Security Incidents mailing list archives
ddos-stacheldraht server-spoof alerts ( Was: What is this?)
From: Rod Longanilla <SecTraqs () nm2 com>
Date: Wed, 14 Feb 2001 16:54:09 -0800
Hello,

A client of mine has received over 2000 alerts from 1600+ unique IPs with this same signature in less than 1 month's time. Most of the IPs are from cable modems, a/dsl lines, and even dialups. The IPs usually hit 1-8 times, then (rarely) never again. The ID is 666, and the payload is of length 4, with:

000 : 3F 3F 3F 3F ????

Snort matches the ID, but the payload doesn't seem to match what is listed on Whitehats. All systems behind the firewall are mainly Apple Macs or Windows (NT/2k) boxes, and we have detected nothing to indicate ddos scripts/zombies running.
From Andreas' post, I believe too that these are false positives and probably from Napster. The client's site has a few Napster users, and in the last 3 days the ddos alerts have picked up. However, I can't seem to find any alerts for Napster use (snort records them too) corresponding to the ddos entries. I'll have to test a few scenarios out. I'm still watching and recording the alerts until it can be absolutely proven these particular alerts are just false positives. So if anyone has further information on what can possibly be generating these, please post/reply.

Thanks,
-Rod Longanilla

-----Original Message-----
From: Andreas Östling
Sent: Wednesday, February 14, 2001 2:56 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: What is this?

On Wed, 14 Feb 2001, Max Gribov wrote:
above, is a piece of bugtraq archive with stacheldraht analysis. if your network is infected, it means all infected machines on your network will be happily flooding some innocent server somewhere on the internet sometime soon.

On Wed, 14 Feb 2001, Simeon Johnston wrote:
We have been getting this in our snort logs for some time now and I am wondering exactly what it is. I searched for it on security focus and they say that it is part of some ddos packages.

IDS193/ddos-stacheldraht server-spoof: (sender here) -> (receiver here)
Simeon, you are probably using this Snort rule:

alert ICMP any any -> any any (msg: "IDS193/ddos-stacheldraht server-spoof"; itype: 8; icmp_id: 666;)

This rule doesn't check for any specific packet content and it might be a false positive. Some Napster clients seem to often send ICMP packets with ID 666. Check the payload (if you have it) in the logged packets for clues, and run find_ddos on your suspect hosts.

Regards,
Andreas Östling
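To make Andreas' point concrete, here is an added Python example (not code from the thread): it parses a raw ICMP echo datagram, applies the header-only test the quoted rule performs (itype 8, icmp_id 666), then applies the same test with a payload content match, and renders the payload in the offset/hex/ASCII layout of Rod's alert. The sample packet is constructed from that alert; the content marker is a labelled placeholder, since the thread does not quote the Whitehats payload.

```python
import struct

# ICMP echo header: type(1) code(1) checksum(2) id(2) seq(2), then the payload.
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
STACHELDRAHT_ID = 666  # icmp_id from the rule Andreas quoted

def parse_icmp(pkt: bytes) -> dict:
    """Split a raw ICMP datagram (IP header already stripped) into fields."""
    if len(pkt) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    itype, code, _csum, icmp_id, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": itype, "code": code, "id": icmp_id, "seq": seq, "payload": pkt[8:]}

def matches_loose_rule(pkt: bytes) -> bool:
    """The rule as posted: echo request with ID 666, no content check at all."""
    p = parse_icmp(pkt)
    return p["type"] == ICMP_ECHO_REQUEST and p["id"] == STACHELDRAHT_ID

def matches_with_content(pkt: bytes, expected: bytes) -> bool:
    """Same header test plus a payload match, the check the loose rule lacks."""
    return matches_loose_rule(pkt) and expected in parse_icmp(pkt)["payload"]

def snort_style_dump(payload: bytes) -> str:
    """Render a payload the way Rod's alert shows it: offset, hex bytes, printable chars."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:03d} : {hexpart} {asc}")
    return "\n".join(lines)

def build_echo(itype: int, icmp_id: int, seq: int, payload: bytes) -> bytes:
    # Checksum left as zero: this is a constructed sample, never sent on the wire.
    return struct.pack("!BBHHH", itype, 0, 0, icmp_id, seq) + payload

# Constructed sample: the ID-666 echo request with the "????" payload from Rod's alert.
SAMPLE_ALERT_PKT = build_echo(ICMP_ECHO_REQUEST, 666, 1, b"????")
# Hypothetical marker standing in for whatever content the Whitehats signature lists.
HYPOTHETICAL_MARKER = b"PLACEHOLDER-MARKER"

if __name__ == "__main__":
    print(snort_style_dump(parse_icmp(SAMPLE_ALERT_PKT)["payload"]))
    print("header-only rule fires:", matches_loose_rule(SAMPLE_ALERT_PKT))
    print("with content check:", matches_with_content(SAMPLE_ALERT_PKT, HYPOTHETICAL_MARKER))
```

The header-only test fires on the "????" packet while the content-checked version does not, which is the gap Andreas describes between the rule and the Whitehats signature.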