The trinoo distributed denial-of-service system consists of 3 parts:
The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target.
The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".
The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. Starting the broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.
There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:
- - mtimer: Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.
- - dos: Performs a Denial of Service attack on a machine. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.
- - mdie: Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known, but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.
- - mping: Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png 144 adsl".
- - mdos: This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".
- - msize: This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".
The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left.
There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.
The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target.
The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".
The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. Starting the broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.
There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:
- - mtimer: Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.
- - dos: Performs a Denial of Service attack on a machine. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.
- - mdie: Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known, but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.
- - mping: Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png 144 adsl".
- - mdos: This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".
- - msize: This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".
The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left.
There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.
DOWNLOAD TRINOO
hi please help donwload software Trinoo
ReplyDeleteasdsada
ReplyDeleteHi, please can you help me ? ... when i run daemon with ./ns, it starts to print message recvfrom: Socket operation on non-socket, where is problem ?
ReplyDelete