From xforce@iss.net Tue Dec 7 14:50:51 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Tue, 7 Dec 1999 10:57:14 -0500 (EST)
Subject: ISSalert: ISS Security Alert: Denial of Service Attack using the trin00 and Tribe Flood Network programs

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert
December 7, 1999

Denial of Service Attack using the trin00 and Tribe Flood Network programs

Synopsis:

A new form of Denial of Service (DoS) attack has been developed that is more powerful than any previous DoS attack observed on the Internet. A Denial of Service attack is designed to bring a network down by flooding it with large amounts of traffic. This DoS attack uses an array of compromised systems to launch a distributed flood attack against a single target. ISS X-Force considers this attack a high risk, since it can potentially impact a wide number of organizations. It has proven to be successful and is difficult to defend against.

Description:

Over the last two months, several high-capacity commercial and educational networks have been affected by this type of DoS attack. Two known exploit tools are currently being used to implement this attack: trin00 and Tribe Flood Network (TFN). Attackers can install these tools on hundreds of compromised machines and direct a network of trin00/TFN machines to initiate an attack against a single victim. The attack is launched simultaneously from all of these machines, which makes it far more dangerous than a DoS attack launched from any single machine.

Recommendations:

The ISS X-Force is currently developing several critical countermeasures within ISS SAFEsuite solutions to help organizations protect themselves from this attack. Independently of those updates, a host can be checked for a trin00 master or broadcast by looking for the listening ports described under Technical Information (TCP 27665 and UDP 31335 on a master, UDP 27444 on a broadcast), and hosts compromised through the vulnerabilities listed under "Detecting trin00/TFN related attacks" should be examined for the daemons.
Detection for this DoS attack is currently available on the ISS web site for Internet Scanner (v.6.0.1), with an additional update available in late December. System Scanner, the host-based security assessment product, will detect these tools with the installation of the check available at: http://www.iss.net/support/flexchecks/sscanner.php. An update to the ISS intrusion detection system, RealSecure (v.3.2.1), will be available December 30, 1999 from the ISS web site.

Technical Information:

trin00:

The trin00 distributed denial-of-service system consists of three parts: the client, the master, and the broadcast.

The Client: The client is not part of the trin00 package. The telnet or Netcat program is used to connect to TCP port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target. (The master and broadcast are described below.)

The Master: The master is contained in the file master.c in the trin00 package. While running, it waits for UDP packets sent to port 31335; these are registration packets from the "broadcasts." It also listens for connections on TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master program itself is started, it displays a "??" prompt and waits for a password; that password is "gOrave".

The Broadcast (or Bcast): The broadcast is the code in trin00 that performs the actual flooding. It is ns.c in the trin00 package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. When the broadcast starts, it sends a UDP packet containing the data "*HELLO*" to port 31335 of each master IP. This packet registers the broadcast with the master. An attacker can then connect to the master and use the registered broadcast daemons to send a UDP flood. There are six commands that a client can send to the master to cause the master to communicate with the broadcasts.
A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "144adsl". These are the six commands the client sends to the master, each with the master-to-broadcast packet it produces as seen on the network:

- - mtimer: Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like "bbb 144adsl 300" when observed on the network.

- - dos: Performs a Denial of Service attack on a machine. The attack used is explained below. The dos command sends an "aaa" command to the broadcast. This packet looks like "aaa 144adsl 10.1.1.1" when observed on the network.

- - mdie: Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known (that password is unknown as of this writing), but an attacker can send their own UDP packet with the master-broadcast password ("144adsl") to kill each of the broadcasts. When mdie is used, the master sends a "d1e" command to the broadcast daemon. This packet looks like "d1e 144adsl" when observed on the network.

- - mping: Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast replies with a "PONG" packet sent to UDP port 31335 of the master. When transmitted from the master to the broadcast daemon, the packet looks like "png 144adsl".

- - mdos: Performs a Denial of Service attack on a list of machines. The master sends an "xyz" command to each broadcast. The packet looks like "xyz 144adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".

- - msize: Sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends an "rsz" command to the broadcast daemon, and the packet looks like "rsz 144adsl 300".

Note that the master-broadcast password travels in cleartext in every one of these packets, so anyone who can observe a single command on the wire can drive the broadcasts directly, as the mdie description already implies.

The DoS attack that the trin00 broadcasts use is a UDP flood.
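The control-channel formats listed above and the UDP-flood detection heuristics described in the paragraphs that follow, worked through as an added example (this is not code from the advisory or from the trin00 package): it classifies master/broadcast datagrams by the ports and strings the advisory quotes, parses the argument of each command, and applies the two flood heuristics over constructed sample traffic. The Packet shape, the function names, the sample addresses, and the use of the 4-zero-byte payload count as a supporting hint are this example's own assumptions.

```python
# Added example (not from the ISS advisory or the trin00 sources): an offline
# classifier for the trin00 control channel and the advisory's flood heuristics.
# The Packet shape, function names and sample traffic are this example's own.
from collections import defaultdict
from dataclasses import dataclass

MASTER_UDP_PORT = 31335     # broadcast -> master: "*HELLO*" registration, "PONG"
BCAST_UDP_PORT = 27444      # master -> broadcast: command packets
BCAST_PASSWORD = "144adsl"  # default password quoted in the advisory
COMMANDS = {"aaa": "dos", "bbb": "mtimer", "d1e": "mdie",    # wire keyword ->
            "png": "mping", "xyz": "mdos", "rsz": "msize"}   # client command

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    icmp_type: int = 0
    icmp_code: int = 0

def decode_control(pkt):
    """Describe a trin00 control datagram as a dict, or return None."""
    if pkt.proto != "udp":
        return None
    text = pkt.payload.decode("ascii", "replace")
    if pkt.dport == MASTER_UDP_PORT and text in ("*HELLO*", "PONG"):
        kind = "register" if text == "*HELLO*" else "pong"
        return {"kind": kind, "broadcast": pkt.src, "master": pkt.dst}
    parts = text.split(" ")                       # "<keyword> <password> [arg]"
    if pkt.dport != BCAST_UDP_PORT or len(parts) < 2 or parts[0] not in COMMANDS:
        return None
    keyword, password, args = parts[0], parts[1], parts[2:]
    info = {"kind": "command", "command": COMMANDS[keyword],
            "password_ok": password == BCAST_PASSWORD,   # cleartext on the wire
            "master": pkt.src, "broadcast": pkt.dst}
    try:
        if keyword == "aaa" and args:               # "aaa 144adsl 10.1.1.1"
            info["target"] = args[0]
        elif keyword in ("bbb", "rsz") and args:    # timer value / packet size
            info["value"] = int(args[0])
        elif keyword == "xyz" and args:             # "xyz 144adsl 123:ip1:ip2:"
            head, _, rest = args[0].partition(":")  # leading number, then targets
            info["field"] = int(head)
            info["targets"] = [t for t in rest.split(":") if t]
    except ValueError:
        info["malformed"] = True
    return info

def detect_floods(packets, threshold=10):
    """Advisory heuristics: one (src, dst, sport) reaching >= threshold distinct
    destination ports, or >= threshold ICMP Port Unreachable (type 3, code 3)
    for one (src, dst) pair.  Both also fire on a UDP port scan; the count of
    4-zero-byte payloads is reported only as a supporting hint (assumption)."""
    dports, zero4, unreach = defaultdict(set), defaultdict(int), defaultdict(int)
    for p in packets:
        if p.proto == "udp":
            key = (p.src, p.dst, p.sport)
            dports[key].add(p.dport)
            if p.payload == b"\x00" * 4:
                zero4[key] += 1
        elif p.proto == "icmp" and (p.icmp_type, p.icmp_code) == (3, 3):
            unreach[(p.src, p.dst)] += 1
    findings = []
    for (src, dst, sport), ports in dports.items():
        if len(ports) >= threshold:
            findings.append({"heuristic": "udp-fanout", "src": src, "dst": dst,
                             "sport": sport, "distinct_dports": len(ports),
                             "zero_payloads": zero4[(src, dst, sport)]})
    for (src, dst), n in unreach.items():
        if n >= threshold:
            findings.append({"heuristic": "icmp-unreachable",
                             "src": src, "dst": dst, "count": n})
    return findings

def analyze(packets, threshold=10):
    """Run both passes; returns (control findings, flood findings)."""
    controls = [c for c in map(decode_control, packets) if c]
    return controls, detect_floods(packets, threshold)

def sample_traffic():
    """Constructed packets (not a capture): a broadcast registers, the master
    sends dos and mdos, then the broadcast floods 12 ports of the victim, which
    answers each probe with ICMP Port Unreachable."""
    master, bcast, victim = "192.0.2.1", "192.0.2.10", "203.0.113.5"
    pkts = [Packet("udp", bcast, master, 1025, MASTER_UDP_PORT, b"*HELLO*"),
            Packet("udp", master, bcast, 1026, BCAST_UDP_PORT,
                   b"aaa 144adsl " + victim.encode()),
            Packet("udp", master, bcast, 1026, BCAST_UDP_PORT,
                   b"xyz 144adsl 123:10.1.1.1:10.1.1.2:")]
    for dport in range(2000, 2012):
        pkts.append(Packet("udp", bcast, victim, 4000, dport, b"\x00" * 4))
        pkts.append(Packet("icmp", victim, bcast, icmp_type=3, icmp_code=3))
    return pkts

if __name__ == "__main__":
    for item in sum(analyze(sample_traffic()), []):
        print(item)
```

The control-channel matcher is a signature (fixed ports, fixed keywords, a known default password) and will miss a recompiled daemon; the flood heuristics are rate-based and, exactly as the advisory warns, cannot by themselves separate a flood from a UDP port scan, so the threshold should be tuned against what normal scanning activity looks like on the monitored network.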
trin00 sends a large number of UDP packets, each containing 4 data bytes (all zeros), from one source port to random destination ports on the target host. The target host returns an ICMP Port Unreachable message for each one. The target slows down because it is busy processing the UDP packets and generating the ICMP replies, and at this point there will be little or no network bandwidth left.

There are several ways this attack could be detected. The first is to look for a number of UDP packets with the same source port but different destination ports: finding approximately 10 UDP packets with the same source IP, destination IP, and source port, but different destination ports, would detect this flood. This method would also detect UDP port scans. Another method is to look for a number of ICMP Port Unreachable messages with the same source and destination IP. This technique will also detect a UDP port scan. There is no reliable way to tell the difference between a trin00 flood and a UDP port scan from the packets alone, because it is not possible to determine whether anyone is monitoring the ICMP messages; in practice the rate and duration of the traffic, rather than any individual packet, is what separates the two.

Detecting trin00/TFN related attacks:

Several conventional attacks are known to be related to trin00/TFN compromises. Machines that have been compromised using the following attacks should be checked for trin00/TFN daemons:

- - rpc.ttdbserver
- - amd
- - rpc.cmsd
- - rpc.mountd
- - rpc.statd

Although these are the vulnerabilities associated with trin00/TFN daemons so far, there is no guarantee that attackers are not using other methods to compromise candidate trin00/TFN daemon hosts.

Additional Information:

ISS X-Force worked in collaboration with CERT to research this advisory. The CERT incident note for trin00/TFN is located at:
http://www.cert.org/incident_notes/IN-99-07.html

About ISS

ISS is a leading global provider of security management solutions for e-business.
By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider, protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers, including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOE0sqDRfJiV99eG9AQHDNQQAmRV7iaaMQAGoUyCyPy5xdVmWpGTLKRb1
h30Bndmkacbsp/QTZYmR8a+73oWGDm2lHEZ7kNkbR7SFJolv08AlVwvvZmxzjGWC
ROBKfj3iJ3LcQU8PlwcFMn1rleIoIFIgD68iXn394pXcd4xb53E6KB78Y5gtC+hc
ApVW0k/ngDA=
=NQe2
-----END PGP SIGNATURE-----