Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Analysis of the Shaft distributed denial of service tool
From: vision () WHITEHATS COM (Max Vision)
Date: Fri, 17 Mar 2000 08:15:53 -0800

On Thu, 16 Mar 2000, Sven Dietrich wrote:
Note: this is also available at:
        An analysis of the ``Shaft'' distributed denial of service tool


There is a minor error in the detection code that will keep ddos-shaft.c
from compiling; a line in listener() is repeated accidentally in the
Bugtraq post and on the website (remove one of the repeated lines):

     printf("Unexpected UDP packet received on port %d from %s\n",
     shaft_rctport, inet_ntoa(from.sin_addr));
-    shaft_rctport, inet_ntoa(from.sin_addr));

Based on the "shaft" writeup I have added Snort IDS signatures to
arachNIDS (http://whitehats.com/ids/) that should detect the traffic of
this known configuration.

  direct links:
  http://whitehats.com/IDS/252    ddos-shaft-synflood-incoming
  http://whitehats.com/IDS/253    ddos-shaft-synflood-outgoing
  http://whitehats.com/IDS/254    ddos-shaft-client-to-handler
  http://whitehats.com/IDS/255    ddos-shaft-handler-to-agent
  http://whitehats.com/IDS/256    ddos-shaft-agent-to-handler

I have also updated the Whitehats online self-scanning tool.  It can be
used to quickly test your browsing system for this configuration of Shaft,
as well as Trinoo, TFN, Stacheldraht, Stacheldraht4, and WinTrinoo.  The
self-scan tools can be found at:


I have also collected related DDOS tools, media commentary, and a small
forum for discussion, found at the same URL.

Max Vision

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]