[13312] in bugtraq


Re: Analysis of "stacheldraht"

daemon@ATHENA.MIT.EDU (Dave Dittrich)
Wed Jan 12 12:33:54 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GUL.4.21.0001112023410.26994-100000@red8.cac.washington.edu>
Date:         Tue, 11 Jan 2000 20:38:17 -0800
Reply-To: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
From: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GUL.4.21.9912301323250.20803-100000@red5.cac.washington.edu>

On Thu, 30 Dec 1999, Dave Dittrich wrote:

> ==========================================================================
>
>       The "stacheldraht" distributed denial of service attack tool
>
> ==========================================================================

For those who are using this analysis for IDS signatures, etc.,
there is a typo in the analysis.

> In addition to finding an active handler, the agent performs a test
> to see if the network on which the agent is running allows packets to
> exit with forged source addresses.  It does this by sending out an
> ICMP_ECHOREPLY packet with a forged IP address of "3.3.3.3", an ID of
  ^^^^^^^^^^^^^^
> 666, and the IP address of the agent system (obtained by getting the
> hostname, then resolving this to an IP address) in the data field of
> the ICMP packet.  (Note that it also sets the Type of Service field to
> 7 on this particular packet, while others have a ToS value of 0.)
> ...
> These packets (as seen by tcpdump and tcpshow) are shown here:
>
> ------------------------------------------------------------------------------
> # tcpdump icmp
>  . . .
> 14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
> 14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
>  . . .
> ------------------------------------------------------------------------------

The tcpdump trace is correct.  The 3.3.3.3 spoof test packet is an
ICMP_ECHO packet, not an ICMP_ECHOREPLY.

Thanks to bkubesh@cisco.com for pointing this out.

--
Dave Dittrich                 Client Services
dittrich@cac.washington.edu   Computing & Communications
                              University of Washington

<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich@cac.washington.edu [PGP Key]</a>

PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB  49 A1 0C D0 8E 0C D0 BE  C8 38 CC B5

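Added example, not part of the original post or of the stacheldraht analysis: a small detector that applies the correction above as an IDS-style rule over tcpdump lines in the one-line format quoted in the mail. The sample lines are constructed (the two from the quoted trace plus two distractors), and the function names parse_line, is_spoof_test and find_spoof_tests are assumptions of this example.

```python
import re

# ICMP type values from RFC 792. The correction above: the spoof test packet
# is an ICMP_ECHO (type 8), not an ICMP_ECHOREPLY (type 0).
ICMP_ECHOREPLY = 0
ICMP_ECHO = 8

# One-line tcpdump ICMP format as printed in the analysis, e.g.
# "14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)(?:\s+\[tos\s+(?P<tos>0x[0-9a-fA-F]+)\])?\s*$"
)

def parse_line(line):
    """Parse one tcpdump ICMP echo line into a dict; None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "type": ICMP_ECHO if m["kind"] == "request" else ICMP_ECHOREPLY,
        "tos": int(m["tos"], 16) if m["tos"] else 0,  # tcpdump omits tos 0
    }

def is_spoof_test(pkt):
    """Corrected stacheldraht spoof-test signature: an echo *request*
    (type 8) with forged source 3.3.3.3 and ToS 7."""
    return pkt["src"] == "3.3.3.3" and pkt["type"] == ICMP_ECHO and pkt["tos"] == 7

def find_spoof_tests(lines):
    """Return timestamps of lines matching the corrected signature."""
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and is_spoof_test(pkt):
            hits.append(pkt["ts"])
    return hits

# Constructed sample: the two lines quoted in the mail, plus an ordinary echo
# request and an echo *reply* from 3.3.3.3. A rule written from the original
# (ECHOREPLY) wording would flag the last line and miss the first.
SAMPLE = [
    "14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]",
    "14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply",
    "14:15:36.000001 10.0.0.5 > 192.168.0.1: icmp: echo request",
    "14:15:36.000002 3.3.3.3 > 192.168.0.1: icmp: echo reply [tos 0x7]",
]
```

Calling find_spoof_tests(SAMPLE) returns only the timestamp of the first line; the echo reply from 3.3.3.3 is correctly left alone.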