Revision

Revision Date Notes
v1.0 31/05/2002 First revision of the document

Abstract

This document is a summary of the analysis of "the-binary", a Distributed Denial of Service (DDoS) attack tool. It covers the key aspects of the-binary, the threats it poses, techniques for detecting it and methods of defending against it.

Target audience

A non-technical audience wishing to learn what "the-binary" is, how it works, how to detect it and how to defend against it.

Introduction

"the-binary" is another Distributed Denial of Service (DDoS) attack tool, similar to already known tools such as trinoo, TFN, TFN2k and others. It employs well-known techniques: DNS reflection, DNS flood, fragment flood and TCP SYN flood. These techniques have been seen in real-world DDoS attacks for at least 10 years now.

Key aspects

The-binary can be run only under the Linux operating system on the Intel x86 platform. The-binary itself has no "worm" or "viral" capabilities: it has to be started "by hand" by the attacker. The-binary tries to disguise itself on the system, but it is fairly easy to detect (see the Detection section below). Once running, it can be controlled remotely over the network. However, a properly configured firewall can prevent access to the-binary's functions from outside (see the Defence section below). If the attacker can control the-binary, she has full control over the system it runs on: she can issue any commands (e.g. install so-called "rootkits", which can make detection and successful removal of the-binary much harder) and/or launch attacks against other hosts.

Attack techniques

The-binary is able to perform 4 types of attacks:
  1. Fragments flood
  2. DNS flood
  3. DNS reflection
  4. TCP SYN flood
DNS reflection seems to be the most harmful of the four, as it provides a way to "amplify" bandwidth: the target is flooded with a wide stream of data that is initiated by a much smaller stream coming out of the attacker's machine. However, several bugs in the-binary slightly limit this possibility.

Detection

The open source network exploration tool and security scanner nmap can be used to detect which IP protocols a given host responds to (the -sO command line switch). If the host responds to IP protocol number 11, there is a strong suspicion that the-binary is running on it. With access to an interactive shell on the host, one can also check whether a process named "[mingetty]" is running (e.g. using the "ps" utility); this is the name the-binary uses to disguise itself among other system processes. Warning: this detection technique applies only to unmodified versions of the-binary. One can easily modify the-binary to use another channel of communication for controlling its functions and/or another process name.
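The two checks above, written out as a small script. This is an added example and not part of the original analysis: the nmap command line is only built (run it yourself against a suspect host), the ps output is a constructed sample so the host check runs offline, and the executable name "the-binary" in that sample is an assumption (the attacker may have called the file anything).

```shell
#!/bin/sh
# Added example, not from the original write-up: the network and host checks
# from the Detection section.  The ps listing below is constructed.

# Network check: an nmap IP protocol scan (-sO) restricted to protocol 11.
# Only the command line is produced here; run it against the suspect host.
nmap_proto11_cmd() {
    printf 'nmap -sO -p 11 %s\n' "$1"
}

# Host check.  Input (stdin) is the output of:  ps -eo pid,user,comm,args
# ps shows kernel threads as "[name]" in the args column; the-binary copies
# that look by rewriting its own argument list to "[mingetty]".  A genuine
# mingetty shows a path and a tty ("/sbin/mingetty tty1"), so an argument
# list that is exactly "[mingetty]" is the indicator.  The comm column is the
# name the kernel recorded for the executable and is not rewritten, so it is
# printed alongside the PID to show what the file was actually called.
find_disguised_mingetty() {
    awk 'NR > 1 && NF == 4 && $4 == "[mingetty]" { print $1, $3 }'
}

# Constructed sample of "ps -eo pid,user,comm,args" on an infected host.
SAMPLE_PS='  PID USER     COMMAND          COMMAND
    1 root     init             /sbin/init
    2 root     kflushd          [kflushd]
 1300 root     mingetty         /sbin/mingetty tty1
 4242 root     the-binary       [mingetty]'

echo "Would run: $(nmap_proto11_cmd 192.0.2.10)"
echo "Suspicious processes (pid, executable name):"
echo "$SAMPLE_PS" | find_disguised_mingetty
```

When reading the nmap output, note that a protocol scan marks a protocol "open" only when the host answers; when nothing comes back at all, nmap reports "open|filtered", so a host that silently drops unknown protocols will list many such entries and protocol 11 on its own is then no evidence.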

Defence

A properly configured firewall can provide sufficient security against outside attackers trying to control a copy of the-binary running on a host inside the zone the firewall protects. To prevent existing DDoS attack tools, as well as future ones, from using reflection techniques, and to make identification of the attacker easier, ingress and egress filtering should be implemented at the ISP level. ISPs should also deploy technologies that would allow the victim of a DDoS attack to trace back the actual origin of packets (regardless of the spoofed source IP address).
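To make the two firewall measures concrete, here is an added example (not part of the original analysis) that models them as packet-filter logic for a site whose address block is assumed to be 192.0.2.0/24: inbound packets carrying IP protocol 11, the control channel of the unmodified the-binary, are dropped, and outbound packets whose source address is not the site's own are dropped (egress filtering, which stops a compromised host from spoofing other addresses in a reflection attack). The packet list is constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up.  Models a border firewall
# for the (assumed) site prefix 192.0.2.0/24.  The sample packets are made up.

SITE_PREFIX=192.0.2.0/24

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit number
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# in_prefix IP CIDR -> exit status 0 if IP lies inside CIDR
in_prefix() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    shift_by=$((32 - bits))
    # keep only the top $bits bits of each address and compare
    [ $((ip >> shift_by)) -eq $((net >> shift_by)) ]
}

# filter_packet DIRECTION PROTOCOL SRC -> prints ACCEPT or DROP
filter_packet() {
    dir=$1 proto=$2 src=$3
    case $dir in
        inbound)
            # Rule 1: block the-binary's control channel (IP protocol 11).
            # iptables equivalent:  iptables -A INPUT -p 11 -j DROP
            [ "$proto" = 11 ] && { echo DROP; return; } ;;
        outbound)
            # Rule 2: egress filtering, only the site's own addresses may leave.
            # iptables equivalent:  iptables -A FORWARD ! -s 192.0.2.0/24 -j DROP
            in_prefix "$src" "$SITE_PREFIX" || { echo DROP; return; } ;;
    esac
    echo ACCEPT
}

# Constructed sample traffic: direction, IP protocol number, source, destination.
PACKETS='inbound 11 203.0.113.7 192.0.2.10
inbound 6 203.0.113.7 192.0.2.10
outbound 17 192.0.2.10 198.51.100.1
outbound 17 10.9.8.7 198.51.100.1'

echo "$PACKETS" | while read -r d p s t; do
    printf '%-8s proto %-2s %s -> %s : %s\n' "$d" "$p" "$s" "$t" "$(filter_packet "$d" "$p" "$s")"
done
```

The last sample packet is the interesting one: a host inside the site sending with a source address it does not own is exactly what a reflection attack needs, and the egress rule drops it before it reaches the ISP. The same rule applied at the ISP edge, as the section recommends, covers customers that have no such filter of their own.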