gag - a stacheldraht agent detector

"gag" is a program to scan for "stacheldraht" agents, which are part
of an active "stacheldraht" network.  It will NOT detect trinoo,
the original Tribe Flood Network (TFN), or TFN2K agents.
A newer tool that scans for these other tools as well is "dds":

	http://staff.washington.edu/dittrich/misc/ddos_scan.tar

To be honest, I would recommend using an even newer and more general
tool, RID, by David Brumley of Stanford University.  You can find a
link to RID source, and other resources on DDoS attacks, on
the following page:

	http://staff.washington.edu/dittrich/misc/ddos/

For a background on detecting trinoo and Tribe Flood Network, see
those analyses:

	http://staff.washington.edu/dittrich/misc/trinoo.analysis
	http://staff.washington.edu/dittrich/misc/tfn.analysis

(Why "gag"?  It's supposed to be a running joke I started in the trinoo
analysis.  trinoo/trinot, "tribe"/civilize, gag/sicken&gesundheit!.
Read the ddos trilogy to find out!)

See CHECKSUMS.asc for PGP signed MD5 checksums.


-------------------------------------------------------------------------

NOTE:  "gag" is continuing to undergo development, in the form of
a new, more general program named "dds" (for "Distributed DoS
Scanner") that scans for active trinoo, TFN, and stacheldraht agents.
This program is still in beta testing, but can be found at:

	http://staff.washington.edu/dittrich/misc/ddos_scan.tar

-------------------------------------------------------------------------


Usage
=====

This program is known to compile and run on at least the following
operating systems:

	* Linux (kernel 2.2.x)
	* Solaris 2.6 or higher (Solaris 2.5 seems to be missing inet_aton())
	* Digital Unix 4.0d
	* IBM AIX 4.2
	* FreeBSD 3.3-Release

You may need to edit the Makefile to define the libraries necessary
to compile the program.  The default should work for Sun Solaris
systems.

You must run "gag" as root, as it needs to open a raw mode socket.
(If you don't trust running the code as root, which you *should*
be wary of doing if someone asks you, the source file is there
to check.)

Say you have a network of subnets, all sharing a common network
address of 198.162.  To scan this entire /16 network, you would
use the command:

	# ./gag 198.162.0.0/16

If you instead wish to just scan the 24 bit subnet 198.162.1, you
would use the command:

	# ./gag 198.162.1.0/24

To scan a single host, just give its IP address (/32 is assumed):

	# ./gag 198.162.1.1

If gag is able to find an active stacheldraht agent, it will report as
follows:

	# ./gag 192.168.1.0/24
	Received sicken from 192.168.1.202

If gag does not find an active stacheldraht agent, it will return
nothing.  You can use verbose mode if you really want to see it
report each time it sends a packet, like this:

	# ./gag -v 192.168.1.0/24
	Mask: 24
	Target: 192.168.1.0
	gag $Revision: 1.8 $ - scanning...

	Probing address 192.168.1.1
	Probing address 192.168.1.2
	 . . .
	Received sicken from 192.168.1.202
	 . . .
	Probing address 192.168.1.254

If you do this, realize that scanning a /24 subnet will generate
254+ lines, so you will probably need to run "script" to capture all
the output.

If gag receives an ICMP_ECHOREPLY packet that happens to have the same
ID value (669) as a stacheldraht agent produces, but without the
word "sicken" in the data portion of the packet, it just reports that
it "Got a packet from ..."  This is not the same as detecting a
stacheldraht agent.  Please read the analysis of stacheldraht to
understand what this tool is doing.
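The classification the paragraph above describes, as an added example in C (not gag's own code): it parses a raw IPv4/ICMP echo reply, checks the type, the 669 id and the "sicken" data, and returns one of the three verdicts gag reports.  Constructed packets stand in for what the raw socket would deliver; reading the id as a big-endian field is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three outcomes the README describes for a received echo reply. */
enum gag_verdict { GAG_IGNORE = 0, GAG_GOT_PACKET = 1, GAG_SICKEN = 2 };
#define STACHELDRAHT_REPLY_ID 669   /* ICMP id value named in the README */

/* Classify a raw IPv4 datagram (IP header + ICMP message) of len bytes and
 * write its dotted-quad source address into src (room for 16 bytes).
 * Assumption: the id field is read in network byte order (big-endian). */
enum gag_verdict gag_classify(const uint8_t *pkt, size_t len, char *src)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return GAG_IGNORE;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* IPv4 header length */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 1) return GAG_IGNORE; /* 1 = ICMP */
    snprintf(src, 16, "%u.%u.%u.%u", (unsigned)pkt[12], (unsigned)pkt[13], (unsigned)pkt[14], (unsigned)pkt[15]);
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != 0) return GAG_IGNORE;                /* 0 = ICMP_ECHOREPLY */
    if (((icmp[4] << 8) | icmp[5]) != STACHELDRAHT_REPLY_ID) return GAG_IGNORE;
    const uint8_t *data = icmp + 8;             /* data portion, not NUL-terminated */
    for (size_t i = 0, dlen = len - ihl - 8; i + 6 <= dlen; i++)
        if (memcmp(data + i, "sicken", 6) == 0) return GAG_SICKEN;
    return GAG_GOT_PACKET;      /* right id, no "sicken": "Got a packet from" */
}

/* Build a constructed echo reply from src into buf (checksums left zero; the
 * classifier does not verify them). Returns the datagram length. */
size_t gag_build_reply(uint8_t *buf, const uint8_t src[4], uint16_t id,
                       const char *data)
{
    size_t dlen = strlen(data);
    memset(buf, 0, 28 + dlen);
    buf[0] = 0x45; buf[9] = 1;              /* IPv4, IHL 5 (20 bytes); ICMP */
    memcpy(buf + 12, src, 4);               /* source = the probed host */
    buf[20] = 0;                            /* type ICMP_ECHOREPLY */
    buf[24] = (uint8_t)(id >> 8); buf[25] = (uint8_t)(id & 0xff);
    memcpy(buf + 28, data, dlen);
    return 28 + dlen;
}

/* Constructed case: a reply from 192.168.1.202 carrying the given id/data. */
enum gag_verdict gag_demo(uint16_t id, const char *data)
{
    uint8_t buf[128]; char src[16];
    const uint8_t agent[4] = {192, 168, 1, 202};
    enum gag_verdict v = gag_classify(buf, gag_build_reply(buf, agent, id, data), src);
    if (v == GAG_SICKEN) printf("Received sicken from %s\n", src); /* gag's report line */
    return v;
}
```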


Caveats
=======

This program MAY NOT DETECT agents that are not part of an active
network.  In other words, if a stacheldraht agent is installed on a
system, but there is no handler currently running to control it, it
may not respond to the packets sent by this program.

This program WILL NOT DETECT agents which have had the default values
changed for handler/agent "command" communication.

Because of these limitations, a negative response DOES NOT GUARANTEE
you have no agents on your network.

Even if you do detect stacheldraht agents, you may find it difficult
to locate them due to "root kits" installed on the system.  This
may require that you use file system integrity checking techniques,
or otherwise identify the modified files.  A write-up on root kits
can be found at:

	http://staff.washington.edu/dittrich/misc/faq/rootkits.faq

A complementary tool that will scan the local filesystem for
handlers/agents on Solaris systems is provided by the National
Infrastructure Protection Center.  See:

	http://www.fbi.gov/nipc/trinoo.htm

For more information, see:

	http://www.cert.org/advisories/CA-2000-01.html
	http://www.cert.org/reports/dsit_workshop.pdf

You should take care to NOT SCAN networks that you do NOT OWN AND
CONTROL.  People will get very angry with you if you do this.  This
tool was intended to be used by network administrators and incident
response teams for scanning internal networks.

You should also coordinate your activities with other groups that
share the use of, or administration of, your network.

If you find agents with this tool, you have identified the bottom tier
of a distributed network, which may contain hundreds (as many as a
thousand) of other agents at various sites.  Follow proper forensic
procedures to gather evidence about which computers (most likely at
other sites) are acting as the handlers of the network, which will
then lead to the other agents.  You should remove the system from the
network, and perform a backup of the system immediately, to ensure you
take the system out of the control of the attackers who compromised
it, and to preserve evidence.  More information on responding to root
level compromise can be found in the CERT advisory mentioned above.


CREDITS
=======

I can only take credit for the analysis of stacheldraht, and the
initial version of this program, which was hacked together from the
stacheldraht source code.  Significant modifications were made by
Marcus Ranum of Network Flight Recorder and others.  It would not
have been possible to get the program to this level, this fast,
without their assistance (which is greatly appreciated!)


LEGALESE
========

This software should only be used in compliance with all applicable laws and
the policies and preferences of the owners of any networks, systems, or hosts
scanned with the software.

The developers and licensors of the software provide the software on an "as
is" basis, excluding all express or implied warranties, and will not be liable
for any damages arising out of or relating to use of the software.

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
