There are several tools available that can detect whether a system is being used as a DDoS server. The following tools can detect TFN2K, Trinoo and Stacheldraht:
- Find_ddos
- SARA
- DDoSPing v2.0
- RID
- Zombie Zapper
Find_DDoS
The tool find_ddos is intended to scan a local system that is either known or suspected to contain a DDoS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system.
The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is considered a close enough match to one of these fingerprints, it is identified as that tool. The tool will optionally make a copy of all files that are found to match. If it finds a match in a running process, it will also grab a core image of the process for subsequent analysis. Any matches that are found are also examined for any embedded IP addresses. All results are either displayed to the user's terminal, or stored in a log file.
The tool also looks for files named ".sr", "...", "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of blowfish-encrypted IP addresses. The blowfish encryption key can be found by examining the binary.)
The distributed denial-of-service tools that are detected by the tool are:
- mstream master
- mstream server
- stacheldraht client
- stacheldraht daemon
- stacheldraht master
- tfn-rush client
- tfn client
- tfn daemon
- tfn2k client
- tfn2k daemon
- trinoo daemon
- trinoo master
The tool must be run as root. The syntax of the tool is:
```
./find_ddos [-g grabdir] [-l logfile] [-p] [-v] [-V] [-x exclude1] [scandir]
```
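As an added illustration of the fingerprinting approach described above (example code written for this page, not find_ddos's own code or signature set), the following Python script walks a directory tree, keeps only 32-bit ELF files, compares their printable strings against a constructed placeholder fingerprint table, and pulls any embedded IPv4 addresses out of each match. It checks strings only; the symbol-table comparison find_ddos also performs is not reproduced.

```python
import os
import re
import sys

# Constructed placeholder markers for illustration only; not a real signature set.
# A tool is reported when at least MIN_HITS of its marker strings occur in the file.
FINGERPRINTS = {
    "example-agent": {b"example_agent_banner", b"example_flood_loop", b"mservers"},
    "example-master": {b"example_master_prompt", b"example_handler_list"},
}
MIN_HITS = 2
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_elf32(data: bytes) -> bool:
    """True for a 32-bit ELF image: magic 0x7f 'E' 'L' 'F' and EI_CLASS (byte 4) == 1."""
    return len(data) >= 5 and data[:4] == b"\x7fELF" and data[4] == 1


def scan_bytes(data: bytes):
    """Match marker strings against the file contents.

    Returns (tool_name, sorted list of embedded IPv4 strings) for the first
    fingerprint that reaches MIN_HITS, or None when nothing matches.
    """
    for tool, markers in FINGERPRINTS.items():
        hits = sum(1 for marker in markers if marker in data)
        if hits >= MIN_HITS:
            ips = sorted({ip.decode() for ip in IPV4.findall(data)})
            return tool, ips
    return None


def scan_tree(root: str):
    """Walk a directory tree and report (path, tool, ips) for matching 32-bit ELF files."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, like a scanner that must keep going
            if is_elf32(data):
                hit = scan_bytes(data)
                if hit:
                    results.append((path, hit[0], hit[1]))
    return results


if __name__ == "__main__":
    for path, tool, ips in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: matched {tool}; embedded addresses: {ips or 'none'}")
```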
SARA
SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the HTTP protocol (e.g. Mosaic, Netscape, etc.).
primary_target(s) can specify a:
- host (e.g., www.microsoft.com),
- range (e.g., 192.168.0.12–192.168.0.223),
- subnet (e.g., 192.168.0.0/23).
When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface. When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network. SARA can generate reports of hosts by type, service, vulnerability and by trust relationship.
---
DDoSPing
This is a tool that explores another system and looks for vulnerabilities. DDoSPing is a remote network scanner for the most common DDoS programs. It can detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although configuration of each program type is possible from the tool's configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.
---
RID
RID (remote intrusion detector) is a tool programmed in C that is a highly configurable packet snooper and generator. It works by sending out packets defined in the config.txt file, then listening for appropriate replies.
RID can detect any remote software that elicits a predefined response to a given set of packets. Examples are:
- The Trinoo distributed denial of service attack client.
- The Tribal flood network distributed denial of service attack client.
- The StachelDraht distributed denial of service attack client.
This list is not exhaustive; the tool is highly configurable to suit specific needs. RID is not a vulnerability assessment tool. It is also not a network intrusion detection system, in the sense that it does not run continually monitoring your network.
Example:
```
# Sample config file
start AgentStacheldraht
send icmp type=0 id=668 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht
```
---
Zombie Zapper
Zombie Zapper works against Trinoo, TFN, Stacheldraht, Troj_Trinoo (Windows port of Trinoo), and Shaft. Assuming that