Description: This event is generated when a DDoS Shaft client communicates with a Shaft handler. It is also possible that this event may be generated when any host attempts to discover or detect a Shaft handler.
Impact: Attempted DDoS. If the listed source IP is in your network, it may be a Shaft client or a host attempting to discover Shaft handlers. If the listed destination IP is in your network, it may be a Shaft handler.
Corrective: Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. Rebuild a confirmed compromised host. Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.