Security Incidents mailing list archives

Re: What is this?


From: Jason Potopa <jpotopa () QWEST NET>
Date: Thu, 15 Feb 2001 07:38:26 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 14 February 2001 10:40, you wrote:
> We have been getting this in our snort logs for some time now and I am
> wondering exactly what it is.  I searched for it on security focus and
> they say is that it is part of some ddos packages.  It has been going to
> our firewall and to another machine in our DMZ.  These are the only
> machines that were hit.  Is there any danger from this?
Yes it means one of your computers may be hacked and getting ready to
participate in a ddos.

> Is there a way to tell what port it is on?
Yes, If you take a look at your snort rule base you will see a line similar
to this:

alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"IDS193 - DDoS -
Stacheldraht server-spoof"; itype: 0; icmp_id: 666;)

This means that it is seeing ICMP traffic from 3.3.3.3/32 on going to any ip
outside of your network with icmp type 666.

> Is this a snort configuration problem?

The following is an excerpt from http://www.sans.org/y2k/stacheldraht.htm

In addition to finding an active handler, the agent performs a test to see if
the network on which the agent is running allows packets to exit with forged
source addresses. It does this by sending out an ICMP ECHO_REPLY packet with
a forged IP address of "3.3.3.3", an ID of 666, and the IP address of the
agent system (obtained by getting the hostname, then resolving this to an IP
address) in the data field of the ICMP packet. (Note that it also sets the
Type of Service field to 7 on this particular packet, while others have a ToS
value of 0.)

This is what the alert says is happening.  Can you verify this with another
network device?

> Any known vulnerabilities?
Yes.  Stacheldraht is a DDOS.  It is set up on your network according to the
alert you have.

> I am running RedHat 6.2 on the firewall w/ IPChains.

> IDS193/ddos-stacheldraht server-spoof: (sender here) -> (receiver here)

If you want help you can e-mail me direct.
- --
Jason Potopa, Security Engineer
Qwest Communications
jpotopa () qwest net
pgpkey: http://www.nether.net/~potopa/public.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6i9vTnEDAk2yp4E0RAkVRAJ44G7+Cf3Z8dIx8YiGZ3A/j7+d8dgCdGDFT
FiaN9VHYO/BenA5QaKHvybc=
=YNJv
-----END PGP SIGNATURE-----
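The rule quoted in the reply fires on three things at once: ICMP type 0 (echo reply), ICMP identifier 666, and source address 3.3.3.3, which is exactly the spoof test the SANS excerpt describes. The following added example (my code, not from the thread, Snort or SANS) applies those same conditions to raw IPv4/ICMP packets so the alert can be cross-checked on another capture point, and pulls out the two extra clues the excerpt mentions: the ToS value and the agent's own address in the ICMP data field. The sample packets are constructed with documentation addresses; the format of the agent address in the payload (ASCII dotted quad or four raw bytes) is an assumption, since the thread does not say.

```python
"""Detect the Stacheldraht agent spoof-test packet the thread discusses.

Added example; not code from the original post, from Snort or from SANS.
It parses raw IPv4/ICMP packets (the bytes a pcap reader or packet socket
hands over) and applies the same conditions as the quoted Snort rule IDS193:
ICMP type 0 (echo reply), ICMP id 666, source 3.3.3.3.  It also reports the
IP ToS value and the agent address that the SANS excerpt says rides in the
ICMP data field.
"""
import ipaddress
import struct

SPOOF_SRC = "3.3.3.3"   # forged source address named in the rule and the SANS text
SPOOF_ID = 666          # ICMP identifier named in the rule and the SANS text


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_reply(src: str, dst: str, icmp_id: int, data: bytes, tos: int = 0) -> bytes:
    """Assemble a raw IPv4 packet carrying an ICMP echo reply (used here only to build sample input)."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, icmp_id, 1) + data        # type 0, code 0, csum 0, id, seq 1
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return the fields the rule needs, or None if this is not an IPv4 packet carrying ICMP."""
    if len(packet) < 28:
        return None
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:total_len]
    itype, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "tos": tos,
        "itype": itype,
        "icmp_id": icmp_id,
        "data": icmp[8:],
    }


def agent_address_from_data(data: bytes):
    """Recover the agent's own IP from the ICMP payload.

    Assumption (not stated in the thread): the address is either an ASCII
    dotted quad or four raw bytes; anything else is reported as None.
    """
    text = data.rstrip(b"\x00").decode("ascii", errors="ignore").strip()
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        pass
    if len(data) >= 4:
        return str(ipaddress.IPv4Address(data[:4]))
    return None


def stacheldraht_spoof_alert(packet: bytes):
    """Apply the IDS193 conditions; return an alert dict or None."""
    f = parse_ipv4_icmp(packet)
    if f is None or f["src"] != SPOOF_SRC or f["itype"] != 0 or f["icmp_id"] != SPOOF_ID:
        return None
    return {
        "msg": "IDS193 - DDoS - Stacheldraht server-spoof",
        "src": f["src"],
        "dst": f["dst"],
        "tos": f["tos"],                                  # SANS: 7 on this packet, 0 on the others
        "agent": agent_address_from_data(f["data"]),      # the internal host to examine
    }


def scan(packets):
    """Run the check over a sequence of raw packets and collect the alerts."""
    return [a for a in (stacheldraht_spoof_alert(p) for p in packets) if a is not None]


# Constructed sample traffic (documentation addresses, not real hosts):
# one agent spoof test and one ordinary echo reply that must not fire.
SAMPLE_SPOOF = build_icmp_echo_reply(SPOOF_SRC, "198.51.100.1", SPOOF_ID, b"192.0.2.10", tos=7)
SAMPLE_PING = build_icmp_echo_reply("192.0.2.1", "198.51.100.1", 0x1234, b"abcdefgh")

if __name__ == "__main__":
    for alert in scan([SAMPLE_SPOOF, SAMPLE_PING]):
        print(alert)
```

Because the source address is forged, the interesting field for a responder is not the source but the agent address carried in the payload (and, failing that, which interface the packet arrived on): that is the host that should be taken off the network and examined, which is the point the reply makes about a machine being "set up" for a ddos.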