[27250] in North American Network Operators' Group


Re: FBI / NIPC released a DDoSD detection tool?

daemon@ATHENA.MIT.EDU (Richard Steenbergen)
Thu Feb 10 15:01:16 2000

Date: Thu, 10 Feb 2000 14:27:05 -0500
From: Richard Steenbergen <ras@above.net>
To: Rodney Caston <largo@megatokyo.com>
Cc: nanog@merit.edu
Message-ID: <20000210142705.J24338@above.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <Pine.LNX.4.03.10002101038080.3643-100000@quincy.megatokyo.com>; from Rodney Caston on Thu, Feb 10, 2000 at 10:44:35AM -0600
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Feb 10, 2000 at 10:44:35AM -0600, Rodney Caston wrote:
> 
> I'm not sure if this is news or not, but looking at 
> http://www.fbi.gov/nipc/trinoo.htm - it seems the NIPC has released
> binaries, (no source code, the jerks), for tools to detect if a box has
> trin00, tribal flood net, tfn2k and some other DDoSD's on it.
> 
> So far they have a sparc solaris, intel solaris, and x86 linux binary for
> download. While I am shocked to see a government agency writing
> potentially useful code so quickly, I am disappointed they didn't
> release their source code so it can be ported to say.. FreeBSD? .. AIX ..
> HP/UX ...  and so on... 

There is also code available that sends a kill message to the individual
nodes attacking you upon reception of the attack for the original versions
of trinoo (the non-spoofed or spoofed with the last octet only udp flood
version). Unfortunately I haven't had a chance to look at the src for any
of the newer flood programs, if someone would be so kind as to forward me
a copy perhaps there are some more easily exploitable ways to use their
poorly designed distributed programs against them, or if nothing else at
least write a scanner with freely distributable source.

-- 
Richard A. Steenbergen <ras@above.net>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA

