Trinoo Detection

• Look for clients listening to UDP port 27444

• Look for TCP servers on port 27664

• Look for SYN attacks with signature:

  SYN packet 1 port: x
  
  SYN packet 2 port: y= (srandom(x); rand())
  SYN packet 3 port: z= (srandom(y); rand())

• Look for string “l44adsl” or “betalmostdone” in network traffic

Previous slide

Next slide

Back to first slide

View graphic version