Attacker -> Handler(s) :
    6723/tcp   (in published source)
    15104/tcp  ("in the wild")
    12754/tcp  (in recovered source)

Agent -> Handler(s) :
    9325/udp   (in published source)
    6838/udp   ("in the wild")

Handler -> Agent(s) :
    7983/udp   (in published source)
    10498/udp  ("in the wild")
Available commands:
    stream      stream attack ! (launch a stream attack)
    servers     Prints all known servers. (display all known servers/agents)
    ping        ping all servers.
    who         tells you the ips of the people logged in
    mstream     lets you stream more than one ip at a time
--------------------------------------------------------------------------
% strings -n 3 master
socket
stream
bind
stream attack !
listen
servers
setsockopt
Prints all known servers.
fcntl
ping
You're too idle !
ping all servers.
Connection from %s
who
newserver
tells you the ips of the people log
New server on %s.
mstream
pong
lets you stream more than one ip at
Got pong number %d from %s
who
%s has disconnected (not auth'd): %s
Currently Online:
Invalid password from %s.
Socket number %d
Password accepted for connection fr
[%s]
Lost connection to %s: %s
ping
stream
Pinging all servers.
Usage: stream
mstream
Unable to resolve %s.
Usage: mstream
stream/%s/%s
MStreaming %s for %s seconds.
Streaming %s for %s seconds.
mstream/%s/%s
quit
fork
%s has disconnected.
Forked into background, pid %d
servers
Caught SIGHUP, ignoring.
Server file doesn't exist, creating
Caught SIGINT, ignoring.
The following ips are known servers
Segmentation Violation, Exiting cle
help
Caught unknown signal, This should
commands
Available commands:
--------------------------------------------------------------------------
Halloween (trinoo)
Thanksgiving (TFN)
Christmas (stacheldraht)
New Years (building/testing scanning tools for all three)
Sven Dietrich & Neil Long (analyzing "shaft" [07])
Andrew Korty & investigators at Indiana University (forensic analysis and data gathering)
[03] The DoS Project's "trinoo" distributed denial of service attack tool, David Dittrich
     http://staff.washington.edu/dittrich/misc/trinoo.analysis

[04] The "Tribe Flood Network" distributed denial of service attack tool, David Dittrich
     http://staff.washington.edu/dittrich/misc/tfn.analysis

[05] The "stacheldraht" distributed denial of service attack tool, David Dittrich
     http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

[06] TFN2K - An Analysis, Jason Barlow and Woody Thrower, Axent Security Team
     http://packetstorm.securify.com/distributed/TFN2k_Analysis-1.3.txt

[07] An analysis of the "Shaft" distributed denial of service tool, Sven Dietrich, Neil Long, and David Dittrich
     http://netsec.gsfc.nasa.gov/~spock/shaft_analysis.txt

[08] Distributed Denial of Service (DDoS) Attack Tools, David Dittrich
     http://staff.washington.edu/dittrich/misc/ddos/

[09] Distributed denial of service attack tools at Packet Storm Security
     http://packetstorm.securify.com/distributed/

[10] "Root Kits" and hiding files/directories/processes after a break-in, David Dittrich
     http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

[11] Technical details of the attack on Yahoo!
     http://packetstorm.securify.com/distributed/yahoo.txt

[12] BUGTRAQ threads on the stream.c DoS attack and its fallout
     http://staff.washington.edu/dittrich/misc/ddos/stream.txt

[13] RFC 2267 -- Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, Paul Ferguson and Daniel Senie
     ftp://ftp.isi.edu/in-notes/rfc2267.txt

[14] ngrep
     http://www.packetfactory.net/ngrep/

[15] rid
     http://theorygroup.com/Software/RID

[16] Dan Farmer & Wietse Venema's class on computer forensic analysis
     http://www.fish.com/security/forensics.html

[20] Source code for mstream
     http://securityfocus.com/templates/archive.pike?list=82&date=2000-04-29&thread=200004291748.TAA13203@lobeda.jena.thur.de
Appendix B - Snort rules for detecting mstream
alert UDP any any -> any 6838 (msg: "IDS100/ddos-mstream-agent-to-handler"; content: "newserver"; )
alert UDP any any -> any 10498 (msg: "IDS101/ddos-mstream-handler-to-agent"; content: "stream/"; )
alert UDP any any -> any 10498 (msg: "IDS102/ddos-mstream-handler-ping-to-agent" ; content: "ping";)
alert UDP any any -> any 10498 (msg: "IDS103/ddos-mstream-agent-pong-to-handler" ; content: "pong";)
alert TCP any any -> any 12754 (msg: "IDS109/ddos-mstream-client-to-handler"; flags: S;)
alert TCP any 12754 -> any any (msg: "IDS110/ddos-mstream-handler-to-client"; content: ">"; flags: AP;)
alert TCP any any -> any 15104 (msg: "IDS111/ddos-mstream-client-to-handler"; flags: S;)
alert TCP any 15104 -> any any (msg: "IDS112/ddos-mstream-handler-to-client"; content: ">"; flags: AP;)
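The Snort rules above key on a destination or source port plus a payload substring. The following Python is an added example, not part of the original analysis or of its rule set: it encodes the same port/payload checks as plain predicates and runs them over a handful of constructed packet records, so the rule logic can be exercised offline without Snort. The Packet record, the rule names and the sample traffic are all assumptions of this example; it also extends the port sets to the "published source" and "recovered source" ports from the port table, which the Appendix B rules (written for the "in the wild" ports) do not cover.

```python
"""Port/payload classifier mirroring the mstream Snort rules (added example)."""
from dataclasses import dataclass

# Port sets taken from the port table in the analysis.
HANDLER_TCP_PORTS = {6723, 15104, 12754}     # attacker (client) -> handler
AGENT_TO_HANDLER_UDP = {9325, 6838}          # agent -> handler ("newserver", "pong")
HANDLER_TO_AGENT_UDP = {7983, 10498}         # handler -> agent ("stream/", "mstream/", "ping")


@dataclass
class Packet:
    """Minimal packet record (hypothetical; a real deployment would decode pcap)."""
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    flags: str       # TCP flags as Snort letters ("S", "AP"); "" for UDP
    payload: bytes


def _tcp_ack_push(p):
    return "A" in p.flags and "P" in p.flags


# (rule name, predicate).  Each entry mirrors one IDS100..IDS112 rule.
# NOTE: the pong rule below keys on the agent->handler ports from the port
# table, because "pong" is the agent's reply to the handler's "ping".
RULES = [
    ("ddos-mstream-agent-to-handler",
     lambda p: p.proto == "udp" and p.dport in AGENT_TO_HANDLER_UDP
     and b"newserver" in p.payload),
    ("ddos-mstream-handler-to-agent",          # "stream/" also matches "mstream/"
     lambda p: p.proto == "udp" and p.dport in HANDLER_TO_AGENT_UDP
     and b"stream/" in p.payload),
    ("ddos-mstream-handler-ping-to-agent",
     lambda p: p.proto == "udp" and p.dport in HANDLER_TO_AGENT_UDP
     and b"ping" in p.payload),
    ("ddos-mstream-agent-pong-to-handler",
     lambda p: p.proto == "udp" and p.dport in AGENT_TO_HANDLER_UDP
     and b"pong" in p.payload),
    ("ddos-mstream-client-to-handler",         # SYN to a handler control port
     lambda p: p.proto == "tcp" and p.dport in HANDLER_TCP_PORTS and p.flags == "S"),
    ("ddos-mstream-handler-to-client",         # handler prompt ">" on ACK/PSH
     lambda p: p.proto == "tcp" and p.sport in HANDLER_TCP_PORTS
     and _tcp_ack_push(p) and b">" in p.payload),
]


def classify(packet):
    """Return the names of all rules the packet matches (empty list if none)."""
    return [name for name, pred in RULES if pred(packet)]


def scan(packets):
    """Return (index, [rule names]) for every packet that matched at least one rule."""
    hits = []
    for i, p in enumerate(packets):
        names = classify(p)
        if names:
            hits.append((i, names))
    return hits


# Constructed sample traffic (not captured data); the last record is benign noise.
SAMPLE = [
    Packet("udp", 40000, 6838, "", b"newserver"),
    Packet("udp", 6838, 10498, "", b"stream/10.0.0.5/60"),
    Packet("udp", 6838, 10498, "", b"ping"),
    Packet("udp", 10498, 6838, "", b"pong"),
    Packet("tcp", 51000, 15104, "S", b""),
    Packet("tcp", 15104, 51000, "AP", b"> "),
    Packet("udp", 53, 53, "", b"pong"),
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE):
        print(f"packet {idx}: {', '.join(names)}")
```

One thing this makes visible: the port table above lists 6838/udp as the agent-to-handler port, while rule IDS103 (agent pong to handler) watches destination port 10498, which the table assigns to handler-to-agent traffic. When deploying the Snort rules, confirm the pong direction against your own captures before trusting that rule to fire.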
--------------------------------------------------------------------------
working         1120/tcp        # Kerberos working daemon
--------------------------------------------------------------------------