A Brief History of DoS
- Classic resource consumption/crash
  - Disc space, fork() bomb, recursive directories
- Remote resource consumption/crash
  - Fragment reassembly, illegal TCP flag combo, SYN flood, etc.
- Coordinated attack
  - Combination attack
    - Rape, targa (includes bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke in one tool)
    - Still point-to-point
  - Distributed attack tools
    - fapi (May 1998)
      - UDP, TCP (SYN and ACK), ICMP Echo floods
      - "Smurf extension"
      - Runs on Windows and Unix
      - UDP communication
      - One client spoofs source addr, the other doesn't
      - Built-in shell feature
      - Not designed for large networks (<10)
      - Not easy to set up/control the network
    - fuck_them (ADM Crew, June 1998)
      - Daemon written in C, client is a shell script
      - ICMP Echo Reply flooder
      - Attacker-supplied source address or R.R.R.R (0<=R<=255)
    - Trinoo
      - All C source
      - UDP packet flood attack
      - No source address forgery
      - Some bugs, but full control features
    - TFN
      - Some bugs, limited control features
      - UDP packet flood attack ("trinoo emulation")
      - TCP SYN flood attack
      - ICMP Echo flood attack
      - Smurf attack
      - Either randomizes all 32 bits of IP source address, or just the last 8 bits
    - TFN2K
      - Same attacks as TFN, but can randomly do them all at once
      - Encryption added to improve security of the DDoS network
      - Control traffic uses UDP/TCP/ICMP
      - Same source address forgery features as TFN
    - Stacheldraht/StacheldrahtV4
      - Some bugs, full control features
      - Same basic attacks as TFN
      - Same source address forgery features as TFN/TFN2K
    - Stacheldraht v2.666 (not publicly discussed yet)
      - Fewer bugs than original
      - Same basic attacks as Stacheldraht
      - Adds TCP ACK flood attack
      - Adds TCP NUL (no flags) flood attack
      - Adds Smurf attack with 16,702 amplifiers (already inet_aton()ed for speed!)
      - Same source address forgery features as stacheldraht/TFN/TFN2K
    - shaft
      - Some bugs, but full control features
      - Adds statistics
      - UDP flood attack
      - TCP SYN flood attack
      - ICMP flood attack
      - Randomize all three attacks
    - mstream
      - Many bugs, with very limited control features
      - TCP ACK flood (very efficient)
      - Randomizes all 32 bits of IP address
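The outline distinguishes three source-address behaviours that matter to a responder: trinoo sends from the agents' real addresses, TFN/Stacheldraht can forge only the low 8 bits (so the /24 still points at the agent's network), and TFN/TFN2K/mstream can forge all 32 bits (traceable only hop-by-hop upstream, and stoppable at the edge only with ingress filtering, RFC 2827). The following triage helper is an added example, not part of Dittrich's outline or any of the tools it lists: it takes the source addresses sampled from a flood and reports which of the three patterns they fit. The address samples are constructed; the 10% repeat threshold is an assumed heuristic, not a published figure.

```python
# Added defender-side example (not from the original outline): classify the
# source-address forgery pattern of a sampled flood so the incident handler
# knows whether agents can be traced directly, to a /24, or not at all.
# All sample addresses below are constructed, not captured traffic.
import ipaddress
from collections import Counter


def classify_sources(addrs, min_samples=20):
    """Return 'insufficient', 'unspoofed', 'low8-random' or 'full-random'.

    Heuristic (assumed thresholds):
      - few, repeating sources         -> real agent addresses (trinoo-style)
      - many sources, one /24 prefix   -> only the low 8 bits are forged
      - many sources, many /24 prefixes -> all 32 bits are forged
    """
    ips = [int(ipaddress.IPv4Address(a)) for a in addrs]
    if len(ips) < min_samples:
        return "insufficient"
    distinct = set(ips)
    # Genuine agents repeat; assume at most ~10% of a sample is distinct.
    if len(distinct) <= max(1, len(ips) // 10):
        return "unspoofed"
    prefixes = {ip >> 8 for ip in distinct}  # upper 24 bits = /24 network
    if len(prefixes) == 1:
        return "low8-random"
    return "full-random"


def top_sources(addrs, n=3):
    """Most frequent sources; only meaningful when classify_sources is 'unspoofed'."""
    return Counter(addrs).most_common(n)


# Constructed samples of 40 source addresses each.
UNSPOOFED = ["192.0.2.7"] * 25 + ["192.0.2.9"] * 15          # two agents, real addresses
LOW8_RANDOM = [f"10.20.30.{(i * 37) % 256}" for i in range(40)]  # fixed /24, low byte varies
FULL_RANDOM = [                                                # every octet varies
    f"{(i * 53) % 256}.{(i * 97 + 11) % 256}.{(i * 29 + 5) % 256}.{(i * 7) % 256}"
    for i in range(40)
]

if __name__ == "__main__":
    for name, sample in [("unspoofed", UNSPOOFED), ("low8", LOW8_RANDOM), ("full", FULL_RANDOM)]:
        print(name, "->", classify_sources(sample), top_sources(sample, 2))
```

In use, the "unspoofed" verdict means the top sources are the agents themselves and can be reported to their owners; "low8-random" means the shared /24 identifies the agent's network even though individual hosts cannot be named; "full-random" means the addresses carry no information and mitigation has to move upstream.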
Resources
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Sat Jul 22 02:43:01 PDT 2000