| Field | Value |
|---|---|
| GEN:SID | 1:225 |
| Message | DDOS Stacheldraht gag server response |
| Summary | This event is generated when the Stacheldraht DDoS tool is used. |
| Impact | This indicates that a Stacheldraht agent exists on the source host and a handler exists on the destination host. |
| Detailed Information | The Stacheldraht DDoS tool uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack. "Handler" hosts are used to coordinate the attacks and "agent" hosts launch the attack. A handler may probe for a Stacheldraht agent. There is also a "gag" program used to scan for Stacheldraht agents. The response to a "gag" request is an ICMP echo reply with an ICMP identification number of 669 and the string "sicken" in the payload. |
| Affected Systems | Any Stacheldraht compromised host. |
| Attack Scenarios | A handler may probe for a Stacheldraht agent, or the "gag" program can be used to discover Stacheldraht agents. The "gag" program can be run by a defender of a network if there is a suspected Stacheldraht agent on the network. An attacker could also run the "gag" program to find an agent. |
| Ease of Attack | Simple. The "gag" script is freely available. |
| Corrective Action | Turn off all unnecessary services on hosts. Upgrade to the latest patch level. Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. |
| Additional References | Arachnids: http://www.whitehats.com/info/IDS195 |
| Rule References | arachnids: 195 |
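As an added example (not part of the Snort rule documentation), the following Python detector applies the match conditions described above to raw ICMP messages: echo reply, ICMP identifier 669 and the string "sicken" in the payload. The sample messages are constructed in memory for testing only, and the helper names and checksum routine are this example's own, not Snort's.

```python
import struct

# Match conditions taken from the SID 1:225 description
GAG_ICMP_ID = 669
GAG_MARKER = b"sicken"
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a well-formed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(message: bytes) -> dict:
    """Split an ICMP echo message into type, code, checksum, id, seq and payload."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte echo header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": message[8:]}


def is_stacheldraht_gag_response(message: bytes) -> bool:
    """True when the message meets all SID 1:225 conditions, False otherwise."""
    try:
        icmp = parse_icmp(message)
    except ValueError:
        return False
    return (icmp["type"] == ICMP_ECHO_REPLY
            and icmp["id"] == GAG_ICMP_ID
            and GAG_MARKER in icmp["payload"])


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo message with a valid checksum (in-memory test samples only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


# Constructed samples: one gag response plus near-misses that must not alert
SAMPLES = {
    "gag_response": build_icmp_echo(ICMP_ECHO_REPLY, GAG_ICMP_ID, 1, b"sicken\x00"),
    "normal_ping_reply": build_icmp_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh"),
    "echo_request_id_669": build_icmp_echo(ICMP_ECHO_REQUEST, GAG_ICMP_ID, 1, b"sicken"),
    "reply_id_669_no_marker": build_icmp_echo(ICMP_ECHO_REPLY, GAG_ICMP_ID, 1, b"hello"),
}


def scan(samples: dict) -> list:
    """Return the names of the samples that would trigger SID 1:225."""
    return [name for name, msg in samples.items() if is_stacheldraht_gag_response(msg)]
```

Only the first sample matches; an echo request with id 669, or a reply with id 669 but no "sicken" string, does not meet all three conditions.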