Distributed Denial-of-Service Tools
CAN 2000-0138
Impact
The presence of a distributed denial-of-service tool is a powerful threat to the
entire network. It could also be used to attack other networks, and the owner of the infected
network could be held responsible. The presence of a distributed denial-of-service
tool is also an indication that the system has already been compromised.
Background
Distributed denial-of-service is a type of attack in which a large number
of hosts are used to flood a single target with unwanted traffic. The target
becomes unusable while it is processing the flood of traffic. An attacker
who breaks into many hosts on a network and sets up such a distributed
denial-of-service attack can create a threat that is very powerful and
difficult to defend against.
The Problem
Trinoo is one such distributed denial-of-service tool. A trinoo network
consists of a master host and many broadcast hosts. When an
attacker wishes to launch a denial-of-service attack, he or she issues
commands to the master host using a TCP connection. The master then communicates with all of
the broadcast hosts via UDP, telling them to send a flood of UDP packets
to random ports on the specified target host. The flood of UDP packets coming
from the broadcast hosts causes denial of service to the target
host. An attacker must have prior access
to a host in order to install a trinoo master or broadcast, either by breaking
in or by some other means.
Tribe Flood Network (TFN) is another distributed denial-of-service tool,
consisting of a client host and many daemon hosts.
It is similar to trinoo, but communicates using ICMP, and is capable of
launching ICMP flood, UDP flood,
SYN flood, and
Smurf attacks. A newer version of TFN called TFN2K includes
many additional features, such as encryption, stealth attacks, denial-of-service
attacks designed to crash the target host, and the ability to send
shell commands to the daemons.
Stacheldraht, Shaft, mstream, and Trinity are four more
distributed denial-of-service tools, which consist of a handler and
many agents. Stacheldraht communicates using TCP and ICMP, offers the same
attacks as TFN, and features encrypted sessions between the attacker and
the handlers. Shaft communicates using UDP, and can launch UDP flood, TCP SYN flood,
or ICMP flood attacks. mstream is more primitive than the others, but
offers the powerful stream attack (TCP ACK packets using random ports),
making it effective even with only a few agents. Trinity is
different from the others in that the handlers are actually
fixed IRC channels to which the agents connect. It offers a
variety of attacks, and also includes a backdoor root shell
on TCP port 33270.
Resolution
Although a distributed denial-of-service tool can be easily eradicated from a
single system, its presence is an indication of a much bigger problem.
The fact that it was installed on one system makes
it likely to be installed on many more systems. The entire network should
be scanned.
Furthermore, the presence of the tool means that the system was probably compromised.
Distributed denial-of-service tools are often associated with break-ins resulting from
vulnerabilities in Tooltalk, Calendar Manager, amd, statd, and mountd, but could have
been put on the system no matter how the compromise occurred. An infected system should
be taken off the network until all vulnerabilities have been corrected and the system
has been inspected for other backdoors and hacker trails.
To eradicate a distributed denial-of-service tool from a single system,
kill the process and delete the executable file from the system. The
processes have the following names by default, but the intruder could
easily have chosen a different name, or could even have hidden the
files and processes using a rootkit.
- Trinoo
  - Master: master
  - Broadcast: ns
- TFN
  - Client: tfn
  - Daemon: td
- Stacheldraht
  - Handler: mserv
  - Agent: td
- Shaft
  - Handler: shaftmaster
  - Agent: shaftnode
- mstream
  - Handler: master
  - Agent: server
- Trinity
  - Agent: /usr/lib/idle.so
  - Portshell: /var/spool/uucp/uucico
  - Alt. Portshell: /var/spool/uucp/fsflush
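The following host-triage script is an added example and is not part of the original advisory. It turns the defaults listed above (process names, Trinity file paths, and the Trinity backdoor on TCP port 33270) into three checks that can be run on a suspect host or against a mounted image of its disk. The function names, the DDOS_TRIAGE_LIVE environment variable, and the assumption that netstat prints listeners in the usual "addr:port ... LISTEN" (Linux) or "addr.port ... LISTEN" (BSD) form are this example's own choices; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added triage example (not from the original advisory).  It looks for the
# DEFAULT names and paths only; an intruder can rename them or hide them
# with a rootkit, so a clean result does not prove the host is free of
# these tools.  A hit is a lead to inspect by hand, not a verdict.

# Default process names: trinoo (master, ns), TFN (tfn, td),
# Stacheldraht (mserv, td), Shaft (shaftmaster, shaftnode),
# mstream (master, server).
DDOS_PROC_NAMES="master ns tfn td mserv shaftmaster shaftnode server"

# Trinity default agent and portshell paths.
TRINITY_FILES="/usr/lib/idle.so /var/spool/uucp/uucico /var/spool/uucp/fsflush"

# find_ddos_procs: read "PID COMMAND" lines on stdin (as printed by
# `ps -eo pid,comm`) and echo those whose command basename is one of the
# default tool names.  Generic names such as "master" (also the name of
# the postfix supervisor) and "server" produce false positives, which is
# why the PID is printed so the process can be examined further.
find_ddos_procs() {
    while read -r pid comm _rest; do
        base=${comm##*/}
        for name in $DDOS_PROC_NAMES; do
            if [ "$base" = "$name" ]; then
                printf '%s %s\n' "$pid" "$comm"
                break
            fi
        done
    done
}

# check_trinity_files: echo each Trinity default path that exists.
# The optional root prefix (default "", i.e. the live filesystem) lets a
# mounted image of the suspect disk be checked from a clean host.
check_trinity_files() {
    root=${1:-}
    for f in $TRINITY_FILES; do
        [ -e "$root$f" ] && printf '%s\n' "$root$f"
    done
    return 0
}

# check_backdoor_port: read netstat-style lines on stdin and echo any TCP
# listener on port 33270 (Trinity portshell).  Matches both the Linux
# "0.0.0.0:33270" and the BSD "*.33270" address formats.
check_backdoor_port() {
    grep -E '^tcp.*[:.]33270[[:space:]].*LISTEN' || true
}

# Live run against the current host.  Guarded by an environment variable
# so that sourcing this file for its functions executes nothing.
if [ "${DDOS_TRIAGE_LIVE:-0}" = 1 ]; then
    echo "== processes with default DDoS tool names =="
    ps -eo pid,comm | find_ddos_procs
    echo "== Trinity default files present =="
    check_trinity_files
    echo "== TCP listeners on port 33270 =="
    netstat -an 2>/dev/null | check_backdoor_port
fi
```

Run it with `DDOS_TRIAGE_LIVE=1 sh ddos_triage.sh` on the suspect host, or source it and call `check_trinity_files /mnt/suspect` against a mounted image. Because the process names are the tools' defaults and several of them collide with legitimate daemons, every hit should be followed up by examining the binary on disk and the sockets the process holds open, and, as the advisory says, by scanning the rest of the network rather than treating one host in isolation.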
Where can I read more about this?
More information about trinoo and TFN can be found in the X-Force Alert and in
CERT Incident Note 99-07. More information about the Windows version of trinoo
can be found in another X-Force Alert. More information about mstream can be
found in yet another X-Force Alert. More information about Trinity can also be
found in an X-Force Alert.
Developments in the area of distributed denial-of-service tools are reported in
CERT Advisories 1999-17 and 2000-01. For detailed technical information, see the
papers on trinoo, TFN, stacheldraht, shaft, and mstream.