GEN:SID 1:226
Message DDOS Stacheldraht server response
Summary This event indicates that a Stacheldraht handler exists on the source host and an agent on the destination host.
Impact Serious. A Distributed Denial of Service attack maybe in progress.
Detailed Information The Stacheldraht DDoS uses a tiered structure of compromised hosts to
coordinate and participate in a denial of service attack.  There are
"handler" hosts that are used to coordinate the attacks and "agent"
hosts that launch the attack.  When a host becomes a Stacheldraht agent
it makes an initial contact with each of its known handlers.  A handler
should respond with an ICMP echo reply with an ICMP identification
number of 667 and a string of "ficken" in the payload.
Affected Systems Any Stacheldraht compromised host.
Attack Scenarios A host on which a Stacheldraht agent has been installed attempts to
contact the list of known handlers.  
Ease of Attack Simple. Stacheldraht code is freely available.
Corrective Action Turn of all unnecessary services on hosts.

Upgrade to the latest patch level.

Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References Arachnids:
http://www.whitehats.com/info/IDS191
Rule References arachnids: 191