Denial of Service Attack using the trin00 and Tribe Flood Network programs

ISS Security Alert
December 7, 1999

Denial of Service Attack using the trin00 and Tribe Flood Network programs


Synopsis:

A new form of Denial of Service (DoS) attack has been developed that is more
powerful than any previous DoS attack observed on the Internet.  A Denial of
Service attack is designed to bring a network down by flooding it with large
amounts of traffic.  This DoS attack uses an array of compromised systems to
launch a distributed flood attack against a single target.  ISS X-Force
considers this attack a high risk since it can potentially impact a wide
number of organizations.  It has proven to be successful and is difficult to
defend against.

Description:

Over the last two months, several high-capacity commercial and educational
networks have been affected by this type of DoS attack.  Two known exploit
tools are currently being used to implement this attack: trin00 and Tribe
Flood Network (TFN).  Attackers can install these tools on hundreds of
compromised machines and direct a network of trin00/TFN machines to initiate
an attack against a single victim.  The flood arrives simultaneously from
all of these machines, making it far more dangerous than a DoS attack
launched from a single machine.

Recommendations:

The ISS X-Force is currently developing several critical countermeasures
within ISS SAFEsuite solutions to help organizations protect themselves from
this attack.  Detection for this DoS attack is currently available on the
ISS web site for Internet Scanner (v.6.0.1)
with an additional update available in late December. System Scanner, the
host-based security assessment product, will detect these tools with the
installation of the check available at:
http://www.iss.net/support/flexchecks/sscanner.php.
An update to the ISS intrusion detection system, RealSecure (v.3.2.1), will
be available December 30, 1999 from the ISS web site.

Technical Information:

trin00:
The trin00 distributed denial-of-service system consists of 3 parts:

The Client:
The client is not part of the trin00 package.  The attacker uses an ordinary
telnet or Netcat program to connect to TCP port 27665 of the "master" and,
once connected, controls the "broadcasts" that will flood a target.  (The
master and broadcast are described later in this section.)


The Master:
The master is contained in the file master.c in the trin00 package.  While
running, it listens for UDP packets on port 31335.  These packets are
registration packets from the "broadcast."  It also listens for connections
on TCP port 27665.  When a client connects to port 27665, the master expects
the password to be sent before it returns any data.  The default password is
"betaalmostdone".  Separately, when the master binary itself is started, it
displays a "??" prompt and waits for a startup password; that password is
"gOrave".

The Broadcast (or Bcast):
The broadcast is the code in trin00 that performs the actual flooding.  It
is ns.c in the trin00 package.  When the broadcast is compiled, the IP
addresses of the masters that can control it are hardcoded into the program.
When the broadcast starts, it sends a UDP packet containing the data
"*HELLO*" to port 31335 of each master IP.  This packet registers the
broadcast with the master.  An attacker can then connect to the master and
direct the registered broadcasts to send a UDP flood.

There are six commands that a client can send to the master to cause the
master to communicate with the broadcast.  A master sending commands to a
broadcast sends a UDP packet to port 27444 of the broadcast.  The default
password between the master and the broadcast daemon is "144adsl".

These are the six commands the client sends to the master:

- mtimer:
Sets the timer (in seconds) for a DoS against a target.  The master sends a
"bbb" command to the broadcast.  This packet looks like: "bbb 144adsl 300"
when observed on the network.

- dos:
Performs a Denial of Service attack on a single machine.  The attack used is
explained below.  The dos command sends an "aaa" command to the broadcast.
This packet looks like: "aaa 144adsl 10.1.1.1" when observed on the network.

- mdie:
Kills all broadcasts.  The master sends a "d1e" command to each broadcast
daemon; this packet looks like "d1e 144adsl" when observed on the network.
An attacker connected to the master cannot use this command unless an
additional password is known (that password is unknown as of this writing),
but an attacker who knows the master-broadcast password ("144adsl") can send
the same UDP packet directly to each broadcast to kill it.

- mping:
Pings all broadcasts.  The master sends a "png" command to each broadcast,
and the broadcast replies with a "PONG" packet sent to UDP port 31335 of the
master.  When the ping is transmitted from the master to the broadcast
daemon, it looks like: "png 144adsl".

- mdos:
This command performs a Denial of Service attack on a list of machines.
The master sends an "xyz" command to each broadcast.  The packet looks like
"xyz 144adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:", where the first field is the
timer value and the colon-separated fields that follow are the targets.

- msize:
This command sets the size of the UDP packets to use when performing a
Denial of Service attack on a target.  It is undocumented in the master's
online help system.  The master sends an "rsz" command to the broadcast
daemon, and the packet looks like "rsz 144adsl 300".
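The registration and command traffic laid out above is simple enough to decode directly from a capture.  The following decoder is an added example written for this page; it is not code from the ISS alert or from the trin00 package.  It classifies a UDP datagram by destination port (31335 for broadcast-to-master registration and PONG replies, 27444 for master-to-broadcast commands) and by the leading command string and password quoted in the alert.  The datagrams in SAMPLE_PACKETS are constructed for illustration.

```python
"""Decoder for trin00 master/broadcast UDP control traffic.

Added example, not code from the ISS alert or the trin00 package.  Ports,
command strings and the "144adsl" password are the ones the alert quotes;
the sample datagrams are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MASTER_REG_PORT = 31335    # broadcast -> master: "*HELLO*" on startup, "PONG" after png
DAEMON_CMD_PORT = 27444    # master -> broadcast: "<cmd> 144adsl <args>"
DAEMON_PASSWORD = "144adsl"

# wire command -> the command name the attacker types at the master
COMMANDS = {
    "aaa": "dos",     # flood one target
    "bbb": "mtimer",  # set flood duration (seconds)
    "d1e": "mdie",    # kill the broadcast
    "png": "mping",   # liveness check, answered with "PONG"
    "xyz": "mdos",    # flood a list of targets: "<timer>:<ip>:<ip>:...:"
    "rsz": "msize",   # set UDP payload size in bytes
}


@dataclass
class Decoded:
    kind: str                      # register | pong | command | bad-password | malformed | unknown
    command: Optional[str] = None
    targets: List[str] = field(default_factory=list)
    value: Optional[int] = None


def decode(dst_port: int, payload: bytes) -> Decoded:
    """Classify one UDP datagram by its destination port and payload."""
    text = payload.decode("ascii", errors="replace").strip("\x00\r\n")
    if dst_port == MASTER_REG_PORT:
        if text == "*HELLO*":
            return Decoded("register")
        if text == "PONG":
            return Decoded("pong")
        return Decoded("unknown")
    if dst_port != DAEMON_CMD_PORT:
        return Decoded("unknown")

    parts = text.split(" ")
    if len(parts) < 2 or parts[0] not in COMMANDS:
        return Decoded("unknown")
    cmd = COMMANDS[parts[0]]
    if parts[1] != DAEMON_PASSWORD:
        # right port and verb but wrong password: still worth an alert
        return Decoded("bad-password", command=cmd)
    arg = parts[2] if len(parts) > 2 else ""
    try:
        if cmd == "dos":
            return Decoded("command", cmd, targets=[str(ipaddress.ip_address(arg))])
        if cmd == "mdos":
            timer, _, rest = arg.partition(":")
            ips = [str(ipaddress.ip_address(p)) for p in rest.split(":") if p]
            return Decoded("command", cmd, targets=ips, value=int(timer))
        if cmd in ("mtimer", "msize"):
            return Decoded("command", cmd, value=int(arg))
    except ValueError:
        return Decoded("malformed", command=cmd)
    return Decoded("command", cmd)      # mdie and mping carry no argument


# Constructed datagrams: (destination port, payload)
SAMPLE_PACKETS = [
    (31335, b"*HELLO*"),
    (27444, b"bbb 144adsl 300"),
    (27444, b"aaa 144adsl 10.1.1.1"),
    (27444, b"xyz 144adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:"),
    (27444, b"rsz 144adsl 300"),
    (27444, b"png 144adsl"),
    (31335, b"PONG"),
    (27444, b"aaa wrongpw 10.1.1.1"),
    (53, b"\x12\x34\x01\x00"),      # unrelated DNS-looking datagram
]


def triage(packets) -> List[Decoded]:
    """Decode every datagram and keep only the trin00-relevant ones."""
    return [d for d in (decode(p, b) for p, b in packets) if d.kind != "unknown"]


if __name__ == "__main__":
    for d in triage(SAMPLE_PACKETS):
        print(d)
```

Because the control channel is unauthenticated beyond the shared password and unencrypted, any sensor that sees the master-to-broadcast traffic can recover the target list and timer from the "aaa" and "xyz" packets, which is usually the quickest way to confirm which host is the intended victim.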


The DoS attack that trin00 broadcasts use is a UDP flood.  Trin00 sends a
large number of UDP packets containing 4 data bytes (all zeros), all from
one source port, to random destination ports on the target host.  The
target host answers each one with an ICMP Port Unreachable message.  The
target slows down because it is busy processing the UDP packets and
generating the ICMP replies, and the flood plus the replies leave little or
no network bandwidth.

There are several ways this attack could be detected.  The first involves
looking for a number of UDP packets with the same source port and different
destination ports.  Finding approximately 10 UDP packets with the same
source IP, destination IP, and source port, but different destination ports,
would detect this flood.  This method will also match UDP port scans.

Another method is to look for a number of ICMP Port Unreachable messages
with the same source and destination IP.  This technique will also match a
UDP port scan.

There is no reliable way to tell the difference between a trin00 flood and a
UDP port scan from the packets alone: both produce the same UDP and ICMP
pattern, and an observer cannot determine whether the sender is reading the
ICMP replies (a scanner) or ignoring them (a flooder).
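The two detection methods above can be run over a packet capture as follows.  This is an added example, not part of the ISS alert: it groups UDP packets by (source IP, destination IP, source port) and flags groups that spread over many distinct destination ports, counts ICMP Port Unreachable messages per host pair, and, as a weaker third signal, counts packets whose payload is all zeros (the alert's 4 zero bytes, or whatever size "rsz" has set).  The thresholds and the capture produced by sample_capture() are constructed; the packet record format (dicts with proto/src/dst/sport/dport/payload keys) is an assumption for this example.

```python
"""Heuristic detection of a trin00-style UDP flood from packet records.

Added example, not code from the ISS alert.  Thresholds, the record
format and the sample capture are constructed for illustration.
"""
from collections import defaultdict
import random

DISTINCT_DPORT_THRESHOLD = 10   # the alert's "approximately 10" packets
ICMP_UNREACH_THRESHOLD = 10     # assumption: same order of magnitude


def udp_flood_flows(packets, threshold=DISTINCT_DPORT_THRESHOLD):
    """Group UDP packets by (src, dst, sport) and flag groups that hit
    at least `threshold` distinct destination ports.  Each hit also reports
    how many of its packets carried an all-zero payload, the trin00 pattern."""
    dports = defaultdict(set)
    zero_payload = defaultdict(int)
    for p in packets:
        if p["proto"] != "udp":
            continue
        key = (p["src"], p["dst"], p["sport"])
        dports[key].add(p["dport"])
        data = p.get("payload", b"")
        if data and not data.strip(b"\x00"):
            zero_payload[key] += 1
    hits = []
    for key, ports in dports.items():
        if len(ports) >= threshold:
            src, dst, sport = key
            hits.append({"src": src, "dst": dst, "sport": sport,
                         "distinct_dports": len(ports),
                         "zero_payload_packets": zero_payload[key]})
    return sorted(hits, key=lambda h: -h["distinct_dports"])


def icmp_unreachable_pairs(packets, threshold=ICMP_UNREACH_THRESHOLD):
    """Count ICMP type 3 code 3 (port unreachable) per (src, dst) pair."""
    counts = defaultdict(int)
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == 3 and p.get("code") == 3:
            counts[(p["src"], p["dst"])] += 1
    return [{"src": s, "dst": d, "count": n}
            for (s, d), n in counts.items() if n >= threshold]


def sample_capture(seed=7):
    """Constructed traffic: one trin00-style flood (and the victim's ICMP
    replies) mixed with ordinary DNS lookups from an unrelated host."""
    rng = random.Random(seed)
    pkts = []
    victim, flooder = "192.0.2.10", "198.51.100.7"
    for dport in rng.sample(range(1024, 65535), 25):
        pkts.append({"proto": "udp", "src": flooder, "dst": victim,
                     "sport": 1025, "dport": dport, "payload": b"\x00" * 4})
        pkts.append({"proto": "icmp", "type": 3, "code": 3,
                     "src": victim, "dst": flooder})
    for _ in range(25):   # benign: one source port, always destination port 53
        pkts.append({"proto": "udp", "src": "203.0.113.4", "dst": "192.0.2.53",
                     "sport": 34567, "dport": 53, "payload": b"\x12\x34\x01\x00"})
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    for h in udp_flood_flows(cap):
        print("UDP flood candidate:", h)
    for h in icmp_unreachable_pairs(cap):
        print("ICMP port-unreachable burst:", h)
```

As the alert warns, a UDP port scan of the victim produces exactly the same UDP and ICMP pattern, so both functions will fire on one; the zero_payload_packets count is the only packet-level hint that separates a trin00 flood from a scanner, and a scanner that happens to send empty or zero payloads defeats even that.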

Detecting trin00/TFN related attacks:

Several conventional attacks are known to be related to trin00/TFN
compromises.  Machines that are compromised using the following list of
attacks should be checked for trin00/TFN daemons:

- rpc.ttdbserver
- amd
- rpc.cmsd
- rpc.mountd
- rpc.statd

Although these are the vulnerabilities associated with trin00/TFN daemons so
far, there is no guarantee that attackers are not using other methods to
compromise trin00/TFN daemon candidates.
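A host compromised through one of the services listed above can be checked for a trin00 installation using only the details this alert gives.  The script below is an added example, not the System Scanner check the alert refers to and not code from the trin00 package.  It searches files for the protocol string and passwords quoted in the alert and parses /proc/net/udp and /proc/net/tcp for sockets bound to the trin00 ports (31335 and 27444 for UDP, 27665 for TCP).  The /proc/net format is the Linux one, which is an assumption: a Solaris or BSD host would use netstat output instead.  The SAMPLE_PROC_NET_* texts are constructed.

```python
"""Host-side indicators of a trin00 master or broadcast.

Added example, not code from the ISS alert or its scanner check.  The
strings and ports come from the alert; the /proc/net parsing assumes the
Linux layout and the sample texts are constructed.
"""
import os
import sys

# Strings the alert quotes from the master and broadcast.  Each is weak on
# its own (e.g. "gOrave" could occur by chance); a hit warrants inspection,
# not automatic action.
INDICATORS = [b"*HELLO*", b"144adsl", b"betaalmostdone", b"gOrave"]
TRIN00_PORTS = {"udp": {31335, 27444}, "tcp": {27665}}
TCP_LISTEN = "0A"   # st column value for a listening TCP socket in /proc/net/tcp


def indicators_in(data: bytes) -> list:
    """Return the trin00 strings present in a byte buffer (binary or source)."""
    return [s.decode() for s in INDICATORS if s in data]


def scan_tree(root: str, max_size: int = 32 * 1024 * 1024) -> dict:
    """Walk a directory; map each file containing an indicator to its hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    found = indicators_in(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


def bound_ports(procnet_text: str, proto: str) -> set:
    """Parse the local-port column of /proc/net/udp or /proc/net/tcp text.
    Ports are hex after the colon in "HEXIP:HEXPORT"; for TCP only sockets in
    LISTEN state are returned."""
    ports = set()
    for line in procnet_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1]:
            continue
        if proto == "tcp" and fields[3] != TCP_LISTEN:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def trin00_ports(procnet_text: str, proto: str) -> set:
    """Ports from the text that match the trin00 ports for that protocol."""
    return bound_ports(procnet_text, proto) & TRIN00_PORTS[proto]


# Constructed /proc/net samples: a DNS socket plus a UDP socket on 27444,
# and a TCP listener on 27665 (0x6C11) next to an ordinary SSH listener.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1102 2 0 0
   1: 00000000:6B34 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2231 2 0 0
"""
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3301 1 0 100 0 0 10 0
   1: 00000000:6C11 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3311 1 0 100 0 0 10 0
   2: 0100007F:6C11 0100007F:8F2A 01 00000000:00000000 00:00000000 00000000     0        0 3312 1 0 20 4 2 10 -1
"""


if __name__ == "__main__":
    # Usage: python3 trin00_host_check.py [directory-to-scan]
    for proto in ("udp", "tcp"):
        try:
            with open("/proc/net/" + proto) as fh:
                print(proto, "trin00 ports bound:", trin00_ports(fh.read(), proto))
        except OSError:
            print("/proc/net/%s not available on this host" % proto)
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            print(path, found)
```

The third TCP line in the sample is an established connection to the same port, which is deliberately not reported: only the listening socket identifies a master.  Because the broadcast registers by sending to the master rather than listening on 31335, a host running only a broadcast will show UDP 27444 and nothing on TCP 27665.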

Additional Information:

ISS X-Force worked in collaboration with CERT to research this advisory.
The URL for the CERT advisory for trin00/TFN is located at:
http://www.cert.org/incident_notes/IN-99-07.html



About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider
protecting digital assets and ensuring the availability, confidentiality and
integrity of computer systems and information critical to e-business
success. ISS' security management solutions protect more than 5,000
customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10
largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe and Latin America. For more information, visit the ISS Web
site at www.iss.net or call 800-776-2362.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express consent
of the X-Force.  If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
