| Short Name | DDOS:SHAFT:HANDLER-TO-AGENT |
|---|---|
| Severity | Minor |
| Recommended | No |
| Category | DDOS |
| Keywords | Shaft Handler to Agent |
| Release Date | 2003/04/22 |
| Update Number | 1213 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |

This signature detects the command string "alive tijgu" in a UDP packet from port 18753. This can indicate that a Shaft handler is attempting to communicate with a Shaft agent using the password "tijgu." When the Shaft agent starts, it reports to its default Shaft handler by sending a "new <upshifted password>" command; the default password "shift" upshifts to "tijgu." All subsequent messages carry the password. Attackers can use Shaft, a distributed-denial-of-service (DDoS) attack tool, to flood IP addresses with packets from forged source addresses.
An attacker could control the handler servers and agent hosts to execute Distributed Denial of Service attacks.
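
The match described above, written out as an added example (not the vendor's signature code): it derives "tijgu" from the default password and flags UDP datagrams from source port 18753 that carry "alive tijgu". The `Datagram` record, the sample traffic and the destination port are constructed for illustration, and the plain +1 character shift is an assumption generalized from the single "shift" to "tijgu" example on this page.

```python
from typing import NamedTuple

SHAFT_HANDLER_PORT = 18753   # UDP source port named in the signature description
DEFAULT_PASSWORD = "shift"   # default Shaft password per the description


class Datagram(NamedTuple):  # hypothetical record type for this example
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def upshift(password: str) -> str:
    """Shift every character up by one, so "shift" becomes "tijgu".
    Assumption: a plain +1 on each character code; the page gives only
    this one example and does not describe other characters."""
    return "".join(chr(ord(c) + 1) for c in password)


def detect(datagrams, password=DEFAULT_PASSWORD):
    """Return datagrams sent from UDP port 18753 whose payload contains
    "alive <upshifted password>"."""
    needle = f"alive {upshift(password)}".encode("ascii")
    return [d for d in datagrams
            if d.src_port == SHAFT_HANDLER_PORT and needle in d.payload]


# Constructed sample traffic (documentation address ranges, not a real capture).
SAMPLE = [
    Datagram("192.0.2.10", 18753, "198.51.100.7", 40000, b"alive tijgu"),
    Datagram("192.0.2.10", 53, "198.51.100.7", 40000, b"alive tijgu"),     # wrong source port
    Datagram("192.0.2.10", 18753, "198.51.100.8", 40000, b"alive hello"),  # wrong password
    Datagram("203.0.113.5", 18753, "198.51.100.9", 40000, b"\x00alive tijgu\n"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(f"Shaft handler-to-agent: {hit.src_ip}:{hit.src_port} -> {hit.dst_ip}")
```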