[Snort-sigs] SID 232
warchild at ...288...
Fri Mar 22 19:27:02 EST 2002
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS
classtype:attempted-dos; sid:232; rev:2;)
Summary:
An "I'm alive" packet for the Trinoo (aka trin00) DDoS suite was
detected heading from a trin00 client to the trin00 master.
Impact:
System compromise if the HELLO packet was destined for your machine
(indicating your machine is the master). On the flip side, if your
machine is the one sending the HELLO packet, chances are high that you
have also been compromised. Once a machine becomes part of a trin00
network, a Denial of Service (DoS) is typically initiated against one
(or more) victim machines.
Detailed Information:
Trinoo was the first DDoS tool to make serious headlines. Once the
client has been installed on a compromised machine, it sends a packet
to port 31335 of the master daemon containing the text "*HELLO*",
indicating that it is alive and ready for business.
Attack Scenarios:
As part of a large scale attack against a machine or a network, an
attacker will compromise large numbers of machines, which will form the
army that the trin00 master daemon commands. The master daemon
typically instructs the clients to send mass quantities of packets to
a set of victim hosts. If the traffic is sufficient, the victim
machines will become resource deprived.
Ease of Attack:
Medium. Use of this tool requires a compromised system from which to
run (unless you choose to just run it on your own machine). Once a
machine has been compromised, all that is required to become part of the
trin00 network is proper permissions and a network connection.
False Positives:
Rare. The current version of trin00 ships with a configuration
sending a HELLO packet over UDP to port 31335. Communication via UDP
to such a high port is fairly uncommon. That, coupled with the
*HELLO* string, makes this rule fairly foolproof.
False Negatives:
Rare unless newer versions change port/protocol/message.
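The following is an added example, not code from the original post or from the Snort project: a stand-alone Python matcher that applies the semantics of SID 232 (UDP from EXTERNAL_NET to HOME_NET port 31335 carrying the *HELLO* string) to raw IPv4/UDP datagrams, and additionally flags the outbound direction the Impact section warns about, which the rule as written does not cover. It assumes a HOME_NET of 192.0.2.0/24, that the rule's content match is the "*HELLO*" string named in the text (the rule line as reproduced above is cut off), and that the sample packets, built from documentation addresses, are constructed for the example.

```python
"""Added example: apply the SID 232 semantics (UDP, EXTERNAL_NET -> HOME_NET,
port 31335, payload containing "*HELLO*") to raw IPv4/UDP packets, plus the
outbound case the Impact text describes."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed for this example: a documentation prefix plays the role of $HOME_NET.
# Any address outside it is treated as $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
TRINOO_MASTER_PORT = 31335      # port from the rule header
HELLO_MARKER = b"*HELLO*"       # marker from the text; the page's rule line is truncated


@dataclass
class UdpDatagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_ipv4_udp(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Constructed packet builder: IPv4 header without options + UDP header.
    Both checksums are left at zero (UDP over IPv4 permits 'no checksum')."""
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def parse_ipv4_udp(raw: bytes) -> Optional[UdpDatagram]:
    """Return the UDP datagram carried by an IPv4 packet, or None if the
    bytes are not a plain IPv4/UDP packet (no fragment reassembly here)."""
    if len(raw) < 28 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17 or len(raw) < ihl + 8:          # IP protocol 17 = UDP
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if ulen < 8:
        return None
    return UdpDatagram(src, sport, dst, dport, raw[ihl + 8:ihl + ulen])


def in_home_net(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def classify(d: UdpDatagram) -> Optional[str]:
    """Both the port and the marker must match (the reason the False
    Positives note calls the rule foolproof); the direction picks the label."""
    if d.dport != TRINOO_MASTER_PORT or HELLO_MARKER not in d.payload:
        return None
    if in_home_net(d.dst) and not in_home_net(d.src):
        return "SID 232: trin00 daemon HELLO to a master inside HOME_NET"
    if in_home_net(d.src) and not in_home_net(d.dst):
        # The rule as written only watches EXTERNAL -> HOME. The Impact text
        # says a local sender is itself very likely compromised, so this
        # added outbound check is what a second rule would cover.
        return "outbound trin00 HELLO: local host is probably a trin00 daemon"
    return None


def scan(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Run every raw packet through the parser and the rule; return (index, label)."""
    hits = []
    for i, raw in enumerate(packets):
        d = parse_ipv4_udp(raw)
        if d is None:
            continue
        label = classify(d)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample traffic (documentation addresses only).
SAMPLE_PACKETS = [
    build_ipv4_udp("198.51.100.7", 1025, "192.0.2.10", 31335, b"*HELLO*"),  # the rule's own case
    build_ipv4_udp("192.0.2.10", 1025, "198.51.100.7", 31335, b"*HELLO*"),  # local daemon phoning home
    build_ipv4_udp("198.51.100.7", 1025, "192.0.2.10", 31335, b"hello"),    # right port, wrong marker
    build_ipv4_udp("198.51.100.7", 1025, "192.0.2.10", 31336, b"*HELLO*"),  # right marker, wrong port
    build_ipv4_udp("192.0.2.10", 1025, "192.0.2.11", 31335, b"*HELLO*"),    # both ends local: outside the rule
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {label}")
```

Only the first two constructed packets produce a label: the third and fourth show why port and marker are checked together, and the fifth shows that traffic between two HOME_NET hosts falls outside both directions. The port and marker are constants on purpose; the False Negatives note above is exactly the case where a newer trin00 build changes them, and then they are the only two values to update.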
Corrective Action:
Disconnect your machine(s) from the network immediately. Attempt to
determine if your machine was being used as part of a trin00 network.
This may be difficult, given that the system has likely been
compromised and had a rootkit installed.
Contributors:
Warchild <warchild at ...288...>