Tribe Flood Network

• Attacks:
  • UDP flood
  • ICMP flood
  • TCP SYN flood
  • "Smurf" (forged ICMP Echo Request from victim to a series of broadcast addresses)
• Communication:
  • ICMP_ECHOREPLY packets between "client" and "agents"
  • Agent commands sent in ICMP_ECHOREPLY id field
  • Arguments sent in data payload
• Encryption:
  • No passwords required to run handler
  • No encryption of data payload
• Priviledges:
  • Both client/agent require root (uses SOCK_RAW socket)
• Forensics:
  • Handler IP addresses visible in latest version (+)
  • Enough strings to recognize agent/handler easily (+)
  • Remote shell's TCP port can be seen with "lsof" (+)
  • Attacker session not encrypted (+)
  • Handler may not be password protected (+)
  • Untyped socket only thing visible with "lsof" otherwise (-)
  • "Root Kits" hide processes/files/directories (-)
  • Ethernet switches make monitoring ICMP traffic difficult (-)
• [Analysis]

[Next] | [Prev] | [Top]