DDoS attack tools - TFN2K Analysis


Abstract

--------

This article is a technical analysis of the distributed denial of service (DDoS) attack tool "Tribe Flood Network 2000" (TFN2K). TFN2K was written by the German hacker Mixter and is a follow-on version of his similar attack tool TFN.

For analysis of other DDoS attack tools such as Trinoo, TFN and Stacheldraht, please refer to the related documentation.

Terminology

--------

Client - the program used to launch attacks; the attacker uses it to send the various commands.

Daemon - the agent process running on an agent host; it receives and acts on commands from the client.

Master (host) - the host running the client program.

Agent - the host running the daemon.

Target host - the target of the distributed attack (a host or a network).

What is TFN2K?

------------

TFN2K lets a master host use the resources of a large number of agent hosts to mount a coordinated attack on one or more targets. On today's Internet, hosts running UNIX, Solaris and Windows NT can be used for such attacks, and the tool is easily ported to other platforms.

TFN2K consists of two parts: the client program running on the master host and the daemon running on the agent hosts. The master instructs its agents to attack a specified list of targets, and the agents then carry out the denial of service attack against them. The many agent hosts controlled by one master cooperate during the attack to keep it going. Communication between the master and the agents is encrypted and may be interspersed with a number of decoy packets. A TFN2K network may communicate using TCP, UDP or ICMP packets, and the master can forge its source IP address. All of these features make developing defensive strategies and techniques against TFN2K attacks very difficult or inefficient.

Inside TFN2K

---------------

◆ The master sends commands to the agent hosts using TCP, UDP, ICMP, or a random mix of the three. Attacks on the target include TCP/SYN, UDP, ICMP/PING and broadcast PING (SMURF) packet floods, among others.

◆ Packet header fields between the master and the agents are also randomized, except that ICMP packets always use the ICMP_ECHOREPLY type.

◆ Unlike its predecessor TFN, the TFN2K daemon is completely silent: it sends no response to the commands it receives. Instead, the client sends each command 20 times, on the assumption that the daemon will receive at least one copy.

◆ These commands may be interspersed with a number of decoy packets sent to random, forged IP addresses.

◆ TFN2K commands are not string-based. They use the form "+<id>+<data>", where <id> is a value that identifies a specific command and <data> holds the command's parameters.

◆ All commands are encrypted with the CAST-256 algorithm (RFC 2612). The encryption key is defined at compile time and also serves as the TFN2K client's password.

◆ All encrypted data is Base64-encoded into printable ASCII characters before it is sent. The TFN2K daemon receives the packet and decrypts the data.

◆ The daemon spawns a child process for each attack.

◆ The TFN2K daemon attempts to modify argv[0] (or, on some platforms, the process name) to hide itself. The fake process name is specified at compile time, so it may differ from one installation to the next. This lets TFN2K masquerade as an ordinary process on the agent host, so simply inspecting the process list may not reveal the TFN2K daemon (or its child processes).

◆ All packets from the client or the daemon can be spoofed.

Monitoring the characteristics of TFN2K

---------------

Since all control communication is one-way, real-time monitoring of TFN2K is especially difficult. Because it randomly uses TCP, UDP and ICMP packets and encrypts them, packet filtering and other passive defenses are clearly impractical and inefficient. Spoofed packets also make it hard to trace a denial of service attack back to the agent hosts.

Fortunately, TFN2K still has weaknesses. Possibly due to a programming error, the Base64-encoded encrypted data in every TFN2K packet carries a tell-tale mark at its end (one that has nothing to do with the protocol or the encryption algorithm). The program pads each packet with 1 to 16 zero bytes (0x00) to vary its length; after Base64 encoding these become a run of consecutive 0x41 ('A') characters. The number of 0x41 bytes appended to the end of the packet varies, but there is always at least one, and this trailing 0x41 ('A') is the signature by which TFN2K command packets can be captured.

The TFN2K client program (tfn) and daemon (td) can also be found by a simple file search. Although the file names can be freely changed, the client and daemon binaries contain many characteristic strings that can be used as search keywords, as follows:

TFN2K client program (tfn)

[1;34musage: %s

[-P protocol]

[-S host/ip]

[-f hostlist]

[-h hostname]

[-i target string]

[-p port]

<-c command ID>

change spoof level to %d

change packet size to %d bytes

bind shell(s) to port %d

commence udp flood

commence syn flood, port: %s

commence icmp echo flood

commence icmp broadcast (smurf) flood

commence mix flood

commence targa3 attack

execute remote command

TFN2K daemon (td)

fork

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

/dev/urandom

/dev/random

%d.%d.%d.%d

sh *

ksh *

command.exe **

cmd.exe **

tfn-daemon ***

tfn-child ***

* Unix and Solaris systems only

** Windows NT systems only

*** This text is likely to have been changed in many TFN2K installations

TFN2K daemon and client program (tfn and td)

security_through_obscurity: a function name compiled into the program; a very useful characteristic string.

D4 40 FB 30 0B FF A0 9F: the first 8 bytes of the CAST-256 encryption table (in little-endian byte order).

64 64 64 64 ...: the Base64 encoding algorithm uses a static 128-byte table filled with runs of the value 0x64.

TFN2K defense strategy

---------------

There is currently no effective defense against TFN2K denial of service attacks. The most effective strategy is to prevent your own network resources from being used as a master or an agent.

Prevention

◆ Use only application proxy firewalls. This effectively blocks all TFN2K communication. Since allowing only proxied services is often impractical, keep the number of non-proxied services to the minimum possible.

◆ Block unnecessary ICMP, TCP and UDP traffic. For ICMP in particular, allow only ICMP type 3 (destination unreachable) packets.

◆ If ICMP cannot be blocked entirely, block unsolicited ICMP_ECHOREPLY packets, or all of them.

◆ Block all UDP and TCP packets to ports that are not on the allowed list.

◆ Configure the firewall to filter all packets that could be spoofed.

◆ Patch systems and configure them securely so an attacker cannot break in and install TFN2K.

Monitoring

◆ Scan for the client/daemon file names.

◆ Scan all executable files for the characteristic strings listed above.

◆ Scan the system's in-memory process list.

◆ Check whether ICMP_ECHOREPLY packets end with consecutive 0x41 bytes. Also check whether the payload consists only of the printable ASCII characters 0x2B, 0x2F-0x39, 0x41-0x5A and 0x61-0x7A.

◆ Monitor for repeated packets with identical payloads (possibly a mixture of TCP, UDP and ICMP packets).
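The packet fingerprint described in the monitoring section above (the trailing 0x41 bytes and the printable-ASCII payload check), as an added example that is not part of the original article: Python functions that test an ICMP echo-reply payload against it, plus a constructed model of the zero-padding-then-Base64 step that shows where the trailing 'A' bytes come from. The encoder model and the sample payloads are assumptions built from the page's description, not code taken from the tool.

```python
import base64

# Payload byte set named on the page: 0x2B '+', 0x2F-0x39 '/' '0'..'9',
# 0x41-0x5A 'A'..'Z', 0x61-0x7A 'a'..'z' (the Base64 alphabet, no '=' padding).
BASE64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

def is_base64_alphabet(payload: bytes) -> bool:
    """True if the payload is non-empty and every byte is in the alphabet above."""
    return len(payload) > 0 and all(b in BASE64_ALPHABET for b in payload)

def trailing_a_count(payload: bytes) -> int:
    """Number of consecutive 0x41 ('A') bytes at the end of the payload."""
    return len(payload) - len(payload.rstrip(b"A"))

def matches_tfn2k_signature(payload: bytes, min_trailing_a: int = 1) -> bool:
    """Fingerprint from the text: all-Base64 payload ending in at least one 'A'.
    One trailing 'A' is weak evidence by itself (1 in 64 random Base64 strings
    ends that way), so raise min_trailing_a or correlate with the repeated-
    identical-payload check before alerting."""
    return is_base64_alphabet(payload) and trailing_a_count(payload) >= min_trailing_a

def encode_like_tfn2k(ciphertext: bytes, zero_pad: int) -> bytes:
    """Constructed model (assumption, not the tool's code): ciphertext followed by
    1..16 zero bytes, then Base64 with the '=' padding dropped. Any trailing
    zero byte encodes to a trailing 'A', which is the weakness the page relies on."""
    if not 1 <= zero_pad <= 16:
        raise ValueError("page states the zero padding is 1 to 16 bytes")
    return base64.b64encode(ciphertext + b"\x00" * zero_pad).rstrip(b"=")

# Constructed samples: a model TFN2K packet; an echo payload made only of
# Base64 characters but with no trailing 'A' (must not match); and a binary
# pattern payload outside the alphabet (must not match).
SAMPLES = {
    "model_tfn2k": encode_like_tfn2k(b"\x8b\x12\xf7", 4),
    "letters_only_echo": b"abcdefghijklmnopqrstuvwabcdefghi",
    "binary_pattern_echo": bytes(range(0x10, 0x38)),
}

def classify_samples() -> dict:
    """Run the fingerprint over SAMPLES; returns name -> (suspect, trailing A count)."""
    return {name: (matches_tfn2k_signature(p), trailing_a_count(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (hit, tail) in classify_samples().items():
        print(f"{name:20s} suspect={hit!s:5s} trailing_A={tail}")
```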

Response

Once TFN2K is found on a system, immediately notify a security company or an expert to trace the intrusion. Because the TFN2K daemon sends no response to the commands it receives, the TFN2K client will generally keep sending command packets to the agent hosts. In addition, an intruder who finds that an attack attempt has failed will often connect to the agent host to investigate. These network communications can be traced.