Security Incidents mailing list archives

Re: ddos


From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Tue, 15 Feb 2000 07:26:23 -0500


At 10:50 PM 2/14/00 -0000, you wrote:
I wrote tests to detect trinoo, strat., and tfn about 2
months ago. They were going to be released with our security
analyzer for the next build, but in light of the problems as
of late we have them available for download.

As long as people are talking about detecting these ddos attacks, it
may be useful to tell you what we have been seeing with Dragon. We've
been running signatures since Thanksgiving which look for tfn, trinoo,
tfn2k and a few other ddos attacks. We have seen a lot of people use
the free tools which "discover" platforms that may have been compromised.
Here is an example:

bash-2.03# sum_event -n | grep TRINOO
[TRINOO:CMD]              6553
bash-2.03# mklog -l -e TRINOO:CMD | more
** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Printing events of type [TRINOO:CMD
** Date: Thursday February 10 2000
17:26:36  [I]  105.152.72.114  105.152.72.1    [TRINOO:CMD]
(udp,dp=27444,sp=2209) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.2    [TRINOO:CMD]
(udp,dp=27444,sp=2210) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.3    [TRINOO:CMD]
(udp,dp=27444,sp=2211) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.5    [TRINOO:CMD]
(udp,dp=27444,sp=2213) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.8    [TRINOO:CMD]
(udp,dp=27444,sp=2216) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.10   [TRINOO:CMD]
(udp,dp=27444,sp=2218) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.11   [TRINOO:CMD]
(udp,dp=27444,sp=2219) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.12   [TRINOO:CMD]
(udp,dp=27444,sp=2220) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.13   [TRINOO:CMD]
(udp,dp=27444,sp=2221) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.23   [TRINOO:CMD]
(udp,dp=27444,sp=2231) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.31   [TRINOO:CMD]
(udp,dp=27444,sp=2239) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.32   [TRINOO:CMD]
(udp,dp=27444,sp=2240) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.33   [TRINOO:CMD]
(udp,dp=27444,sp=2241) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.34   [TRINOO:CMD]
(udp,dp=27444,sp=2242) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.35   [TRINOO:CMD]
(udp,dp=27444,sp=2243) (bass.gula.net)

The sweep goes on for several Class C addresses.

For TFN2K, several signatures have been deployed to look for TFN2K
traffic on TCP, UDP and ICMP. Strangely enough, the game Half-Life
tends to false positive the UDP signature somewhat.

Ron Gula, CTO
Network Security Wizards, Inc.
http://www.securitywizards.com
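Detection logic of the kind the post describes, as an added example (not Dragon's code and not from the post): it re-joins the two-line dragon.log records shown above, parses them, and reports a source that hits many distinct hosts on udp/27444 as a sweep. The final sample record (192.0.2.9), the port filter and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Sample dragon.log output: the first five records are copied from the post
# above; the last record is constructed (RFC 5737 test address) to show that a
# single hit from another source is not reported as a sweep.
SAMPLE_LOG = """\
** Date: Thursday February 10 2000
17:26:36  [I]  105.152.72.114  105.152.72.1    [TRINOO:CMD]
(udp,dp=27444,sp=2209) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.2    [TRINOO:CMD]
(udp,dp=27444,sp=2210) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.3    [TRINOO:CMD]
(udp,dp=27444,sp=2211) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.5    [TRINOO:CMD]
(udp,dp=27444,sp=2213) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.8    [TRINOO:CMD]
(udp,dp=27444,sp=2216) (bass.gula.net)
17:31:02  [I]  192.0.2.9       105.152.72.40   [TRINOO:CMD]
(udp,dp=27444,sp=4001) (bass.gula.net)
"""

# One record spans two lines in the archive: the first carries time, flag,
# source, destination and event name, the second the transport tuple and sensor.
RECORD_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d)\s+\[(?P<flag>\w)\]\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+\[(?P<event>[A-Z0-9:]+)\]\s*\((?P<proto>\w+),dp=(?P<dp>\d+),sp=(?P<sp>\d+)\)"
    r"\s*\((?P<sensor>[^)]+)\)"
)

def parse_dragon_log(text):
    """Re-join wrapped records and parse each into a dict; banner lines are skipped."""
    joined = re.sub(r"\]\s*\n\s*\(", "] (", text)
    records = []
    for line in joined.splitlines():
        m = RECORD_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dp"], rec["sp"] = int(rec["dp"]), int(rec["sp"])
            records.append(rec)
    return records

def find_sweeps(records, event="TRINOO:CMD", port=27444, min_targets=8):
    """Count distinct destinations per source for UDP hits on the daemon port
    and return the sources that touched at least min_targets hosts (a sweep)."""
    targets = defaultdict(set)
    for r in records:
        if r["event"] == event and r["proto"] == "udp" and r["dp"] == port:
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}
```

With the full sweep from the post (fifteen hosts and more) the default threshold of eight is met; on the short sample above, lower it to see the source reported.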
