One of the Linux machines belonging to honeyp.edu was recently broken
in to (hacked, in popular but wrong terms), and a software tool was
installed on it by the attacker. Upon detailed analysis, the security
team found that the installed software (referred to hereafter as the
"Prot11 zombie" or generically as the "malware") was primarily a
Distributed Denial-of-Service (DDoS) attack tool. It was installed to
help the attacker temporarily shut down other computer systems, either
inside Honeypot University network or on the Internet (e.g. Yahoo,
Hotmail), using well-known attack techniques like DNS flood, IP
fragment attacks, and TCP SYN flood. The Prot11 zombie has the
capability to be remotely controlled by the attacker from anywhere on
the Internet, in a stealthy way. In many ways it is similar to tools
that were used in early 2000 to cause major service disruptions to
CNN, Amazon, and eBay. Even though the Prot11 zombie was found on a
Linux system, it is possible that it could work on other platforms as
well. Methods that can be used to detect the presence of the Prot11
zombie include using network scanning tools (e.g. Nmap), examining
systems with trusted security software, and using an Intrusion
Detection System (IDS) configured to identify abnormal IP
protocols. Measures that can thwart or reduce the effectiveness of
attacks launched by such tools include egress filtering at Internet
gateways and filtering out unused protocol at the firewall. If you
are an end-user and would like your systems tested, please contact
your system administrator. If you are a system administrator, please
see the accompanying technical advisory
for technical details on detecting and dealing with this malware.
How does the tool work?
The following fictitious example shows how the Prot11 zombie could be
used to put amazon.com (or even honeyp.edu) out of business at least
for some time. While the example is fictitious, the capabilities
of the tool are real.
TCP SYN flood one of the attacks provided by the tool. Other attacks
that the Prot11 zombie can perpetrate
are DNS request flood, DNS response flood and IP fragments flood.
Note that this is in fact a very simple example. It is entirely
possible that the controller operates many of the Prot11 zombies
simultaneously, perhaps through a well-known technique of
"amplifiers", with the result of hundreds of zombies simultaneously
attacking the www.amazon.com server. It should also be pointed out
that while the source address of the attack traffic can be forged,
with some work the attack packets can be traced back to their origin,
- The attacker breaks into a
installs the Prot11 zombie, and starts it running.
- The attacker starts a controller program on his machine (or
some other compromised machine).
- The controller sends a command to the attack tool, using an
unused (and often non-monitored) network protocol. The command
instructs it to launch a TCP SYN attack against www.amazon.com,
Amazon's World Wide Web server.
- The attack tool sends TCP SYN packets to www.amazon.com at a very rapid
rate (specified by the attacker). www.amazon.com is so busy handling these
packets that no other business could be performed for some time.
- To www.amazon.com, these packets will not appear to come from where
they are actually coming from, but from some arbitrary IP address. If
the random source IP feature of the attack tool is turned on, they will
all appear to be coming from different machines.
- After a while, the controller instructs the attacker to stop.
honeyp.edu in this case, which might face some
liability for providing the platform that launched part of the
attack. For this reason, it is very important that such tools be
discovered and removed from within the
network as quickly as possible.
Other threats posed by the tool
Though the Prot11 zombie is primarily a Denial-of-Service tool, it
can also be used to help the attacker take over other systems inside
Honeypot University network. This power comes from the ability of the
attack tool to execute any commands (specified by the attacker) on the
victim machine with administrator privileges. This capability is
sometimes referred to as a "backdoor" into the compromised system,
because the attacker can return and use the system without having to
go through the standard authentication procedure. For example, the
attacker could run a key logging program to collect passwords typed on
the victim machine by the users while logging into other
machines. This then allows the attacker access to those machines.
Thus it's not difficult for the attacker to take over an entire
network in a short period of time.
How to detect presence of such tools
If you are an end-user, it is best to contact your security or system
administrator to evaluate whether your machine has the Prot11 zombie
installed. There are subtle issues that arise in testing a
system which may have been compromised, and security administrators
have experience in dealing with these issues. The following tips are
given for more technically knowledgable users, and more details can be
found in the accompanying technical advisory.
First, the system administrator should be aware of what services are
supposed to be offered by a machine. Only the corresponding protocols
(e.g. TCP which is IP protocol no. 6, UDP which IP protocol no. 17)
and ports should be open on the machine. This can be checked from a
"safe" system (one that is known to not be compromised) using scanning
software like Nmap. If any protocols or ports are found open
other than the authorized services, it's possible that you are some
attack tool. In particular, a "protocol scan" can be performed with
Nmap to see if the machine is accepting IP protocol 11 packets, which
is an indication of the Prot11 zombie running.
The Prot11 zombie may also show up in a process listing (the output
ps -ef) using the program name
[mingetty]. Note that "mingetty" is actually a
legitimate program, but the true mingetty program will show up in the
process listing without the square brackets. Also,
netstat can be used to see if there is a process
listening for raw protocol 11 packets. Warning: The
techniques just described are not a reliable way of determining that
your system is not running the Prot11 zombie! Remember that if the
Prot11 zombie has been installed, then the machine has been
compromised, and the attacker could have easily installed programs
(sometimes called "rootkits") that can make it so the zombie does not
appear in either
ps output or
output. While seeing the signs just described are signs that the
Prot11 zombie is running, lack of these signs is not an indication
that your machine is clean!
If an unknown binary is discovered on your Linux system, it can be
checked to determine if it is the Prot11 zombie. First, execute the
following command from a Linux shell (the middle character of "TfOjG"
is a capital letter O):
strings unknown-binary | grep -C3 TfOjG
If the "
unknown-binary" is the Prot11 zombie, the
following output will be seen:
/bin/csh -f -c "%s" 1> %s 2>&1
Finally, an Intrusion Detection System (IDS) can be
configured to detect the control packets for the Prot11 zombie.
In particular, the IDS should flag any IP protocol 11 packets as being
suspicious (in general, all protocols and ports other than the useful
ones should be flagged).
When attacking other sites, this tool will produce a very high
volume of network data. You might be able to notice that using tools
like sysstat, which summarize your system activity.
How to defend against these attacks
Obviously the best defense against the Prot11 zombie is to not have
your systems broken into in the first place. Systems should be kept
up-to-date with the latest security patches, and should be properly
administered to achieve a reasonable level of security. However,
despite the best efforts toward these goals, system security will
occassionally be breached. To protect against the Prot11 zombie, or
other DDoS tools, the following general techniques are useful:
- All protocols and ports other than the useful ones should be blocked
at the firewall, so that the attacker cannot communicate with the attack
tool to launch any attacks.
- The network traffic generated during attacks has a typical behavior.
IDS signatures can be developed or purchased (if not already present) to
detect the kind of traffic, and flag it as suspicious.