Quick Tips on Zombie Zapper Usage
---------------------------------

Here are a few simple tips on the usage of ZZ.


What It Does
------------

Zombie Zapper works against Trinoo, TFN, and Stacheldraht. Assuming
that the default passwords have not been changed, you can simply use
the same commands that an attacker would use to stop the flood. On
Trinoo, it does stop the daemon entirely (although it is typically
set to be restarted by cron, silently awaiting more commands), but
on TFN and Stacheldraht the flooding just stops. This gives you the
advantage of telling the daemon to stop flooding without stopping
the daemon, allowing you to take a little more time in tracking down
where they are, and more importantly, how they got there in the first
place.

ZZ assumes the passwords have not been changed. There are numerous
examples of detection code that all do the same thing, except that they
simply tell you that you have zombies on your network. All of them
depend on the default passwords being in place.

This is why this software will not work against TFN2K, which forces
you to use a new password during setup.


Help
----

Running ZZ with the -h option reveals the following:
USAGE: ./zz [-a 0-3] [-c class C] [-d dev] [-f sec] [-h] [-s src] [-u sport] [-v] hosts

  -a antiddos type to kill:
       0  all three (default)
       1  trinoo
       2  tfn
       3  stacheldraht
  -c class C in x.x.x.0 form
  -d grab local IP from dev (default eth0)
  -f time in second to send packets (default 1)
  -h this help screen
  -s spoofed source address (just in case)
  -u UDP source port for trinoo (default 53)
  -v verbose mode
  host(s) are target hosts (ignored if using -c)

Let me explain each option in a little more detail. 

 - The -a option is mainly for testing. Omitting it, or using -a 0,
   sends all three kill packets toward the specified targets.
 - The -c option allows you to specify a class C for sending packets
   to. It does so in x.x.x.0 through x.x.x.255 order.
 - The -d option allows you to specify which device to grab the
   local IP address from (Unix only). Useful for unix boxes with
   more than one interface.
 - The -f option sets how long (in seconds) packets are sent. Depending
   on topology, reaching a zombie that is busy flooding means sending
   a small flood of your own back at it. zz sends 10 packets per second,
   and this option lets you change how long it keeps sending.
 - The -s option allows you to spoof your source address (Unix only).
   This is useful for getting into your DMZ, and to also help hide
   where you are coming from in case attackers have sniffers running.
 - The -u option allows you to alter the source UDP port on the 
   trinoo check. Once again, useful for getting into the DMZ.
 - The -v option is verbose mode. For the curious who wish to see
   lots of stuff roll by during program execution.
 - Everything on the command line that is not an option is considered
   a target host. It is recommended that you use IP addresses, but host
   names will work just fine. If the -c option is used, command line
   target hosts are ignored.


Against Your Own Network
------------------------

You check your firewall logs, you notice a slowdown on your Internet 
access, you see a bunch of packets flying out toward another site.
Somewhere on your network a number of machines are flooding a target.
Where do you start to look for zombies to shut them down? Run zombie
zapper against your own IP addresses, and assuming the default passwords
in the distributed denial of service code have not been changed, you can
shut them down immediately.

For example, if you have 192.168.1.x and 192.168.2.x, you could do the
following:

  ./zz -c 192.168.1.0
  ./zz -c 192.168.2.0

If you have a list of IP addresses in a file, try the following:

  ./zz `cat ip_file.txt | tr '\n' '  '`

Now they are quickly shut down.
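As an added example that is not part of the Zombie Zapper distribution, the shell functions below do the log triage this section describes: count outbound packets per internal host and destination in a firewall log, write the hosts that look like zombies to ip_file.txt, and hand that list to zz. The log format, the sample lines and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Zombie Zapper distribution: shortlist the
# hosts that look like zombies from a firewall log and feed them to zz.
#
# The log format is constructed for this example:
#   <time> OUT|IN <src-ip> -> <dst-ip>:<dst-port> <proto>
# Adjust the awk field numbers to match your own firewall's log.

# Write a constructed sample log to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
10:00:01 OUT 192.168.1.10 -> 203.0.113.5:80 udp
10:00:01 OUT 192.168.1.10 -> 203.0.113.5:80 udp
10:00:01 OUT 192.168.1.10 -> 203.0.113.5:80 udp
10:00:02 OUT 192.168.1.22 -> 203.0.113.5:80 udp
10:00:02 OUT 192.168.1.22 -> 203.0.113.5:80 udp
10:00:02 OUT 192.168.1.22 -> 203.0.113.5:80 udp
10:00:02 OUT 192.168.1.22 -> 203.0.113.5:80 udp
10:00:03 OUT 192.168.1.30 -> 198.51.100.9:443 tcp
10:00:03 IN  198.51.100.9 -> 192.168.1.30:51234 tcp
10:00:04 OUT 192.168.1.30 -> 198.51.100.9:443 tcp
EOF
}

# flood_sources LOG THRESHOLD
# Print, one per line and sorted, every internal source that sent more
# than THRESHOLD outbound packets to a single destination address.
flood_sources() {
    awk -v thr="$2" '
        $2 == "OUT" { split($5, dst, ":"); n[$3 " " dst[1]]++ }
        END {
            for (k in n) if (n[k] > thr) { split(k, p, " "); hit[p[1]] = 1 }
            for (s in hit) print s
        }' "$1" | sort
}

# zap_from_log LOG THRESHOLD
# Save the shortlist to ip_file.txt and run zz against those hosts.
# Set ZZ to another command (e.g. a function that echoes its arguments)
# to see the command line without sending any packets.
zap_from_log() {
    flood_sources "$1" "$2" > ip_file.txt
    if [ ! -s ip_file.txt ]; then
        echo "no flooding sources found in $1" >&2
        return 1
    fi
    # Equivalent of: ./zz `cat ip_file.txt | tr '\n' ' '`
    ${ZZ:-./zz} -v $(cat ip_file.txt)
}
```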


Against Others
--------------

While it is possible to run this against a site that is flooding
*you*, there are a few things to keep in mind:

 - The site flooding you could have routing rules and firewall code
   in place that would prevent you from running ZZ against them, in
   spite of the fact that an attacker is able to do so.
 - The packets could be forged, so you could be running it against
   the wrong site.
 - It is very possible that the zombie site flooding you could think
   that *you* are the attacker, and you could be visited by the Feds
   (try explaining *that* to your boss!).
 - Misusing the -f option will probably get the Feds involved anyway.

In other words, use this against another site at your own risk. It is
not condoned.

That being said, there is nothing to prevent you from sending the
packets to the offending addresses. If you are collecting them from
logs you can easily send the commands to those addresses to try and
get the floods to stop.

The more militant may wish to use ZZ as a "strike back" defense tied
in with IDS or firewall software (especially open-sourced solutions
that support or can be modified to support other open-sourced
solutions).


Shouts and Thanks
-----------------

Dan Walsh, Benny Czarny, Kostia Grebelsky, Alexey Piskovatskov, Leon
Zborovsky and Dima Netes of BindView Development for porting the code to
NT and testing it. The BindView RAZOR Team for helping with testing,
adding comments and insights, and technical assistance.
