[Snort-users] More info on "DDOS - TFN client command LE"

Semerjian, Ohanes Semerjian.Ohanes at ...4899...
Mon Sep 16 21:28:02 EDT 2002

Below is the signature definition that triggers the alerts:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; reference: arachnids,183; classtype:attempted-dos; sid:251; rev:1;)

To understand more about TFN, I've also included some info about it:
TFN is made up of client and daemon programs, which implement a
distributed network denial of service tool capable of waging ICMP
flood, SYN flood, UDP flood, and Smurf style attacks, as well as
providing an "on demand" root shell bound to a TCP port.

TFN daemons were originally found in binary form on a number of
Solaris 2.x systems, which were identified as having been compromised
by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd".

Best Regards
Ohanes Semerjian
6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254

-----Original Message-----
From: Jeff Taylor [mailto:jeff at ...6176...]
Sent: Tuesday, 17 September 2002 13:41
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] More info on "DDOS - TFN client command LE"

Can anyone give me more information on this attack, "DDOS - TFN client
command LE"?  It just showed up in my logs from the ISP's router.

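Added example, not part of the original thread or of Snort itself: a small Python check that applies the three header tests from the quoted rule (itype 0, icmp_id 51201, icmp_seq 0) to raw ICMP messages, to show that the rule looks only at header fields and never at the payload. The function names and all sample packets are constructed for illustration.

```python
import struct

# Header values taken from the rule quoted in the thread (sid:251).
RULE = {"itype": 0, "icmp_id": 51201, "icmp_seq": 0}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed echo / echo-reply message (test input only)."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = inet_checksum(struct.pack("!BBH", itype, 0, 0) + body)
    return struct.pack("!BBH", itype, 0, csum) + body

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte echo header; id and seq are in network byte order."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"itype": itype, "code": code, "icmp_id": ident, "icmp_seq": seq,
            "checksum_ok": inet_checksum(msg) == 0, "payload": msg[8:]}

def matches_sid_251(msg: bytes) -> bool:
    """True when every header test in the rule holds; payload is ignored."""
    try:
        fields = parse_icmp(msg)
    except ValueError:
        return False
    return all(fields[k] == v for k, v in RULE.items())

if __name__ == "__main__":
    samples = {  # constructed packets, not captured traffic
        "reply id=51201 seq=0": build_icmp(0, 51201, 0, b"constructed sample"),
        "same header, other payload": build_icmp(0, 51201, 0, b"abc"),
        "reply id=51201 seq=1": build_icmp(0, 51201, 1),
        "request id=51201 seq=0": build_icmp(8, 51201, 0),
        "reply id=4660 seq=0": build_icmp(0, 4660, 0),
    }
    for name, pkt in samples.items():
        print(f"{name:28} alert={matches_sid_251(pkt)}")
```

Because any echo reply carrying that id and sequence number matches regardless of payload, an alert from this rule is a prompt to inspect the packet contents and the source host, not confirmation of TFN traffic by itself.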
