Dddos_Scan
Category: Network programming
Development tool: C/C++
File size: 10KB
Downloads: 5
Upload date: 2009-10-24 21:50:07
Uploader: tksi
Description: source code that analyses and scans for distributed denial of service attack signatures
(For analyses of the three distributed denial of service attack
tools it scans for, and the methods being used by dds to identify
them)
File list:
dds.c (13538, 2000-02-11)
Makefile (834, 2000-01-11)
CHECKSUMS.asc (830, 2000-03-25)
=======================================================
dds - a combined trinoo/TFN/stacheldraht agent detector
=======================================================
"dds" is a program to scan for a limited set of distributed denial of
service (ddos) agents.
At present, it scans for active instances of "trinoo", "Tribe Flood
Network" ("TFN") and "stacheldraht" agents, which were compiled
using the default values in known source distributions, such as those
found at:
http://packetstorm.securify.com/distributed/
It will *not* detect TFN2K agents.
For analyses of the three distributed denial of service attack
tools it scans for, and the methods being used by dds to identify
them, see:
http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://staff.washington.edu/dittrich/misc/tfn.analysis
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
To be honest, I would recommend using an even newer and more general
tool, RID, by David Brumley of Stanford University. You can find a
link to RID source, and other resources on DDoS attacks, on
the following page:
http://staff.washington.edu/dittrich/misc/ddos/
See CHECKSUMS.asc for PGP signed MD5 checksums.
Usage
=====
This program is known to compile and run on at least the following
operating systems:
* Linux (kernel 2.2.x)
* Solaris 2.6 or higher (Solaris 2.5 seems to be missing inet_aton())
* Digital Unix 4.0d
* IBM AIX 4.2
* FreeBSD 3.3-Release
* OpenBSD 2.6
* IRIX 6.5 (MIPS Pro compiler warns of incompatible type
with trinoo_rctport variable)
You may need to edit the Makefile to define the libraries necessary
to compile the program. The default should work for Sun Solaris
systems.
You must run dds as root, as it needs to open a raw mode socket.
(If you don't trust running the code as root, which you *should*
be wary of doing if someone asks you, the source file is there
to check.)
There is an interpacket delay, as well as a default 30 second delay
after sending out all packets to allow delayed packets to be received
before the program exits. If you use the debug or verbose options, be
aware of this delay (the program is not "hung," it is simply being
patient.)
Networks are specified using classless interdomain routing (CIDR)
notation. (See RFC 1518 and RFC 1519.)
Common netmasks, and their CIDR equivalents, are:
255.255.0.0 /16
255.255.255.0 /24
255.255.255.255 /32
Say you have a network of subnets, all sharing a common network
address of 1***.162. To scan this entire /16 network, you would
use the command:
# ./dds 1***.162.0.0/16
If you instead wish to just scan the 24 bit subnet 1***.162.1, you
would use the command:
# ./dds 1***.162.1.0/24
To scan a single host, just give its IP address (/32 is assumed):
# ./dds 1***.162.1.1
If dds is able to find an active trinoo or stacheldraht agent, it will
report as follows:
# ./dds 192.168.1.0/24
Received 'PONG' from 192.168.1.17 - probable trinoo agent
Received TFN Reply from 192.168.1.153 - probable tfn agent
Received 'sicken' from 192.168.1.202 - probable stacheldraht agent
If dds does not find any active trinoo, TFN or stacheldraht agents, it
will return nothing. You can use verbose mode if you really want to
see it report each time it sends a packet, like this:
# ./dds -v 192.168.1.0/24
Mask: 24
Target: 192.168.1.0
dds $Revision: 1.3 $ - scanning...
Probing address 192.168.1.1
Probing address 192.168.1.2
. . .
Received 'PONG' from 192.168.1.17 - probable trinoo agent
. . .
Probing address 192.168.1.152
Received TFN Reply from 192.168.1.153 - probable tfn agent
. . .
Received 'sicken' from 192.168.1.202 - probable stacheldraht agent
Probing address 192.168.1.203
. . .
Probing address 192.168.1.254
If you do this, realize that scanning a /24 subnet will generate
> 254 lines of output, so you will probably need to run "script" to
capture all the output.
If dds receives an ICMP_ECHOREPLY packet that happens to have the same
ID value (669) as a stacheldraht agent produces, but without the
word "sicken" in the data portion of the packet, or a UDP packet
on the trinoo handler listen port without "PONG" in the data portion
of the packet, it will report one of the following:
Unexpected ICMP packet from ...
Unexpected UDP packet received on port ... from ...
This is not the same as detecting a trinoo or stacheldraht agent.
Please read the analyses of trinoo and stacheldraht to understand what
this tool is doing and what it expects to receive.
Any ICMP_ECHOREPLY packet with an ID of 123 received by dds
will appear to be (and will be reported as coming) from a
probable TFN agent. It is very unlikely this would be a false
positive.
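The rules in the three paragraphs above (ICMP echo reply with ID 669 plus "sicken" means stacheldraht, ID 669 without it is only "unexpected", ID 123 alone means TFN, and a UDP datagram on the trinoo reply port is an agent only if it carries "PONG") can be written as a small classifier. This is an added example for reading the README, not code from dds itself; the UDP port value is an assumption, and the packets are constructed samples rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts mirror the lines dds prints (README above). */
enum verdict { V_NONE, V_TRINOO, V_TFN, V_STACHELDRAHT,
               V_UNEXPECTED_ICMP, V_UNEXPECTED_UDP };

#define STACHELDRAHT_ICMP_ID 669    /* echo-reply ID named in the README */
#define TFN_ICMP_ID          123    /* echo-reply ID named in the README */
#define TRINOO_REPLY_PORT    31335  /* assumed: UDP port dds listens on for 'PONG' */

/* Case-sensitive search for an ASCII marker inside a raw payload. */
static int payload_contains(const uint8_t *data, size_t len, const char *marker) {
    size_t m = strlen(marker);
    if (m > len)
        return 0;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(data + i, marker, m) == 0)
            return 1;
    return 0;
}

/* Classify an ICMP message as dds does: 8-byte header (type, code,
 * checksum, id, seq; id and seq big-endian) followed by the data portion. */
enum verdict classify_icmp(const uint8_t *pkt, size_t len) {
    if (len < 8 || pkt[0] != 0 || pkt[1] != 0)
        return V_NONE;                       /* not an ICMP_ECHOREPLY */
    uint16_t id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (id == TFN_ICMP_ID)
        return V_TFN;                        /* ID 123 alone is enough */
    if (id == STACHELDRAHT_ICMP_ID)          /* ID 669 also needs "sicken" */
        return payload_contains(pkt + 8, len - 8, "sicken")
               ? V_STACHELDRAHT : V_UNEXPECTED_ICMP;
    return V_NONE;
}

/* Classify a UDP datagram by the local port it arrived on and its payload. */
enum verdict classify_udp(uint16_t local_port, const uint8_t *data, size_t len) {
    if (local_port != TRINOO_REPLY_PORT)
        return V_NONE;
    return payload_contains(data, len, "PONG") ? V_TRINOO : V_UNEXPECTED_UDP;
}

/* Constructed samples (not captured traffic): echo reply with ID 669 and
 * "sicken", ID 669 without it, ID 123, and a UDP payload carrying "PONG". */
static const uint8_t SAMPLE_SICKEN[]    = {0,0,0,0, 0x02,0x9D, 0,1, 's','i','c','k','e','n'};
static const uint8_t SAMPLE_669_NOISE[] = {0,0,0,0, 0x02,0x9D, 0,1, 'h','e','l','l','o'};
static const uint8_t SAMPLE_TFN[]       = {0,0,0,0, 0x00,0x7B, 0,1, 'x'};
static const uint8_t SAMPLE_PONG[]      = {'P','O','N','G'};
```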
Caveats
=======
This program MAY NOT DETECT stacheldraht agents that are not part of
an active network. In other words, if a stacheldraht agent is
installed on a system, but there is no handler currently running to
control it, it may not respond to the packets sent by this program.
This program WILL NOT DETECT agents which have had the default values
changed for handler/agent "command" communication.
Because of these limitations, a negative response DOES NOT GUARANTEE
you have no agents on your network.
Even if you do detect trinoo, TFN or stacheldraht agents, you may find
it difficult to locate them due to "root kits" or loadable kernel
modules installed on the system. This may require that you use file
system integrity checking techniques, or otherwise identify the
modified files. A write-up on root kits can be found at:
http://staff.washington.edu/dittrich/misc/faq/rootkits.faq
A complementary tool that will scan the local file system for
handlers/agents on Solaris systems is provided by the National
Infrastructure Protection Center. See:
http://www.fbi.gov/nipc/trinoo.htm
For more information on ddos tools and how to respond to them, see:
http://www.cert.org/advisories/CA-2000-01.html
http://www.cert.org/reports/dsit_workshop.pdf
You should take care to NOT SCAN networks that you do NOT OWN AND
CONTROL. People will get very angry with you if you do this. This
tool was intended to be used by network administrators and incident
response teams for scanning internal networks.
You should also coordinate your activities with other groups that
share the use of, or administration of, your network.
If you find agents with this tool, you have identified the bottom tier
of a distributed network, which may contain hundreds (as many as a
thousand) of other agents at various sites. Proper forensic
procedures should be followed to gather evidence about which computers
(most likely at other sites) are acting as the handlers of the network,
which will then lead to the other agents. You should remove the system
from the network, and perform a backup of the system immediately, to
ensure you take the system out of the control of the attackers who
compromised it, and to preserve evidence. More information on
responding to root level compromise can be found in the CERT advisory
mentioned above.
CREDITS
=======
I can only take credit for the analyses of trinoo, TFN, and
stacheldraht, the initial C version of "gag" (dds' predecessor, which
was hacked together from the stacheldraht source code and then
significantly modified by Marcus Ranum of Network Flight Recorder and
others) and the addition of trinoo agent detection to dds (based on
code produced by George Weaver of Pennsylvania State University.) TFN
detection was added to dds by David Brumley of Stanford University.
Alan Cox provided some bug fix advice.
It would not have been possible to get the program to this level, this
fast, without their contributions (which are greatly appreciated!)
(Anyone wishing to supply patches to fix bugs or add new features,
please feel free to send them my way. Open source development
rules!)
LEGALESE
========
This software should only be used in compliance with all applicable laws and
the policies and preferences of the owners of any networks, systems, or hosts
scanned with the software.
The developers and licensors of the software provide the software on an "as
is" basis, excluding all express or implied warranties, and will not be liable
for any damages arising out of or relating to use of the software.
THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.