Signature Detail

DDOS: TRIN00 Master to Daemon Command (xyz)

This signature detects the command string "xyz" in a UDP packet sent from port 27444. This can indicate a Trin00 master is attempting to command a Trin00 daemon to DoS multiple specified IP addresses using random (0-65534) UDP ports. Attackers can use Trin00, a distributed-denial-of-service (DDoS) attack tool, to flood IP addresses with packets from forged source addresses.

Extended Description

Trin00 enables an attacker to cause a DDoS or crash the target system by controlling master server(s) and daemon host(s).

References

• CVE: CVE-2000-0138
• URL: http://staff.washington.edu/dittrich/misc/trinoo.analysis