find_ddos - find Distributed Denial of Service (DDOS) tools

README

This material and tool is furnished on an "as is" basis. There are no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. There is no warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. Because of the rapidly and continually evolving nature of DDOS tools, there is no warranty that all occurrences of different mutations of these tools will be identified.

If the program "find_ddos" generates a log file revealing unlawful access of a tested system, system administrators are encouraged to contact their local FBI field office or the NIPC.

NIPC / STAU
FBIHQ Rm 11719
935 Pennsylvania Ave. NW
Washington, DC 20535-0001

In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the National Infrastructure Protection Center (NIPC) Special Technology Applications Unit (STAU) has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system.

The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing each file's strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is considered a close enough match to one of these fingerprints, it is identified as that tool. The tool will optionally make a copy of all files that are found to match. If it finds a match in a running process, it will also grab a core image of the process for subsequent analysis.
Any matches that are found are also examined for any embedded IP addresses. All results are either displayed to the user's terminal, or stored in a log file.

The tool also looks for files named "..." or "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of blowfish-encrypted IP addresses. The blowfish encryption key can be found by examining the binary.)

The distributed denial-of-service tools that are detected by the tool are:

* stacheldraht client
* stacheldraht daemon
* stacheldraht master
* tfn-rush client
* tfn client
* tfn daemon
* tfn2k client
* tfn2k daemon
* trinoo daemon
* trinoo master

The tool must be run as root. The syntax of the tool is:

    ./find_ddos [-g grabdir] [-l logfile] [-p] [-v] [-V] [-x exclude1] [scandir]

    - OR -

    ./find_ddos

Where:

* "-g grabdir" specifies an optional location to store file matches, core images, and files named "..." or "mservers". This directory will be created if it doesn't already exist, and will NOT be scanned by the tool.
* "-l logfile" specifies an optional location to save the results (in which case the results are not displayed).
* "-p" tells the tool to also scan running processes.
* "-v" tells the tool to give more feedback on what it's scanning.
* "-V" displays version information.
* "-x exclude1" tells the tool to skip over a file or directory when performing the scan. Multiple excludes can be supplied by repeating the "-x" flag for each one. If the exclude is a directory, all of its subdirectories are excluded as well.
* "scandir" specifies one or more files or directories to scan. The tool will not cross filesystem boundaries when scanning a directory unless the filesystem type is the same as the starting directory's. This will ordinarily prevent tmpfs, nfs, procfs, and hsfs filesystems from being scanned when the root directory is scanned.
If the tool is run with no parameters, it assumes the following default parameters:

    ./find_ddos -g files -l LOG -p /tmp /

If ANY parameters are given, these default parameters are not used. Therefore, "./find_ddos -v -x /mymount" will do NOTHING. Instead, you must do:

    ./find_ddos -v -x /mymount -g files -l LOG -p /tmp /

The tool is designed to be run from a floppy disk, where it can scan the system and save the results back to the floppy disk for later analysis. To do this, log in as root, place a copy of the tool on an otherwise blank floppy disk, and mount the disk on the target system. The tool can then be run by double-clicking on its icon in the File Manager, or by running it from the command line. Once the tool has finished running, the disk can be unmounted and removed for offline analysis.

Caveats:

* The tool is fast, but resource intensive. If you have users that are likely to complain when the system slows to a crawl, you may wish to use the "nice" command.
* The tool was written in C so that it has minimal reliance on system binaries, so it will not be impacted by most "root kits". However, it is susceptible to a kernel loadable module-based root kit.
* Some differences in the symbol table may be a result of differences in how the distributed denial-of-service program was compiled, rather than a change in the source code of the program. This will not cause the program to be missed, but will cause differences to be reported that are not significant.

Solaris caveats:

* Because the tool was written in C, it must be compiled for a specific operating system. This tool has only been compiled to run on Solaris 2.x and higher operating systems, as well as Linux 2.x-based operating systems. It has only been tested on Solaris 2.5.1, Solaris 2.6, and Solaris 7. The Linux version has only been tested on Red Hat Linux 6.0 and 6.1.
* The Solaris version of the tool will only scan 32-bit ELF format files, and does not support COFF or 64-bit files.
Linux caveats:

* Because the tool was written in C, it must be compiled for a specific operating system. This tool has only been compiled to run on Linux 2.x-based operating systems. It has only been tested on Red Hat Linux 6.0 and 6.1.
* The Linux version of the tool will only scan 32-bit i386 ELF format files, not Sparc format or a.out format files.

Changes in Version 3.3:

* The find_ddos tool now returns an exit status of "0" if a DDOS program was found, a status of "1" if no DDOS program was found, and a status of "2" if the scan was unable to run. Previously, the exit status was not meaningful.
* The find_ddos tool is now much less likely to fail if it runs out of memory while attempting to scan a large (or corrupted) file.

Changes in Version 3.3 (Solaris only):

* The Solaris version of the find_ddos tool can now scan running processes on a Solaris 2.5.1 system.

Changes in Version 3.3 (Linux only):

* The Linux version of the find_ddos tool will no longer improperly identify itself or any previous version as a DDOS program.

Changes in Version 3.2 (Linux only):

* Fixed a memory leak in the Linux version of the tool.

Changes in Version 3.1:

* The find_ddos tool is now available for Linux, and most of the source code is common between the Solaris and Linux versions.
* The tool now handles the fact that Linux places much less information in the dynamic symbol table than Solaris does. If a stripped Linux binary is seen (either by the Solaris or Linux version of the tool), it is reported to have no symbol table.
* A bug has been fixed in the Solaris version of the tool that would cause it to dump core under some circumstances if it scanned a file that was damaged/corrupted.

Changes in Version 3:

* The find_ddos tool will no longer improperly identify itself or any previous version as a DDOS program.
* The tool is now available for download compiled for Solaris on Sparc or Intel platforms. There is a separate download for each platform.
* All output is now unbuffered, to solve problems that some people were having.
* Better error messages in some cases.
* There are several new flags (documented above): the "-x", "-v", and "-V" flags.
* Detection of the stacheldraht client and stacheldraht master has been added.
* "enhanced tfn daemon" has been properly renamed to "stacheldraht daemon".
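A wrapper script, added here as an example and not part of the find_ddos distribution, that ties together two points documented above: the default arguments ("-g files -l LOG -p /tmp /") are dropped as soon as any flag is given, and version 3.3 returns exit status 0, 1 or 2. It assumes the binary is at ./find_ddos (overridable with the FIND_DDOS variable) and runs the scan under "nice" as the caveats suggest.

```shell
#!/bin/sh
# Example wrapper for find_ddos (not the tool's own code).
# Assumption: the binary lives at ./find_ddos, e.g. on the mounted floppy.
FIND_DDOS=${FIND_DDOS:-./find_ddos}

# Build the full command line: caller-supplied flags first, then the
# documented defaults that find_ddos silently drops once any flag is given,
# so "-v -x /mymount" still scans /tmp and / and still writes LOG and files/.
build_find_ddos_cmd() {
    printf '%s' "$FIND_DDOS"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf ' -g files -l LOG -p /tmp /\n'
}

# Map the version 3.3 exit status to a one-word verdict.
classify_exit() {
    case "$1" in
        0) echo "found" ;;    # a DDOS program was identified: review LOG and files/
        1) echo "clean" ;;    # no fingerprint matched
        2) echo "error" ;;    # scan could not run (e.g. not root, bad scandir)
        *) echo "unknown" ;;  # pre-3.3 binaries return no meaningful status
    esac
}

# Run the scan at lowest priority with any extra flags, then report the verdict.
run_scan() {
    nice -n 19 "$FIND_DDOS" "$@" -g files -l LOG -p /tmp /
    status=$?
    echo "find_ddos exit $status: $(classify_exit "$status")"
    return "$status"
}

# Usage: ./wrapper.sh --run -v -x /mymount
if [ "${1:-}" = "--run" ]; then
    shift
    run_scan "$@"
fi
```

Because run_scan returns the tool's own status, the wrapper can be chained with "&&" or checked in cron jobs the same way the bare binary can.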