Chapter 4. Honeypot University Security Advisory

HONEYP-SEC-001

Table of Contents

honeyp DDoS Tool
Signatures
Defence

A new Distributed Denial of Service (DDoS) tool has been detected in the wild. The tool was captured on a compromised system at Honeypot University and analyzed by our staff.

The "honeyp" DDoS tool is a single binary. It has to be installed on a compromised system by an attacker with root access and does not include code for self-replication or compromising other hosts. Once the tool is started on the system, it goes into background mode and waits for commands from the attacker. The program changes it's name to "[mingetty]", the default login process name on RedHat systems, but does not try to otherwise hide itself. All communication between the attacker and the "honeyp" DDoS tool uses IP packets with the ip protocol field set to 11, an unassigned protocol number. Firewall rules to block this traffic are given in the Defence section of the advisory. The DDoS tool is capable of launching a multitude of denial of service attacks, including udp/icmp/syn flood, dns query flood and a dns smurf attack. It also includes backdoor functionality, allowing for remote execution of commands given by the attacker. The "honeyp" can spawn a root shell on port 23281, giving the attacker full shell access to the system. If the attacker is not currently connected to the backdoor, the shell process on port 23281 is not active and can not be detected with a port scan.

The version of the tool captured at Honeypot University is fairly big (205108 bytes) and has a MD5 sum of 1d726de4f7fe7e580c8fad4b3e4703f6. Keep in mind that an attacker with access to the source code of the tool will be able to modify its size, functionality, default strings and passwords.

The output of the strings command contains the following strings:

[mingetty]
/tmp/.hj237349
/bin/csh -f -c "%s" 1> %s 2>&1
TfOjG
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
HISTFILE
linux
TERM
/bin/csh -f -c "%s" 
%c%s

All network traffic between the attacker and the tool uses IP packets with a ip protocol field set to 11. The packets between 400 and 600 bytes long. The data is encrypted and will not show any human readable strings. Here is sample tcpdump output (the packets are shortened for brevity):

15:44:22.869076 192.168.0.1 > 192.168.0.3:  ip-proto-11 585
0x0000	 4500 025d c623 0000 fa0b 771d c0a8 0001	E..].#....w.....
0x0010	 c0a8 0003 0200 172f 465d 748b a2b9 d0e7	......./F]t.....
0x0020	 fe15 2c43 5a71 8ea5 bcd3 1eb5 d0ef d673	..,CZq.........s
0x0030	 8ead 1090 15a1 3047 5e75 8ca3 bad1 e8ff	......0G^u......
0x0040	 162d 445b 7289 a0b7 cee5 fc13 2a41 586f	.-D[r.......*AXo
0x0050	 869d                                   	..
15:44:22.888568 192.168.0.3 > 1.1.1.1:  ip-proto-11 597
0x0000	 4500 0269 233c 0000 fa0b d8a0 c0a8 0003	E..i#<..........
0x0010	 0101 0101 0300 172f 4d64 417b 92a9 badc	......./MdA{....
0x0020	 6a9e 7534 4b63 3af9 102a 435a 88ce 2b9f	j.u4Kc:..*CZ..+.
0x0030	 2acc 8555 3c3a 4f7b be18 8911 b672 452f	*..U<:O{.....rE/
0x0040	 6430 171d 0a94 39fd 24cb f7af f654 c955	d0....9.$....T.U
0x0050	 f8b2                                   	..
15:44:36.714456 192.168.0.1 > 192.168.0.3:  ip-proto-11 585
0x0000	 4500 025d c623 0000 fa0b 771d c0a8 0001	E..].#....w.....
0x0010	 c0a8 0003 0200 1736 4d64 7b92 a9c0 d7ee	.......6Md{.....
0x0020	 051c 334a 6178 95ac c3da 25bc d7f6 dd7a	..3Jax....%....z
0x0030	 95b4 1797 1ca8 374e 657c 93aa c1d8 ef06	......7Ne|......
0x0040	 1d34 4b62 7990 a7be d5ec 031a 3148 5f76	.4Kby.......1H_v
0x0050	 8da4                                   	..

The DDoS packets sent by this tool are not easily identifyable. Most of the fields in the IP packets are random, including the source port. The rest of the fields can be set by the attacker. The best approach to identifying the DDoS traffic is to monitor bandwidth consumption at the router level.

If shell process is running, it can be identified by running a portscan for port 23281 or locally with netstat -l.

The "honeyp" tool in its current form can be easily detected with ps on non-RedHat systems by looking for a "[mingetty]" process. It is likely that next versions of the tool will use more advanced stealth techniques or be protected with a rootkit.

The following Snort rule detects the traffic between the DDoS tool and the attacker:

alert ip !$HOME_NET any -> $HOME_NET any (msg: "Honeyp 1.0 traffic"; ip_proto: 11;)
On Linux machines you can use the following Netfilter rule to block all IP protocols but TCP and UDP:
iptables -A INPUT -p !TCP -p !UDP -j DROP

More general defence approaches can be found in DDoS Attack Mitigation by Elias Levy.