Detecting the Trin00 DDoS Tool

Trin00 is a classic tool for mounting a Distributed Denial of Service (DDoS) attack by sending large quantities of UDP packets against a target in a simultaneous flood from multiple attack nodes. Trin00 implements its own methods for coordinating the efforts of the attack nodes, and the Snort signature set devotes several signatures to detecting Trin00 administrative communications. For example, Snort ID 237 looks for the string l44adsl contained within a UDP packet destined for port 27444 on the home network. This string is the default password that a Trin00 control node uses to authenticate to an endpoint node in order to instruct it to perform particular operations, and is included within Snort rule ID 237:

alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)

Using fwsnort, we recast the Snort rule into equivalent iptables rules:

[iptablesfw]# fwsnort --snort-sid 237
[+] Parsing Snort rules files...
[+] Found sid: 237 in ddos.rules
Successful translation.

Here is the resulting iptables rule in the FWSNORT_FORWARD chain.

$IPTABLES -A FWSNORT_FORWARD -d 192.168.10.0/24 -p udp --dport 27444 -m string --string "l44adsl" --algo bm -m comment --comment "sid:237; msg: DDOS Trin00 Master to Daemon default password attempt; classtype: attempted-dos; reference: arachnids,197; rev: 2; FWS:1.0;" -j LOG --log-ip-options --log-prefix "[1] SID237 "

Because this is a UDP signature, there is no notion of an established connection, and hence the signature belongs in the FWSNORT_FORWARD chain instead of the FWSNORT_FORWARD_ESTAB chain. In addition, even though the default policy in this book (see "Default iptables Policy" on page 20) does not accept UDP packets destined for port 27444, fwsnort can still detect packets that match the Trin00 signature because a connection does not have to be established before data can be sent (as in the case of TCP signatures). That is, we don't need an ACCEPT rule before data can be sent over the UDP socket from the client. This is a fundamental difference between TCP and UDP sockets.

Now, from the ext_scanner system, we execute the following command to see if the signature triggers:

[ext_scanner]$ echo "l44adsl" | nc -u 71.157.X.X 27444

The iptables log faithfully reports the signature match:

[iptablesfw]# grep SID237 /var/log/messages | tail -n 1
Jul 19 22:18:24 iptablesfw kernel: [1] SID237 IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=42386 DF PROTO=UDP SPT=54494 DPT=27444 LEN=16

The log entry carries the iptables log prefix [1] SID237 and comes from the ext_scanner system; fwsnort has indeed detected the (simulated) attack.
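To turn such entries into alerts, the log line has to be parsed with care: OUT= is empty, DF is a bare flag, and LEN appears twice (IP total length, then UDP length). The following is an added example, not code from the original text or from fwsnort; the function names and the dictionary layout are assumptions, and the sample line is constructed from the entry shown above.

```python
import re

# Constructed sample modelled on the log entry above (addresses masked as on the page).
SAMPLE = ("Jul 19 22:18:24 iptablesfw kernel: [1] SID237 IN=eth0 OUT= "
          "MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X "
          "DST=71.157.X.X LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=42386 DF "
          "PROTO=UDP SPT=54494 DPT=27444 LEN=16")

# Log prefix as written by the rule's --log-prefix option: "[<number>] SID<sid> "
PREFIX = re.compile(r"\[(\d+)\] SID(\d+) (.*)$")


def parse_fwsnort_log(line):
    """Return a dict for one SID-tagged log entry, or None if the prefix is absent."""
    m = PREFIX.search(line)
    if m is None:
        return None
    event = {"prefix_num": int(m.group(1)), "sid": int(m.group(2)), "flags": []}
    seen_proto = False
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        if not sep:
            # Bare tokens such as DF carry no '=' and are recorded as flags.
            event["flags"].append(token)
        elif key == "LEN":
            # LEN appears twice: IP total length first, UDP length after PROTO=.
            event["udp_len" if seen_proto else "ip_len"] = int(value)
        else:
            # Empty values (OUT=) are kept as empty strings.
            event[key.lower()] = value
            seen_proto = seen_proto or key == "PROTO"
    return event


def udp_payload_len(event):
    """UDP LEN counts the 8-byte UDP header plus the payload."""
    return event["udp_len"] - 8


if __name__ == "__main__":
    ev = parse_fwsnort_log(SAMPLE)
    print(ev["sid"], ev["src"], "->", ev["dst"], ev["dpt"], udp_payload_len(ev))
```

The 8-byte payload length matches the seven-character password plus the newline that echo appends.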
