[Snort-users] More info on "DDOS - TFN client command LE"

Semerjian, Ohanes Semerjian.Ohanes at ...4899...
Mon Sep 16 21:28:02 EDT 2002


Below is the signature definition that trigger the alerts
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client
command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; reference:
arachnids,183; classtype:attempted-dos; sid:251; rev:1;)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++

To understand more about TFN I've also included some info about it
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++
TFN is made up of client and daemon programs, which implement a
distributed network denial of service tool capable of waging ICMP
flood, SYN flood, UDP flood, and Smurf style attacks, as well as
providing an "on demand" root shell bound to a TCP port.

TFN daemons were originally found in binary form on a number of
Solaris 2.x systems, which were identified as having been compromised
by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd".
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++

Best Regards
Ohanes Semerjian
PGP kEY 
6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254


-----Original Message-----
From: Jeff Taylor [mailto:jeff at ...6176...]
Sent: Tuesday, 17 September 2002 13:41
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] More info on "DDOS - TFN client command LE"


Can anyone give me more information on this attack, "DDOS - TFN client
command LE"?  It just showed up in my logs from the ISP's router
address.

TIA,
  Jeffrey



-------------------------------------------------------
Sponsored by: AMD - Your access to the experts on Hammer Technology! 
Open Source & Linux Developers, register now for the AMD Developer 
Symposium. Code: EX8664 http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list