Re: Analysis of "stacheldraht"
Subject: Re: Analysis of "stacheldraht"
From: Dave Dittrich (dittrich@CAC.WASHINGTON.EDU)
Date: Tue Jan 11 2000 - 22:38:17 CST
- Next message: David Komanek: "IE 5.0 vs. XML-files"
- Previous message: Oliver Friedrichs: "Re: L0pht Advisory: LPD, RH 4.x,5.x,6.x"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 30 Dec 1999, Dave Dittrich wrote:
> ==========================================================================
>
> The "stacheldraht" distributed denial of service attack tool
>
> ==========================================================================
For those who are using this analysis for IDS signatures, etc.,
there is a typo in the analysis.
> In addition to finding an active handler, the agent performs a test
> to see if the network on which the agent is running allows packets to
> exit with forged source addresses. It does this by sending out an
> ICMP_ECHOREPLY packet with a forged IP address of "3.3.3.3", an ID of
^^^^^^^^^^^^^^
> 666, and the IP address of the agent system (obtained by getting the
> hostname, then resolving this to an IP address) in the data field of
> the ICMP packet. (Note that it also sets the Type of Service field to
> 7 on this particular packet, while others have a ToS value of 0.)
> ...
> These packets (as seen by tcpdump and tcpshow) are shown here:
>
> ------------------------------------------------------------------------------
> # tcpdump icmp
> . . .
> 14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
> 14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
> . . .
> ------------------------------------------------------------------------------
The tcpdump trace is correct. The 3.3.3.3 spoof test packet is an
ICMP_ECHO packet, not an ICMP_ECHOREPLY.
Thanks to bkubesh@cisco.com for pointing this out.
--
Dave Dittrich                    Client Services
dittrich@cac.washington.edu      Computing & Communications
                                 University of Washington

Dave Dittrich / dittrich@cac.washington.edu [PGP Key]: http://www.washington.edu/People/dad/
PGP 6.5.1 key fingerprint: FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
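The spoof-test packet the correction above describes, as an added example that is not part of the original message or of the stacheldraht analysis: it builds that packet as a constructed byte string (not a capture) and runs a minimal signature check over it. It takes "an ID of 666" to mean the ICMP identifier field (my reading of the analysis, stated as an assumption) and assumes the agent's address is the first four bytes of the ICMP data. The function names and the sample addresses are mine; 10.0.0.1 and 192.168.0.1 are taken from the quoted tcpdump trace. The point it makes for anyone writing IDS signatures: a check keyed on the original wording (ICMP_ECHOREPLY, type 0) never fires on this packet, while one keyed on echo request (type 8) does.

```python
"""
Added example, not code from the original message or from the stacheldraht
analysis.  Builds the agent's spoof-test packet as described above
(ICMP echo request, forged source 3.3.3.3, ICMP id 666, IP ToS 7, agent IP
in the ICMP data) and checks it against a simple signature.

Assumptions (mine, not the analysis'): "ID of 666" is the ICMP identifier,
and the agent address is the first 4 bytes of ICMP data.  All packet bytes
are constructed here; nothing is captured from a live network.
"""
import socket
import struct
from typing import Optional


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoof_test(agent_ip: str, dst_ip: str, icmp_type: int = 8,
                     src_ip: str = "3.3.3.3", icmp_id: int = 666,
                     tos: int = 7) -> bytes:
    """Constructed IPv4+ICMP packet; defaults mirror the corrected description
    (type 8 = echo request).  icmp_type=0 reproduces the typo'd variant."""
    payload = socket.inet_aton(agent_ip)          # agent's real IP in data
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # version/IHL, ToS, length, id, frag, TTL, proto=1 (ICMP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + icmp


def parse(packet: bytes) -> dict:
    """Pull out just the fields the signature needs from an IPv4/ICMP packet."""
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if proto != 1:                                 # not ICMP: nothing to match
        return {"proto": proto}
    ihl = (ver_ihl & 0x0F) * 4                     # honour IP options, if any
    icmp = packet[ihl:]
    icmp_type, _, _, icmp_id, _ = struct.unpack("!BBHHH", icmp[:8])
    return {"proto": 1, "tos": tos, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "icmp_type": icmp_type,
            "icmp_id": icmp_id, "data": icmp[8:]}


def is_stacheldraht_spoof_test(packet: bytes) -> bool:
    """Signature: ICMP echo REQUEST (type 8), src 3.3.3.3, id 666, ToS 7.
    Type 0 (echo reply), as the analysis originally said, does not match."""
    p = parse(packet)
    return (p.get("proto") == 1 and p["icmp_type"] == 8
            and p["src"] == "3.3.3.3" and p["icmp_id"] == 666
            and p["tos"] == 7)


def agent_address(packet: bytes) -> Optional[str]:
    """If the packet matches, recover the agent's real IP from the ICMP data
    (the forged 3.3.3.3 source tells you nothing about where it came from)."""
    if not is_stacheldraht_spoof_test(packet):
        return None
    data = parse(packet)["data"]
    return socket.inet_ntoa(data[:4]) if len(data) >= 4 else None


if __name__ == "__main__":
    pkt = build_spoof_test("10.0.0.1", "192.168.0.1")
    print("echo request matches:", is_stacheldraht_spoof_test(pkt),
          "agent:", agent_address(pkt))
    typo = build_spoof_test("10.0.0.1", "192.168.0.1", icmp_type=0)
    print("echo reply (typo'd signature) matches:",
          is_stacheldraht_spoof_test(typo))
```

The forged source is the reason the data field matters: on a real sensor the only usable indicator of which host is running the agent is the address carried inside the ICMP payload, so a signature should log that field, not the IP source.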
This archive was generated by hypermail 2b27 : Wed Jan 12 2000 - 12:29:50 CST