ISS Security Alert February 9, 2000 Denial of Service Attack using the TFN2K and Stacheldraht programs Synopsis: A new form of Distributed Denial of Service (DDoS) attack has been discovered following the release of the trin00 and Tribe Flood Network (TFN) denial of service programs (see December 7, 1999 ISS Security Alert at http://xforce.iss.net/alerts/advise40.php). These attacks are more powerful than any previous denial of service attack observed on the Internet. A Distributed Denial of Service attack is designed to bring a network down by flooding target machines with large amounts of traffic. This traffic can originate from many compromised machines, and can be managed remotely using a client program. ISS X-Force considers this attack a high risk since it can potentially impact a large number of organizations. DDoS attacks have proven to be successful and are difficult to defend against. Description: Over the last two months, several high-capacity commercial and educational networks have been affected by DDoS attacks. In addition to the trin00 and TFN attacks, two additional tools are currently being used to implement this attack: TFN2K and Stacheldraht. Both of these tools are based on the original TFN/trin00 attacks described in the December ISS Security Alert. Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or Stacheldraht) on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims. This attack occurs simultaneously from these machines, making it more dangerous than any DoS attack launched from a single machine. Technical Information: TFN2K: The TFN2K distributed denial of service system consists of a client/server architecture. The Client: The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded. The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program. The Master Server: The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password when it is selected by the user at compile time. The Attack: The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are recommended in the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms. Stacheldraht (Barbed Wire): Stacheldraht consists of three parts: the master server, client, and agent programs. The Client: The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines. The Master Server: The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client. The Agent: The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines. The Attack: Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines. Detecting TFN2K/Stacheldraht related attacks: ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial of Service attacks that these distributed tools use, providing early warning and response capabilities. RealSecure can reconfigure firewalls and routers to block the traffic. On some firewalls this can be as granular as blocking a particular service or protocol port. In conjunction with the December 7, 1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the communications between the distributed components of TFN and trin00. RealSecure will add signatures to detect TFN2K and Stacheldraht in its next release, which will also include an X-press Update capability to speed future signature deployment. Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.