Rule: -- Sid: 229 -- Summary: This event is generated when a Stacheldraht agent attempts to contact a known handler. -- Impact: This indicates that a Stacheldraht agent may exist on the source host and a handler may exist on the destination host. -- Detailed Information: The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a denial of service attack. There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. Once a host becomes a Stacheldraht agent, it will attempt to contact a list of known handlers using an ICMP echo reply with an ICMP identification number of 666 and a string of "skillz" in the payload. -- Affected Systems: Any Stacheldraht compromised host. -- Attack Scenarios: A compromised host that has become a Stacheldraht agent will attempt an initial communication with all known handlers. -- Ease of Attack: Simple. Stacheldraht code is freely available. -- False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. Rebuild a confirmed compromised host. Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. -- Contributors: Original rule written by Max Vision Sourcefire Research Team Judy Novak -- Additional References: Arachnids: http://www.whitehats.com/info/IDS190 --
