The answers

In this section I'll present my answers on the stated questions in an easy-readable fashion. In the section The analysis I've discussed things more in-depth.

  1. What is the operating system of the honeypot? How did you determine that?

    The honeypot runs SunOS 5.8 (Solaris 8) on a Sun Ultra. I determined this in a few ways:

  2. How did the attacker(s) break into the system?

    Using an exploit for a bufferoverflow in the Subprocess Control Server (dtspcd) daemon running on the honeypot. The CERT advisory can be found here.

  3. Which systems were used in this attack, and how?

  4. Create a diagram that demonstrates the sequences involved in the attack

    Time From To What
    17:36:25 - 17:36:37 Buffer-overflow in dtscpd exploited, root-shell bound to port 1524
    17:36:37 - 18:00:00 Some tools and a rootkit downloaded from 2 systems. Rootkit installed, logs cleaned, some daemons patched
    17:42:42 - 17:45:13 'wget', 'dlp', 'solbnc' and 'ipv6sun' are downloaded
    17:45:29 - 17:52:40 'sol.tar.gz' downloaded
    17:54:25 - 17:58:32 Two downloads of official Sun patches for a couple of daemons
    18:04:07 - 18:12:40 The attacker configuring the bouncer, letting it connect with (an IRCnet server in the US), letting it join #agropoli2
    18:12:39 - 19:01:17 Sending invalid commands to the IRC-server, idling in #agropoli2 and #bobz

  5. What is the purpose/reason of the ICMP packets with 'skillz' in them?

    They are sent by the agents of 'Stacheldraht', a DDoS-tool. Every agent sends such a packet every 10 seconds to notify the so-called 'handlers' of their presence. See this for details.

  6. Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used?

    This protocol is IPv6. It's encapsulated in IPv4, creating a so-called 'tunnel'. The attacker used it to get on IRC, using '' as server.

  7. Can you identify the nationality of the attacker?

    Yes, the attacker is Italian.

  8. What are the implications of using the unusual IP protocol to the Intrusion Detection industry?

    They need to adjust all their tools to make them IPv6-compatible. Encapsulation should be considered too.

  9. What tools exist that can decode this protocol?

    Both ethereal and tcpdump can decode IPv6-traffic. Snort doesn't appear to do so, however, I heard there's been done some work on this.