Quick Tips on Zombie Zapper Usage
---------------------------------

Here are a few simple tips on the usage of ZZ.


What It Does
------------

Zombie Zapper works against Trinoo, TFN, Stacheldraht, Troj_Trinoo (the
trinoo daemon ported to Windows), and Shaft. Assuming that the default
passwords have not been changed, you can simply use the same commands that
an attacker would use to stop the flood. Against Trinoo the command stops
the daemon entirely (although it is typically set to be restarted by cron,
silently awaiting more commands), and against Troj_Trinoo the daemon is
unusable until a reboot; against the other tools only the flooding stops
and the daemon keeps running. That is actually an advantage: you can tell
the daemon to stop flooding without killing it, which buys you a little
more time to track down where the zombies are and, more importantly, how
they got there in the first place.

ZZ assumes the passwords have not been changed. Numerous pieces of
detection code work the same way, except that they only tell you that you
have zombies on your network; ZZ goes on to send the stop command. All of
them depend on the default passwords being in place.

This is why this software will not work against TFN2K, which forces
you to use a new password during setup.


Help
----

Running ZZ with the -h option reveals the following:

Zombie Zapper v1.2 - DDoS killer
Bugs/comments to thegnome@razor.bindview.com
More info and free tools at http://razor.bindview.com
Copyright (c) 2000 BindView Development

USAGE:
./zz [-a 0-5] [-c class C] [-d dev] [-h] [-m host] [-s src] [-u udp] [-v]
hosts

  -a antiddos type to kill:
       0  types 1-4 (default)
       1  trinoo
       2  tfn
       3  stacheldraht
       4  trinoo on Windows
       5  shaft (requires you use the -m option)
  -c class C in x.x.x.0 form
  -f time in seconds to send packets (default 1)
  -d grab local IP from dev (default eth0)
  -h this help screen
  -m my host being flooded (used with -a 5 above, only one host)
  -s spoofed source address (just in case)
  -u UDP source port for trinoo (default 53)
  -v verbose mode (use twice for more verbosity)
  host(s) are target hosts (ignored if using -c)

Let me explain each option in a little more detail. 

 - The -a option is for specifying the type of DDoS you wish to zap. Not
   specifying the -a option or using -a 0 will assume types 1 through 4
   since they do not require additional input. Using -a 5 will require you
   to specify the hostname of the system being flooded.
 - The -c option allows you to specify a class C for sending packets
   to. It does so in x.x.x.0 through x.x.x.255 order.
 - The -d option allows you to specify which device to grab the
   local IP address from (Unix only). Useful for unix boxes with
   more than one interface.
 - The -f option sets how many seconds zz keeps sending its packets
   (default 1). A zombie that is busy flooding can be hard to reach, so
   depending on the topology you may have to send a small flood of your
   own back at it. zz sends about 50 packets per second; lengthen the
   timer with this option when a single second is not enough.
 - The -m option allows you to specify the name of the host you wish a Shaft
   agent to stop flooding. Used with -a 5, and it accepts only one host.
 - The -s option allows you to spoof your source address (Unix only).
   This is useful for getting into your DMZ, and also helps hide
   where you are coming from in case the attackers have sniffers running.
 - The -u option allows you to alter the source UDP port on the
   trinoo check (default 53). Once again, useful for getting into the DMZ,
   since filters that let DNS replies through will usually pass it.
 - The -v option is verbose mode. For the curious who wish to see
   lots of stuff roll by during program execution. Use twice for tons of
   useless stuff on the screen.
 - Everything that is not an option is considered a target host on
   the command line. It is recommended that you use IP addresses, but
   host names will work just fine. If using the -c option, command line
   target hosts are ignored.


Against Your Own Network
------------------------

You check your firewall logs, you notice a slowdown on your Internet 
access, you see a bunch of packets flying out toward another site.
Somewhere on your network a number of machines are flooding a target.
Where do you start looking for the zombies so you can shut them down? Run
Zombie Zapper against your own IP addresses and, assuming the default
passwords in the distributed denial of service code have not been changed,
you can shut them down immediately.

For example, if you have 192.168.1.x and 192.168.2.x, you could do the
following:

  ./zz -c 192.168.1.0
  ./zz -c 192.168.2.0

If you have a list of IP addresses in a file, try the following:

  ./zz $(cat ip_file.txt)

(The shell splits the file's contents on newlines and spaces, so each
address becomes one argument.)

Now they are quickly shut down.
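The section above starts from firewall logs showing packets flying out toward another site. As an added example, not zz's own code, the following Python script does that triage step: it counts outbound packets per internal source, picks out the hosts that hammered a single outside address past a threshold, and builds the zz command line for them (including the -m host that -a 5 needs, and a refusal when there is more than one victim, since -m takes only one). The iptables-style LOG line format and the internal address ranges are assumptions, and every log line is constructed for the example.

```python
"""Added example (not zz's own code): pull the zombies out of a firewall log and
build the zz command line for them. The iptables-style LOG line format is an
assumption and every log line below is constructed for the example."""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]  # assumed: our nets
LOG_RE = re.compile(r"SRC=(?P<src>\d+(?:\.\d+){3}) DST=(?P<dst>\d+(?:\.\d+){3})")


def _line(src, dst, proto="UDP", dpt=7):
    """One constructed iptables-style LOG line; timestamp and host are fixed filler."""
    return (f"Jan  7 03:12:01 fw kernel: IN=eth0 OUT=eth1 SRC={src} DST={dst} "
            f"LEN=1052 PROTO={proto} SPT=1024 DPT={dpt}")


# Constructed log: two zombies hammering one victim, plus traffic that must not match.
SAMPLE_LOG = (
    [_line("192.168.1.17", "203.0.113.9")] * 150                 # zombie, UDP flood
    + [_line("192.168.2.5", "203.0.113.9")] * 120                # second zombie, same victim
    + [_line("192.168.1.20", "198.51.100.4", "TCP", 80)] * 3     # ordinary web traffic
    + [_line("192.168.1.17", "192.168.2.50")] * 200              # internal to internal
    + [_line("198.51.100.77", "192.168.1.3")] * 500              # inbound, not ours to zap
)


def outbound_pairs(lines, internal=INTERNAL):
    """Yield (src, dst) for every logged packet leaving our address space."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if any(src in n for n in internal) and not any(dst in n for n in internal):
            yield str(src), str(dst)


def find_flooders(lines, threshold=100, internal=INTERNAL):
    """Internal hosts with at least `threshold` packets to one outside address.
    Returns {src: (dst, count)} using each source's busiest destination."""
    counts = Counter(outbound_pairs(lines, internal))
    flooders = {}
    for (src, dst), n in counts.items():
        if n >= threshold and n > flooders.get(src, (None, 0))[1]:
            flooders[src] = (dst, n)
    return flooders


def zz_argv(flooders, kind=0, seconds=1):
    """Build the zz command line. -a 5 (shaft) also needs -m with the ONE flooded host."""
    argv = ["./zz", "-a", str(kind), "-f", str(seconds)]
    if kind == 5:
        victims = {dst for dst, _ in flooders.values()}
        if len(victims) != 1:
            raise ValueError("-a 5 takes exactly one -m host; run zz once per victim")
        argv += ["-m", victims.pop()]
    return argv + sorted(flooders, key=ip_address)


if __name__ == "__main__":
    # Pass a log file as the first argument, or run with none to use the constructed log.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    found = find_flooders(lines)
    for src, (dst, n) in sorted(found.items()):
        print(f"{src} sent {n} packets to {dst}", file=sys.stderr)
    print(" ".join(zz_argv(found)))
```

The threshold is deliberately crude; a packet count per source and destination pair over whatever window your log covers is enough to separate a flooding zombie from a busy workstation, and anything it flags is cheap to confirm by hand before you run zz against it. Note that the inbound and internal-only lines in the sample are excluded on purpose: zz is for your own hosts, and the "Against Others" section below explains why the inbound sources are a different matter.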


Against Others
--------------

While it is possible to run this against a site that is flooding
*you*, there are a few things to keep in mind:

 - The site flooding you could have routing rules and firewall code
   in place that would prevent you from running ZZ against them, in
   spite of the fact that an attacker is able to do so.
 - The packets could be forged, so you could be running it against
   the wrong site.
 - It is very possible that the zombie site flooding you could think
   that *you* are the attacker, and you could be visited by the Feds
   (try explaining *that* to your boss!).
 - Misusing the -f option will probably get the Feds involved anyway.

In other words, use this against another site at your own risk. It is
not condoned.

That being said, there is nothing to prevent you from sending the
packets to the offending addresses. If you are collecting them from
logs you can easily send the commands to those addresses to try and
get the floods to stop.

The more militant may wish to use ZZ as a "strike back" defense tied
in with IDS or firewall software (especially open-sourced solutions
that support or can be modified to support other open-sourced
solutions).


Shouts and Thanks
-----------------

Dan Walsh, Benny Czarny, Kostia Grebelsky, Alexey Piskovatskov, Leon
Zborovsky and Dima Netes of BindView Development for porting and
testing the original version of zz to NT. The BindView RAZOR Team for
helping with testing, adding comments and insights, and technical
assistance, especially Seth McGann and Todd Sabin for their work on the
Windows Trinoo Trojan. And more kudos to Todd who now handles the NT
version.
