IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled


"Trinity v3/ Stacheldraht 1.666" Distributed Denial of Service Tool
October 13, 2000

New variants of the Trinity and Stacheldraht Distributed Denial of Service (DDoS) tools have been found in the wild. As was demonstrated in February of this year, DDoS attacks can bring down networks by flooding target machines with more traffic than the machines can process. This advisory provides an update to previous NIPC DDoS advisories (issued since December 1999) on similar tools such as "mstream," "Tribal Flood Network," and "trinoo." The NIPC has recently determined that masters tied to zombies have been placed on many users' systems, heightening the possibility of a DDoS attack in the future. In addition to large corporate and university systems, affected users also include those with home computers having broadband access such as DSL and cable modem. The NIPC recommends that all computer network owners and organizations examine their systems for evidence of DDoS tools, including Trinity and Stacheldraht.

The "Trinity v3" Distributed Denial of Service (DDoS) exploit represents a potentially serious and continuing threat to networked computers running certain versions of the Linux operating system. Trinity v3 is a DDoS tool that is controlled via IRC or ICQ. When a system has been compromised and the Trinity v3 tool installed, each compromised machine joins a specified IRC channel and waits for commands. The Trinity v3 tool enables intruders to use multiple, Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems. At least eight variations of Trinity have been found on the Undernet Internet Relay Chat network, each reporting to a different IRC channel. Trinity v3 responds to commands in IRC channels on lines beginning with "(trinity)," and the "Entitee" version of Trinity responds to lines beginning with "(entitee)."

System administrators should ensure their TCP Port Scanners are configured to scan port 33270 as machines found listening at this port may have the Trinity portshell installed. Trinity v3 is difficult to detect because the agent does not listen to specific ports to receive commands, but receives them over IRC. Watching for suspicious IRC traffic is useful in detecting Trinity v3. It is important to note that if Trinity v3 is found on a system, the system may have experienced root level compromise.

Stacheldraht consists of three parts -- a master server, a client, and an agent program -- and runs on Linux and Solaris machines. Stacheldraht performs several types of flooding attacks, and has IRC flooding options. The latest Stracheldraht variants, "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps" prompt the user for a password when building the binaries.

The NIPC DDoS detection tool has been modified to detect Trinity v3 and some new variants of Stacheldraht. While the tool is designed to detect mutations of these DDoS tools, it may not detect all variants of the tools. NIPC will continue to update the detection tool as we receive new DDoS variants. Currently, the NIPC tool (find_ddos) detects the DDoS exploit in the following operating systems: Solaris on Sparc or Intel platforms, and Linux on Intel platforms. The tool currently detects mstream, tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stachelddraht daemon and trn-rush client. Please refer to http://www.nipc.gov/warnings/alerts/1999/trinoo.htm for more information.

Alternatively, specific technical instructions are available from CERT Coordination Center, SANS Institute, and other competent sources. CERT/CC, SANS Institute, and the University of Washington have published information on distributed denial of service exploits that can be readily found at the following web sites:




Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate.