Firewall Wizards mailing list archives

Re: SANS & Ranum on DoS Trojans for Solaris


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 05 Jan 2000 11:08:09 -0500

Vin McLellan wrote:
> Want to tell us about this tool Dave Dittrich and you developed to
> scan network hosts for Solaris machines infected with trojans which install
> clients for distributed Denial of Service attacks: trinoo, TFN, TFN2000, or
> stacheldraht?


Dave gets the credit, all I did was code cleanup, portabilizing,
and some optimization. But since you've asked, I'll explain how
it works.

There's a whole generation of denial of service tools that have
been released lately, that do distributed DOS attacks. TFN, Trinoo,
Stacheldraht, etc, all operate by having a master controller program
that activates agents residing on multiple compromised machines.
The agents know how to launch various types of denial of service
attacks. Agent/master communications are encrypted. The weakness
in the tools is that the agents and masters have to speak somehow,
and there's a "ping/alive" capability whereby the master can identify
active agents to use in launching an attack.

Dave's tool works by emulating the master's pinging, to get any
live agents to answer - essentially giving themselves away. You
give it a class B network (with various masking options so you can
select down to class C or individual machines if you want) and it
just searches each host for an agent, by emulating a master controller.

The bad guys will doubtless respond by changing the default
encryption keys, etc, which will make these kinds of tools less
effective. The good news, for now, is that most script kiddies
aren't doing that and denial of service attacks are the kind of
attacks that only appeal to script kiddies in the first place.
Even so, we're fortunate that the hackers that build these kinds
of tools don't really understand computer security, or they'd
realize that the systems they build are vulnerable to traffic
analysis. In the large, you find that, even encrypted under
different keys, the traffic between a master controller and
agents will have a very distinctive fan-out and back/forth
pattern. Of course, to detect that kind of thing, you need
broad-based network analysis tools. :) I've known that for a
while. Hence NFR. :) There's a set of N-code filters for detecting
Trinoo/TFN on our web site at http://www.nfr.net/updates/ if
you want to see how they work.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
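The "fan-out and back/forth" traffic pattern described in the message above, turned into a small detection routine as an added example; this is not code from the original post, from Dave Dittrich's scanner, or from NFR's N-code filters. It assumes flow records of the form (timestamp_s, src_ip, dst_ip, port), where port is the service port the exchange used, and all addresses, timings and thresholds below are constructed for illustration.

```python
"""Flag hosts that open conversations with many peers on one port in a short
burst and hear back from most of them (a master sweeping its agents). Toy code
for this page; flow records and thresholds are constructed, not real traffic."""
from collections import defaultdict

WINDOW = 5.0            # seconds: an "are you alive" sweep and its answers form a burst
MIN_FANOUT = 4          # distinct peers the host must speak to first inside one window
MIN_REPLY_RATIO = 0.75  # share of those peers that answer; probing dead hosts scores low

# Constructed sample: 192.0.2.10 pings five agents on port 5555 (one is down),
# 192.0.2.20 probes eight hosts on port 22 and gets one answer, and 203.0.113.80
# is an ordinary server that only ever speaks second, so it must not be flagged.
MASTER, AGENTS = "192.0.2.10", [f"198.51.100.{i}" for i in range(1, 6)]
SAMPLE_FLOWS = [(0.1 * i, MASTER, a, 5555) for i, a in enumerate(AGENTS)]
SAMPLE_FLOWS += [(0.5 + 0.1 * i, a, MASTER, 5555) for i, a in enumerate(AGENTS) if i != 3]
SAMPLE_FLOWS += [(50 + 0.1 * i, "192.0.2.20", f"203.0.113.{i}", 22) for i in range(1, 9)]
SAMPLE_FLOWS += [(50.9, "203.0.113.3", "192.0.2.20", 22)]
for i in range(1, 7):  # six clients ask the web server, which answers each one
    SAMPLE_FLOWS += [(100 + i, f"198.51.100.{i}", "203.0.113.80", 80),
                     (100.2 + i, "203.0.113.80", f"198.51.100.{i}", 80)]

def find_masters(flows, window=WINDOW, min_fanout=MIN_FANOUT, min_ratio=MIN_REPLY_RATIO):
    """Return {host: (port, fanout, reply_ratio)} for hosts whose traffic shows the
    master-style fan-out: they speak first to many peers, and most peers speak back."""
    sent = defaultdict(list)  # (src, port, dst) -> [ts]
    for ts, src, dst, port in flows:
        sent[(src, port, dst)].append(ts)
    # A flow counts as initiated by src only if dst did not speak to src just before;
    # this keeps servers answering their clients out of the fan-out count.
    initiations = defaultdict(list)  # (host, port) -> [(ts, peer)]
    for (src, port, dst), stamps in sent.items():
        for ts in stamps:
            if not any(ts - window <= t < ts for t in sent.get((dst, port, src), [])):
                initiations[(src, port)].append((ts, dst))
    hits = {}
    for (host, port), events in initiations.items():
        events.sort()
        for j, (t0, _) in enumerate(events):
            peers = {p for t, p in events[j:] if t - t0 <= window}  # one burst
            if len(peers) < min_fanout:
                continue
            answered = sum(any(t0 <= t <= t0 + 2 * window for t in sent.get((p, port, host), []))
                           for p in peers)
            ratio = answered / len(peers)
            if ratio >= min_ratio and len(peers) > hits.get(host, (None, 0))[1]:
                hits[host] = (port, len(peers), round(ratio, 2))
    return hits

if __name__ == "__main__":
    for host, (port, fanout, ratio) in find_masters(SAMPLE_FLOWS).items():
        print(f"{host}: fan-out {fanout} on port {port}, {ratio:.0%} of peers answered")
```

On the constructed sample only 192.0.2.10 is reported; the port-22 prober fails the reply-ratio test and the web server never initiates. Real deployments would still need a baseline of known busy clients, since ordinary browsing can also fan out with replies.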


