README
Resource name: ddos_scan.tar
Uploaded by: zht1018
Upload date: 2007-01-07
Resource size: 29k
File size: 9k
Source category: System/network security
Development platform: Unix_Linux
=======================================================
dds - a combined trinoo/TFN/stacheldraht agent detector
=======================================================

"dds" is a program to scan for a limited set of distributed denial of
service (ddos) agents.

At present, it scans for active instances of "trinoo", "Tribe Flood
Network" ("TFN") and "stacheldraht" agents, which were compiled
using the default values in known source distributions, such as those
found at:

    http://packetstorm.securify.com/distributed/

It will *not* detect TFN2K agents.

For analyses of the three distributed denial of service attack
tools it scans for, and the methods being used by dds to identify
them, see:

    http://staff.washington.edu/dittrich/misc/trinoo.analysis
    http://staff.washington.edu/dittrich/misc/tfn.analysis
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

To be honest, I would recommend using an even newer and more general
tool, RID, by David Brumley of Stanford University. You can find a
link to RID source, and other resources on DDoS attacks, on
the following page:

    http://staff.washington.edu/dittrich/misc/ddos/

See CHECKSUMS.asc for PGP signed MD5 checksums.
Usage
=====

This program is known to compile and run on at least the following
operating systems:

    * Linux (kernel 2.2.x)
    * Solaris 2.6 or higher (Solaris 2.5 seems to be missing inet_aton())
    * Digital Unix 4.0d
    * IBM AIX 4.2
    * FreeBSD 3.3-Release
    * OpenBSD 2.6
    * IRIX 6.5 (MIPS Pro compiler warns of incompatible type
      with trinoo_rctport variable)

You may need to edit the Makefile to define the libraries necessary
to compile the program. The default should work for Sun Solaris
systems.

You must run dds as root, as it needs to open a raw mode socket.
(If you don't trust running the code as root, which you *should*
be wary of doing if someone asks you, the source file is there
to check.)

There is an interpacket delay, as well as a default 30 second delay
after sending out all packets to allow delayed packets to be received
before the program exits. If you use the debug or verbose options, be
aware of this delay (the program is not "hung," it is simply being
patient.)
Networks are specified using classless interdomain routing (CIDR)
notation. (See RFC 1518 and RFC 1519.)

Common netmasks, and their CIDR equivalents, are:

    255.255.0.0        /16
    255.255.255.0      /24
    255.255.255.255    /32

Say you have a network of subnets, all sharing a common network
address of 198.162. To scan this entire /16 network, you would
use the command:

    # ./dds 198.162.0.0/16

If you instead wish to just scan the 24 bit subnet 198.162.1, you
would use the command:

    # ./dds 198.162.1.0/24

To scan a single host, just give its IP address (/32 is assumed):

    # ./dds 198.162.1.1
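As an added illustration of the target syntax described above (this is example code, not part of dds), the following C routine turns a target such as "198.162.1.0/24" or a bare "198.162.1.1" into the inclusive address range a scanner would walk, defaulting to /32 when no prefix is given and rejecting malformed input. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Inclusive IPv4 range derived from a target such as "198.162.1.0/24". */
struct cidr_range {
    uint32_t first;   /* lowest address, host byte order */
    uint32_t last;    /* highest address, host byte order */
    int prefix;       /* prefix length 0..32 */
};

/* Parse "a.b.c.d[/n]" into an inclusive address range. A missing "/n" means
 * /32 (a single host), as the usage text above states. Host bits below the
 * prefix are cleared, so "198.162.1.77/24" yields 198.162.1.0 - 198.162.1.255.
 * Returns 0 on success, -1 on malformed input. */
int parse_cidr(const char *spec, struct cidr_range *out)
{
    char buf[32], *slash, *end;
    struct in_addr addr;
    long prefix = 32;
    uint32_t netmask;
    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32)
            return -1;
    }
    /* inet_pton rejects partial dotted quads such as "198.162.1". */
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    netmask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
    out->prefix = (int)prefix;
    out->first = ntohl(addr.s_addr) & netmask;
    out->last = out->first | ~netmask;
    return 0;
}

/* Number of addresses a scan of this range would probe (64-bit so /0 fits). */
uint64_t cidr_count(const struct cidr_range *r)
{
    return (uint64_t)r->last - r->first + 1;
}
```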
If dds is able to find an active trinoo, TFN or stacheldraht agent, it
will report as follows:

    # ./dds 192.168.1.0/24
    Received 'PONG' from 192.168.1.17 - probable trinoo agent
    Received TFN Reply from 192.168.1.153 - probable tfn agent
    Received 'sicken' from 192.168.1.202 - probable stacheldraht agent

If dds does not find any active trinoo, TFN or stacheldraht agents, it
will return nothing. You can use verbose mode if you really want to
see it report each time it sends a packet, like this:

    # ./dds -v 192.168.1.0/24
    Mask: 24
    Target: 192.168.1.0
    dds $Revision: 1.3 $ - scanning...
    Probing address 192.168.1.1
    Probing address 192.168.1.2
    . . .
    Received 'PONG' from 192.168.1.17 - probable trinoo agent
    . . .
    Probing address 192.168.1.152
    Received TFN Reply from 192.168.1.153 - probable tfn agent
    . . .
    Received 'sicken' from 192.168.1.202 - probable stacheldraht agent
    Probing address 192.168.1.203
    . . .
    Probing address 192.168.1.254

If you do this, realize that scanning a /24 subnet will generate
more than 254 lines of output, so you will probably need to run
"script" to capture all the output.
If dds receives an ICMP_ECHOREPLY packet that happens to have the same
ID value (669) as a stacheldraht agent produces, but without the
word "sicken" in the data portion of the packet, or a UDP packet
on the trinoo handler listen port without "PONG" in the data portion
of the packet, it will report one of the following:

    Unexpected ICMP packet from ...
    Unexpected UDP packet received on port ... from ...

This is not the same as detecting a trinoo or stacheldraht agent.
Please read the analyses of trinoo and stacheldraht to understand what
this tool is doing and what it expects to receive.

Any ICMP_ECHOREPLY packet with an ID of 123 received by dds
will appear to be (and will be reported as coming) from a
probable TFN agent. It is very unlikely this would be a false
positive.
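The reply identification rules spelled out above, as an added C example that is not part of dds: it applies the README's criteria (ICMP echo reply ID 669 plus "sicken", ID 123 on its own, UDP on the handler listen port plus "PONG") to one decoded reply and returns the verdict behind each line dds prints, including the two "Unexpected" cases. The struct and function names are this example's own, and the handler port constant is an assumed default taken from the trinoo analysis, not a value this README states.

```c
#include <stdint.h>
#include <string.h>

enum proto { PROTO_UDP, PROTO_ICMP_ECHOREPLY, PROTO_OTHER };

/* Decoded view of one received reply; only the fields dds' rules use. */
struct reply {
    enum proto proto;
    uint16_t icmp_id;    /* ICMP echo identifier (echo replies only) */
    uint16_t dst_port;   /* UDP destination port on the scanning host */
    const char *data;    /* payload bytes, not NUL-terminated */
    size_t len;
};

/* Verdicts map onto the lines dds prints (see the sample output above). */
enum verdict { IGNORE, TRINOO_AGENT, TFN_AGENT, STACHELDRAHT_AGENT,
               UNEXPECTED_UDP, UNEXPECTED_ICMP };

#define STACHELDRAHT_ICMP_ID 669   /* ID value stated in the README */
#define TFN_ICMP_ID          123   /* ID value stated in the README */
#define TRINOO_HANDLER_PORT  31335 /* assumed default; README only says "handler listen port" */

/* Return 1 if the payload contains token anywhere (payload may hold NULs). */
static int payload_has(const struct reply *r, const char *token)
{
    size_t n = strlen(token), i;
    for (i = 0; i + n <= r->len; i++)
        if (memcmp(r->data + i, token, n) == 0)
            return 1;
    return 0;
}

/* Apply the README's identification rules to one decoded reply. */
enum verdict classify(const struct reply *r)
{
    switch (r->proto) {
    case PROTO_UDP:
        if (r->dst_port != TRINOO_HANDLER_PORT)
            return IGNORE;
        return payload_has(r, "PONG") ? TRINOO_AGENT : UNEXPECTED_UDP;
    case PROTO_ICMP_ECHOREPLY:
        if (r->icmp_id == TFN_ICMP_ID)           /* ID alone is treated as conclusive */
            return TFN_AGENT;
        if (r->icmp_id == STACHELDRAHT_ICMP_ID)  /* ID plus "sicken" required */
            return payload_has(r, "sicken") ? STACHELDRAHT_AGENT : UNEXPECTED_ICMP;
        return IGNORE;                           /* other echo replies are plain pings */
    default:
        return IGNORE;
    }
}
```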
Caveats
=======

This program MAY NOT DETECT stacheldraht agents that are not part of
an active network. In other words, if a stacheldraht agent is
installed on a system, but there is no handler currently running to
control it, it may not respond to the packets sent by this program.

This program WILL NOT DETECT agents which have had the default values
changed for handler/agent "command" communication.

Because of these limitations, a negative response DOES NOT GUARANTEE
you have no agents on your network.

Even if you do detect trinoo, TFN or stacheldraht agents, you may find
it difficult to locate them due to "root kits" or loadable kernel
modules installed on the system. This may require that you use file
system integrity checking techniques, or otherwise identify the
modified files. A write-up on root kits can be found at:

    http://staff.washington.edu/dittrich/misc/faq/rootkits.faq

A complementary tool that will scan the local file system for
handlers/agents on Solaris systems is provided by the National
Infrastructure Protection Center. See:

    http://www.fbi.gov/nipc/trinoo.htm

For more information on ddos tools and how to respond to them, see:

    http://www.cert.org/advisories/CA-2000-01.html
    http://www.cert.org/reports/dsit_workshop.pdf
You should take care to NOT SCAN networks that you do NOT OWN AND
CONTROL. People will get very angry with you if you do this. This
tool was intended to be used by network administrators and incident
response teams for scanning internal networks.

You should also coordinate your activities with other groups that
share the use of, or administration of, your network.

If you find agents with this tool, you have identified the bottom tier
of a distributed network, which may contain hundreds (as many as a
thousand) of other agents at various sites. Proper forensic
procedures should be followed to gather evidence about which computers
(most likely at other sites) are acting as the handlers of the
network, which will then lead to the other agents. You should remove
the system from the network, and perform a backup of the system
immediately, to ensure you take the system out of the control of the
attackers who compromised it, and to preserve evidence. More
information on responding to root level compromise can be found in
the CERT advisory mentioned above.
CREDITS
=======

I can only take credit for the analyses of trinoo, TFN, and
stacheldraht, the initial C version of "gag" (dds' predecessor, which
was hacked together from the stacheldraht source code and then
significantly modified by Marcus Ranum of Network Flight Recorder and
others) and the addition of trinoo agent detection to dds (based on
code produced by George Weaver of Pennsylvania State University.) TFN
detection was added to dds by David Brumley of Stanford University.
Alan Cox provided some bug fix advice.

It would not have been possible to get the program to this level, this
fast, without their contributions (which are greatly appreciated!)

(Anyone wishing to supply patches to fix bugs or add new features,
please feel free to send them my way. Open source development
rules!)
LEGALESE
========

This software should only be used in compliance with all applicable laws and
the policies and preferences of the owners of any networks, systems, or hosts
scanned with the software.

The developers and licensors of the software provide the software on an "as
is" basis, excluding all express or implied warranties, and will not be liable
for any damages arising out of or relating to use of the software.

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.