Dddos_Scan

Category: Network programming
Development tool: C/C++
File size: 10KB
Downloads: 5
Upload date: 2009-10-24 21:50:07
Uploader: tksi
Description: Source code that scans for, and analyses the signatures of, distributed denial of service attack agents
(For analyses of the three distributed denial of service attack tools it scans for, and the methods used by dds to identify them, see the links in the README reproduced below.)

File list (name, size in bytes, date):
dds.c (13538 bytes, 2000-02-11)
Makefile (834 bytes, 2000-01-11)
CHECKSUMS.asc (830 bytes, 2000-03-25)

=======================================================
dds - a combined trinoo/TFN/stacheldraht agent detector
=======================================================

"dds" is a program to scan for a limited set of distributed denial of service (ddos) agents. At present, it scans for active instances of "trinoo", "Tribe Flood Network" ("TFN") and "stacheldraht" agents, which were compiled using the default values in known source distributions, such as those found at:

    http://packetstorm.securify.com/distributed/

It will *not* detect TFN2K agents.

For analyses of the three distributed denial of service attack tools it scans for, and the methods being used by dds to identify them, see:

    http://staff.washington.edu/dittrich/misc/trinoo.analysis
    http://staff.washington.edu/dittrich/misc/tfn.analysis
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

To be honest, I would recommend using an even newer and more general tool, RID, by David Brumley of Stanford University. You can find a link to RID source, and other resources on DDoS attacks, on the following page:

    http://staff.washington.edu/dittrich/misc/ddos/

See CHECKSUMS.asc for PGP signed MD5 checksums.

Usage
=====

This program is known to compile and run on at least the following operating systems:

  * Linux (kernel 2.2.x)
  * Solaris 2.6 or higher (Solaris 2.5 seems to be missing inet_aton())
  * Digital Unix 4.0d
  * IBM AIX 4.2
  * FreeBSD 3.3-Release
  * OpenBSD 2.6
  * IRIX 6.5 (MIPS Pro compiler warns of incompatible type with trinoo_rctport variable)

You may need to edit the Makefile to define the libraries necessary to compile the program. The default should work for Sun Solaris systems.

You must run dds as root, as it needs to open a raw mode socket. (If you don't trust running the code as root, which you *should* be wary of doing if someone asks you, the source file is there to check.)
There is an interpacket delay, as well as a default 30 second delay after sending out all packets to allow delayed packets to be received before the program exits. If you use the debug or verbose options, be aware of this delay (the program is not "hung," it is simply being patient.)

Networks are specified using classless interdomain routing (CIDR) notation. (See RFC 1518 and RFC 1519.) Common netmasks, and their CIDR equivalents, are:

    255.255.0.0       /16
    255.255.255.0     /24
    255.255.255.255   /32

Say you have a network of subnets, all sharing a common network address of 1***.162. To scan this entire /16 network, you would use the command:

    # ./dds 1***.162.0.0/16

If you instead wish to just scan the 24 bit subnet 1***.162.1, you would use the command:

    # ./dds 1***.162.1.0/24

To scan a single host, just give its IP address (/32 is assumed):

    # ./dds 1***.162.1.1

If dds is able to find an active trinoo, TFN or stacheldraht agent, it will report as follows:

    # ./dds 192.168.1.0/24
    Received 'PONG' from 192.168.1.17 - probable trinoo agent
    Received TFN Reply from 192.168.1.153 - probable tfn agent
    Received 'sicken' from 192.168.1.202 - probable stacheldraht agent

If dds does not find any active trinoo, TFN or stacheldraht agents, it will return nothing.

You can use verbose mode if you really want to see it report each time it sends a packet, like this:

    # ./dds -v 192.168.1.0/24
    Mask: 24  Target: 192.168.1.0
    dds $Revision: 1.3 $ - scanning...
    Probing address 192.168.1.1
    Probing address 192.168.1.2
    . . .
    Received 'PONG' from 192.168.1.17 - probable trinoo agent
    . . .
    Probing address 192.168.1.152
    Received TFN Reply from 192.168.1.153 - probable tfn agent
    . . .
    Received 'sicken' from 192.168.1.202 - probable stacheldraht agent
    Probing address 192.168.1.203
    . . .
    Probing address 192.168.1.254

If you do this, realize that scanning a /24 subnet will generate > 254 lines of output, so you will probably need to run "script" to capture all the output.
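The address rules above (a CIDR spec, /32 assumed when no prefix is given, and a /24 sweep that probes .1 through .254 as in the verbose listing) as an added C example. This is not code from dds.c or from the dds author. It uses inet_pton() rather than the inet_aton() the README mentions, and its choice to probe both addresses of a /31 is an assumption of this example, since the page does not say how dds treats that case.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

struct cidr {
    uint32_t base;   /* network address, host byte order, host bits cleared */
    int bits;        /* prefix length 0..32 */
};

/* Parse "a.b.c.d" or "a.b.c.d/bits". A missing "/bits" means /32, as the README
 * states. Returns 0 on success, -1 on a malformed spec (bad address, bad or
 * out-of-range prefix, trailing junk). Host bits are cleared, so "192.168.1.7/24"
 * names the same block as "192.168.1.0/24". */
int parse_cidr(const char *spec, struct cidr *out)
{
    char buf[32];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);

    int bits = 32;
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        char *end;
        long b = strtol(slash + 1, &end, 10);
        if (slash[1] == '\0' || *end != '\0' || b < 0 || b > 32) return -1;
        bits = (int)b;
    }

    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;   /* rejects "1.2.3"-style shorthand */

    uint32_t hostmask = bits == 32 ? 0u : 0xFFFFFFFFu >> bits;
    out->base = ntohl(a.s_addr) & ~hostmask;
    out->bits = bits;
    return 0;
}

/* First and last address a dds-style sweep would probe. The README's verbose
 * listing for a /24 runs 192.168.1.1 .. 192.168.1.254, i.e. the all-zeros and
 * all-ones host addresses are skipped; a /32 is the single host given. For a
 * /31 this example probes both addresses (assumption; not stated on the page). */
static void probe_bounds(const struct cidr *c, uint32_t *first, uint32_t *last)
{
    uint32_t hostmask = c->bits == 32 ? 0u : 0xFFFFFFFFu >> c->bits;
    uint32_t skip = c->bits >= 31 ? 0u : 1u;
    *first = c->base + skip;
    *last = (c->base | hostmask) - skip;
}

/* Number of addresses that would be probed for spec, or -1 if spec is malformed. */
long long cidr_probe_count(const char *spec)
{
    struct cidr c; uint32_t first, last;
    if (parse_cidr(spec, &c) != 0) return -1;
    probe_bounds(&c, &first, &last);
    return (long long)last - (long long)first + 1;
}

/* n-th probe address (host byte order) for spec; 0 if spec is malformed or n is out of range. */
uint32_t cidr_nth(const char *spec, uint32_t n)
{
    struct cidr c; uint32_t first, last;
    if (parse_cidr(spec, &c) != 0) return 0;
    probe_bounds(&c, &first, &last);
    if (n > last - first) return 0;
    return first + n;
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)(ip >> 16) & 255u,
           (unsigned)(ip >> 8) & 255u, (unsigned)ip & 255u);
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "192.168.1.0/30";   /* constructed default */
    struct cidr c; uint32_t first, last;
    if (parse_cidr(spec, &c) != 0) {
        fprintf(stderr, "bad network spec: %s\n", spec);
        return 1;
    }
    probe_bounds(&c, &first, &last);
    printf("Mask: %d  Target: ", c.bits); print_ip(c.base); printf("\n");
    for (uint32_t ip = first; ; ip++) {     /* last may be 0xFFFFFFFF, so no "ip <= last" */
        printf("Probing address "); print_ip(ip); printf("\n");
        if (ip == last) break;
    }
    return 0;
}
```

Run it with a spec as the only argument (e.g. `./a.out 192.168.1.0/24`) and it prints the same "Mask/Target" and "Probing address" lines the README's verbose mode shows, without sending anything.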
If dds receives an ICMP_ECHOREPLY packet that happens to have the same ID value (669) as a stacheldraht agent produces, but without the word "sicken" in the data portion of the packet, or a UDP packet on the trinoo handler listen port without "PONG" in the data portion of the packet, it will report one of the following:

    Unexpected ICMP packet from ...
    Unexpected UDP packet received on port ... from ...

This is not the same as detecting a trinoo or stacheldraht agent. Please read the analyses of trinoo and stacheldraht to understand what this tool is doing and what it expects to receive.

Any ICMP_ECHOREPLY packet with an ID of 123 received by dds will appear to be (and will be reported as coming) from a probable TFN agent. It is very unlikely this would be a false positive.

Caveats
=======

This program MAY NOT DETECT stacheldraht agents that are not part of an active network. In other words, if a stacheldraht agent is installed on a system, but there is no handler currently running to control it, it may not respond to the packets sent by this program.

This program WILL NOT DETECT agents which have had the default values changed for handler/agent "command" communication.

Because of these limitations, a negative response DOES NOT GUARANTEE you have no agents on your network.

Even if you do detect trinoo, TFN or stacheldraht agents, you may find it difficult to locate them due to "root kits" or loadable kernel modules installed on the system. This may require that you use file system integrity checking techniques, or otherwise identify the modified files. A write-up on root kits can be found at:

    http://staff.washington.edu/dittrich/misc/faq/rootkits.faq

A complementary tool that will scan the local file system for handlers/agents on Solaris systems is provided by the National Infrastructure Protection Center.
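The reporting rules just described (an ICMP echo reply with ID 123 is a probable TFN agent; ID 669 with "sicken" in the data is a probable stacheldraht agent and ID 669 without it is an unexpected ICMP packet; a UDP packet on the trinoo handler listen port with "PONG" is a probable trinoo agent and one without it is an unexpected UDP packet), as an added C example. This is not dds.c and not the dds author's code. The handler port value 31335/udp, the network-byte-order reading of the ICMP id field, and the sample packets are this example's assumptions, not facts stated on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One verdict per report line the README lists. */
enum verdict {
    V_NONE = 0,         /* not a packet dds looks at */
    V_TRINOO,           /* Received 'PONG' from ... - probable trinoo agent */
    V_TFN,              /* Received TFN Reply from ... - probable tfn agent */
    V_STACHELDRAHT,     /* Received 'sicken' from ... - probable stacheldraht agent */
    V_UNEXPECTED_ICMP,  /* Unexpected ICMP packet from ... */
    V_UNEXPECTED_UDP    /* Unexpected UDP packet received on port ... from ... */
};

#define TFN_REPLY_ID     123    /* from the README */
#define STACHELDRAHT_ID  669    /* from the README */
/* The README only says "the trinoo handler listen port"; 31335/udp is an
 * ASSUMPTION made for this example, not a value taken from the page. */
#define TRINOO_HANDLER_PORT 31335
#define IP_PROTO_ICMP 1
#define IP_PROTO_UDP  17
#define ICMP_ECHOREPLY_TYPE 0

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Byte-wise substring search (memmem() is not in C99). */
static int bytes_contain(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Classify one raw IPv4 datagram as read from a raw socket (IP header included)
 * and write its dotted source address to src_out for the report line. The ICMP
 * id is read in network byte order here; how dds itself compares that field is
 * not shown on this page. Checksums are not verified. */
enum verdict classify_packet(const uint8_t *pkt, size_t len, char *src_out, size_t src_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return V_NONE;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return V_NONE;    /* need the 8-byte ICMP/UDP header */
    snprintf(src_out, src_len, "%d.%d.%d.%d", pkt[12], pkt[13], pkt[14], pkt[15]);

    const uint8_t *l4 = pkt + ihl, *data = l4 + 8;
    size_t dlen = len - ihl - 8;

    if (pkt[9] == IP_PROTO_ICMP && l4[0] == ICMP_ECHOREPLY_TYPE) {
        uint16_t id = be16(l4 + 4);
        if (id == TFN_REPLY_ID) return V_TFN;          /* the id alone is the TFN check */
        if (id == STACHELDRAHT_ID)
            return bytes_contain(data, dlen, "sicken") ? V_STACHELDRAHT : V_UNEXPECTED_ICMP;
    } else if (pkt[9] == IP_PROTO_UDP && be16(l4 + 2) == TRINOO_HANDLER_PORT) {
        return bytes_contain(data, dlen, "PONG") ? V_TRINOO : V_UNEXPECTED_UDP;
    }
    return V_NONE;
}

/* Constructed sample packets (not captures): IPv4 header + 8-byte L4 header + payload,
 * checksums left zero. */
static void put_ipv4(uint8_t *buf, uint8_t proto, const uint8_t src[4], size_t total)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                               /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = proto;
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, "\xc0\xa8\x01\x01", 4);     /* dst 192.168.1.1, the scanning host */
}

size_t build_icmp_reply(uint8_t *buf, const uint8_t src[4], uint16_t id, const char *payload)
{
    size_t plen = strlen(payload), total = 28 + plen;
    put_ipv4(buf, IP_PROTO_ICMP, src, total);
    memset(buf + 20, 0, 8);
    buf[20] = ICMP_ECHOREPLY_TYPE;
    buf[24] = (uint8_t)(id >> 8); buf[25] = (uint8_t)id;
    memcpy(buf + 28, payload, plen);
    return total;
}

size_t build_udp(uint8_t *buf, const uint8_t src[4], uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload), total = 28 + plen;
    put_ipv4(buf, IP_PROTO_UDP, src, total);
    memset(buf + 20, 0, 8);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[24] = (uint8_t)((8 + plen) >> 8); buf[25] = (uint8_t)(8 + plen);
    memcpy(buf + 28, payload, plen);
    return total;
}

/* Build one sample from a fixed constructed source (192.168.1.17) and classify it. */
enum verdict sample_verdict(int udp, uint16_t id_or_port, const char *payload)
{
    static const uint8_t src[4] = {192, 168, 1, 17};
    uint8_t pkt[128]; char who[16];
    size_t n = udp ? build_udp(pkt, src, id_or_port, payload)
                   : build_icmp_reply(pkt, src, id_or_port, payload);
    return classify_packet(pkt, n, who, sizeof who);
}

int main(void)
{
    static const char *text[] = { "ignored", "probable trinoo agent", "probable tfn agent",
        "probable stacheldraht agent", "unexpected ICMP packet", "unexpected UDP packet" };
    printf("%s\n", text[sample_verdict(0, STACHELDRAHT_ID, "sicken")]);
    printf("%s\n", text[sample_verdict(0, STACHELDRAHT_ID, "ordinary ping data")]);
    printf("%s\n", text[sample_verdict(1, TRINOO_HANDLER_PORT, "PONG")]);
    return 0;
}
```

The two stacheldraht cases in main() show the distinction the README draws: the same ICMP id with and without "sicken" yields a probable agent and an unexpected packet respectively, so the id alone never produces a stacheldraht report.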
See:

    http://www.fbi.gov/nipc/trinoo.htm

For more information on ddos tools and how to respond to them, see:

    http://www.cert.org/advisories/CA-2000-01.html
    http://www.cert.org/reports/dsit_workshop.pdf

You should take care to NOT SCAN networks that you do NOT OWN AND CONTROL. People will get very angry with you if you do this. This tool was intended to be used by network administrators and incident response teams for scanning internal networks. You should also coordinate your activities with other groups that share the use of, or administration of, your network.

If you find agents with this tool, you have identified the bottom tier of a distributed network, which may contain hundreds (as many as a thousand) of other agents at various sites. Proper forensic procedures should be followed to gather evidence about which computers (most likely at other sites) are acting as the handlers of the network; the handlers will in turn lead to the other agents. You should remove the system from the network, and perform a backup of the system immediately, to ensure you take the system out of the control of the attackers who compromised it, and to preserve evidence. More information on responding to root level compromise can be found in the CERT advisory mentioned above.

CREDITS
=======

I can only take credit for the analyses of trinoo, TFN, and stacheldraht, the initial C version of "gag" (dds' predecessor, which was hacked together from the stacheldraht source code and then significantly modified by Marcus Ranum of Network Flight Recorder and others) and the addition of trinoo agent detection to dds (based on code produced by George Weaver of Pennsylvania State University.) TFN detection was added to dds by David Brumley of Stanford University. Alan Cox provided some bug fix advice. It would not have been possible to get the program to this level, this fast, without their contributions (which is greatly appreciated!)

(Anyone wishing to supply patches to fix bugs or add new features, please feel free to send them my way. Open source development rules!)

LEGALESE
========

This software should only be used in compliance with all applicable laws and the policies and preferences of the owners of any networks, systems, or hosts scanned with the software. The developers and licensors of the software provide the software on an "as is" basis, excluding all express or implied warranties, and will not be liable for any damages arising out of or relating to use of the software.

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
