Re: Possible stacheldraht variant/probe

[dbrumley () RTFM STANFORD EDU (David Brumley)]

Someone w/ my rid-1.0 tool could alter the config.txt to send out packets
such as this fairly easily.

begin newscan
  send icmp id=668 data="gesundheit!"
end newscan
begin newscan2
  send icmp id=669 data=""
end newscan2

rid-1.0 is available from many place, including what will be it's new home
at http://www.theorygroup.com/Public/DDOS

I'm still developing the site, so don't worry if some of the other
unrelated links are broken/inaccurate/etc.  Oh, and all this will continue
to be free.  The whole reason for the Public area is to host some groups
I've been participating in for a while (such as the argus mailing list).

cheers,
david

On Wed, 9 Feb 2000, Stephen P. Berry wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Earlier today I observed some traffic which appears to be obviously
> related to stacheldraht (as described by Dave Dittrich), but
> which has several additional features which I haven't seen mentioned
> elsewhere.
>
> The traffic consists of three type of packets, presented here in order
> of receipt:
>
>       -An ICMP_ECHO_REPLY containing the ASCII string `gesundheit!'
>       -An ICMP_ECHO_REPLY with an IP ID one greater than
>        the `gesundheit!' packet and lacking the the `gesundheit'
>        string (the packet is 12 bytes shorter)
>       -An UDP packet with an IP ID one greater than the second ICMP
>        packet and an 11 byte long data segment
>
> This pattern is repeated many times.  The source address remains constant.
> The destination addresses cover a 24-bit network.  Interestingly,
> the scanner appears to treat 24-bit networks as if they consist of
> two 25-bit networks:  The first three packets are directed at x.y.z.127;
> the scanner then walks through the first half of the class C, only
> hitting hosts that actually exist[0]; it then hits every address between
> x.y.z.127 (including .127 itself, again) and x.y.z.255, in sequence.
>
> The scanner is not coy:  the entire exercise lasts less than ten seconds.
>
>
> This does not appear to be a vanilla stacheldraht scan as reported
> by Mr Dittrich, nor does it appear to be one of the tools designed
> to look for stacheldraht installs (e.g., gag).
>
> Is this a known (to everyone but me) variant of stacheldraht, or is
> this new behaviour?
>
>
>
>
>
>
> - -Steve
>
> - -----
> 0     This is of course an interesting fact.  Also interesting is that
>       it doesn't send to any unused IP addresses, but it does miss
>       a couple IPs which are in use.
>       The target selection doesn't appear to be DNS-related:  all of
>       the addresses in the class C resolve---most to boring hostnames
>       in the form a-b-c-d.foo.bar.  Some of the addresses hit have
>       more interesting names (www.foo.bar), but not all of the addresses
>       hit have `interesting' names, and not all of the `interesting'
>       names were hit.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE4ogoOG3kIaxeRZl8RAmQoAJ9JFhxwr65uCfOnfAjt1tP6dHk3IQCg4cLz
> b9n2bNRPUxo+q8GhK28dnlg=
> =l4W/
> -----END PGP SIGNATURE-----

--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."