[14346] in bugtraq


Re: Analysis of the Shaft distributed denial of service tool

daemon@ATHENA.MIT.EDU (Max Vision)
Mon Mar 20 05:42:22 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Enip.BSO.23.0003170625420.21663-100000@www.whitehats.com>
Date:         Fri, 17 Mar 2000 08:15:53 -0800
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200003161619.LAA28427@sled.gsfc.nasa.gov>

On Thu, 16 Mar 2000, Sven Dietrich wrote:
> Note: this is also available at:
> http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt
>         An analysis of the ``Shaft'' distributed denial of service tool
>
Hi,

There is a minor error in the detection code that will keep ddos-shaft.c
from compiling; a line in listener() is repeated accidentally in the
Bugtraq post and on the website (remove one of the repeated lines):

     printf("Unexpected UDP packet received on port %d from %s\n",
     shaft_rctport, inet_ntoa(from.sin_addr));
-    shaft_rctport, inet_ntoa(from.sin_addr));
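Review bot: the `-` line is the accidental second copy of the printf argument list; with it in place the file has a bare `shaft_rctport, inet_ntoa(...));` after an already closed statement, which is the compile failure described above, so removing exactly that one line and keeping the two unmarked lines as they are is the complete fix (the remaining call then has two arguments for the two format specifiers, `%d` and `%s`).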

Based on the "shaft" writeup I have added Snort IDS signatures to
arachNIDS (http://whitehats.com/ids/) that should detect the traffic of
this known configuration.

  direct links:
  http://whitehats.com/IDS/252    ddos-shaft-synflood-incoming
  http://whitehats.com/IDS/253    ddos-shaft-synflood-outgoing
  http://whitehats.com/IDS/254    ddos-shaft-client-to-handler
  http://whitehats.com/IDS/255    ddos-shaft-handler-to-agent
  http://whitehats.com/IDS/256    ddos-shaft-agent-to-handler

I have also updated the Whitehats online self-scanning tool.  It can be
used to quickly test your browsing system for this configuration of Shaft,
as well as Trinoo, TFN, Stacheldraht, Stacheldraht4, and WinTrinoo.  The
self-scan tools can be found at:

  http://dev.whitehats.com/scan/ddos/

I have also collected related DDOS tools, media commentary, and a small
forum for discussion, found at the same URL.

Max Vision
http://whitehats.com/
