HoneyPot University Security Advisory 2002-001 - (summary)
==========================================================

Subject:    New denial of service tool "the-binary" discovered


Abstract
========

A new tool for performing remote denial of service (DOS) attacks has
recently been discovered "in the wild".  This new tool, code named
"the-binary", is similar to the TFN and trinoo tools which received much
media attention in early 2000.  Minor updates to an institution's firewall
configuration can effectively neuter this tool, reducing it to a low
threat.

Details
=======

the-binary is a tool which is installed by an attacker, once they have
compromised a system.  It only runs on Linux systems, but there may be
versions for other operating systems in existence.  Once installed, the
tool hides itself from casual observation to reduce the chances of being
noticed by the system administrator.  the-binary is controlled remotely
(and anonymously), so an attacker does not need to be connected to the
machine where the-binary is running.

The tool allows a remote attacker to direct a denial of service attack upon
a specific victim.  The victim need not be a machine owned by the
institution, but could be any host on the Internet.  In effect, the
attacker causes the compromised system (the machine running the-binary) to
attack the victim.

There are three types of DOS attacks that the-binary can perform:
  * SYN flooding
  * Jolt 2 attacks
  * DNS flooding

  SYN flooding is a type of attack which was popular in 1996 / 1997 but is
  rarely used today, as techniques to reduce its effectiveness are widely
  implemented.  This attack is not specific to any type of hardware /
  operating system configuration.

  The Jolt 2 attack is an attack specifically against Windows 9x, Windows
  NT 4.0 and Windows 2000.  The attack causes 100% CPU utilisation on the
  attacked machine.  A fix for this vulnerability is available from
  Microsoft.

  The DNS flooding attack is a custom attack to cause many thousands of
  machines on the Internet to send unasked-for DNS replies to the victim.
  This huge amount of network traffic is intended to prevent the victim
  from being able to utilise their network connection.  This attack is not
  specific to any type of hardware / operating system configuration.

the-binary also installs a "backdoor" on the compromised system, which
allows an attacker to execute commands on the system, or even obtain shell
access.

The attacker communicates with the-binary using non-standard Internet
protocols.  Many firewall configurations do not consider these non-standard
protocols, and hence ignore them.

Recommendations
===============

All firewalls at an institution should be updated to block all non-standard
protocols which are not used on the institution's network.  This will
prevent an attacker from controlling any existing copies of the-binary that
may have been installed on machines in the institution.  Any running
programs found to be accepting network traffic using these protocols should
be examined, as they may be copies of the-binary.
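The two checks this recommendation describes, as an added example that is not part of the advisory and not code from the-binary's analysis. It assumes a Linux host or gateway with iptables, that the institution's network only needs TCP, UDP and ICMP (adjust ALLOWED_PROTOS and ALLOWED_PROTO_NUMS otherwise), and that raw-socket state is read in the format of /proc/net/raw, which is where Linux lists the sockets a process must open to receive packets for a non-standard IP protocol. The listing embedded in the block is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the advisory: (1) print iptables rules that drop
# every IP protocol the institution does not use, and (2) list local raw
# sockets bound to such protocols, since a process accepting non-standard
# protocol traffic on Linux needs a raw socket. Rules are printed rather
# than applied so they can be reviewed first; pipe them to sh as root to apply.

# Assumption: the institution's network only needs TCP, UDP and ICMP.
ALLOWED_PROTOS="tcp udp icmp"
ALLOWED_PROTO_NUMS="6 17 1"   # the same three as IP protocol numbers

# Emit a NONSTD chain that lets the allowed protocols fall through to the
# existing rule set and logs (rate-limited) then drops anything else, for
# both inbound and forwarded traffic.
nonstd_proto_rules() {
    echo "iptables -N NONSTD 2>/dev/null || iptables -F NONSTD"
    for p in $ALLOWED_PROTOS; do
        echo "iptables -A NONSTD -p $p -j RETURN"
    done
    echo "iptables -A NONSTD -m limit --limit 5/min -j LOG --log-prefix 'NONSTD-PROTO '"
    echo "iptables -A NONSTD -j DROP"
    echo "iptables -I INPUT 1 -j NONSTD"
    echo "iptables -I FORWARD 1 -j NONSTD"
}

# Read text in /proc/net/raw format on stdin and print the IP protocol
# number of every raw socket, one per line. In that file the "port" half of
# local_address is the protocol in hex, e.g. 00000000:0001 is a raw ICMP socket.
raw_socket_protos() {
    tail -n +2 | while read -r sl laddr rest; do
        hex=${laddr#*:}
        echo $((0x$hex))
    done | sort -un
}

# Print only the protocol numbers not in ALLOWED_PROTO_NUMS: the owning
# processes are the ones to examine (ss -wp or lsof shows which they are).
flag_nonstd_raw() {
    raw_socket_protos | while read -r proto; do
        allowed=0
        for n in $ALLOWED_PROTO_NUMS; do
            if [ "$proto" -eq "$n" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then echo "$proto"; fi
    done
}

# Constructed sample in /proc/net/raw format: an ICMP raw socket (0001) and
# one bound to IP protocol 0x63 (99), which no normal service on the host uses.
SAMPLE_RAW='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:0063 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0'

# Demo against the constructed sample; on a real host run:
#   flag_nonstd_raw < /proc/net/raw
echo "Raw sockets on non-standard protocols:"
printf '%s\n' "$SAMPLE_RAW" | flag_nonstd_raw
echo "Firewall rules to review, then apply as root:"
nonstd_proto_rules
```

The chain returns early for the permitted protocols so existing TCP, UDP and ICMP rules keep their behaviour; only packets of other IP protocols reach the LOG and DROP targets, and the log prefix gives a simple string to alert on. Before applying the rules, check the raw-socket listing and any VPN or routing setup, because protocols such as GRE or ESP are legitimate on some networks and would need adding to the allowed list.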

Of course, keeping all machines up to date by applying the latest vendor
patches is strongly recommended, to prevent system compromise.

More Information
================

CERT Advisory CA-1999-17 Denial-of-Service Tools

http://www.cert.org/advisories/CA-1999-17.html

Jolt2 - Remote Denial of Service attack against Windows 2000 and NT4

http://razor.bindview.com/publish/advisories/adv_Jolt2.html