Distributed Denial-of-Service Tools

Impact

The presence of a distributed denial-of-service tool is a powerful threat to the entire network. It could also be used to attack other networks, and the owner of the infected network could be held responsible. The presence of a distributed denial-of-service tool is also an indication that the system has already been compromised.

Background

Distributed denial-of-service is a type of attack in which a large number of hosts are used to flood a single target with unwanted traffic. The target becomes unusable while it is processing the flood of traffic. An attacker who breaks into many hosts on a network and sets up such a distributed denial-of-service attack can create a threat that is very powerful and difficult to defend against.

The Problem

Trinoo is one such distributed denial-of-service tool. A trinoo network consists of a master host and many broadcast hosts. When an attacker wishes to launch a denial-of-service attack, he or she issues commands to the master host using a TCP connection. The master then communicates with all of the broadcast hosts via UDP, telling them to send a flood of UDP packets to random ports on the specified target host. The flood of UDP packets coming from the broadcast hosts causes denial of service to the target host. An attacker must have prior access to a host in order to install a trinoo master or broadcast, either by breaking in or by some other means.

Tribe Flood Network (TFN) is another distributed denial-of-service tool, consisting of a client host and many daemon hosts. It is similar to trinoo, but communicates using ICMP, and is capable of launching ICMP flood, UDP flood, SYN flood, and Smurf attacks. A newer version of TFN called TFN2K includes many additional features, such as encryption, stealth attacks, denial-of-service attacks designed to crash the target host, and the ability to send shell commands to the daemons.

Stacheldraht is a similar tool which consists of a handler and many agents. It communicates using TCP and ICMP, offers the same attacks as TFN, and features encrypted sessions between the attacker and the handlers.
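The traffic pattern described above (many broadcast hosts, each sending UDP packets to random ports on one target) is what a defender can look for in flow records. The following detector is an added example for this page, not code from SAINT or from any of the tools discussed; the flow-record layout, the thresholds and the sample data are all constructed assumptions.

```python
from collections import defaultdict

# Detection thresholds (assumed values chosen for this example, not from the page).
WINDOW_SECONDS = 10      # sliding window over one source/target pair
MIN_PACKETS = 15         # UDP packets from one source to one target inside the window
MIN_DISTINCT_PORTS = 10  # distinct destination ports hit: "random ports" signature
MIN_SOURCES = 2          # this many flooding sources on one target counts as distributed


def make_sample_flows():
    """Construct a small flow log: three flooding hosts plus one benign DNS client.

    Each record is (timestamp, src, dst, proto, dst_port). The addresses are
    documentation ranges, not real hosts.
    """
    flows = []
    t0 = 1000.0
    for src in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i in range(20):
            port = 1024 + (i * 2971) % 60000   # 20 distinct ports, deterministic
            flows.append((t0 + i * 0.1, src, "192.0.2.10", "UDP", port))
    for i in range(5):                          # normal DNS traffic to the same target
        flows.append((t0 + i * 1.0, "10.0.0.50", "192.0.2.10", "UDP", 53))
    return flows


def detect_udp_floods(flows):
    """Return {'floods': [(src, dst), ...], 'distributed': {dst: [src, ...]}}.

    A (src, dst) pair is a flood when, inside any WINDOW_SECONDS span, the source
    sent at least MIN_PACKETS UDP packets to at least MIN_DISTINCT_PORTS distinct
    destination ports. A target is under distributed attack when at least
    MIN_SOURCES different sources flood it.
    """
    per_pair = defaultdict(list)               # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, proto, port in sorted(flows):
        if proto == "UDP":
            per_pair[(src, dst)].append((ts, port))

    floods = []
    for (src, dst), events in per_pair.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside WINDOW_SECONDS.
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            if (len(window) >= MIN_PACKETS
                    and len({p for _, p in window}) >= MIN_DISTINCT_PORTS):
                floods.append((src, dst))
                break                          # one hit per pair is enough

    by_target = defaultdict(set)
    for src, dst in floods:
        by_target[dst].add(src)
    distributed = {dst: sorted(srcs) for dst, srcs in by_target.items()
                   if len(srcs) >= MIN_SOURCES}
    return {"floods": sorted(floods), "distributed": distributed}


if __name__ == "__main__":
    result = detect_udp_floods(make_sample_flows())
    for dst, srcs in result["distributed"].items():
        print(f"{dst} flooded by {len(srcs)} sources: {', '.join(srcs)}")
```

The benign DNS client hits one port five times and is never flagged; the three flooding hosts each pass both thresholds within two seconds, and because more than one source converges on the same target the result is reported as distributed. Run against real flow data the thresholds would need tuning to the network's normal UDP traffic.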

Resolution

Although a distributed denial-of-service tool can be easily eradicated from a single system, its presence is an indication of a much bigger problem. The fact that it was installed on one system makes it likely to be installed on many more systems. The entire network should be scanned. Furthermore, the presence of the tool means that the system was probably compromised. Trinoo, TFN, and stacheldraht are often associated with break-ins resulting from vulnerabilities in Tooltalk, Calendar Manager, amd, statd, sadmind and mountd, but could have been put on the system no matter how the compromise occurred. An infected system should be taken off the network until all vulnerabilities have been corrected and the system has been inspected for other backdoors and hacker trails.

To eradicate trinoo, TFN, or stacheldraht from a single system, kill the process and delete the executable file from the system. The processes have the following names by default, but the intruder could easily have chosen a different name, or could even have hidden the files and processes using a rootkit.

Trinoo
Master: master
Broadcast: ns

TFN
Client: tfn
Daemon: td

Stacheldraht
Handler: mserv
Agent: td
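As an added example for this page (not SAINT's own code), the following audit takes the output of a process listing and reports any process whose command name matches one of the default names listed above, together with the kill-and-delete step the text describes. The ps output is a constructed sample, and the column layout it assumes (PID, TTY, TIME, CMD) is an assumption; as the text notes, an exact-name match finds only tools the intruder did not rename or hide with a rootkit.

```python
import os

# Default names from the page. "td" is used by both TFN and stacheldraht,
# so a match on it cannot tell the two tools apart.
DEFAULT_NAMES = {
    "master": ("trinoo", "master"),
    "ns": ("trinoo", "broadcast"),
    "tfn": ("TFN", "client"),
    "td": ("TFN or stacheldraht", "daemon/agent"),
    "mserv": ("stacheldraht", "handler"),
}

# Constructed sample of `ps` output; the paths and PIDs are invented.
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  412 ?        00:00:00 sshd
  779 ?        00:00:12 /usr/sbin/ns
  802 ?        00:00:00 ./td
  811 ?        00:00:00 nscd
  903 ?        00:00:00 /tmp/.x/mserv
"""


def audit_process_list(ps_output):
    """Return one finding per process whose command basename is a default tool name.

    Matching is on the exact basename, so "nscd" does not match "ns" and a
    renamed binary is not found at all.
    """
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)                  # PID TTY TIME CMD...
        if len(fields) < 4:
            continue
        pid, cmd = fields[0], fields[3]
        path = cmd.split()[0]
        name = os.path.basename(path)
        if name in DEFAULT_NAMES:
            tool, role = DEFAULT_NAMES[name]
            findings.append({"pid": int(pid), "path": path, "name": name,
                             "tool": tool, "role": role})
    return findings


def remediation_steps(findings):
    """Describe the eradication step from the text for each finding.

    Commands are returned as strings for an operator to review; nothing is
    executed here. A relative path such as "./td" is only meaningful in the
    process's own working directory, so it is flagged for manual lookup.
    """
    steps = []
    for f in findings:
        step = f"kill {f['pid']}  # {f['tool']} {f['role']} running as {f['name']}"
        if os.path.isabs(f["path"]):
            step += f"; rm -f {f['path']}"
        else:
            step += f"; locate and remove {f['path']} (relative path, check process cwd)"
        steps.append(step)
    return steps


if __name__ == "__main__":
    for step in remediation_steps(audit_process_list(SAMPLE_PS)):
        print(step)
```

Because a single hit means the host was already compromised, the findings are a reason to take the system off the network and scan the rest of it, not just to run the kill and rm commands.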

Where can I read more about this?

More information about trinoo and TFN can be found in the X-Force Alert and in CERT Incident Note 99-07. Developments in the area of distributed denial-of-service tools are reported in CERT Advisories 99-17 and 2000-01. For detailed technical information, see David Dittrich's papers on trinoo, TFN, and stacheldraht.

This tutorial was derived from SAINT 1.5.