Tribe Flood Network

• Attacks:
  • UDP flood
  • ICMP flood
  • SYN flood
  • "Smurf" (forged ICMP Echo Request from victim to a series of broadcast addresses)
• Communication:
  • ICMP_ECHOREPLY packets between "client" and "daemons"
  • Daemon commands sent in ICMP_ECHOREPLY id field
  • Arguments sent in data payload
• Encryption:
  • Latest version of master suspected to encrypt list of daemon IP addresses using Blowfish
  • No passwords required to run master (not sure about latest version)
• Priviledges:
  • Both client/daemon require root (uses SOCK_RAW socket)
• Forensics:
  • Master IP addresses visible in latest version (+)
  • Enough strings to recognize daemon/master easily (+)
  • Remote shell's TCP port can be seen with "lsof" (+)
  • Attacker session not encrypted (+)
  • Master may not be password protected (+)
  • Untyped socket only thing visible with "lsof" otherwise (-)
  • "Root Kits" hide processes/files/directories (-)
  • Ethernet switches make monitoring ICMP traffic difficult (-)
• [Analysis]

[Next] | [Prev] | [Top]