Bugtraq mailing list archives

Re: Analysis of "stacheldraht"


From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Tue, 11 Jan 2000 20:38:17 -0800


On Thu, 30 Dec 1999, Dave Dittrich wrote:

==========================================================================

      The "stacheldraht" distributed denial of service attack tool

==========================================================================

For those who are using this analysis for IDS signatures, etc.,
there is a typo in the analysis.

In addition to finding an active handler, the agent performs a test
to see if the network on which the agent is running allows packets to
exit with forged source addresses.  It does this by sending out an
ICMP_ECHOREPLY packet with a forged IP address of "3.3.3.3", an ID of
^^^^^^^^^^^^^^
666, and the IP address of the agent system (obtained by getting the
hostname, then resolving this to an IP address) in the data field of
the ICMP packet.  (Note that it also sets the Type of Service field to
7 on this particular packet, while others have a ToS value of 0.)
...
These packets (as seen by tcpdump and tcpshow) are shown here:

------------------------------------------------------------------------------
# tcpdump icmp
 . . .
14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
 . . .
------------------------------------------------------------------------------

The tcpdump trace is correct.  The 3.3.3.3 spoof test packet is an
ICMP_ECHO packet, not an ICMP_ECHOREPLY.

Thanks to bkubesh () cisco com for pointing this out.

--
Dave Dittrich                 Client Services
dittrich () cac washington edu   Computing & Communications
                              University of Washington

http://www.washington.edu/People/dad/
Dave Dittrich / dittrich () cac washington edu [PGP Key]

PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB  49 A1 0C D0 8E 0C D0 BE  C8 38 CC B5
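As an added illustration for readers building IDS signatures from this correction (example code, not part of the original post or the stacheldraht analysis): a small parser over raw IPv4/ICMP bytes that flags the spoof-test packet only when it is an echo request (type 8) from the forged source 3.3.3.3 with ICMP id 666 and ToS 7, and returns the data field for review since the analysis says the agent's own address is carried there. The sample packets are constructed here to mirror the quoted tcpdump lines; the exact layout of the data field is not given on the page, so the dotted-string form used below is an assumption.

```python
import ipaddress
import struct

# Fields of the stacheldraht spoof test as described in the analysis, with the
# correction above applied: an ICMP echo *request* (type 8), not an echo reply.
ICMP_ECHO, ICMP_ECHOREPLY = 8, 0
SPOOF_SRC, SPOOF_ID, SPOOF_TOS = "3.3.3.3", 666, 7


def parse_ipv4_icmp(pkt):
    """Pull the fields the signature needs from a raw IPv4 datagram.
    Returns None for non-IPv4, non-ICMP or truncated packets; checksums are not verified."""
    if len(pkt) < 20:
        return None
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, _sum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(pkt) < ihl + 8:
        return None
    itype, _code, _isum, iid, _seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "tos": tos, "type": itype, "id": iid, "data": pkt[ihl + 8:]}


def match_spoof_test(pkt):
    """Return the parsed fields if pkt matches the spoof-test signature, else None.
    The data field (agent's own address per the analysis) is included for review."""
    f = parse_ipv4_icmp(pkt)
    if (f and f["type"] == ICMP_ECHO and f["src"] == SPOOF_SRC
            and f["id"] == SPOOF_ID and f["tos"] == SPOOF_TOS):
        return f
    return None


def build_icmp(src, dst, tos, itype, iid, data):
    """Constructed test input only: a minimal IPv4/ICMP datagram with checksums zeroed."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, iid, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


# Constructed packets mirroring the tcpdump lines quoted above; the dotted-string
# payload is an assumption about how the agent encodes its address.
SPOOF_TEST = build_icmp("3.3.3.3", "192.168.0.1", 7, ICMP_ECHO, 666, b"10.0.0.1")
NORMAL_PING = build_icmp("10.0.0.1", "192.168.0.1", 0, ICMP_ECHO, 666, b"")
REPLY_FROM_SPOOF_SRC = build_icmp("3.3.3.3", "192.168.0.1", 7, ICMP_ECHOREPLY, 666, b"10.0.0.1")
```

The last sample shows why the correction matters: a rule written for ICMP_ECHOREPLY would match the third packet and miss the real spoof test.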
