ISSalert: Internet Security Systems Security Alert: "mstream"
Distributed Denial of Service Tool (fwd)
dittrich at cac.washington.edu
Tue May 2 09:50:14 PDT 2000
Please note the following X-Force advisory summarizing "mstream".
It should be noted that the information about finding potential mstream
handlers/agents with "find" is *only* valid if there is no root kit
present on the system. Both the handler and agent systems found "in the
wild" in an mstream network had rootkits installed on them (as well as
two other Linux systems compromised on the UW campus in the past two
weeks used for sniffer and classic point-to-point DoS attacks).
You must first determine if you can trust your operating system
binaries, otherwise you will find nothing on the system (false negative)
and the attackers will still control your system. This argues for
pre-emptive measures in security, such as file system integrity checking
and preparing your own "anti-rootkit" with clean operating system
binaries *before* and incident occurs.
For more information on how to get around rootkits, see:
.... and Appendices D and E in the following analysis:
Dave Dittrich Client Services
dittrich at cac.washington.edu Computing & Communications
University of Washington
Dave Dittrich / dittrich at cac.washington.edu [PGP Key]</a>
PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
---------- Forwarded message ----------
Date: Tue, 2 May 2000 12:18:39 -0400 (EDT)
Subject: ISSalert: Internet Security Systems Security Alert: "mstream"
Distributed Denial of Service Tool
From: X-Force <xforce at iss.net>
To: alert at iss.net
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo at iss.net Contact alert-owner at iss.net for help with any problems!
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Alert
May 1, 2000
"mstream" Distributed Denial of Service Tool
A new Distributed Denial of Service tool, mstream, has been discovered at
the University of Washington. It has also been seen on networks at Penn
State and Indiana University. A Distributed Denial of Service attack is
designed to bring a network down by flooding target machines with large
amounts of traffic. The source code for a version of the program was
recently posted anonymously to the BugTraq and VULN-DEV
e-mail lists hosted by SecurityFocus. This tool includes a "master
controller" and a "zombie." The master controller is the portion of the tool
that controls all of the zombie agents. An attacker connects to the master
controller using telnet to control the zombies.
The attack the zombie performs is a modification of the "stream.c" attack.
Most of the source code in the zombie that is used to flood the target
computers originated from stream.c. The zombie sends TCP ACK packets to the
target hosts using random ports. This denial of service attack usually does
not have much effect coming from a single machine. However, the effects of
the attack are intensified in the new distributed format used by mstream. A
full explanation of this attack can be found at
There have been two versions of mstream made public: one that was found "in
the wild", and another that was posted to security mailing lists. They are
functionally the same, but they have different passwords and use different
port numbers for communication.
This Distributed Denial of Service (DDoS) tool poses the same dangers as
earlier tools including Trin00 and Tribe Flood Network. The stream.c attack
slows a machine down by using up CPU cycles. The attack also consumes
network bandwidth. In addition to the incoming ACK packets, the target host
will consume bandwidth when it tries to send TCP RST packets to non-existent
IP addresses. Routers will then return ICMP host/network unreachable packets
to the victim, resulting in more bandwidth starvation. The distributed
method of attack multiplies the effect on the CPU, as well as consuming
large amounts of network bandwidth.
The mstream architecture is a standard 3-tier design used by most
Distributed Denial of Service tools. The client is the machine that an
attacker uses to launch the attack. The client launches the attack through a
connection to the master. A master, in the file master.c, controls all of
the zombies. The zombies, in the file server.c, perform the "stream.c"
denial of service attack on the victim. Each master can control any number
of zombies, and each zombie can have any number of masters controlling it.
The mstream tool uses no encryption to hide its activities on the network.
There have been 3 different versions found of this tool found, using
different ports. The master source code found in the wild listens on TCP
port 12754 for client requests. To connect, a client must send the password,
which is "N7%diApf!". In the version that was posted to BugTraq and
VULN-DEV, the TCP port is 6723, and the password is "sex". Another binary
found in the wild listens on port 15104 for client connections. After
sending the password, an attacker gets a prompt of "> ". Typing "help"
displays the following information:
stream -- stream attack !
servers -- Prints all known servers.
ping -- ping all servers.
who -- tells you the ips of the people logged in
mstream -- lets you stream more than one ip at a time
The master controller also listens on a UDP port for registrations from
zombies. This port is 6838 in the version found at the universities and 9325
in the version posted to security mailing lists. A zombie can send two
different packets, one is "pong", which is a response from a ping request.
The other is "newserver", which adds that IP address to the list of servers
in the file "..." (wild version) or ".sr" (mailing list version) in the
directory in which the master controller is running. The IP addresses are
encoded by adding 50 to the ASCII value of each character in the IP address,
so "126.96.36.199" becomes "dbj`dc`d`cj<". The "<" is a newline
character (ASCII 10) plus 50.
Zombies listen on UDP port 10498 (wild version) or 7983 (mailing list
version) for commands from the master controller. The 3 commands that can be
sent to the zombies are "ping", "stream", and "mstream". The ping request
receives a "pong" from the server. The pong goes to UDP port 6838 (wild
version) or 9325 (mailing list version). In the wild version of mstream, the
"stream" command is not used, it just sends "mstream" commands. The
"mstream" command on the network looks similar to the following:
In the above command, x.x.x.x represents IP address(es) to attack, and y is
the time to attack (in seconds). The "stream" command is of a similar
format, but allows only one IP address to be sent. It looks like this:
To locate the mstream master or zombie on a system, use the following
command for each filesystem on the machine:
find / -mount -type f -print | xargs grep -l newserver
Replace / with whichever file system you want to search. This may find files
that are not part of mstream, such as /usr/bin/xchat, but you can verify
each file found by using the strings command on it. The strings output of
the zombie, from server.c, will contain this text:
Must be ran as root.
Forked into background, pid %d
Running strings on the master will find this text:
Connection from %s
New server on %s.
Got pong number %d from %s
%s has disconnected (not auth'd): %s
Invalid password from %s.
Password accepted for connection from %s.
Lost connection to %s: %s
If you know which port the master controller is listening on, you can use
lsof. Use this command to locate the master: "lsof -i TCP:port." The result
will be similar to the following:
[root at berry]# lsof -i TCP:12754
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mstream 3664 juser 3u IPv4 721759 TCP *:12754 (LISTEN)
This will locate the process that is listening on TCP port 12754. To find
the path to the executable, use the command "lsof -c <command> -a -d txt":
[root at berry]# lsof -c mstream -a -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mstream 3664 juser txt REG 8,1 33185 306211
To kill the process, delete the master controller executable, check the
"..." or ".sr" file, and decode the IP addresses of all of the zombies. The
following shell command will decrypt the file:
[root at berry]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'
ISS' SAFEsuite intrusion detection system, RealSecure 5.0, will include new
attack signatures to detect all levels of communications between the mstream
DDoS components. ISS' SAFEsuite network security assessment product,
Internet Scanner, will have checks available to detect mstream DDoS master
and zombie in the next X-Press Update.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.
This tool was researched by the ISS X-Force. The X-Force would like to thank
Dave Dittrich at the University of Washington and Andrew Korty at Indiana
University for their initial information on mstream. X-Force would also
like to thank Tim Yardley for his analysis of the stream.c attack that was
posted to BugTraq in January 2000.
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services, and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.
Copyright (c) 2000 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce at iss.net
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce at iss.net of
Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Linux