Denial of Service Attacks - DDOS, SMURF, FRAGGLE, TRINOO
General Background Information:
The "smurf" attack, named after its exploit program, is one of the most
recent in the category of network-level attacks against hosts. A
perpetrator sends a large amount of ICMP echo (ping) traffic at IP
broadcast addresses, all of it having a spoofed source address of a
victim. If the routing device delivering traffic to those broadcast
addresses performs the IP broadcast to layer 2 broadcast function noted
below, most hosts on that IP network will take the ICMP echo request
and reply to it with an echo reply each, multiplying the traffic by the
number of hosts responding. On a multi-access broadcast network, there
could potentially be hundreds of machines to reply to each packet. The
"smurf" attack's cousin is called "fraggle", which uses UDP echo
packets in the same fashion as the ICMP echo packets; it was a simple
re-write of "smurf".
Detailed analysis of DDoS programs
How to keep your site from being the source perpetrators use to attack victims
The perpetrators of these attacks rely on the ability to source spoofed
packets to the "amplifiers" in order to generate the traffic which
causes the denial of service. In order to stop this, all networks
should perform filtering either at the edge of the network where
customers connect (access layer) or at the edge of the network with
connections to the upstream providers, in order to defeat the
possibility of source-address-spoofed packets entering from
downstream networks, or leaving for upstream networks.

Paul Ferguson of Cisco Systems and Daniel Senie of BlazeNet have written
an RFC pertaining to this topic. See ftp://ftp.isi.edu/in-notes/rfc2267.txt
for more information and examples on this subject.
Additionally, router vendors have added or are currently adding options
to turn off the ability to spoof IP source addresses by checking the
source address of a packet against the routing table to ensure the
return path of the packet is through the interface it was received on.
Cisco has added this feature to the current 11.1CC branch, used by many
NSPs, in an interface command '[no] ip verify unicast reverse-path'.
See the "other vendors" section for 3Com information regarding this
feature.
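The reverse-path check described above, modelled in Python as an added example (not code from the page or from Cisco): a small longest-prefix-match routing table stands in for the router's real one, and a packet is accepted only when the best route back to its source address leaves through the interface it arrived on. All prefixes, interface names and sample packets are constructed.

```python
"""Model of strict unicast reverse-path forwarding (uRPF), the check that
'[no] ip verify unicast reverse-path' turns on per interface.

Strict mode presumes symmetric routing: on a multihomed link where the
return path differs from the arrival path it will drop legitimate traffic,
which is why it fits best on access-layer interfaces facing single-homed
customers. Routing table, interfaces and packets below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, egress interface).
# The default route points at the upstream provider; the customer blocks
# (documentation ranges) point at access-layer interfaces.
ROUTING_TABLE = [
    ("0.0.0.0/0", "Serial0"),            # default route toward the upstream
    ("198.51.100.0/24", "Ethernet1"),    # customer A
    ("203.0.113.0/24", "Ethernet2"),     # customer B
    ("203.0.113.128/25", "Ethernet3"),   # more specific: half of B re-homed
]


def best_route(addr):
    """Longest-prefix match. Returns the egress interface the router would
    use to reach addr, or None when no route (not even a default) covers it."""
    target = ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in ROUTING_TABLE:
        net = ip_network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf_accepts(src, ingress_iface):
    """Strict uRPF: accept only if the best route to the packet's SOURCE
    address points back out the interface it arrived on. A forged source
    whose real owner sits behind another interface therefore fails."""
    return best_route(src) == ingress_iface


def filter_packets(packets):
    """Apply the check to (src, ingress) pairs; return the accepted pairs."""
    return [p for p in packets if strict_urpf_accepts(*p)]


# Constructed traffic sample. The forged sources are the raw material of a
# smurf or fraggle flood; strict uRPF on the access interface drops them.
SAMPLE_PACKETS = [
    ("198.51.100.7", "Ethernet1"),    # customer A, own address: accept
    ("203.0.113.9", "Ethernet1"),     # customer A forging customer B: drop
    ("192.0.2.1", "Ethernet1"),       # customer A forging an outside host: drop
    ("203.0.113.200", "Ethernet3"),   # re-homed half of B on its new port: accept
    ("203.0.113.200", "Ethernet2"),   # same source on B's old port: drop
    ("192.0.2.1", "Serial0"),         # outside host arriving from upstream: accept
    ("198.51.100.7", "Serial0"),      # upstream forging customer A: drop
]

if __name__ == "__main__":
    for src, iface in SAMPLE_PACKETS:
        verdict = "accept" if strict_urpf_accepts(src, iface) else "drop"
        print(f"{src:>16} in {iface:<10} -> {verdict} (best route via {best_route(src)})")
```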
How to stop being an intermediary
This attack relies on the router serving a large multi-access broadcast
network to frame an IP broadcast address (such as 10.255.255.255) into
a layer 2 broadcast frame (for Ethernet, FF:FF:FF:FF:FF:FF). RFC 1812,
"Requirements for IP Version 4 Routers", Section 5.3.5, specifies:

---
A router MAY have an option to disable receiving network-prefix-directed
broadcasts on an interface and MUST have an option to disable forwarding
network-prefix-directed broadcasts. These options MUST default to permit
receiving and forwarding network-prefix-directed broadcasts.
---

Generally, with IP providers and IP applications as we know them today,
this behavior should not be needed, and it is recommended that
directed-broadcasts be turned off, to suppress the effects of this attack.
RFC 2644, a Best Current Practice RFC by Daniel Senie, updates RFC 1812 to
state that router software must default to denying the forwarding and
receipt of directed broadcasts.

Ethernet NIC hardware (MAC-layer hardware, specifically) will only listen
to a select number of addresses in normal operation. The one MAC address
that all devices share in common in normal operation is the media
broadcast, or FF:FF:FF:FF:FF:FF. If a device receives a packet destined to
the broadcast link-layer address, it will take the packet and send an
interrupt for processing by the higher-layer routines.

To stop your Cisco router from converting these layer 3 broadcasts into
layer 2 broadcasts, use the "no ip directed-broadcast" interface
configuration command. This should be configured on each interface of all
routers. As of Cisco IOS version 12.0, "no ip directed-broadcast" is the
default in order to protect networks by default. "ip directed-broadcast"
will be needed if your network requires directed broadcasts to be enabled.
ISP Security Summit Guidelines Developed to Defeat Internet Service Attacks by DDOS
Organizations that operate networks connected to the Internet may be
serving as unwitting participants in Denial of Service (DoS) Attacks like
those that hit many organizations in early February, 2000. You can act now
to reduce the chances that your network could be used to damage other
networks if you implement the following two steps.

- Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network
- Stop Your Network from Being Used as a Broadcast Amplification Site

These two steps should be implemented immediately, and detailed
instructions for doing this are provided below. Broad application of these
two steps can significantly reduce the threat posed by DoS Attacks.

Step One: Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network

Purpose: To prevent your network from being the source of spoofed (i.e.
forged) communications that are often used in DoS Attacks.

Action: Ensure that your routers and firewalls are configured to forward IP
packets only if those packets have the correct Source IP Address for your
network. The correct Source IP Address(es) would consist of the IP Network
Addresses that have been assigned to your site. It is important to do this
throughout your network, especially at the external connections to your
Internet or upstream provider.

Step 1.1: Deny Invalid Source IP Addresses

All organizations connected to the Internet should only allow packets to
leave their network with valid Source IP Addresses that belong to their
network. This will minimize the chance that your network will be the
source of a Spoofed DoS Attack. This will not prevent Distributed DoS
attacks coming from your network with valid source addresses.

In order to implement this you will need to know the IP network blocks
that are in use at your site. If you do not know this information at this
time, then please skip to Step 1.2, and come back to this step once you
have that information.

Preventing Spoofed Source IP Address traffic can be accomplished with
filtering on routers, firewalls, and hosts. Here is a generic example of
what the filter needs to look like:

    Permit Your Site's Valid Source Addresses to the Internet
    Deny All Other Source Addresses

On the router(s) connected to your ISP(s), if the interface IP address on
the link connecting to the ISP is not out of one of your site's IP blocks,
you should also permit packets with the interface IP address. For detailed
instructions on implementing this filtering please select the platform
that you are using from the list in the "Step One: Detailed Directions"
section below.

Step 1.2: Deny Private & Reserved Source IP Addresses

This step is not necessary if you were able to fully complete Step 1.1. If
you are unsure what address space is in use at your site, then you should
at least deny Private (RFC 1918) and Reserved Source IP Addresses. The
following is a list of source addresses that should be filtered.

0.0.0.0/8 - Historical Broadcast
10.0.0.0/8 - RFC 1918 Private Network
127.0.0.0/8 - Loopback
169.254.0.0/16 - Link Local Networks
172.16.0.0/12 - RFC 1918 Private Network
192.0.2.0/24 - TEST-NET
192.168.0.0/16 - RFC 1918 Private Network
224.0.0.0/4 - Class D Multicast
240.0.0.0/5 - Class E Reserved
248.0.0.0/5 - Unallocated
255.255.255.255/32 - Broadcast
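The two egress filters of Step 1.1 and Step 1.2 as one permit/deny model, an added example that is not code from the guidelines or from any router or firewall vendor. The reserved list is the one given above; the site prefixes and the ISP link interface address are constructed from documentation ranges. Run side by side, the two filters also show why Step 1.2 is only a fallback: a forged source that is neither the site's own nor reserved passes it.

```python
"""Egress filter of Steps 1.1 and 1.2, modelled as a permit/deny decision.

Step 1.1 permits only the site's own source addresses (plus the address of
the ISP-facing interface, which may be numbered out of the ISP's block).
Step 1.2 is the weaker fallback used when the site's blocks are unknown: it
only denies the private and reserved sources listed in the guidelines.
SITE_PREFIXES and ISP_LINK_ADDRESS are constructed; RESERVED_SOURCES is
the Step 1.2 list.
"""
from ipaddress import ip_address, ip_network

SITE_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.64/26")]
ISP_LINK_ADDRESS = ip_address("203.0.113.1")   # constructed, outside the site blocks

RESERVED_SOURCES = {
    "0.0.0.0/8": "Historical Broadcast",
    "10.0.0.0/8": "RFC 1918 Private Network",
    "127.0.0.0/8": "Loopback",
    "169.254.0.0/16": "Link Local Networks",
    "172.16.0.0/12": "RFC 1918 Private Network",
    "192.0.2.0/24": "TEST-NET",
    "192.168.0.0/16": "RFC 1918 Private Network",
    "224.0.0.0/4": "Class D Multicast",
    "240.0.0.0/5": "Class E Reserved",
    "248.0.0.0/5": "Unallocated",
    "255.255.255.255/32": "Broadcast",
}


def step_1_1_permits(src):
    """Step 1.1: permit the site's own addresses (and the ISP link interface
    address); deny every other source, whatever it is."""
    addr = ip_address(src)
    return addr == ISP_LINK_ADDRESS or any(addr in net for net in SITE_PREFIXES)


def step_1_2_reason(src):
    """Step 1.2: return why a source is denied (label of the most specific
    matching reserved block), or None when the fallback lets it through."""
    addr = ip_address(src)
    best = None
    for prefix, label in RESERVED_SOURCES.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def apply_egress_policy(sources, site_blocks_known):
    """Map each outbound source address to its verdict under the step that
    applies: Step 1.1 when the site's blocks are known, else Step 1.2."""
    verdicts = {}
    for src in sources:
        if site_blocks_known:
            verdicts[src] = "permit" if step_1_1_permits(src) else "deny (not a site address)"
        else:
            reason = step_1_2_reason(src)
            verdicts[src] = "permit" if reason is None else f"deny ({reason})"
    return verdicts


# Constructed outbound sources as seen on the ISP-facing interface.
SAMPLE_SOURCES = [
    "198.51.100.25",    # a site host: legitimate
    "203.0.113.1",      # the ISP link interface itself: legitimate
    "10.1.2.3",         # RFC 1918 address leaking out
    "169.254.7.7",      # link-local, never valid on the Internet
    "255.255.255.255",  # inside 248.0.0.0/5 as well; the /32 label is reported
    "203.0.113.200",    # forged: not the site's, yet not reserved either
]

if __name__ == "__main__":
    for mode in (True, False):
        print("Step 1.1" if mode else "Step 1.2 fallback")
        for src, verdict in apply_egress_policy(SAMPLE_SOURCES, mode).items():
            print(f"  {src:>16}  {verdict}")
```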
If you are using Network Address Translation (NAT), you need to make sure
that you perform this filtering between your NAT device and your ISP, and
you should also verify that your NAT device configuration only translates
addresses used and authorized for your internal address space.

Denying Private and Reserved Source IP Addresses can be accomplished with
filtering on routers, firewalls, and hosts. Please select the platform that
you are using from the list in the "Step One: Detailed Directions" section
below.

Step One: Detailed Directions for Egress Filtering

Please select the router, firewall, or host that you use from the list
below for detailed instructions on how to implement Egress Filtering to
Stop Spoofed IP Packets for the particular platform that you are using.

Step Two: Stop Your Network from Being Used as a Broadcast Amplification Site

Purpose:
To ensure that your network can not be used as a Broadcast Amplification
Site to flood other networks with DoS attacks such as the "smurf" attack.

Action: Configure all of your systems (routers, workstations, servers,
etc.) so that they do not receive or forward Directed Broadcast traffic.

Step 2.1: Disable IP Directed Broadcast on all Systems

Detailed directions for doing this are available for the following
systems. For all other systems, please go to
http://users.quadrunner.com/chuegen/smurf/ where you'll find Craig
Huegen's authoritative page containing instructions for many other types
of systems.

The following systems have Directed Broadcast disabled by default.
However, these systems may have a way to turn this behavior back on.
Please select the link for your platform for information on making sure
that the system is in the default state, and does not allow directed
broadcasts.

For Windows NT 4.0, the default behavior for answering broadcast packets
was changed in Service Pack 4. The latest Service Packs for NT can be
obtained from Microsoft at
http://support.microsoft.com/support/kb/articles/Q152/7/34.ASP

Step 2.2: Test your network to determine if it is an amplification site.

To test your network to see if it is acting as an amplification site you
can use the "ping" command to send an ICMP Echo Request packet to the
Network Base IP Address of your network(s) and the Broadcast IP Address of
your network(s). You will need to know your Network Base IP Address and
your Broadcast IP Address. You may find the CIDR Table helpful in
determining these addresses for your network.

From a machine on the Internet side of your router (i.e. off your site)
ping both the Network Base Address (x.x.x.0 for a /24 aka Class C) and the
Broadcast Address (x.x.x.255 for a /24 aka Class C) of an internal subnet
with a number of machines on it. Please select from the following list of
operating systems for detailed instructions on using the ping command and
analyzing the output to determine if your network is a Broadcast
Amplification site.

Another way to test your network is to go to some of the public web sites
that provide a way to test your network from a remote location. Please be
aware that these sites are operated by independent third parties, and that
you should use them at your own risk. If your site is in really poor shape
it may get added to a "blacklist" that can then be used by attackers to
identify your site as a good broadcast amplification site. Because of this
you are strongly encouraged to self test with the ping commands listed
above first.

Step 2.3: Require that Vendors Disable IP Directed Broadcast by Default

When you purchase new systems, require that the vendor disable receipt and
forwarding of directed broadcast packets as specified in RFC 2644. From
RFC 2644:

---
A router MAY have a configuration option to allow it to receive directed
broadcast packets, however this option MUST be disabled by default, and
thus the router MUST NOT receive Network Directed Broadcast packets unless
specifically configured by the end user.

A router MAY have an option to enable receiving network-prefix-directed
broadcasts on an interface and MAY have an option to enable forwarding
network-prefix-directed broadcasts. These options MUST default to blocking
receipt and blocking forwarding of network-prefix-directed broadcasts.
---

Based on this you should be asking your vendors to ship systems with
Directed Broadcast disabled by default. At the very least the vendor should
provide a mechanism to disable Directed Broadcasts. Some vendors already
disable IP directed broadcast by default in the latest versions of their
software, but many do not. Please help educate these other vendors by
pointing them to RFC 2644.
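A helper for the self-test in Step 2.2, added here as an example and not part of the guidelines: it derives the Network Base and Broadcast addresses to ping from a CIDR block (the job of the CIDR Table the text refers to) and then grades a pasted ping transcript by counting how many distinct hosts answered each request. The two transcripts are constructed in the format Linux/BSD ping prints, for the documentation range 198.51.100.0/24.

```python
"""Step 2.2 helper: which addresses to probe, and what the replies mean.

A router that drops directed broadcasts yields no replies to the probe. One
reply per request can simply be a host that owns that address. Several
distinct hosts answering the same request means the router turned the
layer 3 broadcast into a layer 2 broadcast, i.e. the site is an amplifier.
Transcripts below are constructed, not captured.
"""
import re
from ipaddress import ip_network

# Matches a reply line such as
# "64 bytes from 198.51.100.17: icmp_seq=1 ttl=254 time=11.2 ms (DUP!)"
REPLY_RE = re.compile(r"bytes from (?P<src>\d+\.\d+\.\d+\.\d+).*?icmp_seq=(?P<seq>\d+)")
SENT_RE = re.compile(r"(\d+) packets transmitted")


def probe_addresses(cidr):
    """Return (Network Base Address, Broadcast Address) for a CIDR block;
    for a /24 that is the x.x.x.0 / x.x.x.255 pair named in the text."""
    net = ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def grade_ping(transcript):
    """Count requests and replies in a ping transcript and decide whether the
    probed address behaved as a broadcast amplifier."""
    responders = set()
    seqs = set()
    replies = 0
    for line in transcript.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies += 1
            responders.add(m["src"])
            seqs.add(m["seq"])
    sent = SENT_RE.search(transcript)
    requests = int(sent.group(1)) if sent else len(seqs)
    return {
        "responders": sorted(responders, key=lambda a: tuple(map(int, a.split(".")))),
        "requests": requests,
        "replies": replies,
        "amplification_factor": replies / requests if requests else 0.0,
        "is_amplifier": len(responders) > 1,
    }


# Constructed transcript of pinging the broadcast address of a /24 whose
# router still forwards directed broadcasts: three hosts answer each request.
AMPLIFIER_TRANSCRIPT = """\
PING 198.51.100.255 (198.51.100.255): 56 data bytes
64 bytes from 198.51.100.17: icmp_seq=1 ttl=254 time=11.2 ms
64 bytes from 198.51.100.21: icmp_seq=1 ttl=254 time=11.6 ms (DUP!)
64 bytes from 198.51.100.44: icmp_seq=1 ttl=254 time=12.0 ms (DUP!)
64 bytes from 198.51.100.17: icmp_seq=2 ttl=254 time=10.9 ms
64 bytes from 198.51.100.21: icmp_seq=2 ttl=254 time=11.3 ms (DUP!)
64 bytes from 198.51.100.44: icmp_seq=2 ttl=254 time=11.7 ms (DUP!)

--- 198.51.100.255 ping statistics ---
2 packets transmitted, 2 packets received, +4 duplicates, 0% packet loss
"""

# Constructed transcript of the same test against a correctly configured
# network: the directed broadcast is dropped and nothing answers.
SAFE_TRANSCRIPT = """\
PING 198.51.100.0 (198.51.100.0): 56 data bytes

--- 198.51.100.0 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
"""

if __name__ == "__main__":
    base, bcast = probe_addresses("198.51.100.0/24")
    print(f"probe {base} and {bcast} from outside the site")
    for name, text in (("broadcast", AMPLIFIER_TRANSCRIPT), ("base", SAFE_TRANSCRIPT)):
        print(name, grade_ping(text))
```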
How to Prevent DDOS attacks
- Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
  http://cio.cisco.com/warp/public/707/4.html
- Defining Strategies to Protect Against UDP Diagnostic Port DoS Attacks
  http://cio.cisco.com/warp/public/707/3.html
- Cisco command documentation to turn off directed broadcasts
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtn1/csipadr.htm#xtocid748113
- 3Com command documentation to turn off directed broadcasts
  http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/ip4.htm#190
- 3Com command documentation to disable source spoofing
  http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/firewal3.htm#1823
ICSA's Backgrounders and DDOS resource links
- Paul Ferguson's
  http://www.denialinfo.com/
- Dave Dittrich's
  http://www.washington.edu/People/dad/
- Cisco Newsflash on the DDoS Issue
  http://www.cisco.com/warp/public/707/newsflash.html
- Cisco White Paper on Rate Limiting
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart4/qcpolts.htm
- ISP-oriented paper on traceback
  http://www.cs.washington.edu/homes/savage/traceback.html
- Steve Bellovin's NANOG presentation on DDOS Attacks
  http://www.research.att.com/~smb/talks/nanog-dos/index.htm
- Fred Cohen's papers:
  - Managing Network Security
    http://all.net/journal/netsec/0004.html
  - A Note On Distributed Coordinated Attacks
    http://www.all.net/books/dca/top.html
- HIP Protocol Proposals written by R. Moskowitz, ICSA.net:
  - A Note On Distributed Coordinated Attacks
    http://www.ietf.org/internet-drafts/draft-moskowitz-hip-arch-01.txt
  - Host Identity Payload
    http://www.ietf.org/internet-drafts/draft-moskowitz-hip-01.txt
  - Host Identity Payload Implementation
    http://www.ietf.org/internet-drafts/draft-moskowitz-hip-impl-00.txt
- Improving Security on Cisco Routers
  http://www.cisco.com/warp/public/707/21.html
- Characterizing and Tracing Packet Floods Using Cisco Routers
  http://www.cisco.com/warp/public/707/22.html
- RFCs:
  - RFC 2644, Changing the Default for Directed Broadcasts in Routers
    ftp://ftp.isi.edu/in-notes/rfc2644.txt
  - RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
    ftp://ftp.isi.edu/in-notes/rfc2267.txt
- SANS Global Incident Analysis Center
  http://www.sans.org/giac.htm
CERT Links
- CA-2000-02 Denial-of-Service Developments
  http://www.cert.org/advisories/CA-2000-01.html
- CERT Advisory CA-99-17 Denial-of-Service Tools
  http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
- Distributed Denial of Service Tools
  http://www.cert.org/incident_notes/IN-99-07.html
- Results of the Distributed-Systems Intruder Tools Workshop
  http://www.cert.org/reports/dsit_workshop.pdf
- Denial of Service Attack using the trin00 and Tribe Flood Network programs
  http://xforce.iss.net/alerts/advise40.php3
- As New Year nears, threat of Net attack program mounts
  http://news.cnet.com/news/0-1003-200-1504709.html
- Jan 10, 2000 - Alert: Distributed Denial of Service (DDoS)
  http://www2.axent.com/swat/news/ddos.htm

The Security Best Practice is a baseline of policies and procedures to
support the implementation of effective security measures by small and
intermediate level ISPs. Comments on this draft document are welcome:
isp@icsa.net
http://www.icsa.net/html/communities/ispsec/downloads/Best_Practices_v6.rev.rtf

Alliance for Internet Security Meets in Washington March 16, 2000

The Alliance for Internet Security held a special meeting of Internet
Service Providers, ISPsec consortia members, and industry leaders
committed to the widespread adoption of security measures to address
Internet security problems.
Other Resources for Information about DDOS attacks
- CERT® (Computer Emergency Response Team at CMU)
  http://www.cert.org/
- Cisco Systems: Distributed Denial of Service (DDoS) News Flash, February 9, 2000
  http://www.cisco.com/warp/public/707/newsflash.html
- Cisco Systems: Internet Security Advisories
  http://www.cisco.com/warp/public/707/advisory.html
- Cisco Systems: Characterizing and Tracing Packet Floods Using Cisco Routers
  http://www.cisco.com/warp/public/707/22.html
- Cisco Systems Product Security Incident Response (PSIRT)
  http://www.cisco.com/warp/public/707/sec_incident_response.shtml
- Cisco Systems: "Essential IOS" - Features Every ISP Should Consider
  http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
- Cisco Flow Logs and Intrusion Detection at the Ohio State University
  http://www.usenix.org/publications/login/1999-9/osu.html
- Craig Huegen's very useful web page on minimizing the effects of DoS attacks
  http://users.quadrunner.com/chuegen/smurf.cgi
- Dave Dittrich's (University of Washington) analysis of the recent DDoS attack tools
  http://www.washington.edu/People/dad/
- "Documenting Special Use IPv4 Address Blocks that have been registered with IANA", draft-manning-dsua-03.txt, Bill Manning, 1 May 2000.
- DoD CERT Online
  http://www.assist.mil/
- Federal Computer Incident Response Capability (FedCIRC)
  http://www.fedcirc.gov/
- ICSA.net (International Computer Security Association)
  http://www.icsa.net/
- JMU WinTrin00 report
  http://www.jmu.edu/info-security/engineering/issues/wintrino.htm
- Know your enemy: Script Kiddies
  http://www.enteract.com/~lspitz/enemy.html
- Mitre's Cyber Resource Centre
  http://www.mitre.org/research/cyber/
- netscan.org
  http://www.netscan.org/
- Network World Fusion Research: Denial of Service attack resources
  http://www.nwfusion.com/research/dos.html
- Packet Storm
  http://packetstorm.securify.com/
- Smurf Amplifier Registry (SAR)
  http://www.powertech.no/smurf/
- RFC1918: "Address Allocation for Private Internets", Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear, February 1996.
  http://www.ietf.org/rfc/rfc1918.txt
- RFC1948: "Defending Against Sequence Number Attacks", S. Bellovin, May 1996.
  http://www.ietf.org/rfc/rfc1948.txt
- RFC2196: "Site Security Handbook", B. Fraser, September 1997.
  http://www.ietf.org/rfc/rfc2196.txt
- RFC2350 (BCP21): "Expectations for Computer Security Incident Response", N. Brownlee, E. Guttman, June 1998.
  http://www.ietf.org/rfc/rfc2350.txt
- RFC2644 (BCP34): "Changing the Default for Directed Broadcasts in Routers", D. Senie, August 1999.
  http://www.ietf.org/rfc/rfc2644.txt
- RFC2827 (BCP38): "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", P. Ferguson, D. Senie, May 2000. (Obsoletes RFC 2267)
  http://www.ietf.org/rfc/rfc2827.txt
- The SANS Institute: "Handling A Distributed Denial of Service Trojan Infection: Step-by-Step."
  http://www.sans.org/y2k/DDoS.htm
- "Security Expectations for Internet Service Providers", draft-ietf-grip-isp-expectations-03.txt, T. Killalea, February 2000.
  http://www.ietf.org/internet-drafts/draft-ietf-grip-isp-expectations-03.txt
- "Security Checklist for Internet Service Provider (ISP) Consumers", draft-ietf-grip-user-02.txt, T. Hansen, June 1999.
  http://www.ietf.org/internet-drafts/draft-ietf-grip-user-02.txt
- "Site Security Handbook Addendum for ISP's", draft-ietf-grip-ssh-add-00.txt, T. Debeaupuis, August 1999.
  http://www.ietf.org/internet-drafts/draft-ietf-grip-ssh-add-00.txt
- SecurityFocus.com
  http://www.securityfocus.com/
Pertinent mailing lists:
- The North American Network Operators Group
  http://www.nanog.org/mailinglist.html
- Cisco NSP (Network Service Provider) list, hosted by Nether.Net. To subscribe to this list, send a message to cisco-nsp-request@puck.nether.net, with "subscribe" in the message body.
- Cisco User's Mailing List, a.k.a. "Cisco@Spot". The Cisco mailing list is maintained by David Wood of the University of Colorado. To subscribe to this list, send your request to cisco-request@spot.colorado.edu, with "subscribe" in the message body. Searchable archives of this mailing list can be found at http://www.nexial.com/mailinglists/
- The CERT® Advisory Mailing List
  http://www.cert.org/contact_cert/certmaillist.html
- The Firewalls Digest mailing list
  http://lists.gnac.net/firewalls/
  Originally hosted for many years by Great Circle Associates, it is now hosted by Global Networking and Computing. Searchable archives of this mailing list can also be found at http://www.nexial.com/mailinglists/
- BUGTRAQ. To subscribe to this list, send your request to listserv@lists.securityfocus.com, with "subscribe bugtraq" in the message body.
Downloadable Programs and Information related to DDOS attacks
| File Name | File Size | Last Modified | Description |
|---|---|---|---|
| blitznet.tgz | 8055 | Dec 9 12:33:31 1999 | Blitznet launches a distributed syn flood attack with spoofed source IP, without logging. By Phreeon |
| btodd-whitepaper.txt | 27752 | Feb 22 11:57:16 2000 | Distributed Denial of Service Attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet. This paper attempts to explain how they work, why they are hard to combat today, and what will need to happen if they are to be brought under control. Plain text format; PS and HTML available at the homepage. By Bennett Todd |
| cisco-newsflash.htm | 12786 | Feb 10 16:14:05 2000 | Cisco Newsflash - Distributed Denial of Service. Contains information to help you understand how DDoS attacks are orchestrated, recognise programs used to launch DDoS attacks, and apply measures to prevent the attacks (including anti-spoofing commands, egress filtering, RPF and CEF, ACLs, rate limiting for SYN packets). Also contains information on gathering forensic information if you suspect an attack, and learning more about host security. |
| ddos-routing.txt | 5652 | Feb 24 13:51:32 2000 | Distributed Denial Of Service attacks - A proposal based on routing. This paper describes a technique that -hopefully- can be used to defeat the recent DDOS attacks. The solution presented here is based on routing. It requires a certain amount of extra network infrastructure. By Fernando P. Schapachnik |
| ddos-thought.txt | 5999 | Mar 10 00:14:38 2000 | Some thoughts on the solutions to Distributed Attack Technology - Distributed ownership tools [DOT] exist that scan numerous hosts for vulnerabilities that allow agents to be installed automatically. Potential solutions include more host based security, fixing ipv4, legislation, and fighting fire with fire. By The Cat |
| ddosping.zip | 9335 | Mar 27 18:27:02 2000 | DDoSPing v1.03 is a Win 9x/NT GUI scanner for the DDoS agents Wintrinoo, Trinoo, Stacheldraht and TFN. Changes: Added buttons to switch between Windows and UNIX default configurations for Trinoo. By Robin Keir |
| DDSA_Defense.htm | 16369 | Feb 16 14:57:36 2000 | Distributed Denial of Service Defense Tactics - This paper details some practical strategies that can be used by system administrators to help protect themselves from distributed denial of service attacks as well as protect themselves from becoming unwitting attack nodes against other companies. By Simple Nomad |
| denial_of_service.ht..> | 29802 | Feb 17 11:00:37 2000 | CERT FAQ on Denial of Service attacks. |
| distributed_metastas..> | 30889 | Aug 16 17:07:14 1999 | A new model of computer penetration: distributed metastasis, increases the possible depth of penetration for an attacker, while minimizing the possibility of detection. Distributed Metastasis is a non-trivial methodology for computer penetration, based on an agent based approach, which points to a requirement for more sophisticated attack detection methods and software to detect highly skilled attackers. By Andrew J. Stewart |
| dscan-0.4.tar.gz | 11145 | Jan 7 13:43:44 2000 | A simple distributed port scanner that uses many computers to conduct a port scan which should make it harder to trace the source. This release of dscan has many improvements over the last release; for a full list see the HISTORY file in the archive. Dscan started off as proof of concept code and has now turned into a project for testing new techniques such as linked lists. This release does not come with UDP port scanning support but a patch file should be available in a few days time to add UDP support. By Andrew Kay |
| dsit_workshop.pdf | 64532 | Dec 9 13:21:08 1999 | Results of the Distributed-Systems Intruder Tools Workshop (Nov 2-4, 1999). Several distributed intruder tools are in widespread use now, and the technology is maturing. As a result, a single command from an attacker can result in tens of thousands of concurrent attacks. By Clarissa Cook, Richard Kemmerer, and David Dittrich |
| find_ddosV2.tar.Z | 43644 | Jan 4 00:48:52 2000 | Find_ddos Version 2 - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools, including the trinoo daemon, trinoo master, enhanced tfn daemon, tfn daemon, tfn client, tfn2k daemon, tfn2k client, and the tfn-rush client. Changes: Detects TFN2k. |
| find_ddos_v31_intel...> | 54470 | Feb 7 12:53:59 2000 | Find_ddos Version 3.1 (solaris intel) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht demon and tfn-rush client. |
| find_ddos_v31_linux...> | 358839 | Feb 7 12:53:55 2000 | Find_ddos Version 3.1 (linux) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht demon and tfn-rush client. |
| find_ddos_v31_sparc...> | 53336 | Feb 7 12:53:49 2000 | Find_ddos Version 3.1 (sparc) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht demon and tfn-rush client. |
| find_ddos_v3_intel.t..> | 50898 | Jan 13 11:29:27 2000 | Find_ddos Version 3 (intel) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools. Changes: Detects tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht demon and tfn-rush client. This new version (find_ddosV3) is now available for Solaris on Sparc or Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program. |
| find_ddos_v3_sparc.t..> | 49436 | Jan 13 11:25:21 2000 | Find_ddos Version 3 (sparc) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools. Changes: Detects tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht demon and tfn-rush client. This new version (find_ddosV3) is now available for Solaris on Sparc or Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program. |
| firstaid.txt | 7465 | Feb 11 11:16:50 2000 | Mixter's guide to defending against DDOS - 10 Proposed 'first-aid' security measures which should be implemented by anyone at risk. By Mixter |
| Freak88.zip | 12434 | May 14 14:30:14 2000 | Freak88's Distributed Attack Suite is a windows trojan similar to wintrin00. It can connect up to 3 infected machines and start 65000 byte ICMP floods. Auto starts from the registry and copies itself to c:\windows\system. By Freak88@dalnet |
| funtimeApocalypseWin..> | 295507 | Jan 13 11:40:19 2000 | Dynamic IP's getting you down in your search for a better distributed attack? Don't think remote control, think "timed fuse". This is "concept code" designed to show the real danger of Windows systems being rooted en masse and used in a distributed attack scenario. Beta, no updates. By The Pull |
| icmpenum-1.1.tgz | 8613 | Feb 16 15:37:04 2000 | This is a proof-of-concept tool to demonstrate possible distributed attacking concepts, such as sending packets from one workstation and sniffing the reply packets on another. By Simple Nomad |
| mio-star.tgz | 9961 | Apr 25 10:08:42 2000 | The mio-star distributed multihosted unix password cracker v0.1 runs on all platforms where perl is installed. Comments and documentation are in German. By Drunken Monkey Style |
| mstream.analysis.txt | 97850 | May 14 03:56:00 2000 | Analysis of the "mstream" distributed denial of service attack tool, based on the source code of "stream2.c", a classic point-to-point DoS attack tool. mstream is more primitive than any of the other DDoS tools. By Dave Dittrich |
| mstream.txt | 26473 | May 1 12:52:04 2000 | mstream, a DDoS tool. It's been alleged that this source code, once compiled, was used by persons unknown in the distributed denial of service (DDoS) attacks earlier this year. Obviously such a thing cannot be confirmed aside from through a process of targeted sites making an appropriate comparison between the traffic this software would generate and the traffic they actually received. Submitted Anonymously. |
| Mstream_Analysis.txt | 98002 | May 1 14:19:09 2000 | Mstream, the newest of DDoS tools to be circulated, has been analyzed and has been found to be more primitive than any of the other DDoS tools available. Examination of reverse engineered and recovered C source code reveals the program to be in early development stages, with numerous bugs and an incomplete feature set compared with any of the other listed tools. The effectiveness of the stream/stream2 attack itself, however, means that it will still be disruptive to the victim (and agent) networks even with an attack network consisting of only a handful of agents. By David Dittrich |
| Project_ZombieZapper..> | 85037 | Feb 11 11:16:50 2000 | Project_ZombieZapper.zip |
| Project_ZombieZapper..> | 35986 | Feb 16 15:49:12 2000 | Project_ZombieZapper1.1.zip |
| Project_ZombieZapper..> | 37158 | Mar 29 16:14:00 2000 | Project_ZombieZapper1.2.zip |
| razor.wintrinoo.txt | 1872 | Feb 29 04:15:33 2000 | Razor has acquired a copy of the Windows Trojan Trinoo; the following is technical information gained from disassembling the binary. By Simple Nomad |
| rid-1_0.tgz | 22964 | Feb 9 14:42:58 2000 | RID is a configurable remote DDOS tool detector which can remotely detect Stacheldraht, TFN, Trinoo and TFN2k if the attacker did not change the default ports. By David Brumley |
| saltine-cracker-1.05..> | 24051 | Aug 16 17:07:14 1999 | Saltine Cracker v1.05 is a TCP/IP Distributed Network Password Auditing Tool for NTHASH (MD4) and POSIX LibDES Crypt(3) passwords. With the incorporated cross-compatibility, you can audit Win9X/NT client passwords attached to POSIX servers and vice-versa. By Ambient Empire. |
| shaftnode.txt | 19752 | Mar 29 23:27:13 2000 | Analysis of a Shaft Node and Master - This analysis is in addition to Sven Dietrich's analysis of the Shaft DDoS tool. The analysis we provide here is a description of the rootkit used and the methods of distribution of the tool. By Richard Wash |
| shaft_analysis.txt | 45788 | Mar 24 15:20:50 2000 | An analysis of the "Shaft" distributed denial of service tool. Shaftnode was recovered initially in November, 1999. Distinctive features are the ability to switch handler servers and handler ports on the fly, making |
detection by intrusion detection tools difficult from that perspective,
a "ticket" mechanism to link transactions, and the particular interest
in packet statistics, showing the "yield" of the DDoS network as a
whole. Homepage here. By Sven Dietrich, David Dittrich, and Neil Long | | sickenscan.tar | 20480 | Jan 6 11:23:16 2000 | | "gag"
is a program to remotely scan for "stacheldraht" agents, which are part
of an active "stacheldraht" network. It will not detect trinoo, the
original Tribe Flood Network (TFN), or TFN2K agents. Tested on
linux/solaris/AIX/BSD. By David Dittrich and Marcus Ranum | | slurpie.tgz | 8117 | Aug 16 17:07:14 1999 | | Slurpie
v2.0b - Slurpie is a passwd file cracker similar to CrackerJack and
John the Ripper except that it runs in a distributed environment. It
supports file based and generated dictionary comparison. By Adam Klosowicz. | | snort-ids.trinoo.txt | 1970 | Dec 13 16:29:01 1999 | | Rules for the Snort IDS to detect trinoo. This rules work only as long as the ports/passwords/protocol aren't changed. Homepage here. By Stefan Aeschbacher | | stachel.tgz | 36831 | Feb 8 14:25:28 2000 | | StacheldrahtV4
- (German for "barbed wire") combines features of the "trinoo"
distributed denial of service tool, with those of the original TFN, and
adds encryption of communication between the attacker and stacheldraht
masters and automated update of the agents. | | stacheldraht.analysi..> | 43953 | Jan 4 00:25:38 2000 | | The
following is an analysis of "stacheldraht", a distributed denial of
service attack tool, based on source code from the "Tribe Flood
Network" distributed denial of service attack tool. Stacheldraht
(German for "barbed wire") combines features of the "trinoo"
distributed denial of service tool, with those of the original TFN, and
adds encryption of communication between the attacker and stacheldraht
masters and automated update of the agents. Homepage here. By David Dittrich | | tfn.analysis.txt | 31815 | Aug 16 17:07:14 1999 | | The
following is an analysis of the "Tribe Flood Network", or "TFN", by
Mixter. TFN is ai powerful distributed attack tool and backdoor
currently being developed and tested on a large number of compromised
Unix systems on the Internet. TFN source available here. By David Dittrich | | tfn.tgz | 8093 | Sep 23 12:47:52 1999 | | Distributed
flood network client/server that can be installed on a large number of
hosts and used to hit a target with high bandwidth simultaneously.
communicates over icmp and supports udp, syn, icmp/8, smurf flood and
more. Courtesy of Mixter. | | tfn2k.tgz | 27134 | Dec 20 13:04:14 1999 | | Tribe
Flood Network 2000. Using distributed client/server functionality,
stealth and encryption techniques and a variety of functions, TFN can
be used to control any number of remote machines to generate on-demand,
anonymous Denial Of Service attacks and remote shell access. The new
and improved features in this version include Remote one-way command
execution for distributed execution control, Mix attack aimed at weak
routers, Targa3 attack aimed at systems with IP stack vulnerabilities,
Compatibility to many UNIX systems and Windows NT, spoofed source
addresses, strong CAST encryption of all client/server traffic, one-way
communication protocol, messaging via random IP protocol, decoy
packets, and extensive documentation. Currently no IDS software will
recognise tfn2k. Homepage here. By Mixter | | tfn2kpass.c | 7716 | Feb 24 19:13:08 2000 | | Tfn2k
password recovery tool - Tfn2k asks for a password during the build,
which is used to prevent someone from recovering the password from the
td or tfn binaries. Usefor for forensics, or to command a whole flood
network to send you mail letting you know all the machines infected, or
to command an attack to stop if you can recover a binary. Homepage here. By Simple Nomad | | TFN2k_Analysis-1.3.t..> | 12384 | Mar 9 12:03:42 2000 | | This
document is a technical analysis of the Tribe Flood Network 2000
(TFN2K) distributed denial-of-service (DDoS) attack tool, the successor
to the original TFN Trojan by Mixter. Additionally, countermeasures for
this attack are also covered. Changes: This revision includes several
new discoveries, corrections, and clarifications. Many thanks to those
who responded with feedback and comments to the original posting of
this paper. Homepage here. By Jason Barlow | | TFN2k_Analysis.htm | 14506 | Feb 11 15:07:50 2000 | | This
document is a technical analysis of the Tribe Flood Network 2000
(TFN2K) distributed denial-of-service (DDoS) attack tool, the successor
to the original TFN Trojan by Mixter. Homepage here. By Jason Barlow and Woody Thrower of the Axent Security Team | | tfn3k.txt | 13850 | Feb 14 15:35:13 2000 | | TFN3k
is a paper about the future of DDOS tools, how they can be used, and
the dangerous features that can and probably will be implemented in the
future. Also has information on establishing Network Intrusion
Detection (NIDS) Rules for DDOS attacks. By Mixter | | TFN_toolkit.htm | 31282 | Jan 4 00:33:02 2000 | | Analysis
of TFN-Style Toolkit v 1.1 - One of our systems was compromised and
prompt action by the local sysadmin prevented the hackers from running
their cleanup scripts. Consequently, we were able to get the toolkit
that they were using against us. This toolkit contains components that
are similar to what is in the TFN toolkit. Homepage here. By Randy Marchany | | trinokiller.c | 1006 | Dec 30 18:37:23 1999 | | This program remotely kills trino nodes on version 1.07b2+f3 and below. Homepage here. | | trinoo.analysis.txt | 55408 | Aug 16 17:07:14 1999 | | The
following is an analysis of the DoS Project's "trinoo" (a.k.a.
"trin00") master/slave programs, which implement a distributed network
denial of service tool. Trinoo daemons were originally found in binary
form on a number of Solaris 2.x systems, and probably being set up on
hundreds, perhaps thousands, of systems on the Internet that are being
compromised by remote buffer overrun exploitation. By David Dittrich | | trinoo.tgz | 13941 | Dec 9 12:21:13 1999 | | Trinoo daemon source - Implements a distributed denial of service attack. Controlled via UDP. | | Turner.mstream | 27299 | May 2 13:43:24 2000 | | In
response to the surfacing of the mstream attack tool and the published
analysis of its inner workings, a set of SNP-L scripts and attack
signatures has been developed which allow one to detect and decode
"mstream" network activity. By Elliot Turner | | UW-CSE-00-02-01.tgz | 164581 | Feb 11 11:04:48 2000 | | This
paper describes a technique for tracing anonymous attacks in the
Internet back to their source. This work is motivated by the increased
frequency and sophistication of denial-of-service attacks and by the
difficulty in tracing packets with incorrect, or ``spoofed'', source
addresses. In this paper we describe a general purpose traceback
mechanism based on probabilistic packet marking in the network. Our
approach allows a victim to identify the network path(s) traversed by
an attacker without requiring interactive operational support from
Internet Service Providers (ISPs). Moreover, this traceback can be
performed ``post-mortem'' -- after an attack has completed. We present
one implementation of this technology that is incrementally deployable,
(mostly) backwards compatible and can be efficiently implemented using
conventional technology. In pdf and postscript format. Homepage here. By Stefan Savage | | yahoo.txt | 5766 | Feb 17 10:20:52 2000 | | Technical
details of the attack on Yahoo! last week. Includes information on what
kind of packets were sent, how they were affected, and how they fixed
it. | | zombie | 512 | Jun 1 14:11:35 2000 | | Directory:
Zombie Zapper is a utility which attempts to command a remote DDOS
agent to stop flooding. Works if the default password / port is not
changed. |
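Several of the entries above (RID, gag, the Snort rules for trinoo, Zombie Zapper) find these tools by their default control ports and strings, and every one of them carries the same caveat: a tool rebuilt with other values goes unnoticed. The Python script below is an added example for this page, not the code of any listed tool; it does the passive version of that check over a flow log. The ports and payload markers are the defaults documented in the trinoo, WinTrinoo and stacheldraht analyses listed above; the one-line flow format, the sample log and its addresses (documentation ranges) are assumptions constructed for the example.

```python
"""Passive check for the default control channels of trinoo, WinTrinoo and
stacheldraht over a one-line-per-flow log.  Added example for this page,
not the Snort rule set, RID or gag from the listing.  The log format
("proto src:sport > dst:dport [payload]"), the sample lines and the
addresses (documentation ranges) are constructed for the example."""
import re
from collections import defaultdict

# Default ports and payload markers from the Dittrich and Razor analyses
# listed above; the dict says which end of the flow runs which component.
# Rebuilding the tool with other ports or passwords evades every rule here,
# the caveat the page attaches to the Snort rules and Zombie Zapper.
RULES = [
    # (tool, proto, dport, payload marker or None, {flow end: component}, note)
    ("trinoo", "tcp", 27665, None, {"dst": "master"}, "attacker -> master control port"),
    ("trinoo", "udp", 27444, None, {"dst": "daemon"}, "master -> daemon command channel"),
    ("trinoo", "udp", 31335, None, {"src": "daemon", "dst": "master"}, "daemon -> master replies"),
    ("trinoo", "udp", 31335, "*HELLO*", {"src": "daemon", "dst": "master"}, "daemon announcing itself at start-up"),
    ("trinoo", "udp", 31335, "PONG", {"src": "daemon", "dst": "master"}, "daemon answering a 'png' keep-alive"),
    ("wintrinoo", "udp", 34555, None, {"dst": "daemon"}, "Windows daemon listening port"),
    ("wintrinoo", "udp", 35555, None, {"src": "daemon"}, "Windows daemon reply port"),
    ("stacheldraht", "tcp", 16660, None, {"dst": "handler"}, "client -> handler"),
    ("stacheldraht", "tcp", 65000, None, {"src": "agent", "dst": "handler"}, "agent -> handler"),
    # stacheldraht handler -> agent traffic is ICMP echo reply and has no
    # port, so a flow check like this one never sees it.
]

FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<payload>.*))?$")


def parse_flow(line):
    """One flow line -> dict, or None for lines in some other format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "payload": m["payload"] or ""}


def classify(flow):
    """Strongest matching rule for a flow.  A payload marker beats a bare
    port match, since a destination port alone can collide with legitimate
    traffic; a bare port match is reported as low confidence."""
    best = None
    for tool, proto, dport, marker, roles, why in RULES:
        if flow["proto"] != proto or flow["dport"] != dport:
            continue
        if marker is not None and marker not in flow["payload"]:
            continue
        conf = "high" if marker else "low"
        if best is None or (conf == "high" and best["confidence"] == "low"):
            best = {"tool": tool, "confidence": conf, "why": why, "roles": roles}
    return best


def detect(lines):
    """One hit per flow line that matches a rule, in log order."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        match = classify(flow) if flow else None
        if match:
            hits.append({"line": line.strip(), "flow": flow, **match})
    return hits


def suspect_hosts(hits):
    """Map each host to the tool components the hits say it is running,
    so the output is a list of machines to pull off the network and image."""
    hosts = defaultdict(set)
    for h in hits:
        for end, role in h["roles"].items():
            hosts[h["flow"][end]].add(f"{h['tool']}/{role}")
    return dict(hosts)


# Constructed sample log (not captured traffic).
SAMPLE_LOG = """\
tcp 192.0.2.10:40312 > 198.51.100.5:27665
udp 198.51.100.5:1042 > 203.0.113.7:27444 png
udp 203.0.113.7:31335 > 198.51.100.5:1042 PONG
udp 203.0.113.9:31335 > 198.51.100.5:1042 *HELLO*
tcp 192.0.2.10:40313 > 198.51.100.6:16660
tcp 192.0.2.44:51000 > 198.51.100.80:80 GET / HTTP/1.0
not a flow line at all
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"[{h['confidence']:4}] {h['tool']:12} {h['why']}  <- {h['line']}")
    print(suspect_hosts(hits))
```

On the sample log the script flags the trinoo master, two daemons and a stacheldraht handler, while the attacker's own client address gets no role: the port rules identify the tool components, not the person driving them. Treat the low-confidence hits as a prompt to look at the payload, which is exactly what RID and Zombie Zapper do actively by sending the tool its own keep-alive.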
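The UW-CSE-00-02-01 entry above describes traceback by probabilistic packet marking but, being an abstract, not the mechanics. The Python simulation below is an added example written for this page, not the paper's code; it implements the edge-sampling form of the scheme: each router on the path overwrites the packet's mark with a small probability, the next router completes the edge if the mark is fresh, and every router increments a distance field, so the victim can chain the collected edges by distance. The router names, the marking probability and the packet counts are assumptions. It also shows why a mark forged by the attacker can only appear beyond the true path, and computes the paper's bound on the number of attack packets needed, ln(d)/(p(1-p)^(d-1)).

```python
"""Edge-sampling probabilistic packet marking, the traceback idea in the
UW-CSE-00-02-01 abstract, simulated end to end.  Added example written for
this page; router names, marking probability and packet counts are
assumptions, and the attack path is a constructed one."""
import math
import random
from collections import Counter, defaultdict

P_MARK = 0.04            # per-router marking probability (assumption)
# Attacker-side router first, victim-side router last (constructed path).
PATH = ["R1", "R2", "R3", "R4", "R5", "R6", "R7", "R8"]


def forward(path, rng, p=P_MARK, initial=None):
    """Carry one packet's (start, end, distance) mark along `path`.

    Each router overwrites the mark with probability p (start=itself,
    distance=0).  Otherwise, if the mark was written by the previous hop
    (distance == 0) it fills in `end`, and in any case it increments the
    distance.  `initial` lets the attacker pre-load a forged mark; routers
    treat it like any other mark, so its distance grows past the true path
    length.  Returns the mark the victim sees, or None if nobody marked."""
    start, end, dist = initial if initial is not None else (None, None, 0)
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        elif start is not None:
            if dist == 0:
                end = router
            dist += 1
    return None if start is None else (start, end, dist)


def reconstruct(marks):
    """Victim side: bucket edges by distance, keep the most frequent edge in
    each bucket, and walk outward from the victim as long as each edge's
    `end` is the previous bucket's `start`.  Returns routers nearest-first."""
    by_dist = defaultdict(Counter)
    for mark in marks:
        if mark is not None:
            start, end, dist = mark
            by_dist[dist][(start, end)] += 1
    path, prev_start, d = [], None, 0
    while d in by_dist:
        (start, end), _ = by_dist[d].most_common(1)[0]
        if d > 0 and end != prev_start:
            break                       # edge does not chain; stop here
        path.append(start)
        prev_start, d = start, d + 1
    return path


def simulate(path, n_packets, p=P_MARK, seed=1, forged=None):
    """Flood of n_packets along `path`; returns the victim's reconstruction."""
    rng = random.Random(seed)
    marks = [forward(path, rng, p, forged) for _ in range(n_packets)]
    return reconstruct(marks)


def expected_packets(d, p=P_MARK):
    """Paper's bound on the expected number of attack packets the victim
    needs before every edge of a d-hop path has been sampled at least once."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    print("honest attacker :", simulate(PATH, 20000))
    # Attacker writes a fake mark into every packet before sending it.
    print("forged first hop:", simulate(PATH, 20000, forged=("EVIL", None, 0)))
    print("packets needed  : %.0f" % expected_packets(len(PATH)))
```

Two things to take from the run: a flood of a few hundred packets is already far more than the bound requires for an eight-hop path, which is why the paper can do this post-mortem from a sample; and the forged "EVIL" mark only ever lands one hop past R1, since every real router increments its distance, so the attacker can make the path look longer but cannot hide the routers that actually carried the traffic.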
Distributed DoS attacks

Special Briefing: Denial of Service Attacks
    Security Analyst Gary Kessler reviews the technology behind DoS attacks
    and interacts with an industry panel (30 min). Registration required.
    Webtorial.com.
eToys attacks show need for strong Web defenses
    Article discusses distributed DoS attacks and possible ways to defend
    against them. Network World, 12/20/99.
Yahoo outage raises Web concerns
    If an Internet giant like Yahoo can be crippled for a few hours by a
    denial of service attack, is any Web site or Web service truly safe
    from a similar kind of directed assault? InfoWorld, 2/9/00.
The "stacheldraht" distributed denial of service attack tool
    An analysis of attacks by one DDoS tool. Has links to similar reports
    on Trinoo and TFN attacks. University of Washington.
Analysis of TFN-Style Toolkit v1.1
    Report on a TFN attack. Global Incident Analysis Center.
Distributed Attack Tools
    Download various DoS applications (including Trinoo and TFN) to test on
    your own network.
Matrix IQ
    Measures ISP performance so you know if the network is being flooded.
ISS home page
    Keep up to date with the latest security violation attacks. Internet
    Security Systems.
Q&A about the DoS attacks
    Associated Press.

SYN, Ping of Death and related attacks

Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
    Cisco.
Details of TrinOO and Tribal Flood Network
    Features downloadable files. Technotronic.
X-Force
    Browse through a database of alerts and info about various backdoor
    programs. ISS.
It's the Ping o' Death Page!
    How to crash your operating system! A hackers' page.
Ukiah Software
    Provides an antidote to the Windows NT "Ping of Death."
"Ping of Death" and NetWare
    A collection of links.
Denial of service
    A Java Security page explaining hostile applets, exercising a denial of
    service attack. Sun.
The Latest in Denial of Service Attack -- Smurfing
    Slide lecture aimed at minimizing effects. Cisco.
New Teardrop-like TCP/IP Denial of Service Program
    Microsoft's Security Bulletin.
Denial of service attacks on Domain Name Servers (DNS) possible?
    A discussion hosted by Netsys.com.
Security warning on Trinoo and TFN
    Lawrence Livermore National Labs.
Hacking group reveals 'Net protocol security glitch
    Internet Control Message Protocol Router Discovery Protocol as a
    potential route for DoS attacks. InfoWorld, 8/12/99.
Attacked by smurf
    Mark Gibbs discusses this ICMP-based attack. Network World, 2/22/99.

Preventing and responding to DoS attacks

CERT's Denial of Service alerts
    Gives suggestions on how to deal with the problem.
The FBI's Denial of Service Information area
    Includes information about TrinOO and Tribal Flood.
Cisco's security advisory page
Denial of Service Attack (DoS) Resources
    A helpful site: a compilation of DoS-relevant links. Ferguson & Senie.
OSF/DCE Denial of Service Attack
    Silicon Graphics Security Advisory.
Steps for dealing with an attack
    Includes information about security products. Internet Security
    Systems.
Denial Of Service Attacks
    DoS programs provided for system administrators to test their own
    systems for vulnerabilities. Technotronic Security Information.
Index of distributed attack tools
    Packet Storm.
Tools to test your network's vulnerabilities
    Technotronic.
Steps for handling a Denial of Service Trojan Infection
    A step-by-step guide. SANS Institute.
Abstract: CenterTrack: An IP Overlay Network for Tracking DoS Floods
    Work by UUNET in this area. North American Network Operators Group.
Dave Dittrich's Home Page
    Articles on various DDoS tools.
Patches for protection against SSping, Nuke_1, Land/Latierra, Teardrop,
Nuke_2, ICMP-flood, UDP-flood, IRC-flood, Bonk/Boink, New Teardrop,
ping-floods and syn-floods.
Report: Common Vulnerabilities and Exposures
    Background about the perils of information sharing. Mitre.
Hot firewalls finding new niches
    Review and buyer's guide for firewalls that can fight DoS attacks.
    Network World, 7/19/99.
Web security FAQ
    Making your server more secure.
Serb supporters sock it to NATO and U.S. computers
    Through DoS attacks. Network World, 4/5/99.
Opinion: Hactivists' cyberdisobedience is anything but civil
    Security expert Winn Schwartau's view. Network World, 9/13/99.
Opinion: Denial of service and the worm
    Dan Blum: "Worms and viruses are not only disruptive and destructive,
    they're also denial-of-service attacks." Network World, 6/28/99.
Striking back
    Corporate vigilantes go on the offensive to hunt down hackers. Network
    World, 1/11/99.

Discuss the topic

Forum: Attacked?
    What are you doing to protect your network from DoS attacks? Let us
    know.
Forum: alt.hacking
    A newsgroup archive from DejaNews.
Hacker Community
    A discussion group from DejaNews.

Newsletters

Network World on Security
    Check out our archive of security information and then sign up for our
    free twice-weekly newsletters.
X-Force
    A great resource on computer threats and vulnerabilities. You can also
    subscribe to their free e-mail newsletter. ISS.

Latest DoS news

Denial of service hackers take on new targets
    CNN, 02/09/00.
Hacker News Network
    Breaking news about the computer underground for the computer
    underground.
Security Alert: DoS
    Recent bulletins of Denial of Service attacks and vulnerabilities.
Report: Bringing down the Web
    ICSA.net.
EBay, Amazon, Buy.com hit by attacks
    IDG News Service, 02/09/00.
Attack takes down Yahoo for three hours
    IDG News Service, 02/08/00.
ITAA's E-Shield Program Responds to Information Security Attacks
    Education about attacks from the ITAA.