-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-

TFN2K - An Analysis
Jason Barlow and Woody Thrower
AXENT Security Team
February 10, 2000 (Updated March 7, 2000)
Revision: 1.3


Abstract

This document is a technical analysis of the Tribe Flood Network 2000
(TFN2K) distributed denial-of-service (DDoS) attack tool, the successor to
the original TFN Trojan by Mixter. Additionally, countermeasures for this
attack are also covered. This document assumes a basic understanding of DDoS
attacks. Analyses of related DDoS attack tools such as Stacheldraht and
Trinoo are not presented here. For information about DDoS attacks and
TFN2K's cousins, please refer to the following documents:

http://www2.axent.com/swat/News/ddos-explanation.htm
http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://staff.washington.edu/dittrich/misc/tfn.analysis
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
http://packetstorm.securify.com/distributed
http://www.cert.org/advisories/CA-2000-01.html
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html
http://www.cert.org/incident_notes/IN-99-07.html
http://www.sans.org/y2k/solaris.htm
http://www.fbi.gov/nipc/trinoo.htm
http://www.fbi.gov/pressrm/pressrel/pressrel99/prtrinoo.htm


Terminology

The terminology used in DDoS analyses is often confusing. For clarity, we
use the following:

Client - an application that can be used to initiate attacks by sending
commands to other components (see below).

Daemon - a process running on an agent (see below), responsible for
receiving and carrying out commands issued by a client.

Master - a host running a client

Agent - a host running a daemon

Target - the victim (a host or network) of a distributed attack


Overview - What is TFN2K?

TFN2K allows masters to exploit the resources of a number of agents in order
to coordinate an attack against one or more designated targets. Currently,
UNIX, Solaris, and Windows NT platforms that are connected to the Internet,
directly or indirectly, are susceptible to this attack. However, the tool
could easily be ported to additional platforms.

TFN2K is a two-component system: a command driven client on the master and a
daemon process operating on an agent. The master instructs its agents to
attack a list of designated targets. The agents respond by flooding the
targets with a barrage of packets. Multiple agents, coordinated by the
master, can work in tandem during this attack to disrupt access to the
target. Master-to-agent communications are encrypted, and may be intermixed
with any number of decoy packets. Both master-to-agent communications and
the attacks themselves can be sent via randomized TCP, UDP, and ICMP
packets. Additionally, the master can falsify its IP address (spoof). These
facts significantly complicate development of effective and efficient
countermeasures for TFN2K.


TFN2K - The Facts

  * Commands are sent from the master to the agent via TCP, UDP, ICMP, or
    all three at random.

    Targets may be attacked with a TCP/SYN, UDP, ICMP/PING, or BROADCAST
    PING (SMURF) packet flood. The daemon may also be instructed to
    randomly alternate between all four styles of attack.

  * Packet headers between master and agent are randomized, with the
    exception of ICMP, which always uses a type code of ICMP_ECHOREPLY
    (ping response).  Unlike its predecessors, the TFN2K daemon is
    completely silent; it does not acknowledge the commands it receives.
    Instead, the client issues each command 20 times, relying on
    probability that the daemon will receive at least one.  The command
    packets may be interspersed with any number of decoy packets sent to
    random IP addresses.

  * TFN2K commands are not string-based (as they are in TFN and
    Stacheldraht).  Instead, commands are of the form "+<id>+<data>" where
    <id> is a single byte denoting a particular command and <data>
    represents the command's parameters.  All commands are encrypted using
    a key-based CAST-256 algorithm (RFC 2612).  The key is defined at
    compile time and is used as a password when running the TFN2K client.

  * All encrypted data is Base 64 encoded before it is sent. This holds
    some significance, as the payload should be comprised entirely of
    ASCII printable characters. The TFN2K daemon uses this fact as a
    sanity-test when decrypting incoming packets.

  * The daemon spawns a child for each attack against a target.  The TFN2K
    daemon attempts to disguise itself by altering the contents of
    argv[0], thereby changing the process name on some platforms. The
    falsified process names are defined at compile time and may vary from
    one installation to the next. This allows TFN2K to masquerade as a
    normal process on the agent.  Consequently, the daemon (and its
    children) may not be readily visible by simple inspection of the
    process list.  All packets originating from either client or daemon
    can be (and are, by default) spoofed.

  * The UDP packet length (as it appears in the UDP header) is three bytes
    longer than the actual length of the packet.

  * The TCP header length (as it appears in the TCP header) is always
    zero. In legitimate TCP packets, this value should never be zero.

  * The UDP and TCP checksums do not include the 12-byte pseudo-header,
    and are consequently incorrect in all TFN2K UDP and TCP packets.


Detecting TFN2K - The Signature

All control communications are unidirectional, making TFN2K extremely
problematic to detect by active means. Because it uses TCP, UDP, and ICMP
packets that are randomized and encrypted, packet filtering and other
passive countermeasures become impractical and inefficient. Decoy packets
also complicate attempts to track down other agents participating in the
denial-of-service network.

Fortunately, there are weaknesses. In what appears to be an oversight (or a
bug), the Base 64 encoding (which occurs after encryption) leaves a telltale
fingerprint at the end of every TFN2K packet (independent of protocol and
encryption algorithm). We suspect it was the intent of the author to create
variability in the length of each packet by padding with one to sixteen
zeroes.  Base 64 encoding of the data translates this sequence of trailing
zeros into a sequence of 0x41's ('A'). The actual count of 0x41's appearing
at the end of the packet will vary, but there will always be at least one.
The padding algorithm is somewhat obscure (but predictable) and beyond the
scope of this document.  However, the presence of this fingerprint has been
validated both in theory and through empirical data gathered by dumping an
assortment of command packets.

