[Snort-sigs] (no subject)

Mike Bell mikebell at ...468...
Sat Mar 23 19:00:24 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#



Rule: DDOS shaft client to handler

-- 

Sid: 230

-- 

Summary: Possible communication of DDOS shaft client to handler.

-- 

Impact: 

-- 

Detailed Information: Shaft is a Distributed Denial of Service tool. Clients establish a session via Telnet to masters (handlers) on TCP port 20432. Clients request attacks by passing masters information specifying the victims, the duration of the attack, and the type of attack (UDP, TCP SYN, or ICMP floods, or a combination of the three). Masters then distribute this information to Daemons to perform the requested attacks.

-- 

Attack Scenarios: 

-- 

Ease of Attack: 

-- 

False Positives: The rule is not content-specific, and port 20432 may be used as an ephemeral port by normal traffic. 

-- 

False Negatives: 

-- 

Corrective Action: Where possible, block SYN packets destined to port 20432 on hosts within your network. Scans of the network for hosts listening on port 20432 may also be conducted, as a host listening on that port may indicate a compromise.

-- 

Contributors: 

-- 

Additional References: 

Mike Bell, CCSA, CCSE, GCIA
Piggly Wiggly Carolina
Technical Support Manager
843-554-9880 x 3428
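The following is an added example, not part of the original post or of the Snort rule set, illustrating the detection logic described under "Detailed Information" and the ephemeral-port false positive noted under "False Positives". It models TCP packets as a small dataclass (constructed sample traffic, not a capture), decides the direction of each session from the first SYN seen, and alerts only when the session initiator talks to TCP/20432 on a host in a home network. A naive destination-port-only match is included alongside it to show how many extra hits it produces on a benign connection whose source port happens to be 20432. The `Packet` type, the `home_net` parameter and the sample addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Handler port named in the signature description (sid 230).
SHAFT_HANDLER_PORT = 20432


@dataclass(frozen=True)
class Packet:
    """One TCP packet summary (hypothetical type for this example).
    'flags' is a constructed string such as 'S', 'SA', 'A' or 'PA'."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


Endpoint = Tuple[str, int]
SessionKey = Tuple[Endpoint, Endpoint]


def session_key(p: Packet) -> SessionKey:
    """Direction-independent key so both halves of a conversation map to one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def naive_port_match(packets: List[Packet], home_net: str) -> int:
    """Count packets sent to TCP/20432 on a home host, ignoring session direction.
    This is the behaviour the 'False Positives' note warns about."""
    net = ipaddress.ip_network(home_net)
    return sum(1 for p in packets
               if p.dport == SHAFT_HANDLER_PORT and ipaddress.ip_address(p.dst) in net)


def detect_shaft_client_to_handler(packets: List[Packet], home_net: str) -> List[str]:
    """Alert once per session in which the session *initiator* talks to TCP/20432
    on a home host. The initiator is whoever sent the first SYN; the session counts
    as established once a post-handshake packet has been seen (an
    established, to-server style condition)."""
    net = ipaddress.ip_network(home_net)
    initiator: Dict[SessionKey, Endpoint] = {}
    alerted: Set[SessionKey] = set()
    alerts: List[str] = []
    for p in packets:
        k = session_key(p)
        if p.flags == "S":
            initiator.setdefault(k, (p.src, p.sport))  # first SYN decides direction
            continue
        if k not in initiator or p.flags == "SA":
            continue  # no SYN seen for this session, or the server half of the handshake
        to_server = initiator[k] == (p.src, p.sport)
        if (to_server and p.dport == SHAFT_HANDLER_PORT
                and ipaddress.ip_address(p.dst) in net and k not in alerted):
            alerted.add(k)
            alerts.append(f"sid:230 DDOS shaft client to handler "
                          f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE = [
    # 1. Client-to-handler session: external host connects to TCP/20432 on a home host.
    Packet("203.0.113.5", 40000, "10.1.1.7", SHAFT_HANDLER_PORT, "S"),
    Packet("10.1.1.7", SHAFT_HANDLER_PORT, "203.0.113.5", 40000, "SA"),
    Packet("203.0.113.5", 40000, "10.1.1.7", SHAFT_HANDLER_PORT, "A"),
    Packet("203.0.113.5", 40000, "10.1.1.7", SHAFT_HANDLER_PORT, "PA"),
    # 2. Benign web session where the home host picked 20432 as its ephemeral source port.
    Packet("10.1.1.20", SHAFT_HANDLER_PORT, "198.51.100.9", 80, "S"),
    Packet("198.51.100.9", 80, "10.1.1.20", SHAFT_HANDLER_PORT, "SA"),
    Packet("10.1.1.20", SHAFT_HANDLER_PORT, "198.51.100.9", 80, "A"),
    Packet("198.51.100.9", 80, "10.1.1.20", SHAFT_HANDLER_PORT, "PA"),
]

if __name__ == "__main__":
    print("naive dport-only matches:", naive_port_match(SAMPLE, "10.1.0.0/16"))
    for alert in detect_shaft_client_to_handler(SAMPLE, "10.1.0.0/16"):
        print(alert)
```

On the sample above the naive match fires five times, two of them on the benign web server's replies to the home host's port 20432, while the direction-aware check raises a single alert for the external client that initiated a session to the handler port.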