本文是对德国著名黑客Mixter编写的分布式拒绝服务攻击工具——"Tribe Flood Network(TFN)"的技术性分析。TFN与另一个分布式拒绝服务攻击工具"Trinoo"相似,都在互联网的大量Unix系统中开发和测试。
最近发现的二进制代码中的字符串表明,多TFN客户端支持(类似Trinoo)、iplist文件加密、ICMP包数据段内容加密等新功能正在或已经加入到该工具中。
最近发现的二进制代码有些使用了"rcp"命令,这样监视"rcp"连接(514/tcp)也许能够较快地发现问题。
由于TFN使用ICMP数据包,很难实时监测出通讯,而且这些数据包往往能直接通过大多数防火墙。象"ngrep"这类程序也不能处理ICMP数据包,所以目前也很难监视ICMP包中的数据段内容。
TFN的一个缺陷是目前为止还没有对ICMP包的源地址进行验证。这样如果命令对应的缺省数值未被改变,只需一个数据包就能探测出一个TFN守护程序。(请参阅附录C中的Perl脚本。)
如果命令对应的各个数据改变了,通过暴力法(发送所有可能的数值组合)仍然有可能使TFN守护程序关闭(id字段是16位,共有64K种组合)。与此同时,对TFN守护程序端机器进行ICMP flood攻击来使其失效,也是一种潜在的可行方法。
附录A:sniffit v0.3.7.beta显示ICMP包数据内容的补丁程序
-----------------------------------------------------------------
--------------------------- cut here -------------------------------
diff -c sniffit.0.3.7.beta.orig/sn_defines.h sniffit.0.3.7.beta/sn_defines.h
*** sniffit.0.3.7.beta.orig/sn_defines.h Wed Aug 26 12:21:23 1998
--- sniffit.0.3.7.beta/sn_defines.h Wed Oct 20 10:15:41 1999
***************
*** 126,132 ****
#define ICMP_TYPE_3 "Destination unreachable"
#define ICMP_TYPE_4 "Source quench"
#define ICMP_TYPE_5 "Redirect"
! #define ICMP_TYPE_8 "Echo"
#define ICMP_TYPE_11 "Time exceeded"
#define ICMP_TYPE_12 "Parameter problem"
#define ICMP_TYPE_13 "Timestamp"
--- 126,132 ----
#define ICMP_TYPE_3 "Destination unreachable"
#define ICMP_TYPE_4 "Source quench"
#define ICMP_TYPE_5 "Redirect"
! #define ICMP_TYPE_8 "Echo request"
#define ICMP_TYPE_11 "Time exceeded"
#define ICMP_TYPE_12 "Parameter problem"
#define ICMP_TYPE_13 "Timestamp"
***************
*** 134,140 ****
#define ICMP_TYPE_15 "Information request"
#define ICMP_TYPE_16 "Information reply"
#define ICMP_TYPE_17 "Address mask request"
! #define ICMP_TYPE_18 "Adress mask reply"
/*** Services (standardised) *******************************************/
#define FTP_DATA_1 20
--- 134,140 ----
#define ICMP_TYPE_15 "Information request"
#define ICMP_TYPE_16 "Information reply"
#define ICMP_TYPE_17 "Address mask request"
! #define ICMP_TYPE_18 "Address mask reply"
/*** Services (standardised) *******************************************/
#define FTP_DATA_1 20
diff -c sniffit.0.3.7.beta.orig/sniffit.0.3.7.c sniffit.0.3.7.beta/sniffit.0.3.7.c
*** sniffit.0.3.7.beta.orig/sniffit.0.3.7.c Wed Aug 26 12:21:25 1998
--- sniffit.0.3.7.beta/sniffit.0.3.7.c Wed Oct 20 10:15:49 1999
***************
*** 1333,1339 ****
printf ("Unknown ICMP type!\n");
break;
}
! printf ("\n");
return;
}
if (finish < 30) /* nothing yet */
--- 1333,1351 ----
printf ("Unknown ICMP type!\n");
break;
}
! total_length = info.IP_len + info.ICMP_len + info.DATA_len;
! n = 0;
! for (i = 0; i < total_length; i++)
! {
! unsigned char c = sp[PROTO_HEAD + i]; 75)
! n = 0, printf ("\n");
! if (DUMPMODE & 1)
! n += printf (" %02X", c);
! if (DUMPMODE & 2)
! n += printf (" %c", isprint (c) ? c : ’.’);
! }
! printf ("\n\n");
return;
}
if (finish < 30) /* nothing yet */
--------------------------- cut here -------------------------------
附录B:tcpshow 1.0显示ICMP ECHO包id/序列号的补丁程序
----------------------------------------------------------------------
--------------------------- cut here -------------------------------
diff -c tcpshow.c.orig tcpshow.c
*** tcpshow.c.orig Thu Oct 21 14:12:19 1999
--- tcpshow.c Thu Oct 21 14:22:34 1999
***************
*** 1081,1086 ****
--- 1081,1088 ----
uint2 nskipped;
uint1 type;
char *why;
+ uint2 echo_id;
+ uint2 echo_seq;
type = getbyte(&pkt); nskipped = sizeof(type);
***************
*** 1091,1096 ****
--- 1093,1103 ----
/* Must calculate it from the size of the IP datagram - the IP header. */
datalen -= ICMPHDRLEN;
+ if (type == ECHO_REQ || type == ECHO_REPLY) {
+ echo_id = getword(&pkt); nskipped += sizeof(cksum);
+ echo_seq = getword(&pkt); nskipped += sizeof(cksum);
+ }
+
why = icmpcode(type, code);
if (dataflag) {
printf(
***************
*** 1113,1118 ****
--- 1120,1129 ----
icmptype(type), why? "\n\tBecause:\t\t\t": "", why? why: ""
);
printf("\tChecksum:\t\t\t0x%04X\n", cksum);
+ if (type == ECHO_REQ || type == ECHO_REPLY) {
+ printf("\tId:\t\t\t\t0x%04X\n", echo_id);
+ printf("\tSequence:\t\t\t0x%04X\n", ntohs(echo_seq));
+ }
}
return pkt;
--------------------------- cut here -------------------------------
附录C:关闭TFN守护程序的Perl脚本"civilize"
----------------------------------------------------------
--------------------------- cut here -------------------------------
#!/usr/bin/perl
#
# civilize v. 1.0
# By Dave Dittrich
#
# Send commands to TFN daemon(s), causing them to do things like
print "sending packet [$opt_c/$opt_a] to $d_host\n" if $opt_v;send;
}
exit(0);