Distributed Denial-of-Service Tools

CAN 2000-0138

Impact

The presence of a distributed denial-of-service tool is a powerful threat to the entire network. It could also be used to attack other networks, and the owner of the infected network could be held responsible. The presence of a distributed denial-of-service tool is also an indication that the system has already been compromised.

Background

Distributed denial-of-service is a type of attack in which a large number of hosts are used to flood a single target with unwanted traffic. The target becomes unusable while it is processing the flood of traffic. An attacker who breaks into many hosts on a network and sets up such a distributed denial-of-service attack can create a threat that is very powerful and difficult to defend against.

The Problem

Trinoo is one such distributed denial-of-service tool. A trinoo network consists of a master host and many broadcast hosts. When an attacker wishes to launch a denial-of-service attack, he or she issues commands to the master host using a TCP connection. The master then communicates with all of the broadcast hosts via UDP, telling them to send a flood of UDP packets to random ports on the specified target host. The flood of UDP packets coming from the broadcast hosts causes denial of service to the target host. An attacker must have prior access to a host in order to install a trinoo master or broadcast, either by breaking in or by some other means.

Tribe Flood Network (TFN) is another distributed denial-of-service tool, consisting of a client host and many daemon hosts. It is similar to trinoo, but communicates using ICMP, and is capable of launching ICMP flood, UDP flood, SYN flood, and Smurf attacks. A newer version of TFN called TFN2K includes many additional features, such as encryption, stealth attacks, denial-of-service attacks designed to crash the target host, and the ability to send shell commands to the daemons.

Stacheldraht, Shaft, mstream, and Trinity are four more distributed denial-of-service tools, which consist of a handler and many agents. Stacheldraht communicates using TCP and ICMP, offers the same attacks as TFN, and features encrypted sessions between the attacker and the handlers. Shaft communicates using UDP, and can launch UDP flood, TCP SYN flood, or ICMP flood attacks. mstream is more primitive than the others, but offers the powerful stream attack (TCP ACK packets using random ports), making it effective even with only a few agents. Trinity is different from the others in that the handlers are actually fixed IRC channels to which the agents connect. It offers a variety of attacks, and also includes a backdoor root shell on TCP port 33270.

Resolution

Although a distributed denial-of-service tool can be easily eradicated from a single system, its presence is an indication of a much bigger problem. The fact that it was installed on one system makes it likely to be installed on many more systems. The entire network should be scanned. Furthermore, the presence of the tool means that the system was probably compromised. Distributed denial-of-service tools are often associated with break-ins resulting from vulnerabilities in Tooltalk, Calendar Manager, amd, statd, and mountd, but could have been put on the system no matter how the compromise occurred. An infected system should be taken off the network until all vulnerabilities have been corrected and the system has been inspected for other backdoors and hacker trails.

To eradicate a distributed denial-of-service tool from a single system, kill the process and delete the executable file from the system. The processes have the following names by default, but the intruder could easily have chosen a different name, or could even have hidden the files and processes using a rootkit.

Trinoo
Master: master
Broadcast: ns

TFN
Client: tfn
Daemon: td

Stacheldraht
Handler: mserv
Agent: td

Shaft
Handler: shaftmaster
Agent: shaftnode

mstream
Handler: master
Agent: server

Trinity
Agent: /usr/lib/idle.so
Portshell: /var/spool/uucp/uucico
Alt. Portshell: /var/spool/uucp/fsflush
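A host check for the default names listed above, as an added example that is not from the original tutorial: it reports matching processes, Trinity file paths, and a listener on TCP port 33270 for manual inspection before anything is killed, and assumes Linux-style `ps -eo pid,comm` and `netstat -an` output.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report a host's processes,
# files and listeners that match the default names given above. A match is a
# lead to inspect by hand before killing anything, not proof; the intruder may
# have renamed the binaries or hidden them with a rootkit. Assumes Linux-style
# `ps -eo pid,comm` and `netstat -an` output ("addr:port" in column 4, state in 6).

# Default process names from the tutorial; "master" and "server" are generic, expect false positives.
DDOS_PROCS="master ns tfn td mserv shaftmaster shaftnode server"
# Default Trinity agent and portshell paths from the tutorial.
DDOS_FILES="/usr/lib/idle.so /var/spool/uucp/uucico /var/spool/uucp/fsflush"
# Trinity backdoor root shell port from the tutorial.
TRINITY_PORT=33270

# match_procs: read "PID COMM" lines on stdin, print those whose command name
# is one of the default DDoS process names.
match_procs() {
    while read -r pid comm; do
        for name in $DDOS_PROCS; do
            [ "$comm" = "$name" ] && echo "$pid $comm"
        done
    done
    return 0
}

# match_files: print each default Trinity path that exists under root dir $1
# (empty for the live system; a mount point lets you check a disk image).
match_files() {
    for f in $DDOS_FILES; do
        [ -e "$1$f" ] && echo "$1$f"
    done
    return 0
}

# match_listener: read "LOCAL-ADDRESS STATE" lines on stdin, print the address
# of any LISTEN socket bound to the Trinity portshell port.
match_listener() {
    while read -r local state; do
        [ "${local##*:}" = "$TRINITY_PORT" ] && [ "$state" = "LISTEN" ] && echo "$local"
    done
    return 0
}

# scan_host: run all three checks against the live system (run as root).
# No output means no default-name matches; it does not mean the host is clean.
scan_host() {
    ps -eo pid,comm | tail -n +2 | match_procs
    match_files ""
    netstat -an 2>/dev/null | awk '{print $4, $6}' | match_listener
}
```

Run `scan_host` on the suspect host, then inspect each reported PID and path by hand; the tutorial's note that names are easily changed means an empty report is not a clean bill of health.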

Where can I read more about this?

More information about trinoo and TFN can be found in the X-Force Alert and in CERT Incident Note 99-07. Separate X-Force Alerts cover the Windows version of trinoo, mstream, and Trinity.

Developments in the area of distributed denial-of-service tools are reported in CERT Advisories 1999-17 and 2000-01. For detailed technical information, see the papers on trinoo, TFN, stacheldraht, shaft, and mstream.