Several tools are available that can detect whether a system is being used as a DDoS agent or handler. The following tools can detect TFN2K, Trinoo and Stacheldraht:
- Find_ddos
- SARA
- DDoSPing v2.0
- RID
- Zombie Zapper
Find_DDoS
The tool find_ddos is intended to scan a local system that is either known or suspected to contain a DDoS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system.
The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is considered a close enough match to one of these fingerprints, it is identified as that tool. The tool will optionally make a copy of all files that are found to match. If it finds a match in a running process, it will also grab a core image of the process for subsequent analysis. Any matches that are found are also examined for embedded IP addresses. All results are either displayed on the user's terminal or stored in a log file.
The tool also looks for files named ".sr", "...", and "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of Blowfish-encrypted IP addresses. The Blowfish encryption key can be found by examining the binary.)
The distributed denial-of-service tools that are detected by the tool are:
- mstream master
- mstream server
- stacheldraht client
- stacheldraht daemon
- stacheldraht master
- tfn-rush client
- tfn client
- tfn daemon
- tfn2k client
- tfn2k daemon
- trinoo daemon
- trinoo master
The tool must be run as root. The syntax of the tool is:
./find_ddos [-g grabdir] [-l logfile] [-p] [-v] [-V] [-x exclude1] [scandir]
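The following is an added example in the spirit of the find_ddos scan described above; it is not find_ddos's own code. It walks a directory tree, keeps only 32-bit ELF files, pulls printable strings out of each (as strings(1) would), scores them against a small fingerprint set, and reports any embedded IPv4 addresses. The fingerprint strings are an illustrative subset drawn from public analyses of trinoo and stacheldraht, chosen here as an assumption; find_ddos's real fingerprint database is not reproduced. The sample tree built by demo() is constructed in a temporary directory, and the fake ELF headers are just enough for the class check to pass.

```python
"""Added example in the spirit of find_ddos (not its own code): scan a tree for
32-bit ELF files, match their printable strings against fingerprints, and pull
out embedded IPv4 addresses.  Fingerprints below are an illustrative subset
(assumption), not find_ddos's database."""
import os
import re
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1

# Illustrative fingerprints: a few well-known strings per tool (assumption).
FINGERPRINTS = {
    "trinoo daemon": {"l44adsl", "PONG", "*HELLO*", "betaalmostdone"},
    "stacheldraht daemon": {"skillz", "ficken", "sicken", "gesundheit!", "spoofs"},
}
MATCH_THRESHOLD = 0.5  # fraction of a fingerprint's strings that must be present

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, like strings(1)
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def is_elf32(data):
    """True if the buffer begins with an ELF header whose EI_CLASS is ELFCLASS32."""
    return len(data) > 4 and data[:4] == ELF_MAGIC and data[4] == ELFCLASS32


def extract_strings(data):
    return set(STRING_RE.findall(data))


def embedded_ips(data):
    """Dotted-quad candidates whose octets are all in range, deduplicated and sorted."""
    ips = set()
    for m in IPV4_RE.findall(data):
        if all(int(o) <= 255 for o in m.split(b".")):
            ips.add(m.decode())
    return sorted(ips)


def classify(data):
    """Best fingerprint match as (tool_name, score), or None below the threshold."""
    runs = extract_strings(data)
    best = None
    for name, fp in FINGERPRINTS.items():
        hits = sum(1 for s in fp if any(s.encode() in run for run in runs))
        score = hits / len(fp)
        if score >= MATCH_THRESHOLD and (best is None or score > best[1]):
            best = (name, score)
    return best


def scan_tree(root):
    """Walk root and report every 32-bit ELF file that matches a fingerprint."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if not is_elf32(data):
                continue
            match = classify(data)
            if match:
                results.append({"name": fn, "path": path, "tool": match[0],
                                "score": match[1], "ips": embedded_ips(data)})
    return results


def make_fake_elf32(payload):
    """Constructed sample: a 32-bit ELF e_ident plus a few header fields, then payload.
    Not a runnable executable, just enough header for is_elf32() to accept it."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HHI", 2, 3, 1) + payload


def demo():
    """Constructed tree: one fake 32-bit trinoo-like binary (reported), one 64-bit
    ELF and one text file carrying the same strings (both skipped)."""
    strings = b"\x00l44adsl\x00PONG\x00*HELLO*\x00betaalmostdone\x00192.168.1.5\x00"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "sbin"))
        with open(os.path.join(root, "usr", "sbin", "ns"), "wb") as f:
            f.write(make_fake_elf32(strings))
        with open(os.path.join(root, "elf64"), "wb") as f:
            f.write(ELF_MAGIC + b"\x02" + b"\x00" * 11 + strings)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(strings)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("%s: %s (score %.2f), embedded IPs %s"
              % (hit["path"], hit["tool"], hit["score"], hit["ips"]))
```

Note that the class check happens before any string matching, which is why the text file and the 64-bit ELF in the sample tree are never reported even though they carry the same strings: that mirrors the "32-bit ELF files only" scope of find_ddos, and it is also the gap an attacker exploits by shipping a 64-bit or statically repacked binary.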
SARA
SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the HTTP protocol (e.g. Mosaic, Netscape etc.)
primary_target(s) can specify a:
- host (e.g., www.microsoft.com)
- range (e.g., 192.168.0.12–192.168.0.223)
- subnet (e.g., 192.168.0.0/23)
When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface. When primary_target(s) are specified on the command line, SARA collects data from the named hosts and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network. SARA can generate reports of hosts by type, service, vulnerability and trust relationship.
---
DDoSPing
Unlike find_ddos, which inspects the local host, DDoSPing probes other systems over the network. It is a remote network scanner for the most common DDoS programs and can detect Trinoo, Stacheldraht and Tribe Flood Network agents running with their default settings; the ports, passwords and replies for each program type can be changed from the tool's configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.
---
RID
RID (Remote Intrusion Detector) is a tool written in C that is a highly configurable packet sniffer and generator. It works by sending out packets defined in the config.txt file, then listening for the appropriate replies.
RID can detect any remote software that elicits a predefined response to a given set of packets. Examples are:
- The Trinoo distributed denial of service attack client.
- The Tribal Flood Network distributed denial of service attack client.
- The Stacheldraht distributed denial of service attack client.
This list is not exhaustive; the tool is highly configurable to suit specific needs. RID is not a vulnerability assessment tool, nor is it a network intrusion detection system in the usual sense, since it does not run continuously monitoring your network.
Example:
# Sample config file
start AgentStacheldraht
    send icmp type=0 id=668 data=""
    recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht
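To make the probe-and-listen logic of RID (and, in outline, of DDoSPing) concrete, the following is an added example, not RID's or DDoSPing's own code. It parses the config.txt-style entry shown above, builds the ICMP echo-reply probe that the `send` line describes, including the RFC 1071 checksum, and applies the `recv` line to a constructed set of captured replies. Nothing is put on the wire. Two points are assumptions of this example rather than documented RID behaviour: the value of `nmatch` is read as the number of matching replies a host must return before it is reported, and only ICMP probes are built.

```python
"""Added example (not RID's own code): parse RID-style probe entries, build the
ICMP probe a `send` line describes, and match captured replies against `recv`.
Assumptions: nmatch = number of matching replies needed per host; ICMP only."""
import re
import struct

# The entry from the text, with a comment line added for the parser to skip.
SAMPLE_CONFIG = """\
# Sample config file
start AgentStacheldraht
    send icmp type=0 id=668 data=""
    recv icmp type=0 id=669 data="sicken" nmatch=2
end AgentStacheldraht
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def icmp_checksum(data):
    """RFC 1071 ones'-complement sum of 16-bit words; 0 for an intact packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, data, code=0, seq=0):
    """ICMP header (type, code, checksum, id, seq) followed by data."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(hdr + data)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + data


def parse_icmp(pkt):
    """Split a raw ICMP message into fields; reject short or corrupt packets."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("short or corrupt ICMP packet")
    t, c, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": t, "code": c, "id": ident, "seq": seq, "data": pkt[8:]}


def parse_probe_line(line):
    """'send icmp type=0 id=668 data=""' -> {'dir': 'send', 'proto': 'icmp', 'type': 0, ...}
    Quoted values become bytes, bare values become ints."""
    direction, proto, rest = line.split(None, 2)
    spec = {"dir": direction, "proto": proto}
    for key, val in KV_RE.findall(rest):
        spec[key] = val[1:-1].encode() if val.startswith('"') else int(val)
    return spec


def parse_config(text):
    """start/end blocks -> {name: {'send': spec, 'recv': spec}}; '#' lines are comments."""
    entries, name, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("start "):
            name, current = line.split()[1], {}
        elif line.startswith("end "):
            entries[name], name, current = current, None, None
        elif current is not None:
            spec = parse_probe_line(line)
            current[spec["dir"]] = spec
    return entries


def probe_packet(send_spec):
    """The bytes a `send icmp ...` line puts on the wire."""
    if send_spec["proto"] != "icmp":
        raise NotImplementedError("only icmp probes are built in this example")
    return build_icmp(send_spec["type"], send_spec["id"], send_spec.get("data", b""))


def reply_matches(recv_spec, pkt):
    """True if pkt parses, has the expected type and id, and carries the recv data."""
    try:
        p = parse_icmp(pkt)
    except ValueError:
        return False
    if recv_spec["proto"] != "icmp" or p["type"] != recv_spec["type"]:
        return False
    return p["id"] == recv_spec["id"] and recv_spec.get("data", b"") in p["data"]


def scan_replies(entries, captured):
    """captured: (src_host, raw_icmp_bytes) pairs.  A host is reported for an entry
    once at least nmatch of its replies satisfy that entry's recv spec."""
    report = {}
    for name, entry in entries.items():
        recv, counts = entry["recv"], {}
        for host, pkt in captured:
            if reply_matches(recv, pkt):
                counts[host] = counts.get(host, 0) + 1
        hits = sorted(h for h, n in counts.items() if n >= recv.get("nmatch", 1))
        if hits:
            report[name] = hits
    return report


# Constructed replies, as if captured after probing a range: two hosts answer like
# a stacheldraht agent, but only 10.0.0.7 answers often enough to reach nmatch=2.
CAPTURED = [
    ("10.0.0.7", build_icmp(0, 669, b"sicken")),
    ("10.0.0.7", build_icmp(0, 669, b"sicken")),
    ("10.0.0.9", build_icmp(0, 669, b"sicken")),
    ("10.0.0.11", build_icmp(0, 1234, b"ordinary echo reply")),
]


def demo():
    return scan_replies(parse_config(SAMPLE_CONFIG), CAPTURED)


if __name__ == "__main__":
    print(demo())
```

The checksum check in parse_icmp matters in practice: a scanner that matches on a substring of the data alone will also fire on truncated or corrupted replies, and the ICMP id is what separates a stacheldraht "sicken" reply (id 669) from an unrelated echo reply that happens to carry the same bytes.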
---
Zombie Zapper
Zombie Zapper works against Trinoo, TFN, Stacheldraht, Troj_Trinoo (the Windows port of Trinoo), and Shaft. Assuming that
 