GEN:SID | 1:229 |
Message | DDOS Stacheldraht client check skillz |
Summary | This event is generated when a Stacheldraht agent attempts to contact a known handler.
|
Impact | This indicates that a Stacheldraht agent may exist on the source host and a handler may exist on the destination host.
|
Detailed Information | The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack.
There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. Once a host becomes a Stacheldraht agent, it will attempt to contact a list of known handlers using an ICMP echo reply with an ICMP identification number of 666 and a string of "skillz" in the payload.
|
Affected Systems | Any Stacheldraht compromised host.
|
Attack Scenarios | A compromised host that has become a Stacheldraht agent will attempt an initial communication with all known handlers.
|
Ease of Attack | Simple. Stacheldraht code is freely available.
|
Corrective Action | Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
Rebuild a confirmed compromised host.
Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
|
Additional References | Arachnids: http://www.whitehats.com/info/IDS190
|
Rule References | arachnids: 190
|