A Brief History of DoS

• Classic resource consumption/crash
  • Disc space, fork() bomb, recursive directories

• Remote resource consumption/crash
  • