SECURITY ADVISORY

Date: May 31 2002 15:00:00 GMT
From: sysadmin@honeyp.edu
Advisory ID: SA-2002-24
Severity: High
Title: Distributed Denial of Service (DDoS) Attack tools

------------------------------------------------------------------------------

1. SYSTEMS AFFECTED:

Most Linux systems.


2. DESCRIPTION:

Recently, a new DDoS attack tool was discovered on one of honeyp.edu's servers. It is a statically linked ELF binary designed to run on Linux systems, and is the daemon process of a multi-tiered DDoS system.

The daemon can be instructed by a master to launch the following DoS attacks:
The daemon allows the source IP to be spoofed when conducting the above attacks.

In addition, the daemon allows the master to:
The DDoS tool also features a network data encoding scheme that prevents the communications between the master and the daemon from being easily sniffed. The master and its daemon communicate via IP packets of protocol type 11.


3. DETECTION:

The following sequence of strings can be used as a signature for the DDoS tool:

[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>&1
TfOjG
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
PATH
HISTFILE
linux
TERM
/bin/sh
/bin/csh -f -c "%s" 
%d.%d.%d.%d
%u.%u.%u.%u
%c%s
  
If the daemon is already running, it should also have the following tell-tale signs:
a) The `netstat -a` command will show an open raw socket of protocol 11 in a listening state
b) The `ps -A` command will show a process named "[mingetty]"
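The indicators above (the string sequence, the protocol-11 raw socket, the "[mingetty]" process name) and the protocol-11 master/daemon traffic from section 2 can be turned into a small host-side checker. The Python below is an added example written for this advisory, not a tool from honeyp.edu or from the DDoS daemon's authors; the function names, the /proc/net/raw parsing, and the sample data at the bottom are this example's own assumptions (IP protocol 11 is IANA-assigned to NVP-II and otherwise unused, which is why any packet carrying it is worth an alert). Each check is a pure function over data the caller supplies, so it can be exercised offline against constructed samples and then pointed at a real binary, the live /proc/net/raw, or `ps -A -o pid=,comm=,args=` output.

```python
"""Detection helpers for the protocol-11 DDoS daemon in advisory SA-2002-24.

Added example, not the advisory's own tooling.  Each check is a pure function
over data the caller supplies, so it runs offline against the constructed
samples at the bottom.  Function names, the /proc/net/raw parsing and the
samples are this example's assumptions.
"""

# String sequence from section 3, in the order listed there.  The eleventh
# string has a trailing space in the advisory; it is dropped here so that a
# NUL-terminated copy in the binary still matches.
SIGNATURE = [
    b"[mingetty]",
    b"/tmp/.hj237349",
    b'/bin/csh -f -c "%s" 1> %s 2>&1',
    b"TfOjG",
    b"/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.",
    b"PATH",
    b"HISTFILE",
    b"linux",
    b"TERM",
    b"/bin/sh",
    b'/bin/csh -f -c "%s"',
    b"%d.%d.%d.%d",
    b"%u.%u.%u.%u",
    b"%c%s",
]
SUSPECT_PROTO = 11           # IP protocol 11 (assigned to NVP-II) is otherwise unused
SUSPECT_NAME = "[mingetty]"  # argv[0] the daemon adopts to pass as a kernel thread


def signature_missing(blob: bytes) -> list:
    """Signature strings not found in blob when searched in order; an empty
    list means the whole sequence is present.  Misses help triage variants."""
    missing, pos = [], 0
    for s in SIGNATURE:
        idx = blob.find(s, pos)
        if idx < 0:
            missing.append(s)
        else:
            pos = idx + len(s)
    return missing


def signature_match(blob: bytes) -> bool:
    return not signature_missing(blob)


def raw_sockets_with_proto(proc_net_raw: str, proto: int = SUSPECT_PROTO) -> list:
    """Inodes of raw sockets bound to `proto`, parsed from /proc/net/raw text.
    For raw sockets the 'port' half of local_address is the IP protocol number
    in hex; the inode maps to a pid via the links in /proc/<pid>/fd."""
    hits = []
    for line in proc_net_raw.splitlines()[1:]:      # line 0 is the column header
        fields = line.split()
        if len(fields) < 10 or ":" not in fields[1]:
            continue
        if int(fields[1].split(":")[1], 16) == proto:
            hits.append(int(fields[9]))
    return hits


def processes_named(procs, name: str = SUSPECT_NAME) -> list:
    """pids from (pid, comm, cmdline) triples whose comm or argv[0] equals name.
    Real kernel threads have an empty cmdline, so a bracketed argv[0] on a
    process that has any cmdline at all is itself the tell-tale."""
    return [pid for pid, comm, cmdline in procs
            if comm == name or (cmdline and cmdline.split("\0")[0] == name)]


def ip_protocol(packet: bytes):
    """Protocol field (byte 9) of an IPv4 header, or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return packet[9]


def is_suspect_packet(packet: bytes) -> bool:
    """Master/daemon traffic rides on IP protocol 11; flag any such packet."""
    return ip_protocol(packet) == SUSPECT_PROTO


# Constructed samples (not captured data), used to exercise the checks offline.
SAMPLE_BLOB = b"\x7fELF" + b"\0" * 12 + b"\0".join(SIGNATURE) + b"\0"
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24815 2 0000000000000000 0
"""
SAMPLE_PROCS = [(1, "init", "/sbin/init\0"), (2, "kthreadd", ""),
                (4242, "a.out", "[mingetty]\0")]
# 20-byte IPv4 header (TTL 64, protocol 11, 10.0.0.1 -> 10.0.0.2) + 20 payload bytes
SAMPLE_PACKET = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, SUSPECT_PROTO, 0, 0,
                       10, 0, 0, 1, 10, 0, 0, 2]) + bytes(20)
```

On a live Linux host, `signature_match(open(path, "rb").read())` scans a suspect binary, `raw_sockets_with_proto(open("/proc/net/raw").read())` is the programmatic form of the `netstat -a` check (an inode it returns can be tied to a pid by searching the `/proc/<pid>/fd` symlinks for `socket:[inode]`), and `processes_named` takes triples built from `/proc/<pid>/comm` and `/proc/<pid>/cmdline`. The ordered search in `signature_missing` mirrors what `strings` prints, and listing the misses rather than returning only a boolean makes a variant with one or two altered strings easy to spot.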

 
4. FURTHER INFORMATION:

Results of the Distributed-Systems Intruder Tools Workshop, The CERT Coordination Center, December, 1999, http://www.cert.org/reports/dsit_workshop.pdf