ISS Security Alert February 9, 2000

Posted Feb 10, 2000
Site xforce.iss.net


tags | denial of service
SHA-256 | b62da56635635d524817aaca0d701afa8f1d51b1075b2f5942b15e54cba18a0e

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert
February 9, 2000

Denial of Service Attack using the TFN2K and Stacheldraht programs


Synopsis:

A new form of Distributed Denial of Service (DDoS) attack has been
discovered following the release of the trin00 and Tribe Flood Network (TFN)
denial of service programs (see December 7, 1999 ISS Security Alert at
http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful
than any previous denial of service attack observed on the Internet. A
Distributed Denial of Service attack is designed to bring a network down by
flooding target machines with large amounts of traffic. This traffic can
originate from many compromised machines, and can be managed remotely using
a client program. ISS X-Force considers this attack a high risk since it can
potentially impact a large number of organizations. DDoS attacks have proven
to be successful and are difficult to defend against.

Description:

Over the last two months, several high-capacity commercial and educational
networks have been affected by DDoS attacks. In addition to the trin00 and
TFN attacks, two additional tools are currently being used to implement this
attack: TFN2K and Stacheldraht. Both of these tools are based on the
original TFN/trin00 attacks described in the December ISS Security Alert.

Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or
Stacheldraht) on hundreds of compromised machines and direct this network of
machines to initiate an attack against single or multiple victims. This
attack occurs simultaneously from these machines, making it more dangerous
than any DoS attack launched from a single machine.


Technical Information:

TFN2K:
The TFN2K distributed denial of service system consists of a client/server
architecture.

The Client:
The client is used to connect to master servers, which can then perform
specified attacks against one or more victim machines. Commands are sent
from the client to the master server within the data fields of ICMP, UDP,
and TCP packets. The data fields are encrypted using the CAST algorithm and
base64 encoded. The client can specify the use of random TCP/UDP port
numbers and source IP addresses. The system can also send out "decoy"
packets to non-target machines. These factors make TFN2K more difficult to
detect than the original TFN program.

The Master Server:
The master server parses all UDP, TCP, and ICMP echo reply packets for
encrypted commands. The master server has no default password; the password
is chosen by the user at compile time.

The Attack:
The TFN2K client can be used to send various commands to the master for
execution, including commands to flood a target machine or set of target
machines within a specified address range. The client can send commands
using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks
cause the target machine to slow down because of the processing required to
handle the incoming packets, leaving little or no network bandwidth.
Possible methods for detection of these flooding attacks are recommended in
the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used
to execute remote commands on the master server and bind shells to a
specified TCP port.

TFN2K runs on Linux, Solaris, and Windows platforms.

Stacheldraht (Barbed Wire):

Stacheldraht consists of three parts: the master server, client, and agent
programs.

The Client:
The client is used to connect to the master server on port 16660 or port
60001. Packet contents are blowfish encrypted using the default password
"sicken", which can be changed by editing the Stacheldraht source code.
After entering the password, an attacker can use the client to manage
Stacheldraht agents, IP addresses of attack victims, lists of master
servers, and to perform DoS attacks against specified machines.

The Master Server:
The master server handles all communication between client and agent
programs. It listens for connections from the client on port 16660 or 60001.
When a client connects to the master, the master waits for the password
before returning information about agent programs to the client and
processing commands from the client.

The Agent:
The agent listens for commands from master servers on port 65000. In
addition to this port, master server/agent communications are also managed
using ICMP echo reply packets. These packets are transmitted and replied to
periodically. They contain specific values in the ID field (such as 666,
667, 668, and 669) and corresponding plaintext strings in the data fields
(including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a
"heartbeat" between agent and master server, and to determine source IP
spoofing capabilities of the master server. The agent identifies master
servers using an internal address list, and an external encrypted file
containing master server IP addresses. Agents can be directed to "upgrade"
themselves by downloading a fresh copy of the agent program and deleting the
old image as well as accepting commands to execute flood attacks against
target machines.
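The control ports and ICMP heartbeat markers quoted above are the kind of static indicators a network sensor can match on. The following Python script is an added example written for this page, not ISS or RealSecure code: it builds a few constructed raw IPv4 packets inline (documentation-range addresses, nothing is sent on the wire) and flags ICMP echo replies whose ID field is 666, 667, 668 or 669 or whose data carries one of the listed plaintext strings, and TCP SYNs to 16660, 60001 or 65000. The packet builders, the tag names and the sample addresses are assumptions of the example.

```python
import ipaddress
import struct

# Indicators quoted from the alert: control ports and ICMP heartbeat markers.
MASTER_PORTS = {16660, 60001}      # client -> master server
AGENT_PORT = 65000                 # master server -> agent
HEARTBEAT_IDS = {666, 667, 668, 669}
HEARTBEAT_STRINGS = (b"skillz", b"ficken", b"spoofworks")

PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_ECHO_REPLY = 0
TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload (constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo_reply(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo reply with the given identifier, sequence and data."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP header with only SYN set; checksum left 0 (never sent)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0)


def inspect_packet(pkt: bytes) -> list:
    """Return indicator tags for one raw IPv4 packet ([] if nothing matches)."""
    tags = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return tags
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_ICMP and len(body) >= 8:
        icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", body[:8])
        if icmp_type == ICMP_ECHO_REPLY:
            if ident in HEARTBEAT_IDS:
                tags.append("stacheldraht-icmp-id:%d" % ident)
            for marker in HEARTBEAT_STRINGS:
                if marker in body[8:]:
                    tags.append("stacheldraht-icmp-string:%s" % marker.decode())
    elif proto == PROTO_TCP and len(body) >= 20:
        _sport, dport = struct.unpack("!HH", body[:4])
        if body[13] & TCP_SYN:
            if dport in MASTER_PORTS:
                tags.append("stacheldraht-master-port:%d" % dport)
            elif dport == AGENT_PORT:
                tags.append("stacheldraht-agent-port:%d" % dport)
    return tags


def scan(packets) -> list:
    """(src, dst, tag) triples for every indicator seen in a packet sequence."""
    hits = []
    for pkt in packets:
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        hits.extend((src, dst, tag) for tag in inspect_packet(pkt))
    return hits


# Constructed sample traffic; addresses are documentation ranges, not real hosts.
HEARTBEAT = build_ipv4("192.0.2.10", "198.51.100.5", PROTO_ICMP,
                       build_icmp_echo_reply(666, 0, b"skillz\x00"))
BENIGN_PING = build_ipv4("192.0.2.10", "198.51.100.5", PROTO_ICMP,
                         build_icmp_echo_reply(1234, 1, b"abcdefgh"))
MASTER_SYN = build_ipv4("203.0.113.7", "198.51.100.5", PROTO_TCP,
                        build_tcp_syn(40000, 16660))
WEB_SYN = build_ipv4("203.0.113.7", "198.51.100.5", PROTO_TCP,
                     build_tcp_syn(40001, 80))
SAMPLE_PACKETS = [HEARTBEAT, BENIGN_PING, MASTER_SYN, WEB_SYN]

if __name__ == "__main__":
    for src, dst, tag in scan(SAMPLE_PACKETS):
        print("%s -> %s: %s" % (src, dst, tag))
```

Matching on the ICMP ID field alone will produce false positives, since an ordinary ping client may happen to use those identifier values; a packet that hits both the ID and a marker string, or repeated hits between the same pair of hosts, is the stronger signal. On live traffic the same inspect_packet would be fed from a pcap reader instead of the constructed list.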

The Attack:
Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood
attacks. The attacks can run for a specified duration, and SYN floods can be
directed to a set of specified ports. These flood attacks cause the target
machine to slow down because of the processing required to handle the
incoming packets, leaving little or no network bandwidth. Possible methods
for detection of these flooding attacks are discussed in the TFN/trin00 ISS
Security Alert published December 7, 1999.

Stacheldraht runs on Linux and Solaris machines.
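Both the TFN2K and the Stacheldraht attack sections describe the same effect: a burst of SYN, ICMP echo or UDP packets aimed at one target, possibly from randomised source addresses. Rate thresholding per target and per packet type is the simplest way to surface such a burst, and the Python below is an added example for this page, not a method from the ISS alert or from the December advisory it cites. It runs over constructed packet summaries (timestamp, protocol, flags, source, destination) and reports, alongside the packet count, how many distinct sources were seen; the thresholds, the record format and the sample addresses are assumptions of the example.

```python
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not figures from the alert); tune per link.
WINDOW_SECONDS = 1.0     # sliding window length
PACKET_THRESHOLD = 100   # packets of one flood type to one target within the window


def flood_kind(rec):
    """Map a packet record to one of the flood types named in the alert, or None."""
    if rec["proto"] == "tcp" and rec.get("flags") == "S":
        return "syn"
    if rec["proto"] == "icmp" and rec.get("icmp_type") == 8:
        return "icmp-echo"
    if rec["proto"] == "udp":
        return "udp"
    return None


def detect_floods(records, window=WINDOW_SECONDS, threshold=PACKET_THRESHOLD):
    """Return one alert per (target, flood type) whose packet rate crosses the threshold.

    Each alert also reports how many distinct source addresses were seen in the
    window: a flood arriving from a very wide spread of sources is consistent
    with the randomised source addresses TFN2K can use, which matters because
    blocking individual sources will not help in that case.
    """
    alerts = []
    recent = defaultdict(deque)   # (dst, kind) -> deque of (ts, src) inside the window
    fired = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        kind = flood_kind(rec)
        if kind is None:
            continue
        key = (rec["dst"], kind)
        q = recent[key]
        q.append((rec["ts"], rec["src"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "dst": rec["dst"], "kind": kind, "at": rec["ts"],
                "packets": len(q),
                "distinct_sources": len({src for _, src in q}),
            })
    return alerts


def make_sample_traffic():
    """Constructed packet summaries: a SYN burst from many sources plus benign background."""
    records = []
    # 150 SYNs to one host in about 0.45 s, each from a different documentation-range source.
    for i in range(150):
        records.append({"ts": 10.0 + i * 0.003, "proto": "tcp", "flags": "S",
                        "src": "203.0.113.%d" % (i % 254 + 1), "dst": "198.51.100.5"})
    # 20 SYNs to another host spread over 2 s from one client: normal connection setup.
    for i in range(20):
        records.append({"ts": 10.0 + i * 0.1, "proto": "tcp", "flags": "S",
                        "src": "192.0.2.10", "dst": "198.51.100.6"})
    # A handful of ordinary echo requests.
    for i in range(5):
        records.append({"ts": 10.0 + i, "proto": "icmp", "icmp_type": 8,
                        "src": "192.0.2.11", "dst": "198.51.100.5"})
    return records


if __name__ == "__main__":
    for alert in detect_floods(make_sample_traffic()):
        print(alert)
```

A fixed packet count per second is a crude baseline; in practice the threshold is set from the observed normal rate for each service, and a SYN-specific variant would also compare SYNs against completed handshakes, since a SYN flood leaves the ratio badly skewed.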

Detecting TFN2K/Stacheldraht related attacks:

ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial
of Service attacks that these distributed tools use, providing early warning
and response capabilities. RealSecure can reconfigure firewalls and routers
to block the traffic. On some firewalls this can be as granular as blocking
a particular service or protocol port. In conjunction with the December 7,
1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the
communications between the distributed components of TFN and trin00.
RealSecure will add signatures to detect TFN2K and Stacheldraht in its next
release, which will also include an X-press Update capability to speed
future signature deployment.

Additional Information:

ISS worked in coordination with CERT, SANS, and the NIPC. The following is
additional information regarding these DDoS attacks:
- Advisory CA-2000-01 Denial-of-Service Developments
  http://www.cert.org/advisories/CA-2000-01.html
- SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- http://www.fbi.gov/nipc/trinoo.htm
- http://staff.washington.edu/dittrich/misc/stacheldraht.analysis



About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services, and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOKHygjRfJiV99eG9AQGLhQP+L2H4KNHtP2Tl9YT3P5OIkbSrIszC8lW/
iDM8+6wkz0POcjNDXNHNDpVb203Yv+tjdBu/q6cP7QYVeZ9PUElUfXcN6a4bJTpH
OOaARlvyPRFiArxvFgdIbypsFhTWxc4blJOMb8rbBZgzEa7pZiBzZQibN54l3E1A
vg77CCVq3W8=
=sMAK
-----END PGP SIGNATURE-----



