No subject

Thu Nov 23 16:36:19 EST 2017

In addition to finding an active handler, the agent performs a test
to see if the network on which the agent is running allows packets to
exit with forged source addresses.  It does this by sending out an
ICMP ECHO packet with a forged IP address of "", an ID of
666, and the IP address of the agent system (obtained by getting the
hostname, then resolving this to an IP address) in the data field of
the ICMP packet.  (Note that it also sets the Type of Service field to
7 on this particular packet, while others have a ToS value of 0.)

If the master receives this packet, it replies to the IP address
embedded in the packet with an ICMP_ECHOREPLY packet containing an ID
of 1000 and the word "spoofworks" in the data field.  If the agent
receives this packet, it sets a spoof_level of 0 (can spoof all 32
bits of IP address).  If it times out before receiving a spoof reply
packet, it sets a spoof_level of 3 (can only spoof the final octet).


On Sat, 31 Mar 2001, Siddhartha Jain wrote:

> Hi,
> I got 302 "ddos-stacheldraht server-spoof" alerts from 235 unique IPs to 4
> destination IPs in 3 days. Is every alert one packet containing the attack
> signature? Does this look like the beginning of a real ddos? This is a typical
> packet triggering the alert:
> [**] IDS193/ddos-stacheldraht server-spoof [**]
> 03/30-21:10:18.123939 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800
> len:0x3C
> -> dd.dd.dd.dd ICMP TTL:238 TOS:0x0 ID:16641 IpLen:20 DgmLen:32
> DF
> Type:8  Code:0  ID:666   Seq:1  ECHO
> ????
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> ----------snip --------------------
> Siddhartha

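As an added example (not code from this thread or from the Stacheldraht analysis quoted above), the Python below parses raw IPv4/ICMP bytes and flags both halves of the spoof test described at the top of the reply: the agent's ICMP echo with ID 666 (ToS 7) and the handler's echo reply with ID 1000 and "spoofworks" in the data field. It assumes the agent's address sits in the echo data as a dotted-quad ASCII string; the sample packets are constructed for the demo.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (returns 0 when a filled-in checksum is valid)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF

def build_icmp_packet(src, dst, tos, icmp_type, icmp_id, payload):
    """Constructed IPv4 + ICMP packet (type 8 echo or type 0 echo reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 16641, 0x4000,
                     238, 1, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + icmp

def classify(packet: bytes):
    """Return (label, details) for a Stacheldraht spoof-test packet, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None  # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    tos = packet[1]
    src = ".".join(map(str, packet[12:16]))
    icmp = packet[ihl:]
    itype, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", icmp[:8])
    data = icmp[8:]
    details = {"src": src, "tos": tos, "icmp_checksum_ok": ones_complement_sum(icmp) == 0}
    if itype == 8 and icmp_id == 666:
        # ID 666 is what IDS193 keys on; the alert in the thread shows TOS:0x0, so
        # ToS 7 is reported as corroboration rather than required. The data field
        # names the real agent host (assumed ASCII here), unlike the forged source.
        details["embedded_agent"] = data.decode("ascii", "replace")
        details["source_forged"] = details["embedded_agent"] != src
        return ("stacheldraht-agent-spoof-test", details)
    if itype == 0 and icmp_id == 1000 and b"spoofworks" in data:
        return ("stacheldraht-handler-spoof-reply", details)
    return None

# Constructed samples: forged-source probe, handler reply, and an ordinary ping.
AGENT_PROBE = build_icmp_packet("203.0.113.9", "192.0.2.10", 7, 8, 666, b"192.0.2.77")
HANDLER_REPLY = build_icmp_packet("192.0.2.10", "192.0.2.77", 0, 0, 1000, b"spoofworks")
NORMAL_PING = build_icmp_packet("192.0.2.5", "192.0.2.10", 0, 8, 4242, b"abcdefgh")
```

For a responder, the useful field is `embedded_agent`: the forged source says nothing about the infected host, but the address the agent put in the data field does.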