GEN:SID 1:225
Message DDOS Stacheldraht gag server response
Summary This event is generated when the Stacheldraht DDoS tool is used.
Impact This indicates that a Stacheldraht agent exists on the source host and a handler exists on the destination host.
Detailed Information The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler may probe for a Stacheldraht agent.  There is also "gag" program used to scan for Stacheldraht agents.  A response to a "gag" request will be an ICMP echo reply with an ICMP identification number of 669 and a string of "sicken" in the payload.  
Affected Systems Any Stacheldraht compromised host.
Attack Scenarios A handler may probe for a Stacheldraht agent or the "gag" program can be used to discover Stacheldraht agents.  The "gag" program can be run by a defender of a network if there is a suspected Stacheldraht agent on the network. An attacker could also run the "gag" program to find an agent.

Ease of Attack Simple. The "gag" script is freely available.
Corrective Action Turn of all unnecessary services on hosts.

Upgrade to the latest patch level.

Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References Arachnids:
http://www.whitehats.com/info/IDS195
Rule References arachnids: 195