stacheldraht

• Attacks:
  • UDP flood
  • ICMP flood
  • TCP SYN flood
  • "Smurf"
  • Detects and automatically enables source address forgery
• Communication:
  • TCP session from attacker to handler
  • ICMP_ECHOREPLY packets between agents and handlers
  • Agent commands sent in ICMP_ECHOREPLY id field
  • Arguments sent in data payload
• Encryption:
  • TCP client encrypts traffic from attacker to handler using Blowfish
  • Handler encrypts agent list using Blowfish
  • Handler execution protected by crypt() encrypted password
  • Agent command arguments not (yet) encrypted
• Priviledges:
  • Root not required for handler client (high port TCP)
  • Root required for handlers/agents (uses raw ICMP sockets)
• Forensics:
  • Default handler IP addresses visible (+)
  • Enough strings to recognize agent/handler easily (+)
  • Listening TCP ports/ICMP sockets can be seen with "lsof" (+)
  • "Root Kits" hide processes/files/directories (-)
  • Ethernet switches make monitoring TCP & ICMP traffic difficult (-)
• [Analysis]

[Next] | [Prev] | [Top]