Bugtraq mailing list archives
Re: Analysis of "stacheldraht"
From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Tue, 11 Jan 2000 20:38:17 -0800
On Thu, 30 Dec 1999, Dave Dittrich wrote:
==========================================================================
 The "stacheldraht" distributed denial of service attack tool
==========================================================================
For those who are using this analysis for IDS signatures, etc., there is a typo in the analysis.
In addition to finding an active handler, the agent performs a test to
see if the network on which the agent is running allows packets to
exit with forged source addresses. It does this by sending out an
ICMP_ECHOREPLY packet with a forged IP address of "3.3.3.3", an ID of
^^^^^^^^^^^^^^
666, and the IP address of the agent system (obtained by getting the
hostname, then resolving this to an IP address) in the data field of
the ICMP packet. (Note that it also sets the Type of Service field to
7 on this particular packet, while others have a ToS value of 0.)

...

These packets (as seen by tcpdump and tcpshow) are shown here:

------------------------------------------------------------------------------
# tcpdump icmp
. . .
14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
. . .
------------------------------------------------------------------------------
The tcpdump trace is correct. The 3.3.3.3 spoof test packet is an ICMP_ECHO packet, not an ICMP_ECHOREPLY. Thanks to bkubesh () cisco com for pointing this out.

--
Dave Dittrich
Client Services                 dittrich () cac washington edu
Computing & Communications      University of Washington

Dave Dittrich / dittrich () cac washington edu [PGP Key] http://www.washington.edu/People/dad/
PGP 6.5.1 key fingerprint: FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
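The corrected signature in the post (ICMP echo request, not reply, from spoofed source 3.3.3.3, ICMP id 666, ToS 7, agent address in the data field) as a small detection check over raw IPv4/ICMP bytes. This is an added example, not code from the post or from the stacheldraht analysis; the sample packets are constructed locally for the check and the `build_packet` helper leaves checksums zero because it only produces test input for the parser.

```python
import socket
import struct

# Spoof-test signature as corrected in the post: ICMP echo *request* (type 8),
# forged source 3.3.3.3, ICMP id 666, IP ToS 7, agent IP (dotted quad) in the data.
SPOOF_TEST_SRC = "3.3.3.3"
SPOOF_TEST_ID = 666
SPOOF_TEST_TOS = 7
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def parse_ipv4_icmp(pkt: bytes):
    """Return (tos, src, dst, icmp_type, icmp_id, data) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(pkt) < ihl + 8:
        return None  # not IPv4, not ICMP, or truncated ICMP header
    icmp = pkt[ihl:]
    icmp_type, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", icmp[:8])
    return tos, socket.inet_ntoa(src), socket.inet_ntoa(dst), icmp_type, icmp_id, icmp[8:]


def matches_spoof_test(pkt: bytes) -> bool:
    """True when the packet carries the stacheldraht spoof-capability test signature."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return False
    tos, src, _dst, icmp_type, icmp_id, _data = parsed
    return (icmp_type == ICMP_ECHO_REQUEST and src == SPOOF_TEST_SRC
            and icmp_id == SPOOF_TEST_ID and tos == SPOOF_TEST_TOS)


def build_packet(src, dst, tos, icmp_type, icmp_id, data: bytes) -> bytes:
    """Constructed test input only: IPv4 + ICMP header with checksums left zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


# Constructed samples: the packet from the corrected text, and the echo-reply
# variant a rule written from the original typo would have looked for instead.
SPOOF_TEST_PKT = build_packet("3.3.3.3", "192.168.0.1", 7, ICMP_ECHO_REQUEST, 666, b"10.0.0.1")
WRONG_TYPE_PKT = build_packet("3.3.3.3", "192.168.0.1", 7, ICMP_ECHO_REPLY, 666, b"10.0.0.1")
```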