5521714 2000-09-27  21:22  /236 lines/ Brevbäraren (which is implemented in) Python
Recipient: Cracking experience exchange <9439>
Subject: New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools
------------------------------------------------------------

Internet Security Systems Security Alert
September 25, 2000

New Variants of Trinity and Stacheldraht Distributed Denial of
Service Tools

Synopsis:

New versions of Stacheldraht and Trinity distributed denial of
service (DDoS) attack tools have been found in the wild. The new
versions of Stacheldraht include "Stacheldraht 1.666+antigl+yps" and
"Stacheldraht 1.666+smurf+yps".  A variant of the Trinity tool called
"entitee" has also been reported.

Impact:

Distributed Denial of Service attacks can bring down a network by
flooding target machines with large amounts of traffic.  In February
of this year, several of the Internet's largest Web sites, including
Yahoo, Amazon.com, eBay, and Buy.com were disrupted for extended
periods of time by DDoS tools. These new tools were detected in
corporate networks, as well as in personal computers with high speed
network connections.  The prevalence of high speed DSL and cable
modem service magnifies these tools' potential effectiveness.


Description:

For an overview of the original Stacheldraht program, refer to the
X-Force Alert, "Denial of Service Attack using the TFN2K and
Stacheldraht programs", at:

http://xforce.iss.net/alerts/advise43.php.

For more information, Dave Dittrich wrote a detailed analysis, which
can be found at:

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt.

In the newer version of the Stacheldraht program, there are several
new commands. The following is a complete list of the commands in this
new version:

.mtimer    .mudp     .micmp    .msyn     .mack     .mnul
.mstream   .mhavoc   .mrandom  .mip      .mfdns    .msort
.showalive .madd     .mlist    .msadd    .msrem    .help
.setusize  .setisize .mdie     .sprange  .mstop    .killall
.showdead  .forceit  .left     .enter

The following commands have been added since the first versions of
Stacheldraht:

.mack     Sends a TCP ACK flood.
.mnul     Sends a NULL flood, which is like a TCP SYN flood but with the TCP
          flags set to 0.
.mstream  Sends a stream attack flood.
          (see http://xforce.iss.net/alerts/advise48.php)
.mhavoc   Sends a "HAVOC" flood: mixed ICMP, UDP, SYN, random-flag TCP and
          IP header packets simultaneously.
.mrandom  Sends a flood of packets with random TCP headers.
.mip      Sends a flood of regular IP headers.
.mfdns    Sets the source port for floods to port 53.
.msadd    Adds a master server to the list of master servers.
.forceit  Causes a .mstop command to stop all agents from flooding, even
          if they are not flooding.
.left     Tells you how much time is left before an agent stops flooding.

IRC flooding commands:
.enter     Enter the IRC flooding interface.
.part      Part a channel.
.join      Join a channel.
.msg       Send a message flood.

In this version, the user is prompted for a password when building
the binaries. There is no default password; however, there are some
default values used. When running, the agent "td" uses the process
name "(kswapd)".  When it spawns child processes, they are named
"httpd". The master server "mserv" uses the process name
"(httpd)". When the master server is communicating with the agent,
ICMP packets are used. Each command is identified by the ICMP ID
header field. In the version obtained by the X-Force, the values are
as follows:

For the network flooding commands and replies:
699  Add an IP address to the list of addresses to be flooded
6666 Send IP header flood
7778 Send Stream attack
9000 Add new master server to the Stacheldraht network
9000 Spoof test reply
9001 Remove master server
9002 Distribute new versions of the agent
9003 Shutdown agent
9004 Set the amount of time to flood
9005 Set the ICMP packet size for ICMP-based floods
9006 Set the UDP packet size for UDP-based floods
9007 Set the port range for SYN floods
9012 Start a UDP flood
9013 Start a SYN flood
9014 Set the port for SYN floods
9015 Stop flooding
9016 Change spoofing mode
9017 Replies from the client
9028 Send Smurf attack
9055 Send ICMP flood
9113 Start an ACK flood
9213 Start a NULL flood
9668 Spoof test
9934 Send Havoc flood
9935 Send random TCP header flood
9936 Send DNS packet flood

For the IRC flooding commands:

1 Join IRC
4 Part Channel
5 Join Channel
6 Message Flood
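As an added example, not part of the ISS alert, the following Python detector takes an IPv4 packet, extracts the ICMP identifier and maps it against the command table above, which is what a network sensor would do to flag master/agent traffic; `build_echo` only constructs labelled test packets (checksums left at zero) so the code runs offline.

```python
import struct
from typing import Optional

# ICMP identifier values from the advisory's table for the "Stacheldraht
# 1.666+antigl+yps" build; master/agent traffic tags each command with one.
STACHELDRAHT_ICMP_IDS = {
    699: "add flood target", 6666: "IP header flood", 7778: "stream attack",
    9000: "add master server / spoof test reply", 9001: "remove master server",
    9002: "distribute new agent version", 9003: "shutdown agent",
    9004: "set flood duration", 9005: "set ICMP packet size",
    9006: "set UDP packet size", 9007: "set SYN port range",
    9012: "start UDP flood", 9013: "start SYN flood", 9014: "set SYN port",
    9015: "stop flooding", 9016: "change spoofing mode", 9017: "client reply",
    9028: "smurf attack", 9055: "ICMP flood", 9113: "start ACK flood",
    9213: "start NULL flood", 9668: "spoof test", 9934: "havoc flood",
    9935: "random TCP header flood", 9936: "DNS packet flood",
}

def icmp_id_of(packet: bytes) -> Optional[int]:
    """Return the identifier field of an IPv4 ICMP echo request/reply, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # IP protocol 1 is ICMP
        return None
    icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return ident if icmp_type in (0, 8) else None  # echo reply (0) / request (8)

def classify(packet: bytes) -> Optional[str]:
    """Name the Stacheldraht command whose ID the packet carries, or None."""
    ident = icmp_id_of(packet)
    return None if ident is None else STACHELDRAHT_ICMP_IDS.get(ident)

def build_echo(ident: int, seq: int = 1, payload: bytes = b"") -> bytes:
    """Constructed test input: minimal IPv4 + ICMP echo request, checksums zero."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp

if __name__ == "__main__":
    for pkt in (build_echo(9013), build_echo(9015), build_echo(4242)):
        print(icmp_id_of(pkt), "->", classify(pkt) or "no Stacheldraht match")
```

ICMP echo identifiers are normally the sending process's PID, so a single match is a lead to correlate with the host checks in the Recommendations section, not proof by itself.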


For an overview of the Trinity DDoS tool, refer to the X-Force Alert,
"Trinity v3 Distributed Denial of Service tool", at:

http://xforce.iss.net/alerts/advise59.php.

At least 8 different versions of Trinity have been found on the
Undernet Internet Relay Chat (IRC) network by the Undernet operators,
each using a different IRC channel. On September 17, 2000, "Rod R00T"
reported a new variant of Trinity, called "entitee", to the INCIDENTS
mailing list at SecurityFocus.com. It is functionally equivalent to
Trinity v3, but it uses different channels, keys, and passwords.
Trinity v3 responds to commands in the channel with a line beginning
with "(trinity)", while entitee responds with lines beginning with
"(entitee)".

Recommendations:

The Stacheldraht and Trinity signatures in the ISS RealSecure
intrusion detection software are being updated to detect these new
tools. To find a Stacheldraht agent on your computer, use the lsof
command:

[root@unix /root]# lsof | grep raw
td     1217  root    3u   raw             2083 00000000:0001->00000000:0000 st=07

[root@unix /root]# lsof -p 1217
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
td     1217 root  cwd    DIR    8,1    4096 497157 /root/stach+antigl/client
td     1217 root  rtd    DIR    8,1    4096      2 /
td     1217 root  txt    REG    8,1   99396 497190 /root/stach+antigl/client/td
td     1217 root  mem    REG    8,1  344890 416837 /lib/ld-2.1.2.so
td     1217 root  mem    REG    8,1 4118299 416844 /lib/libc-2.1.2.so
td     1217 root    0u   raw                  2218 00000000:0001->00000000:0000 st=07
td     1217 root    1u   CHR  136,1              3 /dev/pts/1
td     1217 root    2u   CHR  136,1              3 /dev/pts/1
td     1217 root    3u   raw                  2083 00000000:0001->00000000:0000 st=07

To locate a Stacheldraht master server on your computer:

[root@unix stach+antigl]# lsof -i TCP:60001
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
mserv   1346 root    3u  IPv4   2332       TCP *:60001 (LISTEN)

[root@unix stach+antigl]# lsof -p 1346
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
mserv   1346 root  cwd    DIR    8,1    4096 497149 /root/stach+antigl
mserv   1346 root  rtd    DIR    8,1    4096      2 /
mserv   1346 root  txt    REG    8,1 1356288 497188 /root/stach+antigl/mserv
mserv   1346 root    0u   CHR  136,0              2 /dev/pts/0
mserv   1346 root    1u   CHR  136,0              2 /dev/pts/0
mserv   1346 root    2u   CHR  136,0              2 /dev/pts/0
mserv   1346 root    3u  IPv4   2332            TCP *:60001 (LISTEN)
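An added example, not from the alert, that turns the two lsof checks above into a script: it groups lsof rows by PID and reports raw-socket holders, listeners on the mserv default port 60001, and (a heuristic of my own, not something the alert states) processes that carry a kernel-thread name such as "(kswapd)" while mapping an on-disk executable; the `SAMPLE` text is constructed after the listings above.

```python
import re
# Host indicators from the advisory: the agent "td" holds raw sockets (lsof TYPE "raw")
# and the master "mserv" listens on TCP 60001 (defaults of the analysed build).
MASTER_PORT = 60001
# Heuristic (assumption, not from the advisory): a kernel thread such as kswapd maps
# no on-disk executable, so a process using that name with a "txt" file is suspect.
KERNEL_THREAD_NAMES = {"kswapd", "(kswapd)"}

def parse_lsof(text: str) -> dict:
    """Group lsof rows by PID; skips the header and wrapped fragments such as "st=07"."""
    procs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[1].isdigit():
            continue
        cmd, pid, fd, ftype = cols[0], int(cols[1]), cols[3], cols[4]
        p = procs.setdefault(pid, {"cmd": cmd, "exe": None, "raw": 0, "listen": set()})
        if fd == "txt":                      # the executable the process was started from
            p["exe"] = cols[-1]
        elif ftype == "raw":
            p["raw"] += 1
        elif ftype in ("IPv4", "IPv6"):
            m = re.search(r":(\d+) \(LISTEN\)$", line.rstrip())
            if m:
                p["listen"].add(int(m.group(1)))
    return procs

def findings(procs: dict) -> list:
    out = []
    for pid, p in sorted(procs.items()):
        if p["raw"]:
            out.append(f"pid {pid} ({p['cmd']}) holds {p['raw']} raw socket(s); exe={p['exe']}")
        if MASTER_PORT in p["listen"]:
            out.append(f"pid {pid} ({p['cmd']}) listens on TCP {MASTER_PORT} (mserv default)")
        if p["cmd"] in KERNEL_THREAD_NAMES and p["exe"]:
            out.append(f"pid {pid} uses kernel-thread name {p['cmd']} but maps {p['exe']}")
    return out

# Constructed sample modelled on the advisory's lsof listings, not a real capture.
SAMPLE = """\
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
td     1217 root  txt    REG    8,1   99396 497190 /root/stach+antigl/client/td
td     1217 root    3u   raw                  2083 00000000:0001->00000000:0000 st=07
(kswapd) 1300 root  txt    REG    8,1   99396 497191 /tmp/constructed/td
mserv   1346 root  txt    REG    8,1 1356288 497188 /root/stach+antigl/mserv
mserv   1346 root    3u  IPv4   2332            TCP *:60001 (LISTEN)
ping    2001 root    3u   raw                  2300 00000000:0001->00000000:0000 st=07
"""
```

Raw sockets are normal for ping or tcpdump (the `ping` row is there to show that), so the executable path and the port 60001 listener are the discriminators, not the raw socket on its own.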

For information on locating Trinity or Entitee on your machine,
please see the X-Force Alert, "Trinity v3 Distributed Denial of
Service tool", at:

http://xforce.iss.net/alerts/advise59.php.

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner,
RealSecure, and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2000-0138 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of
security management solutions for the Internet. By providing
industry-leading SAFEsuite security software, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to its customers, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security
management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the
largest telecommunications companies and over 35 government
agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international
operations in Asia, Australia, Europe, Latin America and the Middle
East. For more information, visit the Internet Security Systems web
site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to X-Force,
xforce@iss.net of Internet Security Systems, Inc.
