TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 4095
Mstream DDOS tool handler to client traffic detection
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Mstream is a distributed denial of service attack tool. Denial of service attacks can crash the
target system. The mstream network, like trinoo and shaft, is made up of one or more handlers and a large set of agents.
An attacker sends instructions to handlers which in turn control the agents. Hence, the true source of the attack is nearly
untraceable. Attacker to handler communication is at present unencrypted over TCP, with handler to agent
communication unencrypted over UDP. This signature detects the mstream handler communication with a client over
port 12754.
Signature ID: 4096
Mstream handler ping to agent DDOS vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Mstream is one of the less sophisticated DDOS tools. The mstream network, like
trinoo and shaft, is made up of one or more handlers and a large set of agents. Attacker to handler communication is at
present unencrypted over TCP, with handler <-> agent communication unencrypted over UDP. Possible DDOS
mstream handler ping to agent detected; this event is generated when an mstream DDoS client communicates with a
handler.
Signature ID: 4097
Mstream handler to agent DDOS vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Mstream is one of the less sophisticated DDOS tools. The mstream network, like
trinoo and shaft, is made up of one or more handlers and a large set of agents. Attacker to handler communication is at
present unencrypted over TCP, with handler <-> agent communication unencrypted over UDP. This event is generated
when an mstream handler directs an mstream agent to begin an attack against a specified target.
Signature ID: 4098
Mstream DDOS tool handler to client traffic detection
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Mstream is a distributed denial of service attack tool. Denial of service attacks can crash the
target system. The mstream network, like trinoo and shaft, is made up of one or more handlers and a large set of agents.
An attacker sends instructions to handlers which in turn control the agents. Hence, the true source of the attack is nearly
untraceable. Attacker to handler communication is at present unencrypted over TCP, with handler to agent
communication unencrypted over UDP. This signature detects the mstream handler communication with a client over
port 15104.
Signature ID: 4099
Shaft DDOS tool client to handler login attempt
Threat Level: Warning
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: A distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource
unavailable to its intended users using multiple attack machines. Shaft is a DDoS tool that consists of handlers, clients
and agents. Agents and handlers are programs that are planted in compromised systems. The attacker controls handlers
listening on TCP port 20432 via a simple telnet connection using the shaft client. Handlers act as masters, ordering
agents to launch DoS. Shaft agents are capable of doing UDP, TCP SYN, ICMP packet flooding, or the combination of