui/27073/
Client UrlCache MMF Ver 5.2


CERT.gov


Cyber Security Tip

Understanding Distributed-Denial-of-Service Attacks

Overview

One of the most significant cyber threats to businesses and to local and federal government agencies is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when an attacker commands a number of computers to send numerous requests to a target computer. The overwhelming flood of requests to the website or computer network can cause it to shut down or fail to handle the requests of legitimate users, much like a rush hour traffic jam on the freeway. This type of attack can completely disrupt an organization’s operations until the network can be restored. Understanding the basic concept and methods of a DDoS attack can help operators of both large and small networks mitigate the severity of the attack.

The DDoS Threat

DDoS attacks are easy to carry out and they can often garner widespread media attention, making them a popular tool for anyone wishing to interfere with an organization’s web-based and even e-mail services. Attackers often employ “botnets,” or networks of compromised computers, to use as soldiers in a DDoS attack. Criminal software or “crimeware” that can enable a potential adversary to rent a botnet to execute a DDoS attack has become increasingly available on cyber black markets. Most recently the group Anonymous has encouraged its followers to use DDoS software that members can install on their own computers to participate in a DDoS attack, essentially volunteering for a cause that disrupts an organization’s Internet operations.

The goal of a DDoS attack is usually to limit, disrupt, or prevent access to a particular network resource or web service. While the worst case scenario of a DDoS is a failure of the operating system and a crash of the computer system, some common symptoms of a DDoS are:

• A particular web or e-mail resource becoming unavailable

• Slow network performance

• Inability to access some network resources

UNCLASSIFIED Page 2 of 3

Best Practices

The best defense for any attack or emergency is to have a plan and this also applies to cyber attacks. A basic understanding of DDoS attack concepts, a list of potential responses and a few key phone numbers will prepare the administrators of even the smallest networks to lessen the damage of a DDoS.

• Assess your organization’s risk for a DDoS. If your organization relies heavily on web-based services consider the potential impact to your operations if hit by a DDoS.

• Develop a checklist of actions to take in the event of a DDoS and have contact information for your Internet Service Provider (ISP) and your web hosting providers readily available. If you use a web host for your services, be familiar with their DDoS mitigation policies and plans.

• Be familiar with the services your ISP might offer to mitigate a DDoS, such as temporarily increasing your bandwidth, switching your IP address, and blocking attacking IP addresses.

• Understand your normal amounts of daily network traffic as well as the performance of your system. Many types of DDoS attacks may not actually bring the site down but can significantly reduce service. Properly configured performance monitoring can be a major help in detecting an attack early.

• Separate or compartmentalize critical services:

o Separate public and private services

o Separate intranet, extranet, and internet services

o Create single purpose servers for each service such as HTTP, FTP, and DNS

• Review the US-CERT Cyber Security Tip “Understanding Denial of Service Attacks”
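The “understand your normal amounts of daily network traffic” practice above, as an added example that is not taken from the US-CERT tip: a Python check that keeps a rolling median baseline of requests per minute and response time, flags a request flood, and also flags the case the text mentions where the site is not brought down but service is significantly reduced. Every per-minute count and latency is constructed for the example.

```python
"""Rolling-baseline check for the 'understand your normal traffic' practice
above: flag a request flood, and also the case where the site stays up but
service is significantly degraded."""
from statistics import median


def build_sample():
    """Constructed per-minute samples (requests, mean response ms), not real
    data: 40 normal minutes, a 4-minute flood, 4 normal minutes, one degraded
    minute at a normal request rate, then normal traffic again."""
    def normal(i):
        return (95 + 5 * (i % 4), 110 + 10 * (i % 3))
    samples = [normal(i) for i in range(40)]
    samples += [(2200, 150)] * 4                 # minutes 40-43: flood
    samples += [normal(i) for i in range(44, 48)]
    samples.append((120, 950))                   # minute 48: slow but not down
    samples += [normal(i) for i in range(49, 56)]
    return samples


def detect_anomalies(samples, history=30, rate_factor=4.0, latency_factor=3.0):
    """Compare each minute against the median of the preceding `history`
    minutes. The median (not the mean) keeps a short flood from dragging the
    baseline up. Returns a list of (minute, reason, requests, latency_ms)."""
    findings = []
    for i in range(history, len(samples)):
        window = samples[i - history:i]
        base_rate = median(r for r, _ in window)
        base_lat = median(l for _, l in window)
        rate, lat = samples[i]
        if rate > rate_factor * base_rate:
            findings.append((i, "request flood", rate, lat))
        elif lat > latency_factor * base_lat:
            findings.append((i, "service degradation", rate, lat))
    return findings


if __name__ == "__main__":
    for minute, reason, rate, lat in detect_anomalies(build_sample()):
        print(f"minute {minute}: {reason} ({rate} req/min, {lat} ms)")
```

The factors are assumptions to tune against your own baseline; the point is that the latency branch catches the degraded-but-up case a pure request-count alarm misses.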

UNCLASSIFIED Page 3 of 3

Please contact US-CERT at (888) 282-0870 or soc@us-cert.gov if you have any questions.


Document FAQ

What is a TIP? 
A Technical Information Paper (TIP) is issued for a topic that is more informational in nature, describing an analysis technique, case study, or general cybersecurity issue. Depending on the topic, this product may be published to the public website.

If this document is labeled as UNCLASSIFIED can I distribute it to other people? 
Yes, this document is intended for broad distribution to individuals and organizations interested in increasing their overall cybersecurity posture.

Can I edit this document to include additional information? 
This document is not to be edited, changed or modified in any way by recipients. All comments or questions related to this document should be directed to the US-CERT Security Operations Center at
1-888-282-0870 or soc@us-cert.gov

——————————————————————————– Session starts at: 04:18:41, 02/Jul/2011
04:18:41  DBG Application starts
04:18:42   Registration Key installation failed for ” ()
04:18:42  DBG no user key retrieved
04:18:42   User is member of Administrators group.
04:18:43   Application ‘Active@ UNDELETE 7.4 [DEMO]’ starts. Version: 7.4.014
04:18:44  DBG Low Resolution
04:19:06   Local system uses a local area network to connect to the Internet. Local system has RAS installed.
04:19:06  OK Internet Available. On-Line help and Software Update can be used
04:19:06   Starting initialization…
04:19:06   Opening recovery kernel …
04:19:06   Analyzing devices …
04:19:06   Analyzing device Hard Disk 0 (C:,D:)
04:19:06   Analyzing volume SYSTEM
04:19:08   Analyzing volume Local Disk (C:)
04:19:10   Analyzing volume RECOVERY (D:)
04:19:10   Analyzing volume HP_TOOLS
04:19:11   Analyzing device CDRom Drive 0 (E:)
04:19:11   … opening recovery kernel complete.
04:19:11   Reading Data Storage Info…
04:19:11  DBG System Information:
Operating System:                                  Windows 7
Build:                                                  7600
Version (Service Pack):                         (Build 7600)
Number of Processors:                                      2
Processor type:                                          x86
04:19:11   … reading Data Storage Info complete.
04:19:11  DBG Initialize application modules…
04:19:11  DBG … done
04:19:11  OK Initialization complete.
04:19:27  OK Ready
04:25:09  DBG PC Hardware Info:
Destination File Name:     C:\Users\Owner\Documents\hddinfo_02_07_11-04_24_47.xml
Created at:                                     02/07/2011 04:25:09
04:25:29  OK Info file ‘C:\Users\Owner\Documents\hddinfo_02_07_11-04_24_47.xml’ has been saved successfully!
04:25:29  OK Hardware Info file has been created!

——————————————————————————– Session starts at: 23:53:57, 11/Jul/2011
23:53:57  DBG Application starts
23:53:57   Registration Key installation failed for ” ()
23:53:57  DBG no user key retrieved
23:53:57   User is member of Administrators group.
23:53:58   Application ‘Active@ UNDELETE 7.4 [DEMO]’ starts. Version: 7.4.014
23:53:58  DBG Low Resolution
23:54:06   Local system uses a local area network to connect to the Internet. Local system has RAS installed.
23:54:06  OK Internet Available. On-Line help and Software Update can be used
23:54:06   Starting initialization…
23:54:06   Opening recovery kernel …
23:54:07   Analyzing devices …
23:54:07   Analyzing device Hard Disk 0 (C:,D:,T:)
23:54:07   Analyzing volume Daniel Mounted
23:54:07   Analyzing volume Local Disk (C:)
23:54:09   Analyzing volume RECOVERY (D:)
23:54:09   Analyzing volume MOUNTDANIEL (T:)
23:54:09   Analyzing device CDRom Drive 0 (E:)
23:54:09   … opening recovery kernel complete.
23:54:09   Reading Data Storage Info…
23:54:09  DBG System Information:
Operating System:                                  Windows 7
Build:                                                  7600
Version (Service Pack):                         (Build 7600)
Number of Processors:                                      2
Processor type:                                          x86
23:54:09   … reading Data Storage Info complete.
23:54:09  DBG Initialize application modules…
23:54:09  DBG … done
23:54:09  OK Initialization complete.
23:54:21  OK Ready
23:58:51  DBG Disk Image general options
Disk Image Name:                           SAMSUNG HM321HI (80h)
Disk Image Description:                           Raw Disk Image
Save to:                                         C:\Users\Owner\
Compression Level:                                   Good [Fast]
Use chunks:                                                  Yes
Use disk lock:                                               Yes
Image bounds:                                        Entire disk
Chunk size:                                              4.37 GB
Disk Image Geometry:
LBA mode:                             Yes
Cylinders:                          38913
Tracks per Cylinder:                  255
Sectors per Track:                     63
Bytes per Sector:                     512
First Sector:                           0
Number of Sectors:              625142448
23:58:51   Error locking drive 1:
23:58:58  DBG Err respond: 4
23:59:00   Error locking drive C:
23:59:03  DBG Err respond: 1
23:59:03  WRNG Disk Image creation terminated by user.
23:59:03  OK Execution has been completed with errors
00:02:14  OK Partition Virtual Copy created on SAMSUNG HM321HI (80h) at 2048 length 407544
00:02:25   Verifying drive information
00:02:25   Verifying drive Daniel Mounted #0 (2:)
00:02:25   $MFT will be verified beyond the existed bounds (256) up to 25472 records
00:02:25   Drive verification has been completed
00:03:05  DBG Search in:                                                    2:;
General Search Criteria:
Looking for:                                                  *.*;
Recursive search in subdirectories:                            Yes
Case sensitive search:                                          No
Search among deleted only:                                      No
Search among existing only:                                     No
File Date Criteria:
Date Type:                                                Accessed
Date Range:                   07/01/2011 00:02:25 – 07/12/2011 00:02:25
File Size Criteria:                                          Any size
File Attributes Criteria:                          Any file attribute
00:03:05   Search started on 2:\
00:03:05   Search completed [found 42 items]
00:03:05  OK Search has been completed. [Total 0 items found].
Review search results and repeat Search with another options if necessary.
00:03:08  OK Filtering has been completed. Found 0 items.
00:03:21  OK $MFT Mirror has been assigned as an Active Table for Logical Drive ‘Daniel Mounted 0 (2) [virtual]’.
00:04:13  DBG Logical Drive Scan options:
Drive to scan:                                            2:;
Scan type:                                                Low
Ignore R/W errors:                                        Yes
Show results In Document View:                             No
Autosave scan results:                                    Yes
Path to save scan results:                 C:\Users\Owner
Low Level scan:                                            No
00:04:13   Scanning…
00:04:13   Verifying drive information
00:04:13   Verifying drive Daniel Mounted #0 (2:)
00:04:13   $MFT will be verified beyond the existed bounds (256) up to 25472 records
00:04:13   Drive verification has been completed
00:04:13  DBG Drive Scan returns 0
00:04:13   Saving 2: Scan Result to 'C:\Users\Owner\Drive_2_2011-07-12_12041.scaninfo'.
00:04:13   Analyzing Scan results…
00:04:13   Populating Logical Drive 'Daniel Mounted 0 (2) [virtual]' content…
00:04:13  OK Logical Drive scan has been completed.
You can save the Scan Results to avoid re-scanning later. See help for details.
00:04:36   Setting check state for Files and Folders…
00:04:52   Setting check state for Files and Folders…
00:04:53   Setting check state for Files and Folders…
00:06:05  DBG Recovering selected Files and Folders
Destination path: 'C:\Users\Owner\AppID'
Allow recovering to the same drive:                             No
Create original file(s) path:                                   No
Overwrite mode:                          Generate unique file name
File naming options:                       Use original file names
Recover files locally:                                  Yes
Invalid file name symbols will be replaced with:                 _
Number of Files or Folders to recover:                           4
00:06:05  REG Unable to recover folder '$TxfLog' due to size limit (64.0 KB) for the Unregistered Version.
00:06:22  OK Execution has been completed with errors
00:06:22  OK Recovery process completed.
Recovered 0 item(s) total.
00:11:53  DBG Search in:                          2:\…\$TxfLog; 2:\…\System Volume Information;

CERT.gov
www.cert.gov

Analyzing Volume

Analyzing volume MOUNTDANIEL (T:)

Microsoft DiskPart version 6.1.7600
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: MININT-US44ETE
Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          298 GB      0 B
Disk 1    No Media           0 B      0 B
Disk 0 is now the selected disk.

Disk ID: D2ED6EA8
Type   : SATA
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1100)#ATA(C00T00L00)
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 1     C                       Partition    199 MB  Healthy
D:\$DNL\
D:\Mounted Daniel\
Volume 2     D                       Partition    280 GB  Healthy
Volume 3     E                       Partition     17 GB  Healthy
Volume 4     F                       Partition    103 MB  Healthy
D:\!DNL\
D:\Daniel Mounted\
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 0     G                       DVD-ROM         0 B  No Media
Volume 1     C                       Partition    199 MB  Healthy
D:\$DNL\
D:\Mounted Daniel\
Volume 2     D                       Partition    280 GB  Healthy
Volume 3     E                       Partition     17 GB  Healthy
Volume 4     F                       Partition    103 MB  Healthy
D:\!DNL\
D:\Daniel Mounted\
Volume 5     H                       Removable       0 B  No Media

Issued To Issued By Expiration Date Intended Purposes Friendly Name Status Certificate Template
Daniel S. Abrahamian 

Daniel S. Abrahamian 7/2/2016 <All> <None>
Microsoft Windows Microsoft Windows Verification PCA 5/14/2012 Code Signing, Windows System Component Verification

Enforce password history
Enforce Password History – Properties
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.
This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.
Default:
24 on domain controllers.
0 on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.
To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.
Audit Account Management Properties
Audit account management
This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:
A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Default values on Client editions:
User Account Management: Success
Computer Account Management: No Auditing
Security Group Management: Success
Distribution Group Management: No Auditing
Application Group Management: No Auditing
Other Account Management Events: No Auditing
Default values on Server editions:
User Account Management: Success
Computer Account Management: Success
Security Group Management: Success
Distribution Group Management: No Auditing
Application Group Management: No Auditing
Other Account Management Events: No Auditing
Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see http://go.microsoft.com/fwlink/?LinkId=140969.

Log File: C:\Windows\System32\config\systemprofile\Documents\Security\Logs\danandatabase.log

System Devices

[Ports]

[Serial]
Item Value
[Parallel]
Item Value
[Storage]

[Drives]
Item Value
Drive C:
Description Local Fixed Disk
Compressed No
File System NTFS
Size 68.00 GB (73,014,439,936 bytes)
Free Space 40.11 GB (43,070,230,528 bytes)
Volume Name
Volume Serial Number A601FB3C

Drive D:
Description CD-ROM Disc

Drive E:
Description Removable Disk
[Disks]
Item Value
Description Disk drive
Manufacturer (Standard disk drives)
Model Hitachi HTS725025A9A364 ATA Device
Bytes/Sector 512
Media Loaded Yes
Media Type Fixed hard disk
Partitions 1
SCSI Bus 0
SCSI Logical Unit 0
SCSI Port 0
SCSI Target ID 0
Sectors/Track 63
Size 232.88 GB (250,056,737,280 bytes)
Total Cylinders 30,401
Total Sectors 488,392,065
Total Tracks 7,752,255
Tracks/Cylinder 255
Partition Disk #0, Partition #0
Partition Size 68.00 GB (73,014,444,032 bytes)
Partition Starting Offset 209,715,200 bytes

Description Disk drive
Manufacturer (Standard disk drives)
Model Generic- Multi-Card USB Device
Bytes/Sector Not Available
Media Loaded Yes
Media Type Not Available
Partitions 0
SCSI Bus Not Available
SCSI Logical Unit Not Available
SCSI Port Not Available
SCSI Target ID Not Available
Sectors/Track Not Available
Size Not Available
Total Cylinders Not Available
Total Sectors Not Available
Total Tracks Not Available
Tracks/Cylinder Not Available
[SCSI]
Item Value
[IDE]
Item Value
Name Standard AHCI 1.0 Serial ATA Controller
Manufacturer Standard AHCI 1.0 Serial ATA Controller
Status OK
PNP Device ID PCI\VEN_1002&DEV_4391&SUBSYS_1444103C&REV_00\3&2411E6FE&1&88
I/O Port 0x00004038-0x0000403F
I/O Port 0x0000404C-0x0000404F
I/O Port 0x00004030-0x00004037
I/O Port 0x00004048-0x0000404B
I/O Port 0x00004010-0x0000401F
Memory Address 0x90408000-0x904083FF
IRQ Channel IRQ 19
Driver c:\windows\system32\drivers\msahci.sys (6.1.7600.16593, 29.38 KB (30,080 bytes), 7/14/2010 8:14 AM)

Name ATA Channel 0
Manufacturer (Standard IDE ATA/ATAPI controllers)
Status OK
PNP Device ID PCIIDE\IDECHANNEL\4&35893B01&0&0
Driver c:\windows\system32\drivers\atapi.sys (6.1.7600.16385, 23.56 KB (24,128 bytes), 7/13/2009 4:19 PM)

Name ATA Channel 1
Manufacturer (Standard IDE ATA/ATAPI controllers)
Status OK
PNP Device ID PCIIDE\IDECHANNEL\4&35893B01&0&1
Driver c:\windows\system32\drivers\atapi.sys (6.1.7600.16385, 23.56 KB (24,128 bytes), 7/13/2009 4:19 PM)
[Printing]
Name Driver Port Name Server Name
Microsoft XPS Document Writer Microsoft XPS Document Writer XPSPort: Not Available
Fax Microsoft Shared Fax Driver SHRFAX: Not Available
[Problem Devices]
Device PNP Device ID Error Code
Network Controller PCI\VEN_14E4&DEV_4727&SUBSYS_145C103C&REV_01\4&B907D39&0&0028 The drivers for this device are not installed.
[USB]
Device PNP Device ID
Standard Enhanced PCI to USB Host Controller PCI\VEN_1002&DEV_4396&SUBSYS_1444103C&REV_00\3&2411E6FE&1&92
Standard Enhanced PCI to USB Host Controller PCI\VEN_1002&DEV_4396&SUBSYS_1444103C&REV_00\3&2411E6FE&1&9A
Standard Enhanced PCI to USB Host Controller PCI\VEN_1002&DEV_4396&SUBSYS_1444103C&REV_00\3&2411E6FE&1&B2
Standard OpenHCD USB Host Controller PCI\VEN_1002&DEV_4397&SUBSYS_1444103C&REV_00\3&2411E6FE&1&90
Standard OpenHCD USB Host Controller PCI\VEN_1002&DEV_4397&SUBSYS_1444103C&REV_00\3&2411E6FE&1&98
Standard OpenHCD USB Host Controller PCI\VEN_1002&DEV_4397&SUBSYS_1444103C&REV_00\3&2411E6FE&1&B0
Standard OpenHCD USB Host Controller PCI\VEN_1002&DEV_4399&SUBSYS_1444103C&REV_00\3&2411E6FE&1&A5

Sign In

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Gmail</title>
<meta http-equiv="X-UA-Compatible" content="IE=9, IE=8">
<meta name="application-name" content="Gmail">
<meta name="description" content="Google's approach to email">
<meta name="application-url" content="https://mail.google.com/mail">
<meta name="google" content="notranslate">
<link rel="canonical" href="https://mail.google.com/mail/" />
<link rel="icon" href="images/2/mail_icon_32.png" sizes="32x32">
<link rel="shortcut icon" href="/mail/images/favicon.ico" type="image/x-icon">
<link rel="alternate" type="application/atom+xml" title="Gmail Atom Feed" href="feed/atom">
<script>
var GM_START_TIME=(new Date).getTime();var GM_FIN_URL="";var GM_MOOSE_URL="?ui=html&zy=b";var GM_NO_COOKIE_URL="html/nocookies.html";var GM_NO_ACTIVEX_URL="html/noactivex.html";var GM_MPTO_URL="/mail/aca/?view=btop&fstf=1";var GM_CA_ENABLED=0;var GM_APP_NAME="Gmail";var GM_ICON_URL="images/2/mail_icon_32.png";
</script>
<script>