A simple scan for the files tfn (the client) and td (the daemon) may also
reveal the presence of TFN2K. However, these files are likely to be renamed
when appearing in the wild. In addition to this, both client and daemon
contain a number of strings that can be found using virus scanning methods.
Below is a partial list of some of the strings (or sub-strings) appearing in
TFN2K:

NOTE: Scanners should look for pattern combinations unlikely to appear in
legitimate software.

TFN2K Client (tfn)

[1;34musage: %s <options>
[-P protocol]
[-S host/ip]
[-f hostlist]
[-h hostname]
[-i target string]
[-p port]
<-c command ID>
change spoof level to %d
change packet size to %d bytes
bind shell(s) to port %d
commence udp flood
commence syn flood, port: %s
commence icmp echo flood
commence icmp broadcast (smurf) flood
commence mix flood
commence targa3 attack
execute remote command

TFN2K Daemon (td)

tribe_cmd *
tfn-daemon **
tfn-child **

*  Mixter wisely avoids embedding clear-text strings in the TFN2K
   daemon.  However, tribe_cmd, the one function unique to the daemon,
   is clearly visible and can be detected with any standard grep
   utility.

** Because, this text is likely to be modified in many TFN2K
   installations, it may be problematic to definitively identify a
   TFN2K daemon by traditional virus-scanning means.

TFN2K Daemon and Client (tfn and td)

security_through_obscurity *
D4 40 FB 30 0B FF A0 9F **
64 64 64 64 ... ***
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
/dev/urandom
/dev/random
%d.%d.%d.%d
sh ****
ksh ****
command.exe *****
cmd.exe *****

*     This is a function whose definition is generated at compile time.
This
      is a strong (and probably unique) signature.

**    This byte pattern is present in both client and daemon, and
      represents the first eight bytes in the CAST-256 encryption table
      (displayed in little-endian byte ordering here).

***   A contiguous 128-byte sequence of 0x64 values reveals the presence of
      the static table used in the Base 64 decoding algorithm.

****  Unix and Solaris systems only

***** Windows NT systems only

The TFN2K binaries may be stripped of clear-text method and variable names,
making it difficult to definitively identify the daemon by conventional
string-based scanners.


Defeating TFN2K - A Strategy

There is no known way to defend against TFN2K denial-of-service attacks. The
most effective countermeasure is to prevent your own network resources from
being used as clients or agents.

Prevention

  * Configure your router to do egress filtering, preventing spoofed traffic
    from exiting your network. Refer to http://www.sans.org/y2k/egress.htm
    for more information.

  * Ask your ISP to configure their router to do ingress filtering on your
    network, preventing spoofed traffic reaching the Internet from your
    network.  Refer them to RFC 2267.

  * Use a firewall that exclusively employs application proxies. This should
    effectively block all TFN2K traffic. Exclusive use of application
    proxies is often impractical, in which case the allowed non-proxy
    services should be kept to a minimum.

  * Disallow unnecessary ICMP, TCP, and UDP traffic. Typically only ICMP
    type 3 (destination unreachable) packets should be allowed.

  * If ICMP cannot be blocked, disallow unsolicited (or all) ICMP_ECHOREPLY
    packets.

  * Disallow UDP and TCP, except on a specific list of ports.

  * Spoofing can be limited by configuring the firewall to disallow any
    outgoing packet whose source address does not reside on the protected
    network.

  * Take measures to ensure that your systems are not vulnerable to attacks
    that would allow intruders to install TFN2K.


Detection

  * Scan for the client/daemon files by name.

  * Scan all executable files on a host system for patterns described in the
    previous section.

  * Scan the process list for the presence of daemon processes.

  * Examine incoming traffic for unsolicited ICMP_ECHOREPLY packets
    containing sequences of 0x41 in their trailing bytes. Additionally,
    verify that all other payload bytes are ASCII printable characters in
    the range of (2B, 2F-39, 0x41-0x5A, or 0x61-0x7A).

  * Watch for a series of packets (possibly a mix of TCP, UDP, and ICMP)
    with identical payloads.


Response

Once TFN2K has been identified on a host system, it is imperative that the
authorities be notified immediately so that the perpetrators can be traced.
Because a TFN2K daemon does not acknowledge the commands it receives, it is
likely the client will continue to transmit packets to the agent system.
Additionally, a hacker observing the absence of flood activity, may attempt
to reestablish direct contact with the agent system to determine the nature
of the problem. In either case, the communication can be traced.

TFN2K is traceable but requires a timely response on the part of the victim.
If you believe you have been the victim of TFN2K or any other DDoS attack,
please contact your local authorities. In the United States, contact your
local FBI office. FBI contact information can be obtained from:

http://www.fbi.gov/contact/fo/fo.htm


Summary

TFN2K and other DDoS attack signatures are under continuous investigation by
AXENT Technologies. As more information becomes available, this document
will be updated.


Contact Information

If you have questions or comments regarding this article or other security
developments, send e-mail to securityteam@axent.com.


Copyright (C) 2000 AXENT Technologies Inc. All rights reserved.