Re: Analysis of the Shaft distributed denial of service tool

[vision () WHITEHATS COM (Max Vision)]

On Thu, 16 Mar 2000, Sven Dietrich wrote:
> Note: this is also available at:
> http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt
>         An analysis of the ``Shaft'' distributed denial of service tool
Hi,

There is a minor error in the detection code that will keep ddos-shaft.c
from compiling; a line in listener() is repeated accidentally in the
Bugtraq post and on the website (remove one of the repeated lines):

     printf("Unexpected UDP packet received on port %d from %s\n",
     shaft_rctport, inet_ntoa(from.sin_addr));
-    shaft_rctport, inet_ntoa(from.sin_addr));

Based on the "shaft" writeup I have added Snort IDS signatures to
arachNIDS (http://whitehats.com/ids/) that should detect the traffic of
this known configuration.

  direct links:
  http://whitehats.com/IDS/252    ddos-shaft-synflood-incoming
  http://whitehats.com/IDS/253    ddos-shaft-synflood-outgoing
  http://whitehats.com/IDS/254    ddos-shaft-client-to-handler
  http://whitehats.com/IDS/255    ddos-shaft-handler-to-agent
  http://whitehats.com/IDS/256    ddos-shaft-agent-to-handler

I have also updated the Whitehats online self-scanning tool.  It can be
used to quickly test your browsing system for this configuration of Shaft,
as well as Trinoo, TFN, Stacheldraht, Stacheldraht4, and WinTrinoo.  The
self-scan tools can be found at:

  http://dev.whitehats.com/scan/ddos/

I have also collected related DDOS tools, media commentary, and a small
forum for discussion, found at the same URL.

Max Vision
http://whitehats.com/