Security Incidents mailing list archives
Re: What is this?
From: Jason Potopa <jpotopa () QWEST NET>
Date: Thu, 15 Feb 2001 07:38:26 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 14 February 2001 10:40, you wrote:
> We have been getting this in our Snort logs for some time now and I am wondering exactly what it is. I searched for it on SecurityFocus and they say that it is part of some DDoS packages. It has been going to our firewall and to another machine in our DMZ. These are the only machines that were hit. Is there any danger from this?
Yes, it means one of your computers may be hacked and getting ready to participate in a DDoS.
> Is there a way to tell what port it is on?
Yes. If you take a look at your Snort rule base you will see a line similar to this:

alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"IDS193 - DDoS - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;)

This means that it is seeing ICMP traffic from 3.3.3.3/32 going to any IP outside of your network with icmp type 666.
> Is this a Snort configuration problem?
The following is an excerpt from http://www.sans.org/y2k/stacheldraht.htm

  In addition to finding an active handler, the agent performs a test to see if the network on which the agent is running allows packets to exit with forged source addresses. It does this by sending out an ICMP ECHO_REPLY packet with a forged IP address of "3.3.3.3", an ID of 666, and the IP address of the agent system (obtained by getting the hostname, then resolving this to an IP address) in the data field of the ICMP packet. (Note that it also sets the Type of Service field to 7 on this particular packet, while others have a ToS value of 0.)

This is what the alert says is happening. Can you verify this with another network device?
> Any known vulnerabilities?
Yes. Stacheldraht is a DDoS. It is set up on your network according to the alert you have.
> I am running RedHat 6.2 on the firewall w/ IPChains.
> IDS193/ddos-stacheldraht server-spoof: (sender here) -> (receiver here)
If you want help you can e-mail me direct.

- --
Jason Potopa, Security Engineer
Qwest Communications
jpotopa () qwest net
pgpkey: http://www.nether.net/~potopa/public.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6i9vTnEDAk2yp4E0RAkVRAJ44G7+Cf3Z8dIx8YiGZ3A/j7+d8dgCdGDFT
FiaN9VHYO/BenA5QaKHvybc=
=YNJv
-----END PGP SIGNATURE-----
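The Snort rule quoted above matches on the forged source 3.3.3.3, ICMP type 0 and ICMP id 666, but the detail an incident responder actually needs is in the ICMP data field: the SANS excerpt says the agent writes its own IP address there, so the payload, not the (forged) IP source, identifies the compromised host. The script below is an added example written for this archive page, not code from the thread or from the Stacheldraht analysis. It builds two constructed packets (a spoof-test packet from a hypothetical agent 192.0.2.10 toward a hypothetical handler 198.51.100.5, and an ordinary echo reply), then applies the same checks the rule and the excerpt describe and recovers the agent address. The excerpt does not say how the address is encoded in the data field, so the parser assumes dotted-decimal text and falls back to a 4-byte binary address; both are assumptions.

```python
"""Flag Stacheldraht agent spoof-test packets in raw IPv4 frames.

Added example, not from the original thread. Checks the conditions the
SANS excerpt describes: ICMP ECHO_REPLY (type 0), forged source 3.3.3.3,
ICMP id 666, IP ToS 7, and the agent's own address in the ICMP data field.
All sample packets are constructed here; nothing is a real capture.
"""
import socket
import struct

SPOOFED_SRC = "3.3.3.3"
STACHELDRAHT_ICMP_ID = 666
STACHELDRAHT_TOS = 7
IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
ICMP_FMT = "!BBHHH"        # type, code, csum, id, seq


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, icmp_type, icmp_id, payload, tos=0):
    """Build an IPv4+ICMP packet (constructed test input only)."""
    icmp = struct.pack(ICMP_FMT, icmp_type, 0, 0, icmp_id, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack(IP_FMT, 0x45, tos, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def inspect(packet: bytes):
    """Return a finding dict for a Stacheldraht spoof-test packet, else None."""
    if len(packet) < 28:
        return None
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:          # IPv4 carrying ICMP only
        return None
    icmp = packet[(ver_ihl & 0x0F) * 4:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, icmp_id, _seq = struct.unpack(ICMP_FMT, icmp[:8])
    data = icmp[8:]
    # The Snort rule's three conditions: forged source, ECHO_REPLY, id 666.
    if not (socket.inet_ntoa(src) == SPOOFED_SRC and itype == 0
            and icmp_id == STACHELDRAHT_ICMP_ID):
        return None
    # Recover the agent address from the data field. Encoding is an
    # assumption: try dotted-decimal text first, then 4 raw bytes.
    agent_ip = None
    text = data.split(b"\x00", 1)[0].decode("ascii", "replace")
    try:
        socket.inet_aton(text)
        agent_ip = text
    except OSError:
        if len(data) >= 4:
            agent_ip = socket.inet_ntoa(data[:4])
    return {
        "handler_candidate": socket.inet_ntoa(dst),  # where the spoofed reply was aimed
        "tos": tos,
        "tos_matches": tos == STACHELDRAHT_TOS,      # the excerpt's ToS 7 detail
        "agent_ip": agent_ip,                        # the host to pull off the network
    }


def scan(packets):
    """Run inspect() over a list of raw packets and return the findings."""
    return [f for f in (inspect(p) for p in packets) if f is not None]


# Constructed samples: hypothetical agent 192.0.2.10 spoof-testing toward a
# hypothetical handler 198.51.100.5, plus an ordinary ping reply as a control.
SAMPLE_SPOOF_TEST = build_packet("3.3.3.3", "198.51.100.5", 0, 666, b"192.0.2.10\x00", tos=7)
SAMPLE_NORMAL_REPLY = build_packet("192.0.2.10", "198.51.100.5", 0, 0x1234, b"abcdefgh")

if __name__ == "__main__":
    for finding in scan([SAMPLE_SPOOF_TEST, SAMPLE_NORMAL_REPLY]):
        print(finding)
```

Run against packets sniffed on the inside of the firewall, a hit names the agent in `agent_ip` and the handler it was testing against in `handler_candidate`; the outer IP source is meaningless because it is forged. A match with `tos_matches` false still satisfies the rule quoted in the message, so treat ToS as corroboration rather than a requirement.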
Current thread:
- What is this? Simeon Johnston (Feb 14)
- Re: What is this? Max Gribov (Feb 14)
- Re: What is this? Andreas Östling (Feb 14)
- ddos-stacheldraht server-spoof alerts ( Was: What is this?) Rod Longanilla (Feb 14)
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Jacek Lipkowski (Feb 15)
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Stephen P. Berry (Feb 16)
- [no subject] Osvaldo J. Filho (Feb 16)
- Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?) Daniel Keisling (Feb 16)
- Re: What is this? Andreas Östling (Feb 14)
- Re: What is this? Max Gribov (Feb 14)
- Re: What is this? Simeon Johnston (Feb 15)