Snort mailing list archives
RE: More info on "DDOS - TFN client command LE"
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Tue, 17 Sep 2002 12:24:12 +0800
Below is the signature definition that triggers the alerts

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; reference: arachnids,183; classtype:attempted-dos; sid:251; rev:1;)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To understand more about TFN I've also included some info about it

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an "on demand" root shell bound to a TCP port.

TFN daemons were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd", "cmsd" and "ttdbserverd".
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Best Regards
Ohanes Semerjian
PGP Key 6604 2A46 E64F BEBF A4B7 9D01 9E08 399C 9D45 3254

-----Original Message-----
From: Jeff Taylor [mailto:jeff () austinblues dyndns org]
Sent: Tuesday, 17 September 2002 13:41
To: snort-users () lists sourceforge net
Subject: [Snort-users] More info on "DDOS - TFN client command LE"

Can anyone give me more information on this attack, "DDOS - TFN client command LE"? It just showed up in my logs from the ISP's router address.

TIA,
Jeffrey
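The rule quoted in the message tests only three ICMP header fields (itype, icmp_id, icmp_seq) and has no payload test. The sketch below is an added example, not part of the original post and not Snort's own code: it applies those three tests to raw ICMP messages to show which ones would alert. The function names and sample messages are constructed for illustration, and the IP header and the $EXTERNAL_NET -> $HOME_NET direction are assumed to be handled elsewhere.

```python
import struct

# Field values taken from the rule quoted in the message (sid:251).
RULE = {"itype": 0, "icmp_id": 51201, "icmp_seq": 0}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP echo or echo-reply message to use as test input."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload

def matches_sid_251(icmp: bytes) -> bool:
    """Apply the rule's three header tests to a raw ICMP message."""
    if len(icmp) < 8:
        return False  # truncated: no id/seq fields to compare
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return (itype == RULE["itype"] and ident == RULE["icmp_id"]
            and seq == RULE["icmp_seq"])

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "reply id=51201 seq=0, empty payload": build_icmp(0, 51201, 0),
    "reply id=51201 seq=0, ordinary payload": build_icmp(0, 51201, 0, b"abcdefgh"),
    "reply id=51201 seq=1": build_icmp(0, 51201, 1),
    "request id=51201 seq=0": build_icmp(8, 51201, 0),
    "reply id=456 seq=0": build_icmp(0, 456, 0),
    "truncated": b"\x00\x00\x00",
}

def classify(samples=SAMPLES):
    """Return {sample name: True if the rule's header tests all match}."""
    return {name: matches_sid_251(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

Because the match is on header fields alone, any echo reply that happens to carry identifier 51201 with sequence 0 alerts regardless of its payload, which is worth keeping in mind when triaging a single hit.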
Current thread:
- More info on "DDOS - TFN client command LE" Jeff Taylor (Sep 16)
- Re: More info on "DDOS - TFN client command LE" Dragos Ruiu (Sep 16)
- <Possible follow-ups>
- RE: More info on "DDOS - TFN client command LE" Semerjian, Ohanes (Sep 16)