Stacheldraht distributed denial of service tool

stacheldraht-dos (3757) Risk level: High

Description:

Stacheldraht is a distributed denial of service tool based on the source code of the Tribe Flood Network (TFN) and Trin00 tools. In addition to providing the features of these tools, Stacheldraht encrypts most of its communication between clients, master servers (sometimes known as handlers), and agents. Although Stacheldraht does encrypt the control channel between master and agent, it does not encrypt the ICMP heartbeat packets that the agent sends to the master. Stacheldraht agents can also be upgraded remotely, given an account and server name, using the rcp command.

Stacheldraht was designed to be built and installed on compromised Linux and Solaris systems, but it potentially could be installed on any system by modifying the source code.

Platforms Affected:

  • Compaq, Tru64
  • Data General, DG/UX
  • HP, HP-UX 10.20
  • HP, HP-UX 11
  • HP, HP-UX
  • IBM, AIX 4
  • IBM, AIX
  • Linux, Kernel
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • SCO, SCO Unix
  • SGI, IRIX
  • Sun, Solaris 2.6
  • Sun, Solaris 7.0
  • Sun, Solaris 8
  • Sun, Solaris
  • WindRiver, BSDOS

Remedy:

Remove the Stacheldraht program using the instructions below.

In addition to removing Stacheldraht, you can take several measures to prevent it from spreading:

  • Contact the originator(s) of the client ICMP Echo reply packets to inform them of the vulnerability.
  • Block ICMP packets from the address from which they originated.
  • Disable directed broadcasts on your network so that it cannot be used to amplify denial of service attacks.
  • Inform your ISP of the attack, so that they can take action to further prevent the attack from spreading.
  • Block well-known stacheldraht default ports of 16660/TCP and 65000/TCP at firewalls and/or routers.

Finding the Stacheldraht program might be difficult if the default name of the binary, td, has changed. To locate and remove the Stacheldraht server:

  1. Search the process list for "td" (using the ps command).
  2. Did you find a td process?
    • Yes. Find the associated binary.
    • No. Try using the lsof command to find the right binary (the agent uses raw sockets by default), or search through all the processes running on your system to identify which one could be the Stacheldraht server.
  3. Test the suspect binary to make sure it is the Stacheldraht program (see procedure below).
  4. Delete the binary from the system.

To test the suspected binary program:

  1. Run strings on the binary:
    strings [binary name]
  2. The strings output should be similar to the following:
    %d.%d.%d.%d
    ICMP
    Error sending syn packet.
    tc: unknown host
    3.3.3.3
    mservers
    randomsucks
    skillz
    rm -rf %s
    ttymon
    rcp %s@%s:sol.bin %s
    nohup ./%s
    X.X.X.X
    X.X.X.X
    lpsched
    sicken
    in.teln
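The following triage script is an added example, not part of the X-Force entry: it carries out step 1 of the removal procedure (look for a process named td) and the strings test above in a single POSIX sh script. The function names are this example's own; it assumes a Linux-style /proc for resolving a process to its binary, and treats three or more distinct signature matches as the (assumed) threshold for flagging a binary.

```shell
# Distinctive strings quoted from the advisory's expected strings output
# (generic ones such as ICMP or %d.%d.%d.%d are left out to avoid noise).
STACHELDRAHT_SIGS='Error sending syn packet.
tc: unknown host
mservers
randomsucks
skillz
rcp %s@%s:sol.bin %s
nohup ./%s
sicken
in.teln'

# Step 1: list processes whose command name is exactly "td" and, on Linux,
# resolve the backing binary through /proc; otherwise fall back to lsof.
find_td_processes() {
    ps -eo pid=,comm= | while read -r pid comm; do
        [ "$comm" = "td" ] || continue
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="unknown: try lsof -p $pid"
        echo "$pid $exe"
    done
}

# Equivalent of "strings -n 4 FILE": runs of 4+ printable characters,
# built on tr(1) so binutils' strings(1) is not required.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' || true
}

# Step 3: count how many distinct signature strings the file contains.
count_stacheldraht_sigs() {
    tmp=$(mktemp) || return 1
    extract_strings "$1" > "$tmp"
    hits=0
    while IFS= read -r sig; do
        if grep -F -q -- "$sig" "$tmp"; then hits=$((hits + 1)); fi
    done <<EOF
$STACHELDRAHT_SIGS
EOF
    rm -f "$tmp"
    echo "$hits"
}

# Verdict: three or more distinct matches is this example's assumed
# threshold for "looks like the Stacheldraht agent binary".
is_suspect_binary() {
    [ "$(count_stacheldraht_sigs "$1")" -ge 3 ]
}
```

Run `find_td_processes` to list candidates, then `is_suspect_binary /path/to/candidate` on each; a renamed binary will not show up in the process search, so the strings test is the step that actually confirms it.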

Consequences:

Denial of Service

References:

Reported:

Aug 15, 1999

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net