

ISSalert: Internet Security Systems Security Alert: "mstream" Distributed Denial of Service Tool

From: Wilmont Belfry <AlphaLeader_at_1stconnect.com>
Date: Tue, 2 May 2000 14:58:52 -0400
Message-Id: <10485.104720@fatcity.com>


FYI.... Wilmont C. Belfry

> Internet Security Systems Security Alert
> May 1, 2000
>
> "mstream" Distributed Denial of Service Tool
>
> Synopsis:
>
> A new Distributed Denial of Service tool, mstream, has been discovered at
> the University of Washington. It has also been seen on networks at Penn
> State and Indiana University. A Distributed Denial of Service attack is
> designed to bring a network down by flooding target machines with large
> amounts of traffic. The source code for a version of the program was
> recently posted anonymously to the BugTraq and VULN-DEV
> e-mail lists hosted by SecurityFocus. This tool includes a "master
> controller is the portion of the tool
> that controls all of the zombie agents. An attacker connects to the master
> controller using telnet to control the zombies.
>
> The attack the zombie performs is a modification of the "stream.c" attack.
> Most of the source code in the zombie that is used to flood the target
> computers originated from stream.c. The zombie sends TCP ACK packets to the
> target hosts using random ports. This denial of service attack usually does
> not have much effect coming from a single machine. However, the effects of
> the attack are intensified in the new distributed format used by mstream. A
> full explanation of this attack can be found at
> http://packetstorm.securify.com/DoS/stream-dos.txt.
>
> There have been two versions of mstream made public: one that was found "in
> the wild", and another that was posted to security mailing lists. They are
> functionally the same, but they have different passwords and use different
> port numbers for communication.
>
> Impact:
>
> This Distributed Denial of Service (DDoS) tool poses the same dangers as
> earlier tools including Trin00 and Tribe Flood Network. The stream.c attack
> slows a machine down by using up CPU cycles. The attack also consumes
> network bandwidth. In addition to the incoming ACK packets, the target host
> will consume bandwidth when it tries to send TCP RST packets to non-existent
> IP addresses. Routers will then return ICMP host/network unreachable packets
> to the victim, resulting in more bandwidth starvation. The distributed
> method of attack multiplies the effect on the CPU, as well as consuming
> large amounts of network bandwidth.
>
> Description:
>
> The mstream architecture is a standard 3-tier design used by most
> Distributed Denial of Service tools. The client is the machine that an
> attacker uses to launch the attack. The client launches the attack through a
> connection to the master. A master, in the file master.c, controls all of
> the zombies. The zombies, in the file server.c, perform the "stream.c"
> denial of service attack on the victim. Each master can control any number
> of zombies, and each zombie can have any number of masters controlling it.
> The mstream tool uses no encryption to hide its activities on the network.
> There have been 3 different versions of this tool found, using
> different ports. The master source code found in the wild listens on TCP
> port 12754 for client requests. To connect, a client must send the password,
> which is "N7%diApf!". In the version that was posted to BugTraq and
> VULN-DEV, the TCP port is 6723, and the password is "sex". Another binary
> found in the wild listens on port 15104 for client connections. After
> sending the password, an attacker gets a prompt of "> ". Typing "help"
> displays the following information:
>
> Available commands:
> stream -- stream attack !
> servers -- Prints all known servers.
> ping -- ping all servers.
> who -- tells you the ips of the people logged in
> mstream -- lets you stream more than one ip at a time
>
> The master controller also listens on a UDP port for registrations from
> zombies. This port is 6838 in the version found at the universities and 9325
> in the version posted to security mailing lists. A zombie can send two
> different packets, one is "pong", which is a response from a ping request.
> The other is "newserver", which adds that IP address to the list of servers
> in the file "..." (wild version) or ".sr" (mailing list version) in the
> directory in which the master controller is running. The IP addresses are
> encoded by adding 50 to the ASCII value of each character in the IP address,
> so "208.21.2.18" becomes "dbj`dc`d`cj<". The "<" is a newline
> character (ASCII 10) plus 50.
>
> Zombies listen on UDP port 10498 (wild version) or 7983 (mailing list
> version) for commands from the master controller. The 3 commands that can be
> sent to the zombies are "ping", "stream", and "mstream". The ping request
> receives a "pong" from the server. The pong goes to UDP port 6838 (wild
> version) or 9325 (mailing list version). In the wild version of mstream, the
> "stream" command is not used; it just sends "mstream" commands. The
> "mstream" command on the network looks similar to the following:
>
> mstream/x.x.x.x:x.x.x.x:...../y
>
> In the above command, x.x.x.x represents IP address(es) to attack, and y is
> the time to attack (in seconds). The "stream" command is of a similar
> format, but allows only one IP address to be sent. It looks like this:
>
> stream/x.x.x.x/y
>
>
> Recommendations:
>
> To locate the mstream master or zombie on a system, use the following
> command for each filesystem on the machine:
>
> find / -mount -type f -print | xargs grep -l newserver
>
> Replace / with whichever file system you want to search. This may find files
> that are not part of mstream, such as /usr/bin/xchat, but you can verify
> each file found by using the strings command on it. The strings output of
> the zombie, from server.c, will contain this text:
>
> Must be ran as root.
> socket
> bind
> setsockopt
> newserver
> stream
> mstream
> ping
> pong
> fork
> Forked into background, pid %d
>
> Running strings on the master will find this text:
>
> Connection from %s
> newserver
> New server on %s.
> pong
> Got pong number %d from %s
> %s has disconnected (not auth'd): %s
> Invalid password from %s.
> Password accepted for connection from %s.
> Lost connection to %s: %s
>
> If you know which port the master controller is listening on, you can use
> lsof. Use this command to locate the master: "lsof -i TCP:port." The result
> will be similar to the following:
>
> [root_at_berry]# lsof -i TCP:12754
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> mstream 3664 juser 3u IPv4 721759 TCP *:12754 (LISTEN)
>
> This will locate the process that is listening on TCP port 12754. To find
> the path to the executable, use the command "lsof -c <command> -a -d txt":
>
> [root_at_berry]# lsof -c mstream -a -d txt
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> mstream 3664 juser txt REG 8,1 33185 306211 /home/juser/mstream
>
> To kill the process, delete the master controller executable, check the
> "..." or ".sr" file, and decode the IP addresses of all of the zombies. The
> following shell command will decrypt the file:
>
> [root_at_berry]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'
> 208.21.2.18
>
> ISS' SAFEsuite intrusion detection system, RealSecure 5.0, will include new
> attack signatures to detect all levels of communications between the mstream
> DDoS components. ISS' SAFEsuite network security assessment product,
> Internet Scanner, will have checks available to detect mstream DDoS master
> and zombie in the next X-Press Update.
>
> Additional Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE
> list (http://cve.mitre.org), which standardizes names for security problems.
>
> Credits:
>
> This tool was researched by the ISS X-Force. The X-Force would like to thank
> Dave Dittrich at the University of Washington and Andrew Korty at Indiana
> University for their initial information on mstream. X-Force would also
> like to thank Tim Yardley for his analysis of the stream.c attack that was
> posted to BugTraq in January 2000.
>
> _______
>
> About ISS
>
> ISS is a leading global provider of security management solutions for
> e-business. By offering best-of-breed SAFEsuite(tm) security software,
> comprehensive ePatrol(tm) monitoring services, and industry-leading
> expertise, ISS serves as its customers' trusted security provider protecting
> digital assets and ensuring the availability, confidentiality and integrity
> of computer systems and information critical to e-business success. ISS'
> security management solutions protect more than 5,000 customers including 21
> of the 25 largest U.S. commercial banks, 9 of the 10 largest
> telecommunications companies and over 35 government agencies. Founded in
> 1994, ISS is headquartered in Atlanta, GA, with additional offices
> throughout North America and international operations in Asia, Australia,
> Europe and Latin America. For more information, visit the ISS Web site at
> www.iss.net or call 888-901-7477.
>
> Copyright (c) 2000 Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express consent of
> the X-Force. If you wish to reprint the whole or any part of this Alert in
> any other medium excluding electronic medium, please e-mail xforce_at_iss.net
> for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There are
> NO warranties with regard to this information. In no event shall the author
> be liable for any damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this information is at the
> user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
> as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force xforce_at_iss.net of
> Internet Security Systems, Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3a
> Charset: noconv
>
> iQCVAwUBOQ7+pjRfJiV99eG9AQFvpgP6AlQFKZyXSuvTfPkaeF/5DBJYtm2WWuv+
Received on Tue May 02 2000 - 13:58:52 CDT
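The server-list encoding and the zombie command formats described in the forwarded alert, worked through in Python as an added example for this archive page (it is not ISS's code and not mstream's own source). It implements only what the alert states: the "add 50 to each character" encoding of the master's "..." / ".sr" file, which the alert's tr/sed one-liner reverses, and the "ping", "stream/<ip>/<secs>" and "mstream/<ip>:<ip>:.../<secs>" command strings sent to zombies, parsed the way a detection rule would need to. The sample file contents and datagrams are constructed, and the KNOWN_PORTS table just collects the port numbers the alert lists for the two versions.

```python
"""Decoder and parser for the mstream artifacts described in the ISS alert.

Added example for this page, not ISS's code and not mstream's source. The
sample inputs below are constructed.
"""
import ipaddress
import re
from typing import Optional

ENCODING_OFFSET = 50      # each byte of the IP text is stored as (byte + 50)
ENCODED_NEWLINE = b"<"    # newline (10) + 50 = 60 = '<', terminates each entry

# Ports the alert names for each version; handy as a lookup when writing
# rules for the UDP registration/command traffic.
KNOWN_PORTS = {
    "wild": {"master_tcp": 12754, "master_udp": 6838, "zombie_udp": 10498},
    "list": {"master_tcp": 6723, "master_udp": 9325, "zombie_udp": 7983},
}


def encode_server_entry(ip: str) -> bytes:
    """Encode one dotted-quad IP the way the master stores a 'newserver'."""
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return bytes(ord(c) + ENCODING_OFFSET for c in ip + "\n")


def decode_server_list(data: bytes) -> list:
    """Decode the master's server-list file back into a list of IP strings.

    Every encoded byte must map back to a digit, '.', or newline; any other
    byte means the file is not an mstream server list, and a ValueError is
    raised rather than guessing.
    """
    entries = []
    for raw in data.split(ENCODED_NEWLINE):
        if not raw:
            continue          # trailing terminator or empty line
        chars = []
        for b in raw:
            plain = b - ENCODING_OFFSET
            if plain < 0 or chr(plain) not in "0123456789.":
                raise ValueError(f"byte {b:#04x} is not mstream-encoded IP text")
            chars.append(chr(plain))
        ip = "".join(chars)
        ipaddress.IPv4Address(ip)  # reject things like "1.2.3" or "1..2.3.4"
        entries.append(ip)
    return entries


# "stream/<ip>/<secs>" or "mstream/<ip>:<ip>:.../<secs>"
_ATTACK_RE = re.compile(r"^(stream|mstream)/([0-9.:]+)/([0-9]+)$")


def parse_zombie_command(payload: bytes) -> Optional[dict]:
    """Classify one master-to-zombie UDP payload.

    Returns a dict with 'command', 'targets' and 'seconds', or None when the
    payload is not one of the three commands the alert describes.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text == "ping":
        return {"command": "ping", "targets": [], "seconds": None}
    m = _ATTACK_RE.match(text)
    if not m:
        return None
    command, target_field, seconds = m.groups()
    targets = [t for t in target_field.split(":") if t]
    if not targets or (command == "stream" and len(targets) != 1):
        return None   # "stream" carries exactly one address
    for t in targets:
        try:
            ipaddress.IPv4Address(t)
        except ValueError:
            return None
    return {"command": command, "targets": targets, "seconds": int(seconds)}


if __name__ == "__main__":
    # Constructed sample of a ".sr" file holding two registered zombies.
    sample_file = encode_server_entry("208.21.2.18") + encode_server_entry("10.1.2.3")
    print(sample_file)                        # b'dbj`dc`d`cj<cb`c`d`e<'
    print(decode_server_list(sample_file))    # ['208.21.2.18', '10.1.2.3']
    for pkt in (b"ping", b"stream/10.0.0.5/60",
                b"mstream/10.0.0.5:10.0.0.6/120", b"GET / HTTP/1.0"):
        print(pkt, "->", parse_zombie_command(pkt))
```

The decoder refuses any byte outside the encoded alphabet (`b`-`k`, `` ` `` and `<`) instead of producing garbage, so it doubles as a check on whether a suspicious "..." or ".sr" file really is an mstream server list; the alert's `tr 'b-k`' '0-9.'` pipeline makes no such check.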

