"Trinity v3 / Stacheldraht 1.666" Distributed Denial of Service Tool
New variants of the Trinity and Stacheldraht Distributed Denial of Service (DDoS) tools have been found in the wild. As was demonstrated in February of this year, DDoS attacks can bring down networks by flooding target machines with more traffic than they can process. This advisory updates previous NIPC DDoS advisories (issued since December 1999) on similar tools such as "mstream," "Tribal Flood Network," and "trinoo." The NIPC has recently determined that masters tied to zombies have been placed on many users' systems, heightening the possibility of a DDoS attack in the future. In addition to large corporate and university systems, affected users include those with home computers on broadband (DSL or cable modem) connections. The NIPC recommends that all computer network owners and organizations examine their systems for evidence of DDoS tools, including Trinity and Stacheldraht.
System administrators should ensure their TCP port scanners are configured to scan port 33270, as machines found listening on this port may have the Trinity portshell installed. Trinity v3 itself is harder to detect because the agent does not listen on a specific port for commands; it connects out to an IRC server as a client and receives its commands there. Watching for unexpected IRC connections, particularly from servers and other hosts that have no reason to run an IRC client, is therefore useful in detecting Trinity v3. It is important to note that if Trinity v3 is found on a system, the system may have experienced a root-level compromise, and the host should be examined accordingly rather than simply having the tool removed.
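The two checks above (hosts accepting connections on TCP 33270, and server hosts acting as IRC clients) can be run over connection or flow records. The following is an added example, not part of the NIPC advisory or its find_ddos tool. It assumes a simplified flow-record format of the form "timestamp src:sport -> dst:dport proto" (constructed sample data below), that IRC uses TCP 6660-6669 (6667 being the usual port), and that hosts on a hypothetical server subnet 10.1.0.0/16 never legitimately run IRC clients; the 33270 port number comes from the advisory, everything else is an assumption.

```python
import re
import socket
from collections import defaultdict

# From the advisory: the Trinity portshell listens on TCP 33270.
TRINITY_PORTSHELL = 33270
# Assumptions (not from the advisory): IRC runs on TCP 6660-6669, and hosts on
# the hypothetical server subnet below are never legitimate IRC clients.
IRC_PORTS = set(range(6660, 6670))
SERVER_NETS = ("10.1.",)

# Constructed sample flow records; not real log data.
SAMPLE_FLOWS = """\
2000-09-05T10:01:12 192.0.2.44:4123 -> 10.1.0.7:33270 tcp
2000-09-05T10:01:15 10.1.0.7:1045 -> 198.51.100.9:6667 tcp
2000-09-05T10:02:01 10.1.0.8:1100 -> 198.51.100.20:80 tcp
2000-09-05T10:02:40 10.1.0.7:1046 -> 198.51.100.9:6667 tcp
2000-09-05T10:03:11 192.0.2.10:5001 -> 10.1.0.8:22 tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flows(text):
    """Parse the simplified flow format; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def find_portshell_targets(flows):
    """Hosts that received a TCP connection on the Trinity portshell port."""
    return sorted({f["dst"] for f in flows
                   if f["proto"] == "tcp" and f["dport"] == TRINITY_PORTSHELL})


def find_irc_clients(flows):
    """Server-net hosts connecting to IRC ports, mapped to the peers they contacted."""
    hits = defaultdict(set)
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] in IRC_PORTS
                and f["src"].startswith(SERVER_NETS)):
            hits[f["src"]].add(f["dst"])
    return {host: sorted(peers) for host, peers in hits.items()}


def probe_portshell(host, timeout=2.0):
    """Active check: True if a TCP connect to port 33270 on host succeeds.

    A successful connect only means something is listening; confirm on the
    host before concluding it is the Trinity portshell.
    """
    try:
        with socket.create_connection((host, TRINITY_PORTSHELL), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("hosts with inbound 33270:", find_portshell_targets(flows))
    print("server-net hosts acting as IRC clients:", find_irc_clients(flows))
```

On the constructed sample, 10.1.0.7 is flagged by both checks: it accepted a connection on 33270 and twice connected out to 198.51.100.9 on 6667. A hit from either check is a reason to examine the host for a root-level compromise, not proof of one by itself; legitimate IRC use or an unrelated service on 33270 should be ruled out on the host.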
Stacheldraht consists of three parts -- a master (handler) server, a client, and an agent program -- and runs on Linux and Solaris machines. Stacheldraht performs several types of flooding attacks and has IRC flooding options. The latest Stacheldraht variants, "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps," prompt the user for a password when building the binaries.
The NIPC DDoS detection tool has been modified to detect Trinity v3 and some new variants of Stacheldraht. While the tool is designed to detect mutations of these DDoS tools, it may not detect all variants, so a clean scan does not rule out a compromise. NIPC will continue to update the detection tool as new DDoS variants are received. Currently, the NIPC tool (find_ddos) detects these DDoS tools on the following platforms: Solaris on Sparc or Intel, and Linux on Intel. The tool currently detects mstream, tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and trn-rush client. Please refer to http://www.nipc.gov/warnings/alerts/1999/trinoo.htm for more information.
Alternatively, specific technical instructions are available from CERT Coordination Center, SANS Institute, and other competent sources. CERT/CC, SANS Institute, and the University of Washington have published information on distributed denial of service exploits that can be readily found at the following web sites:
Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate.