Re: SANS & Ranum on DoS Trojans for Solaris

From: Marcus J. Ranum (mjrat_private)
Date: Wed Jan 05 2000 - 08:08:09 PST


    Vin McLellan wrote:
    >        Want to tell us about this tool Dave Dittrich and you developed to
    >scan network hosts for Solaris machines infected with trojans which install
    >clients distributed Denial of Service attacks:  trinoo, TFN, TFN2000, or
    >stacheldraht?  
    
    
    Dave gets the credit, all I did was code cleanup, portabilizing,
    and some optimization. But since you've asked, I'll explain how
    it works.
    
    There's a whole generation of denial of service tools that have
    been released lately, that do distributed DOS attacks. TFN, Trinoo,
    Stacheldraht, etc., all operate by having a master controller program
    that activates agents residing on multiple compromised machines.
    The agents know how to launch various types of denial of service
    attacks. Agent/master communications are encrypted. The weakness
    in the tools is that the agents and masters have to speak somehow,
    and there's a "ping/alive" capability whereby the master can identify
    active agents to use in launching an attack.
    
    Dave's tool works by emulating the master's pinging, to get any
    live agents to answer, essentially giving themselves away. You
    give it a class B network (with various masking options so you can
    select down to class C or individual machines if you want) and it
    just searches each host for an agent, by emulating a master controller.
    
    The bad guys will doubtless respond by changing the default
    encryption keys, etc., which will make these kinds of tools less
    effective. The good news, for now, is that most script kiddies
    aren't doing that and denial of service attacks are the kind of
    attacks that only appeal to script kiddies in the first place.
    Even so, we're fortunate that the hackers that build these kinds
    of tools don't really understand computer security, or they'd
    realize that the systems they build are vulnerable to traffic
    analysis. In the large, you find that, even encrypted under
    different keys, the traffic between a master controller and
    agents will have a very distinctive fan-out and back/forth
    pattern. Of course, to detect that kind of thing, you need
    broad-based network analysis tools. :) I've known that for a
    while. Hence NFR. :) There's a set of N-code filters for detecting
    Trinoo/TFN on our web site at http://www.nfr.net/updates/ if
    you want to see how they work.
    
    mjr.
    --
    Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
    work - http://www.nfr.net
    home - http://www.clark.net/pub/mjr
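The traffic-analysis point made above (one controller exchanging short messages with many agents, a fan-out shape that survives any change of encryption key) can be checked on plain flow records. The following is an added example, not Dittrich's scanner or NFR's N-code filters; the flow records, addresses, ports and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, proto, dst_port, bytes).
# Group 1 mimics a controller pinging eight agents, six of which answer.
# Group 2 is ordinary web traffic: many clients, one server, large replies.
# Ports and addresses are made up; the detector does not depend on them.
FLOWS = (
    [("10.0.0.5", f"192.168.1.{i}", "udp", 40000, 40) for i in range(10, 18)]
    + [(f"192.168.1.{i}", "10.0.0.5", "udp", 40001, 32) for i in range(10, 16)]
    + [(f"172.16.0.{i}", "10.0.0.9", "tcp", 80, 400) for i in range(1, 11)]
    + [("10.0.0.9", f"172.16.0.{i}", "tcp", 51000 + i, 18000) for i in range(1, 11)]
)


def fanout_candidates(flows, small_max=128, min_peers=5, min_reply_ratio=0.5):
    """Report hosts that send short messages to many peers and get short
    replies from most of them: the controller/agent fan-out shape.

    Returns a sorted list of (host, peer_count, reply_ratio, replying_peers).
    Thresholds are constructed defaults, to be tuned per network.
    """
    small_pairs = {(s, d) for s, d, _, _, size in flows if size <= small_max}
    sent = defaultdict(set)  # host -> peers it sent a short message to
    for s, d in small_pairs:
        sent[s].add(d)

    results = []
    for host, peers in sent.items():
        # A peer "replied" if a short message also travelled the reverse way.
        replied = sorted(d for d in peers if (d, host) in small_pairs)
        ratio = len(replied) / len(peers)
        if len(peers) >= min_peers and ratio >= min_reply_ratio:
            results.append((host, len(peers), round(ratio, 2), replied))
    return sorted(results)


if __name__ == "__main__":
    for host, peers, ratio, agents in fanout_candidates(FLOWS):
        print(f"{host}: {peers} peers, {ratio:.0%} replied; suspected agents: {agents}")
```

The web server is not flagged because its requests and replies exceed the short-message size, and each agent talks to only one peer; only the constructed controller shows the many-peers, mostly-answered pattern.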
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:44 PDT