Thursday, 01 April 2010

DDoS Attack Tools

  • Trinoo (also called Trin00)
    Trin00 is a distributed SYN DoS attack tool in which communication between clients, handlers and agents runs over unencrypted UDP. The following ports are used as default port numbers: 1524 tcp, 27665 tcp, 27444 udp, 31335 udp. The attack method is UDP flood.

    More information:

    David Dittrich, The DoS Project's "trinoo" distributed Denial of Service attack tool, October 21, 1999,
    http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt


  • The Tribe Flood Network (TFN)
    TFN started to appear after trinoo. TFN client and daemon programs implement a DDoS network capable of employing a number of attacks, such as ICMP flood, SYN flood, UDP flood, and SMURF style attacks. TFN is noticeably different from trinoo in that all communication between the client (attacker), handlers, and agents uses ICMP ECHO and ECHO REPLY packets. Communication from the TFN client to daemons is accomplished via ICMP ECHO REPLY packets. The absence of TCP and UDP traffic sometimes makes these packets difficult to detect because many protocol monitoring tools are not even configured to capture and display ICMP traffic.

    More information:

    David Dittrich, The "Tribe Flood Network" distributed denial of service attack tool, October 21, 1999
    http://staff.washington.edu/dittrich/misc/tfn.analysis.txt


  • Stacheldraht (German for "barbed wire")
    Stacheldraht is a DDoS tool that started to appear in the late summer of 1999 and combines features of trinoo and TFN. It also contains some advanced features, such as encrypted attacker-master communication and automated agent updates. The possible attacks are similar to those of TFN; namely, ICMP flood, SYN flood, UDP flood, and SMURF attacks.

    More information:

    David Dittrich, The "stacheldraht" distributed denial of service attack tool, December 31, 1999
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt


  • Trinity
    Trinity is capable of launching several types of flooding attacks on a victim site, including UDP, fragment, SYN, RST, ACK, and other floods. Communication from the handler or intruder to the agent, however, is accomplished via Internet Relay Chat (IRC) or AOL's ICQ; Trinity appears to use primarily port 6667 and also has a backdoor program that listens on TCP port 33270.

    More information:

    Michael Marchesseau, "Trinity" Distributed Denial of Service Attack Tool, September 11, 2000
    http://rr.sans.org/malicious/trinity.php


  • Shaft
    A Shaft network looks conceptually similar to a trinoo network; it is a packet flooding attack in which the client controls the size of the flooding packets and the duration of the attack. One interesting signature of Shaft is that the sequence number for all TCP packets is 0x28374839.

    More information:

    An Analysis of the "Shaft" Distributed Denial of Service Tool
    http://www.sans.org/y2k/shaft.htm

  • Tribe Flood Network 2K (TFN2K)
    TFN2K is a complex variant of the original TFN with features designed specifically to make TFN2K traffic difficult to recognize and filter, remotely execute commands, hide the true source of the attack using IP address spoofing, and transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP. TFN2K attacks include flooding (as in TFN) and those designed to crash or introduce instabilities in systems by sending malformed or invalid packets, such as those found in the Teardrop and Land attacks.

    More information:

    Jason Barlow and Woody Thrower, Axent Security Team, "TFN2K - An Analysis", March 7, 2000
    http://www.securiteam.com/securitynews/5YP0G000FS.html


  • MStream
    mstream uses spoofed TCP packets with the ACK flag set to attack the target. Communication is not encrypted and is performed through TCP and UDP packets. Access to the handler is password protected. This program has a feature not found in other DDoS tools: it informs all connected users of access attempts, successful or not, to the handler(s) by competing parties.

    More information:

    NIPC ADVISORY 00-044 "MStream Distributed Denial of Service Tool", NIPC, May 24, 2000
    http://www.nipc.gov/warnings/advisories/2000/00-044.htm

    David Dittrich, George Weaver, Sven Dietrich, and Neil Long, The "mstream" distributed denial of service attack tool, May 1, 2000,
    http://staff.washington.edu/dittrich/misc/mstream.analysis.txt

    Carnegie Mellon Software Engineering Institute, CERT® Incident Note IN-2000-05 "mstream" Distributed Denial of Service Tool, May 2, 2000
    http://www.cert.org/incident_notes/IN-2000-05.html
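Several of the entries above give concrete network indicators a defender can pivot on: trinoo's default handler/agent ports, Trinity's IRC control channel and backdoor port, Shaft's constant TCP sequence number, and TFN's use of ICMP ECHO REPLY for control traffic. The following is an added example (not code from the original post or from any of the tools it describes) that scores a list of flow records against those indicators. The `Flow` field names and the sample records are constructed for the example; the port numbers and the Shaft sequence number come from the text above.

```python
"""Added triage example: flag flow records that match the host- and
packet-level indicators the write-up attributes to trinoo, Trinity, Shaft
and TFN. Field names and sample records are assumptions/constructed data."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0                   # destination port, 0 for icmp
    tcp_seq: Optional[int] = None    # raw TCP sequence number, if the sensor exports it
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply
    icmp_id: Optional[int] = None    # ICMP identifier, used to pair request and reply


# Default control ports named in the text, keyed by (proto, port).
KNOWN_CONTROL_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 1524): "trinoo",
    ("tcp", 27665): "trinoo",
    ("udp", 27444): "trinoo",
    ("udp", 31335): "trinoo",
    ("tcp", 6667): "Trinity (IRC control channel)",
    ("tcp", 33270): "Trinity (backdoor)",
}

# Constant TCP sequence number the text gives as a Shaft signature.
SHAFT_TCP_SEQ = 0x28374839


def match_static(flow: Flow) -> List[str]:
    """Stateless checks: known control ports and the Shaft sequence-number signature."""
    hits: List[str] = []
    tool = KNOWN_CONTROL_PORTS.get((flow.proto, flow.dport))
    if tool:
        hits.append(f"{flow.dst}:{flow.dport}/{flow.proto} is a default {tool} port")
    if flow.proto == "tcp" and flow.tcp_seq == SHAFT_TCP_SEQ:
        hits.append(f"{flow.src}->{flow.dst} TCP seq 0x{SHAFT_TCP_SEQ:08x} matches Shaft")
    return hits


def unsolicited_echo_replies(flows: List[Flow]) -> List[Flow]:
    """Stateful check: TFN carries control traffic in ICMP ECHO REPLY packets, so an
    echo reply with no preceding echo request (same id, reversed endpoints) is worth a look."""
    seen_requests = set()
    suspicious: List[Flow] = []
    for f in flows:
        if f.proto != "icmp":
            continue
        if f.icmp_type == 8:
            seen_requests.add((f.src, f.dst, f.icmp_id))
        elif f.icmp_type == 0 and (f.dst, f.src, f.icmp_id) not in seen_requests:
            suspicious.append(f)
    return suspicious


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group every hit by source host so an analyst sees which machines need a closer look."""
    findings: Dict[str, List[str]] = {}
    for f in flows:
        for h in match_static(f):
            findings.setdefault(f.src, []).append(h)
    for f in unsolicited_echo_replies(flows):
        findings.setdefault(f.src, []).append(
            f"unsolicited ICMP echo reply to {f.dst} (TFN-style control traffic?)")
    return findings


# Constructed sample records, not real captures.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", "udp", dport=27444),                      # trinoo default port
    Flow("10.0.0.5", "10.0.0.9", "udp", dport=53),                         # ordinary DNS, no hit
    Flow("10.0.0.7", "192.0.2.10", "tcp", dport=80, tcp_seq=SHAFT_TCP_SEQ),  # Shaft signature
    Flow("10.0.0.7", "192.0.2.10", "tcp", dport=80, tcp_seq=0x1A2B3C4D),   # normal seq, no hit
    Flow("10.0.0.9", "10.0.0.5", "icmp", icmp_type=8, icmp_id=7),          # echo request
    Flow("10.0.0.5", "10.0.0.9", "icmp", icmp_type=0, icmp_id=7),          # paired reply, no hit
    Flow("10.0.0.11", "10.0.0.9", "icmp", icmp_type=0, icmp_id=99),        # reply with no request
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_FLOWS).items():
        print(host)
        for h in hits:
            print("  -", h)
```

Treat a hit as a triage pivot rather than proof: 1524/tcp and 6667/tcp carry legitimate services (ingreslock, IRC), and these indicators date from the 1999-2000 tools described here, so corroborate with the host's process list and the actual payload before acting.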
