National Infrastructure Protection Center Information System Advisory 00-044
mstream Distributed Denial of Service Tool
2200 EDT, 24 May 2000
The potential represented by the "mstream" Distributed Denial of Service (DDoS) exploit is a serious and continuing threat. This advisory provides an update to a previously delivered NIPC DDoS detection tool that now allows users to identify the presence of mstream on host systems. The NIPC recommends that all computer network owners and organizations examine their systems for evidence of DDoS tools, including mstream.
The mstream DDoS exploit enables intruders to use multiple, internet-connected systems to launch packet flooding denial of service attacks against one or more target systems. It was first discovered in late April 2000 on a compromised Linux system.
The NIPC tool (find_ddos) detects the DDoS exploit in the following operating systems: Solaris on Sparc or Intel platforms, and Linux on Intel platforms. The tool has been designed to detect mstream as well as tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and trn-rush client.
The download is for Solaris 2.5.1, 2.6, and Solaris 7 on the Sparc or Intel platforms, and Linux on Intel platforms. The tool has not been tested on Solaris 8. Although the current configuration of mstream is not known to run on Windows 95/98/NT-based PCs, certain versions of Trinoo do. Please refer to http://www.nipc.gov/trinoo.htm for more information.
The following links provide tools and information for detecting DDoS exploits:
README
Solaris on Sparc Executable File (tar, compressed format) version 4.0
Linux on Intel Executable File (tar, compressed format) version 4.0
Solaris on Intel Executable File (tar, compressed format) version 4.0
Checksums
(The MD5 Checksums are provided to verify the integrity of the files.)