Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:222 |
Message | DDOS tfn2k icmp possible communication |
Summary | This event is generated when ICMP traffic is sent between Tribe Flood Network 2000 (TFN2K) hosts. |
Impact | Attempted DDoS. A TFN2K agent or handler may be present on your network. |
Detailed Information | When TFN2K hosts communicate over ICMP, they may use an ICMP echo reply (type 0) with an ICMP identification number of 0 and a run of "A" characters in the payload. The tell-tale run of A's is an artifact of the Base64 encoding TFN2K applies to its command buffer: the buffer is zero-padded to a fixed size, and runs of zero bytes encode as runs of "A" in Base64. |
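The following is an added worked example, not part of the original signature description or of the TFN2K source. It shows why zero-padded Base64 produces the run of A's, builds a constructed ICMP echo reply carrying such a payload, and applies the same three checks this event relies on (echo reply, ICMP id 0, run of A's in the payload). The command text, the 64-byte buffer size and the ten-character run threshold are assumptions chosen for illustration.

```python
import base64
import struct

# Assumed TFN2K-style encoding: a fixed-size command buffer, zero padded,
# then Base64 encoded. Zero bytes encode to "A", so the padding becomes
# the tell-tale run of A's. Command text and 64-byte size are constructed.
def tfn2k_icmp_payload(command: bytes, buf_len: int = 64) -> bytes:
    padded = command.ljust(buf_len, b"\x00")
    return base64.b64encode(padded)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw ICMP message (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", itype, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, code, csum, ident, seq) + payload


def matches_tfn2k_icmp(icmp_msg: bytes, min_run: int = 10) -> bool:
    """Mirror the event's conditions: ICMP echo reply (type 0), ICMP id 0,
    and a run of at least `min_run` "A" bytes somewhere in the payload.
    The ten-character threshold is an assumption for this example."""
    if len(icmp_msg) < 8:
        return False
    itype, _code, _csum, ident, _seq = struct.unpack("!BBHHH", icmp_msg[:8])
    payload = icmp_msg[8:]
    return itype == 0 and ident == 0 and (b"A" * min_run) in payload


def scan(messages):
    """Return the indices of ICMP messages that match the TFN2K pattern."""
    return [i for i, msg in enumerate(messages) if matches_tfn2k_icmp(msg)]


if __name__ == "__main__":
    # Constructed sample traffic: a TFN2K-style echo reply, an ordinary
    # echo request, an ordinary echo reply with a normal ping payload.
    payload = tfn2k_icmp_payload(b"cmd")
    print(payload.decode())  # "Y21k" followed by a long run of A's
    sample = [
        build_icmp(0, 0, 0, 1, payload),          # echo reply, id 0: suspicious
        build_icmp(8, 0, 0x1234, 1, payload),     # echo request: not matched
        build_icmp(0, 0, 0x1234, 1, bytes(range(8, 56))),  # normal ping reply
    ]
    print("matched message indices:", scan(sample))
```

Any Base64 encoding of zero-heavy data yields long runs of A's, so the payload content alone is a weak indicator; the echo-reply type and the zero ICMP identifier are what narrow the event, and a hit still warrants the host forensics described under Corrective Action rather than being treated as confirmation on its own.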
Affected Systems | Any TFN2K infected host. |
Attack Scenarios | TFN2K hosts exchange commands and status with one another in order to coordinate a flood against a target. |
Ease of Attack | Simple. TFN2K is freely available. |
Corrective Action | Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. Rebuild a confirmed compromised host. Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. |
Additional References | Arachnids: http://www.whitehats.com/info/IDS425 |
Rule References | arachnids: 425 |
--
DID:558822