- Trinoo
- TFN
- Stacheldraht
- Shaft
- TFN2K
- mstream
- UDP packet flood attack
- No source address forgery
- Some bugs, but full control features
TFN
- Some bugs, limited control features
- UDP packet flood attack ("trinoo emulation")
- TCP SYN flood attack
- ICMP Echo flood attack
- Smurf attack
- Either randomizes all 32 bits of IP source address, or just the last 8 bits
- TFN2K
- Same attacks as TFN, but can randomly do them all at once
- Encryption added to improve security of the DDoS network
- Control traffic uses UDP/TCP/ICMP
- Same source address forgery features as TFN
- Stacheldraht/StacheldrahtV4
- Some bugs, full control features
- Same basic attacks as TFN
- Same source address forgery features as TFN/TFN2K
- Stacheldraht v2.666
- Fewer bugs than original
- Same basic attacks as Stacheldraht
- Adds TCP ACK flood attack
- Adds TCP NUL (no flags) flood attack
- Adds Smurf attack with pre-compiled list of 16,702 amplifiers
- Same source address forgery features as stacheldraht/TFN/TFN2K
- shaft
- Some bugs, but full control features
- Adds statistics
- UDP flood attack
- TCP SYN flood attack
- ICMP flood attack
- Randomize all three attacks
- mstream
- Many bugs, with very limited control features
- TCP ACK flood (very efficient)
- Randomizes all 32 bits of IP address
All of the DDOS tools follow this sequence.
Mass-intrusion Phase - automated tools identify potential systems with weaknesses; then root compromise them and install the DDOS software on them. These are the primary victims.
DDOS Attack Phase - The compromised systems are used to run massive DOS against a victim site.
There is an initial mass-intrusion phase, in which automated tools are used to remotely root compromise large numbers (i.e., in the several hundred to several thousand ranges) and the distributed denial of service agents are installed on these compromised systems. These are primary victims (of system compromise.) None of these distributed denial of service tools has any features that facilitate compromising systems, and those groups who wrote them hold these automated tools closely.
The mass-intrusion phase is followed by the actual denial of service attack phase, in which these compromised systems which constitute the handlers and agents of the distributed attack network are used to wage massive denial of service attacks against one or more sites. These are secondary victims (of denial of service).
- Trinoo (TrinOO) was the first DDOS tool to be discovered.
- Found in the wild (binary form) on Solaris 2.x systems compromised by buffer overrun bug in RPC services: statd, cmsd, ttdbserverd.
- Trinoo daemons were UDP based, password protected remote command shells running on compromised systems.DDOS Structure
- The attacker controls one or more master servers by password protected remote command shells.
- The master systems control multiple daemon sysyems. Trinoo calls the daemons "Beast" hosts.
- Daemons fire packets at the target specified by the attacker.
A typical installation might go something like this.A stolen account is set up as a repository for pre-compiled versions of scanning tools, attack (i.e. buffer overrun exploit) tools, root kits and sniffers, trinoo daemon and master programs, lists of vulnerable hosts and previously compromised hosts, etc. This would normally be a large system with many users, one with little administrative oversight, and on a high-bandwidth connection for rapid file transfer.A scan is performed of large ranges of network blocks to identify potential targets. Targets would include systems running various services known to have remotely exploitable buffer overflow security bugs, such as wu-ftpd, RPC services for "cmsd", "statd", "ttdbserverd", "amd", etc. Operating systems being targeted appear to be primarily Sun Solaris 2.x and Linux (due to the ready availability of network sniffers and "root kits" for concealing back doors, etc.), but stolen accounts on any architecture can be used for caching tools and log files.A list of vulnerable systems is then used to create a script that performs the exploit, sets up a command shell running under the root account that listens on a TCP port (commonly 1524/tcp, the "ingreslock" service port), and connects to this port to confirm the success of the exploit. In some cases, an electronic mail message is sent to an account at a free web based email service to confirm which systems have been compromised. The result is a list of "owned" systems ready for setting up back doors, sniffers, or the trinoo daemons or masters.From this list of compromised systems, subsets with the desired architecture are chosen for the trinoo network. Pre-compiled binaries of the trinoo daemon are created and stored on a stolen account somewhere on the Internet.A script is then run which takes this list of "owned" systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. Even more subtle ways of having trinoo daemons/masters lie in wait for execution at a given time are easy to envision (e.g., UDP or ICMP based client/server shells, such as LOKI, programs that wake up periodically and open a listening TCP or UDP port, etc.)The result of this automation is the ability for attackers to set up the denial of service network, on widely dispersed systems whose true owners don't even know are out of their control, in a very short time frame.Optionally, a "root kit" is installed on the system to hide the presence of programs, files, and network connections. This is more important on the master system, since these systems are key to the trinoo network. (It should be noted that in many cases, masters have been set up on Internet Service Providers' primary name server hosts, which would normally have extremely high packet traffic and large numbers of TCP and UDP connections, which would effectively hide any trinoo related traffic or activity, and would likely not be detected. (The fact that these are primary name servers would also tend to make the owners less likely to take the system off the Internet when reports begin to come in about suspected denial of service related activity.)Root kits would also be used on systems running sniffers that, along with programs like "hunt" (TCP/IP session hijacking tool) are used to burrow further into other networks directly, rather than through remote buffer overrun exploits (e.g., to find sites to set up new file repositories, etc.)- Trinoo is a DDOS attack tool. It uses the following TCP Ports:
Attacker to master: 27665/tcp Master to daemon: 27444/udp Daemon to master: 31335/udp
- Daemons reside on the systems that launch that the attack, and masters control the daemon systems.
- Since Trinoo uses TCP, it can be easily detected and disabled.
Hacking Tool: Trinoo The trinoo distributed denial-of-service system consists of 3 parts:The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target. (The master and broadcast are described later in this section.)The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. Starting the broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:- - mtimer:Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.- - dos:Performs a Denial of Service attack on a machine. The attack used is explained below. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.- - mdie:Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known (the password is unknown as of this writing), but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.- - mping:Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png 144 adsl".- - mdos:This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".- - msize:This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left.There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.
No comments:
Post a Comment