Advisory

SECURITY ADVISORY

Date: May 31 2002 15:00:00 GMT
From: sysadmin@honeyp.edu
Advisory ID: SA-2002-24
Severity: High
Title: Distributed Denial of Service (DDoS) Attack tools

------------------------------------------------------------------------------

1. SYSTEMS AFFECTED:

Most Linux systems.

2. DESCRIPTION:

Recently, a new DDoS attack tool has been discovered on one of honeyp.edu's server. It is a statically linked ELF binary designed to run on Linux systems. It is the daemon process of a multi-tiered DDoS system.

The daemon can be instructed by a master to launch the following DoS attacks:

single and multiple packet TCP SYN attack
single and multiple packet reflective DNS query attack
DNS query attack on a DNS server
fragmentated IP packet attack

The daemon allows the source IP to be spoofed when conducting the above attacks.

In addition, the daemon allows the master to:

execute arbitruary commands on the system and optionally send back the output
open a remote backdoor shell

The DDoS tool also feature a network data encoding process that prevents the communications between the master and the daemon to be easily sniffed. The master and its daemon communications via IP packets of protocol type 11.

3. DETECTION:

The following strings sequence can be used as a signature for the DDoS tool:

[mingetty]

/tmp/.hj237349

/bin/csh -f -c "%s" 1> %s 2>&1

TfOjG

/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.

PATH

HISTFILE

linux

TERM

/bin/sh

/bin/csh -f -c "%s"

%d.%d.%d.%d

%u.%u.%u.%u

%c%s

If the daemon is already running, it should also have the following tell-tale signs:
a) The `netstat -a` command will show an open raw socket of protocol 11 in a listening state
b) The `ps -A` command will show a process named "[mingetty]"

4. FURTHER INFORMATION:

Results of the Distributed-Systems Intruder Tools Workshop, The CERT Coordination Center, December, 1999, http://www.cert.org/reports/dsit_workshop.pdf