Bugtraq mailing list archives
Re: Analysis of the Shaft distributed denial of service tool
From: vision () WHITEHATS COM (Max Vision)
Date: Fri, 17 Mar 2000 08:15:53 -0800
On Thu, 16 Mar 2000, Sven Dietrich wrote:
Note: this is also available at: http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt

An analysis of the ``Shaft'' distributed denial of service tool

Hi,

There is a minor error in the detection code that will keep ddos-shaft.c from compiling; a line in listener() is repeated accidentally in the Bugtraq post and on the website (remove one of the repeated lines):

         printf("Unexpected UDP packet received on port %d from %s\n",
                shaft_rctport, inet_ntoa(from.sin_addr));
-               shaft_rctport, inet_ntoa(from.sin_addr));

Based on the "shaft" writeup I have added Snort IDS signatures to arachNIDS (http://whitehats.com/ids/) that should detect the traffic of this known configuration.

direct links:

http://whitehats.com/IDS/252  ddos-shaft-synflood-incoming
http://whitehats.com/IDS/253  ddos-shaft-synflood-outgoing
http://whitehats.com/IDS/254  ddos-shaft-client-to-handler
http://whitehats.com/IDS/255  ddos-shaft-handler-to-agent
http://whitehats.com/IDS/256  ddos-shaft-agent-to-handler

I have also updated the Whitehats online self-scanning tool. It can be used to quickly test your browsing system for this configuration of Shaft, as well as Trinoo, TFN, Stacheldraht, Stacheldraht4, and WinTrinoo. The self-scan tools can be found at:

http://dev.whitehats.com/scan/ddos/

I have also collected related DDOS tools, media commentary, and a small forum for discussion, found at the same URL.

Max Vision
http://whitehats.com/