Security Incidents mailing list archives

ddos-stacheldraht server-spoof alerts ( Was: What is this?)


From: Rod Longanilla <SecTraqs () nm2 com>
Date: Wed, 14 Feb 2001 16:54:09 -0800

Hello,

A client of mine has received over 2000 alerts from 1600+ unique IPs with
this same signature in less than 1 month's time.  Most of the IPs are from
cable modems, a/dsl lines, and even dialups.  The IPs usually hit 1-8
times, then (rarely) never again.  The ID is 666, and the payload is of length
4, with:
  000 : 3F 3F 3F 3F  ????

Snort matches the ID, but the payload doesn't seem to match what is listed
on Whitehats.  All systems behind the firewall are mainly Apple Macs or
Windows (NT/2k) boxes, and we have detected nothing to indicate ddos
scripts/zombies running.

From Andreas' post, I believe too that these are false positives and probably
from Napster.  The client's site has a few Napster users, and in the last 3
days the ddos alerts have picked up.  However, I can't seem to find any
alerts for Napster use (snort records them too) corresponding to the ddos
entries.  I'll have to test a few scenarios out.

I'm still watching and recording the alerts until it can be absolutely
proven these particular alerts are just false positives.  So if anyone has
further information on what could possibly be generating these, please
post/reply.

Thanks,
  -Rod Longanilla



-----Original Message-----
From: Andreas Östling
Sent: Wednesday, February 14, 2001 2:56 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: What is this?


On Wed, 14 Feb 2001, Max Gribov wrote:
above, is a piece of bugtraq archive with stacheldraht analysis. If your
network is infected, it means all infected machines on your network will
be happily flooding some innocent server somewhere on the internet
sometime soon.

On Wed, 14 Feb 2001, Simeon Johnston wrote:

We have been getting this in our snort logs for some time now and I am
wondering exactly what it is.  I searched for it on security focus and
they say that it is part of some ddos packages.
IDS193/ddos-stacheldraht server-spoof: (sender here) -> (receiver here)

Simeon, you are probably using this Snort rule:

alert ICMP any any -> any any (msg: "IDS193/ddos-stacheldraht server-spoof";
itype: 8; icmp_id: 666;)

This rule doesn't check for any specific packet content and it might be
a false positive. Some Napster clients seem to often send ICMP
packets with ID 666. Check the payload (if you have it) in the logged
packets for clues, and run find_ddos on your suspect hosts.

Regards,
Andreas Östling
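As an added illustration (not part of this thread, Snort, or the Whitehats signature), the script below shows what the IDS193 rule actually tests and why Andreas suggests looking at the payload: it parses an ICMP header, applies the same two checks the rule makes (echo request, identifier 666), and then prints the payload in the "000 : 3F 3F 3F 3F  ????" form Rod quotes so an analyst can compare it against the reference signature before deciding it is a false positive. The sample packets, source addresses and verdict labels are constructed for the example; the "????" payload is only flagged as the pattern reported in this thread, not as proof of Napster traffic.

```python
import struct
from collections import Counter, defaultdict

# The rule quoted in the thread: ICMP echo request (type 8) with identifier
# 666 and no content check at all.
RULE_ITYPE = 8
RULE_ICMP_ID = 666

# Verdict labels used by triage() (constructed for this example).
NO_MATCH = "no-match"
QMARK_PATTERN = "rule-match-4byte-????"       # payload seen in this thread
OTHER_PAYLOAD = "rule-match-other-payload"    # compare with reference sig


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_id: int, seq: int, payload: bytes, itype: int = 8) -> bytes:
    """Build an ICMP echo (type 8) or echo reply (type 0) with a valid checksum.
    Used only to construct sample input; IP header is not included."""
    header = struct.pack("!BBHHH", itype, 0, 0, icmp_id, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, icmp_id, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP header starting at byte 0 (IP header already stripped)."""
    if len(packet) < 8:
        raise ValueError("ICMP header needs at least 8 bytes")
    itype, code, checksum, icmp_id, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": itype, "code": code, "checksum": checksum, "id": icmp_id,
            "seq": seq, "payload": packet[8:],
            # a valid checksum folds the whole message to zero
            "checksum_ok": icmp_checksum(packet) == 0}


def rule_matches(pkt: dict) -> bool:
    """Exactly what 'itype: 8; icmp_id: 666;' tests: type and identifier only."""
    return pkt["type"] == RULE_ITYPE and pkt["id"] == RULE_ICMP_ID


def hexdump_line(payload: bytes) -> str:
    """Render the payload in the '000 : 3F 3F 3F 3F  ????' style from the thread."""
    hexpart = " ".join(f"{b:02X}" for b in payload)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
    return f"000 : {hexpart}  {ascii_part}"


def triage(packet: bytes) -> tuple:
    """Apply the rule, then classify by payload so the analyst sees the content
    the rule ignored. Returns (verdict, hexdump of payload)."""
    pkt = parse_icmp(packet)
    dump = hexdump_line(pkt["payload"])
    if not rule_matches(pkt):
        return NO_MATCH, dump
    if pkt["payload"] == b"????":
        return QMARK_PATTERN, dump
    return OTHER_PAYLOAD, dump


def summarize(alerts) -> dict:
    """Per-source hit counts and verdict distribution for a list of
    (src_ip, icmp_bytes) pairs, mirroring the 'IPs hit 1-8 times' observation."""
    summary = defaultdict(lambda: {"hits": 0, "verdicts": Counter()})
    for src, packet in alerts:
        verdict, _ = triage(packet)
        if verdict == NO_MATCH:
            continue            # the rule would not have fired at all
        summary[src]["hits"] += 1
        summary[src]["verdicts"][verdict] += 1
    return dict(summary)


# Constructed sample traffic (addresses and payloads are made up).
SAMPLE_ALERTS = [
    ("10.0.0.1", build_echo(666, 0, b"????")),
    ("10.0.0.1", build_echo(666, 1, b"????")),
    ("10.0.0.2", build_echo(666, 0, b"????")),
    ("10.0.0.3", build_echo(666, 9, b"ABCD")),           # same id, other content
    ("10.0.0.4", build_echo(1234, 0, b"ordinary ping")), # normal echo, no match
    ("10.0.0.5", build_echo(666, 0, b"????", itype=0)),  # echo reply, no match
]

if __name__ == "__main__":
    for src, packet in SAMPLE_ALERTS:
        verdict, dump = triage(packet)
        print(f"{src:10} {verdict:28} {dump}")
    for src, info in summarize(SAMPLE_ALERTS).items():
        print(src, info["hits"], dict(info["verdicts"]))
```

Running it prints one line per packet with the verdict and the payload dump, followed by the per-source counts. Only two of the six sample packets reach the "compare with reference signature" state; the rest are either the "????" pattern or traffic the rule would never have fired on, which is the distinction the rule itself cannot make.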

