Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:226 |
| Message | DDOS Stacheldraht server response |
| Summary | This event indicates that a Stacheldraht handler exists on the source host and an agent on the destination host. |
| Impact | Serious. A Distributed Denial of Service attack maybe in progress. |
| Detailed Information | The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack. There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. When a host becomes a Stacheldraht agent it makes an initial contact with each of its known handlers. A handler should respond with an ICMP echo reply with an ICMP identification number of 667 and a string of "ficken" in the payload. |
| Affected Systems | Any Stacheldraht compromised host. |
| Attack Scenarios | A host on which a Stacheldraht agent has been installed attempts to contact the list of known handlers. |
| Ease of Attack | Simple. Stacheldraht code is freely available. |
| Corrective Action | Turn of all unnecessary services on hosts. Upgrade to the latest patch level. Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. |
| Additional References | Arachnids: http://www.whitehats.com/info/IDS191 |
| Rule References | arachnids: 191 |
--
DID:453094
--
http://www.aanval.com/