On Thu, 30 Dec 1999, Dave Dittrich wrote:
> ==========================================================================
>
> The "stacheldraht" distributed denial of service attack tool
>
> ==========================================================================
For those who are using this analysis for IDS signatures, etc.,
there is a typo in the analysis.
> In addition to finding an active handler, the agent performs a test
> to see if the network on which the agent is running allows packets to
> exit with forged source addresses. It does this by sending out an
> ICMP_ECHOREPLY packet with a forged IP address of "3.3.3.3", an ID of
^^^^^^^^^^^^^^
> 666, and the IP address of the agent system (obtained by getting the
> hostname, then resolving this to an IP address) in the data field of
> the ICMP packet. (Note that it also sets the Type of Service field to
> 7 on this particular packet, while others have a ToS value of 0.)
> ...
> These packets (as seen by tcpdump and tcpshow) are shown here:
>
> ------------------------------------------------------------------------------
> # tcpdump icmp
> . . .
> 14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
> 14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
> . . .
> ------------------------------------------------------------------------------
The tcpdump trace is correct. The 3.3.3.3 spoof test packet is an
ICMP_ECHO packet, not an ICMP_ECHOREPLY.
Thanks to bkubesh_at_cisco.com for pointing this out.
--
Dave Dittrich Client Services
dittrich_at_cac.washington.edu Computing & Communications
University of Washington
<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich_at_cac.washington.edu [PGP Key]</a>
PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
Received on Jan 12 2000
Intro
