On Thu, 16 Mar 2000, Sven Dietrich wrote:
> Note: this is also available at:
> http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt
> An analysis of the ``Shaft'' distributed denial of service tool
>
Hi,
There is a minor error in the detection code that will keep ddos-shaft.c
from compiling; a line in listener() is repeated accidentally in the
Bugtraq post and on the website (remove one of the repeated lines):
    printf("Unexpected UDP packet received on port %d from %s\n",
           shaft_rctport, inet_ntoa(from.sin_addr));
-          shaft_rctport, inet_ntoa(from.sin_addr));
Based on the "shaft" writeup I have added Snort IDS signatures to
arachNIDS (http://whitehats.com/ids/) that should detect the traffic of
this known configuration.
Direct links:
http://whitehats.com/IDS/252 ddos-shaft-synflood-incoming
http://whitehats.com/IDS/253 ddos-shaft-synflood-outgoing
http://whitehats.com/IDS/254 ddos-shaft-client-to-handler
http://whitehats.com/IDS/255 ddos-shaft-handler-to-agent
http://whitehats.com/IDS/256 ddos-shaft-agent-to-handler
I have also updated the Whitehats online self-scanning tool. It can be
used to quickly test your browsing system for this configuration of Shaft,
as well as Trinoo, TFN, Stacheldraht, Stacheldraht4, and WinTrinoo. The
self-scan tools can be found at:
http://dev.whitehats.com/scan/ddos/
I have also collected related DDOS tools, media commentary, and a small
forum for discussion, found at the same URL.
Max Vision
http://whitehats.com/