gag - a stacheldraht agent detector

"gag" is a program to scan for "stacheldraht" agents, which are part of an
active "stacheldraht" network. It will NOT detect trinoo, the original Tribe
Flood Network (TFN), or TFN2K agents. A newer tool that scans for these other
tools as well is "dds":

    http://staff.washington.edu/dittrich/misc/ddos_scan.tar

To be honest, I would recommend using an even newer and more general tool,
RID, by David Brumley of Stanford University. You can find a link to RID
source, and other resources on DDoS attacks, on the following page:

    http://staff.washington.edu/dittrich/misc/ddos/

For background on detecting trinoo and Tribe Flood Network, see these
analyses:

    http://staff.washington.edu/dittrich/misc/trinoo.analysis
    http://staff.washington.edu/dittrich/misc/tfn.analysis

(Why "gag"? It's supposed to be a running joke I started in the trinoo
analysis: trinoo/trinot, "tribe"/civilize, gag/sicken&gesundheit!. Read the
ddos trilogy to find out!)

See CHECKSUMS.asc for PGP signed MD5 checksums.

-------------------------------------------------------------------------
NOTE: "gag" is continuing to undergo development, in the form of a new, more
general program named "dds" (for "Distributed DoS Scanner") that scans for
active trinoo, TFN, and stacheldraht agents. This program is still in beta
testing, but can be found at:

    http://staff.washington.edu/dittrich/misc/ddos_scan.tar
-------------------------------------------------------------------------

Usage
=====

This program is known to compile and run on at least the following operating
systems:

  * Linux (kernel 2.2.x)
  * Solaris 2.6 or higher (Solaris 2.5 seems to be missing inet_aton())
  * Digital Unix 4.0d
  * IBM AIX 4.2
  * FreeBSD 3.3-Release

You may need to edit the Makefile to define the libraries necessary to compile
the program. The default should work for Sun Solaris systems.

You must run "gag" as root, as it needs to open a raw mode socket. (If you
don't trust running the code as root, which you *should* be wary of doing if
someone asks you, the source file is there to check.)

Say you have a network of subnets, all sharing a common network address of
198.162. To scan this entire /16 network, you would use the command:

    # ./gag 198.162.0.0/16

If you instead wish to just scan the 24 bit subnet 198.162.1, you would use
the command:

    # ./gag 198.162.1.0/24

To scan a single host, just give its IP address (/32 is assumed):

    # ./gag 198.162.1.1

If gag is able to find an active stacheldraht agent, it will report as
follows:

    # ./gag 192.168.1.0/24
    Received sicken from 192.168.1.202

If gag does not find an active stacheldraht agent, it will return nothing.

You can use verbose mode if you really want to see it report each time it
sends a packet, like this:

    # ./gag -v 192.168.1.0/24
    Mask: 24 Target: 192.168.1.0
    gag $Revision: 1.8 $ - scanning...
    Probing address 192.168.1.1
    Probing address 192.168.1.2
    .
    .
    .
    Received sicken from 192.168.1.202
    .
    .
    .
    Probing address 192.168.1.254

If you do this, realize that scanning a /24 subnet will generate 254+ lines,
so you will probably need to run "script" to capture all the output.

If gag receives an ICMP_ECHOREPLY packet that happens to have the same ID
value (669) as a stacheldraht agent produces, but without the word "sicken"
in the data portion of the packet, it just reports that it "Got a packet
from ..." This is not the same as detecting a stacheldraht agent. Please
read the analysis of stacheldraht to understand what this tool is doing.

Caveats
=======

This program MAY NOT DETECT agents that are not part of an active network. In
other words, if a stacheldraht agent is installed on a system, but there is no
handler currently running to control it, it may not respond to the packets
sent by this program.

This program WILL NOT DETECT agents which have had the default values changed
for handler/agent "command" communication.
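The reply classification described above (ID 669 plus the word "sicken" in the data, versus ID 669 alone), written as an added C example; it is not gag's own code, it assumes the ICMP identifier is carried in network byte order, and it assumes the buffer starts at the ICMP header with no IP header in front. The hard-coded constants also make plain why an agent whose defaults were changed produces no report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed classifier modelled on the README's description of gag's
   reporting.  Not taken from gag's source. */
#define ICMP_ECHOREPLY_TYPE   0
#define STACHELDRAHT_REPLY_ID 669   /* ID value the README names */
#define ICMP_HDR_LEN          8

enum reply_class { NOT_RELEVANT = 0, ID_MATCH_ONLY = 1, AGENT_DETECTED = 2 };

/* Classify one raw ICMP message (header + payload).  AGENT_DETECTED when it
   is an echo reply with ID 669 whose payload contains "sicken"; ID_MATCH_ONLY
   when the ID matches but the marker is absent; NOT_RELEVANT otherwise. */
enum reply_class classify_icmp(const uint8_t *pkt, size_t len) {
    if (len < ICMP_HDR_LEN) return NOT_RELEVANT;           /* truncated */
    if (pkt[0] != ICMP_ECHOREPLY_TYPE) return NOT_RELEVANT; /* not a reply */
    /* Identifier occupies bytes 4-5; assumed big-endian (network order). */
    uint16_t id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (id != STACHELDRAHT_REPLY_ID) return NOT_RELEVANT;
    /* Scan the payload for the marker without trusting a NUL terminator. */
    const uint8_t *data = pkt + ICMP_HDR_LEN;
    size_t dlen = len - ICMP_HDR_LEN;
    static const char marker[] = "sicken";
    size_t mlen = sizeof(marker) - 1;
    for (size_t i = 0; i + mlen <= dlen; i++)
        if (memcmp(data + i, marker, mlen) == 0) return AGENT_DETECTED;
    return ID_MATCH_ONLY;
}

/* Report prefix matching the README's output; NULL means gag stays silent. */
const char *report_prefix(enum reply_class c) {
    switch (c) {
    case AGENT_DETECTED: return "Received sicken from";
    case ID_MATCH_ONLY:  return "Got a packet from";
    default:             return NULL;
    }
}

/* Build a constructed sample reply (checksum left zero, not verified here).
   Returns the message length, or 0 if the buffer is too small. */
size_t build_reply(uint8_t *buf, size_t cap, uint16_t id, const char *payload) {
    size_t plen = strlen(payload);
    if (cap < ICMP_HDR_LEN + plen) return 0;
    memset(buf, 0, ICMP_HDR_LEN);   /* type 0 (echo reply), code 0, cksum 0 */
    buf[4] = (uint8_t)(id >> 8);
    buf[5] = (uint8_t)(id & 0xff);
    memcpy(buf + ICMP_HDR_LEN, payload, plen);
    return ICMP_HDR_LEN + plen;
}
```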
Because of these limitations, a negative response DOES NOT GUARANTEE you have
no agents on your network.

Even if you do detect stacheldraht agents, you may find it difficult to locate
them due to "root kits" installed on the system. This may require that you use
file system integrity checking techniques, or otherwise identify the modified
files. A write-up on root kits can be found at:

    http://staff.washington.edu/dittrich/misc/faq/rootkits.faq

A complementary tool that will scan the local filesystem for handlers/agents
on Solaris systems is provided by the National Infrastructure Protection
Center. See:

    http://www.fbi.gov/nipc/trinoo.htm

For more information, see:

    http://www.cert.org/advisories/CA-2000-01.html
    http://www.cert.org/reports/dsit_workshop.pdf

You should take care to NOT SCAN networks that you do NOT OWN AND CONTROL.
People will get very angry with you if you do this. This tool was intended to
be used by network administrators and incident response teams for scanning
internal networks. You should also coordinate your activities with other
groups that share the use of, or administration of, your network.

If you find agents with this tool, you have identified the bottom tier of a
distributed network, which may contain hundreds (as many as a thousand) of
other agents at various sites. Follow proper forensic procedures to gather
evidence about which computers (most likely at other sites) are acting as the
handlers of the network, which will then lead to the other agents. You should
remove the system from the network, and perform a backup of the system
immediately, to ensure you take the system out of the control of the attackers
who compromised it, and to preserve evidence. More information on responding
to root level compromise can be found in the CERT advisory mentioned above.

CREDITS
=======

I can only take credit for the analysis of stacheldraht, and the initial
version of this program, which was hacked together from the stacheldraht
source code. Significant modifications were made by Marcus Ranum of Network
Flight Recorder and others. It would not have been possible to get the program
to this level, this fast, without their assistance (which is greatly
appreciated!)

LEGALESE
========

This software should only be used in compliance with all applicable laws and
the policies and preferences of the owners of any networks, systems, or hosts
scanned with the software. The developers and licensors of the software
provide the software on an "as is" basis, excluding all express or implied
warranties, and will not be liable for any damages arising out of or relating
to use of the software.

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.