ISS Security Alert
February 9, 2000

Denial of Service Attack using the TFN2K and Stacheldraht programs


Synopsis:

A new form of Distributed Denial of Service (DDoS) attack has been discovered following the release of the trin00 and Tribe Flood Network (TFN) denial of service programs (see December 7, 1999 ISS Security Alert at http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful than any previous denial of service attack observed on the Internet. A Distributed Denial of Service attack is designed to bring a network down by flooding target machines with large amounts of traffic. This traffic can originate from many compromised machines, and can be managed remotely using a client program. ISS X-Force considers this attack a high risk since it can potentially impact a large number of organizations. DDoS attacks have proven to be successful and are difficult to defend against.

Description:

Over the last two months, several high-capacity commercial and educational networks have been affected by DDoS attacks. (C0VERTl's note: Such as Ebay.com, Buy.com, Zd-Net.com, CNN, possibly others) In addition to the trin00 and TFN attacks, two additional tools are currently being used to implement this attack: TFN2K and Stacheldraht. Both of these tools are based on the original TFN/trin00 attacks described in the December ISS Security Alert.

Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or Stacheldraht) on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims. This attack occurs simultaneously from these machines, making it more dangerous than any DoS attack launched from a single machine.

Technical Information:

TFN2K:
The TFN2K distributed denial of service system consists of a client/server architecture.

The Client:
The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded. The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server:
The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password; the password is selected by the user at compile time.

The Attack:
The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are recommended in the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port.

TFN2K runs on Linux, Solaris, and Windows platforms.

Stacheldraht (Barbed Wire):

Stacheldraht consists of three parts: the master server, client, and agent programs.

The Client:
The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server:
The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent:
The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and are also used to determine the source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image, and they also accept commands to execute flood attacks against target machines.
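
The heartbeat indicators described above can be checked against raw IPv4 packets as follows. This is an added example, not part of the ISS alert or of any ISS product; the function names, the confidence labels and the sample packets are constructed for illustration.

```python
import struct

# Indicators taken from the alert text above.
HEARTBEAT_IDS = {666, 667, 668, 669}
HEARTBEAT_STRINGS = (b"skillz", b"ficken", b"spoofworks")

def inspect_packet(packet: bytes):
    """Return matched indicators for one raw IPv4 packet, or None if clean."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4         # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                      # bad header, not ICMP, or short ICMP
    icmp_type, _code, _csum, ident, _seq = struct.unpack_from("!BBHHH", packet, ihl)
    if icmp_type != 0:                   # only ICMP echo reply (type 0) is of interest
        return None
    payload = packet[ihl + 8:]
    strings = [s.decode() for s in HEARTBEAT_STRINGS if s in payload]
    id_hit = ident in HEARTBEAT_IDS
    if not (id_hit or strings):
        return None
    # Both indicators together are a strong match; an ID alone can occur by
    # chance in an ordinary ping reply, so it is reported with low confidence.
    return {"src": ".".join(str(b) for b in packet[12:16]),
            "dst": ".".join(str(b) for b in packet[16:20]),
            "id": ident, "strings": strings,
            "confidence": "high" if id_hit and strings else "low"}

def build_sample(src, dst, icmp_type, ident, payload):
    """Build a constructed test packet (checksums are zero; the detector ignores them)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(src), bytes(dst))
    return ip + icmp

# Constructed samples; addresses are from documentation ranges, not real hosts.
SAMPLES = [
    build_sample((192, 0, 2, 10), (198, 51, 100, 5), 0, 666, b"skillz"),
    build_sample((198, 51, 100, 5), (192, 0, 2, 10), 0, 667, b"ficken"),
    build_sample((192, 0, 2, 77), (192, 0, 2, 1), 0, 4321, b"abcdefghijklmnop"),
    build_sample((192, 0, 2, 78), (192, 0, 2, 1), 8, 666, b"skillz"),  # echo request
    build_sample((192, 0, 2, 79), (192, 0, 2, 1), 0, 668, b"\x00" * 16),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(inspect_packet(pkt))
```
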

The Attack:
Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999.

Stacheldraht runs on Linux and Solaris machines.
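
A host-side check for the listening ports named in the Client, Master Server and Agent paragraphs above, as an added example that is not part of the original alert. It assumes a Linux host and that the ports are TCP (the alert does not state the protocol); the function names are illustrative and the /proc/net/tcp excerpt is constructed.

```python
# Ports from the alert: the master listens on 16660 or 60001, the agent on 65000.
PORT_ROLES = {16660: "master server", 60001: "master server", 65000: "agent"}
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def parse_listeners(proc_net_tcp: str):
    """Yield (ip, port, inode) for every IPv4 LISTEN socket in /proc/net/tcp text."""
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # Data rows start with "N:"; this also skips the column header row.
        if len(fields) < 10 or not fields[0].endswith(":") or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is printed byte-reversed on little-endian hosts such as x86.
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(hex_ip)))
        yield ip, int(hex_port, 16), int(fields[9])

def suspicious_listeners(proc_net_tcp: str):
    """Return (ip, port, role, inode) for listeners on the ports the alert names."""
    return [(ip, port, PORT_ROLES[port], inode)
            for ip, port, inode in parse_listeners(proc_net_tcp)
            if port in PORT_ROLES]

# Constructed sample: row 0 is sshd-style port 22, rows 1 and 2 listen on alert
# ports, row 3 is an ESTABLISHED connection (state 01) and is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 00000000:4114 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222
   2: 0100007F:FDE8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333
   3: 0F02000A:EA61 6302000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 44444
"""

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_PROC_NET_TCP):
        print(hit)
```

A hit is a lead for further inspection rather than proof, since unrelated software may bind the same ports; the inode can be matched against /proc/<pid>/fd to find the owning process.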

Detecting TFN2K/Stacheldraht related attacks:

ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial of Service attacks that these distributed tools use, providing early warning and response capabilities. RealSecure can reconfigure firewalls and routers to block the traffic. On some firewalls this can be as granular as blocking a particular service or protocol port. In conjunction with the December 7, 1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the communications between the distributed components of TFN and trin00. RealSecure will add signatures to detect TFN2K and Stacheldraht in its next release, which will also include an X-press Update capability to speed future signature deployment. (C0VERTl's note: Also see info from The National Infrastructure Protection Center (FBI) NIPC-Info.)

Additional Information:
ISS worked in coordination with CERT, SANS, and the NIPC. The following is additional information regarding these DDoS attacks:

- Advisory CA-2000-01 Denial-of-Service Developments
  http://www.cert.org/advisories/CA-2000-01.html
- SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- http://www.fbi.gov/nipc/trinoo.htm (note on 02/20/00, the tools were disabled, unable to download) (also see http://fbi.gov/nipc/ddos.htm )
- http://staff.washington.edu/dittrich/misc/stacheldraht.analysis (see this paper on my site Stacheldraht)


About ISS
ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services, and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.