On Thu, 30 Dec 1999, Dave Dittrich wrote:

> ==========================================================================
>
> The "stacheldraht" distributed denial of service attack tool
>
> ==========================================================================

For those who are using this analysis for IDS signatures, etc., there is
a typo in the analysis.

> In addition to finding an active handler, the agent performs a test
> to see if the network on which the agent is running allows packets to
> exit with forged source addresses.  It does this by sending out an
> ICMP_ECHOREPLY packet with a forged IP address of "3.3.3.3", an ID of
  ^^^^^^^^^^^^^^
> 666, and the IP address of the agent system (obtained by getting the
> hostname, then resolving this to an IP address) in the data field of
> the ICMP packet.  (Note that it also sets the Type of Service field to
> 7 on this particular packet, while others have a ToS value of 0.)
> ...
> These packets (as seen by tcpdump and tcpshow) are shown here:
>
> ------------------------------------------------------------------------------
> # tcpdump icmp
> . . .
> 14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
> 14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
> . . .
> ------------------------------------------------------------------------------

The tcpdump trace is correct.  The 3.3.3.3 spoof test packet is an
ICMP_ECHO packet, not an ICMP_ECHOREPLY.

Thanks to bkubeshat_private for pointing this out.

--
Dave Dittrich                           Client Services
dittrichat_private                      Computing & Communications
                                        University of Washington

<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrichat_private [PGP Key]</a>

PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB  49 A1 0C D0 8E 0C D0 BE  C8 38 CC B5
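The correction matters to anyone who turned the original analysis into a detection rule: a signature keyed on ICMP type 0 (echo reply) never fires on the spoof-test packet, which is type 8 (echo request). The following is an added example, not code from the post, from Dave Dittrich's analysis or from the tool itself. It parses a raw IPv4+ICMP packet, checks the fields the post gives (source 3.3.3.3, ICMP ID 666, ToS 7, echo request), and shows that a rule written from the typo'd text misses the constructed packet while the corrected one matches. The sample packets are constructed here using the 192.168.0.1 and 10.0.0.1 addresses from the quoted tcpdump trace; the post does not say how the agent's address is encoded in the data field, so the four raw address bytes used below are an assumption.

```python
"""Detection check for the stacheldraht agent's spoof-test packet.

Added example; not code from the post or from the tool.  Signature fields
(ICMP echo request, src 3.3.3.3, ICMP ID 666, IP ToS 7) come from the post.
The payload encoding and the sample packets are constructed for this example.
"""
import socket
import struct

ICMP_ECHOREPLY = 0   # type named in the original (typo'd) analysis text
ICMP_ECHO = 8        # type the packet actually carries, per the correction
IPPROTO_ICMP = 1

SPOOF_SRC = "3.3.3.3"
SPOOF_ID = 666
SPOOF_TOS = 7


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Extract the fields a signature needs from a raw IPv4+ICMP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    end = min(total_len, len(pkt))          # ignore any trailing link-layer padding
    if ver_ihl >> 4 != 4 or ihl < 20 or end < ihl + 8:
        raise ValueError("not a complete IPv4/ICMP packet")
    if proto != IPPROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:end]
    itype, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "tos": tos,
        "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,   # valid header sums to zero
        "icmp_csum_ok": inet_checksum(icmp) == 0,
        "icmp_type": itype, "icmp_code": code, "icmp_id": icmp_id,
        "icmp_seq": seq, "payload": icmp[8:],
    }


def is_stacheldraht_spoof_test(f: dict, expected_type: int = ICMP_ECHO) -> bool:
    """Match the spoof-test signature described in the post.

    expected_type defaults to the corrected value (echo request); passing
    ICMP_ECHOREPLY reproduces a rule written from the typo'd text.
    """
    return (f["icmp_type"] == expected_type
            and f["src"] == SPOOF_SRC
            and f["icmp_id"] == SPOOF_ID
            and f["tos"] == SPOOF_TOS)


def build_ipv4_icmp(src, dst, icmp_type, tos, icmp_id, payload, seq=0, ttl=64):
    """Build a constructed IPv4+ICMP packet with valid checksums (offline test data)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, seq)
    icmp = struct.pack("!BBHHH", icmp_type, 0, inet_checksum(hdr + payload),
                       icmp_id, seq) + payload

    def ip_hdr(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0, 0, ttl,
                           IPPROTO_ICMP, csum, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr(inet_checksum(ip_hdr(0))) + icmp


# Constructed samples using the addresses from the quoted trace.  Encoding the
# agent address (10.0.0.1) as its 4 raw bytes is an assumption of this example.
AGENT_IP = "10.0.0.1"
SPOOF_TEST_PKT = build_ipv4_icmp(SPOOF_SRC, "192.168.0.1", ICMP_ECHO, SPOOF_TOS,
                                 SPOOF_ID, socket.inet_aton(AGENT_IP))
ORDINARY_PING = build_ipv4_icmp(AGENT_IP, "192.168.0.1", ICMP_ECHO, 0, 1234, b"hello")


def classify(pkt: bytes) -> str:
    """Label a packet using the corrected signature."""
    f = parse_ipv4_icmp(pkt)
    return "stacheldraht-spoof-test" if is_stacheldraht_spoof_test(f) else "benign"


if __name__ == "__main__":
    fields = parse_ipv4_icmp(SPOOF_TEST_PKT)
    print("corrected rule (type 8):", is_stacheldraht_spoof_test(fields))
    print("typo'd rule (type 0):   ", is_stacheldraht_spoof_test(fields, ICMP_ECHOREPLY))
    print("ordinary ping:", classify(ORDINARY_PING))
```

The checksum verification is there because a rule that fires on any packet with a spoofed 3.3.3.3 source is cheap to trigger; confirming the checksums and the full tuple (type, source, ID, ToS) keeps the match specific to the behaviour the post describes rather than to the source address alone.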
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:27:30 PDT