HoneyPot University Security Advisory 2002-001 - (summary)
==========================================================

Subject: New denial of service tool "the-binary" discovered

Abstract
========

A new tool for performing remote denial of service (DoS) attacks has recently been discovered "in the wild". This tool, code-named "the-binary", is similar to the TFN and trinoo distributed DoS tools which received much media attention in early 2000. Minor updates to an institution's firewall configuration can effectively neuter this tool, reducing it to a low threat.

Details
=======

the-binary is a tool which an attacker installs on a system after compromising it. It only runs on Linux systems, but versions for other operating systems may exist. Once installed, the tool hides itself from casual observation to reduce the chance of being noticed by the system administrator.

the-binary is controlled remotely (and anonymously), so an attacker does not need to be logged in to the machine where the-binary is running. The tool allows the remote attacker to direct a denial of service attack against a specific victim. The victim need not be a machine owned by the institution, but could be any host on the Internet. In effect, the attacker causes the compromised system (the machine running the-binary) to attack the victim.

There are three types of DoS attack that the-binary can perform:

  * SYN flooding
  * Jolt2 attacks
  * DNS flooding

SYN flooding was popular in 1996 / 1997 but is rarely used today, as techniques to reduce its effectiveness (such as SYN cookies) are widely implemented. This attack is not specific to any type of hardware / operating system configuration.

The Jolt2 attack specifically targets Windows 9x, Windows NT 4.0 and Windows 2000. A stream of malformed IP fragments causes 100% CPU utilisation on the attacked machine. A fix for this vulnerability is available from Microsoft.

The DNS flooding attack is a custom reflection attack: the-binary sends DNS queries with the victim's address forged as the source, so that many thousands of machines on the Internet send unsolicited DNS replies to the victim. This huge amount of network traffic is intended to prevent the victim from being able to use their network connection. This attack is not specific to any type of hardware / operating system configuration.

the-binary also installs a "backdoor" on the compromised system, which allows an attacker to execute commands on the system, or even obtain shell access.

The attacker communicates with the-binary using non-standard Internet protocols, that is, IP protocols other than the TCP, UDP and ICMP that make up normal traffic. Many firewall configurations contain rules only for TCP, UDP and ICMP, do not consider these other protocols, and hence pass them through unexamined.

Recommendations
===============

All firewalls at an institution should be updated to block all non-standard protocols which are not used on the institution's network: in practice, permit only TCP, UDP, ICMP and any other IP protocols the institution knowingly uses (for example VPN or routing protocols), and log and drop the rest. This will prevent an attacker outside the institution from controlling any existing copies of the-binary that may have been installed on machines in the institution; it does not remove copies that are already installed, which still need to be found and dealt with. Any running programs found to be accepting network traffic using these protocols should be examined, as they may be copies of the-binary. Of course, keeping all machines up to date by applying the latest vendor patches is strongly recommended, to prevent system compromise in the first place.

More Information
================

CERT Advisory CA-1999-17 Denial-of-Service Tools
http://www.cert.org/advisories/CA-1999-17.html

Jolt2 - Remote Denial of Service attack against Windows 2000 and NT4
http://razor.bindview.com/publish/advisories/adv_Jolt2.html
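The following is an added example, written for this edited copy of the advisory; it is not part of the original page and not the-binary's own code. It implements the two recommendations above on a Linux host: it audits raw sockets for IP protocols outside an allow-list (a userland program can only receive a non-TCP/UDP/ICMP protocol through a raw socket, or a packet socket, see the note after the code), maps a suspicious socket back to its process, and emits the matching iptables protocol filter. The /proc/net/raw table below is a constructed sample in the real column layout; protocol number 55 in it is an arbitrary illustration, not a statement about which protocol the-binary uses; the allow-lists and the chain name PROTOFILTER are assumptions to be adapted to the institution.

```python
import os

# Raw-socket protocols a normal host has reason to hold: ICMP (ping).
# TCP and UDP are served by the kernel stack, so a userland program
# receiving any other IP protocol must hold a raw socket bound to it.
ALLOWED_RAW_PROTOCOLS = {1}

# IP protocols the firewall recommendation leaves open (assumed set);
# extend with what the institution really uses, e.g. 47 GRE, 50 ESP, 89 OSPF.
ALLOWED_IP_PROTOCOLS = (1, 6, 17)

IP_PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp",
                  47: "gre", 50: "esp", 89: "ospf"}

# Constructed sample in the real /proc/net/raw layout.  The "port" half of
# local_address is the bound IP protocol number.  Protocol 0x37 (55) is an
# arbitrary illustrative value, not a claim about the-binary.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18231 2 0000000000000000 0
   1: 00000000:0037 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22917 2 0000000000000000 0
   2: 0100007F:0002 00000000:0000 07 00000000:00000000 00:00000000 00000000   500        0 23004 2 0000000000000000 0
"""


def parse_proc_net_raw(text):
    """One dict per raw socket: protocol, local_ip, uid, inode."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, proto_hex = fields[1].split(":")
        # the address is host byte order (little-endian on x86): reverse it
        octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
        entries.append({
            "protocol": int(proto_hex, 16),
            "local_ip": ".".join(str(o) for o in octets),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def flag_unexpected(entries, allowed=ALLOWED_RAW_PROTOCOLS):
    """Raw sockets bound to a protocol outside the allow-list."""
    return [e for e in entries if e["protocol"] not in allowed]


def find_pids_for_inode(inode, proc_root="/proc"):
    """PIDs whose fd table holds socket:[inode].  Live Linux only; seeing
    other users' fd tables needs root.  Returns [] when nothing matches."""
    target = "socket:[%d]" % inode
    pids = []
    try:
        names = os.listdir(proc_root)
    except OSError:
        return pids
    for name in names:
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(name))
                    break
        except OSError:
            continue            # process exited, or permission denied
    return pids


def protocol_filter_rules(allowed=ALLOWED_IP_PROTOCOLS, chain="PROTOFILTER"):
    """iptables rule lines for the advisory's firewall recommendation: a chain
    that returns allowed IP protocols to the normal port-level rules and logs,
    then drops, every other protocol, hooked in at the head of INPUT/FORWARD."""
    rules = ["-N %s" % chain]
    rules += ["-A %s -p %d -j RETURN" % (chain, p) for p in sorted(allowed)]
    rules.append('-A %s -j LOG --log-prefix "nonstd-proto: "' % chain)
    rules.append("-A %s -j DROP" % chain)
    rules += ["-I %s 1 -j %s" % (builtin, chain) for builtin in ("INPUT", "FORWARD")]
    return rules


def audit(text=SAMPLE_PROC_NET_RAW):
    """Print and return raw sockets worth a closer look."""
    suspicious = flag_unexpected(parse_proc_net_raw(text))
    for e in suspicious:
        name = IP_PROTO_NAMES.get(e["protocol"], "proto-%d" % e["protocol"])
        pids = find_pids_for_inode(e["inode"]) or "unknown"
        print("raw socket: protocol %d (%s) on %s, uid %d, inode %d, pids %s"
              % (e["protocol"], name, e["local_ip"], e["uid"], e["inode"], pids))
    return suspicious


if __name__ == "__main__":
    audit()                     # on a real host: audit(open("/proc/net/raw").read())
    print("\n".join(protocol_filter_rules()))
```

Two caveats when running this on a real host. Legitimate daemons hold raw sockets too (IGMP, OSPF and VRRP implementations, for instance), so the raw-socket allow-list needs tuning per host rather than a blanket rule. And a backdoor that listens with a packet socket (AF_PACKET) instead of a raw IP socket does not appear in /proc/net/raw at all; /proc/net/packet lists those, and the inode-to-PID mapping above works on them in the same way.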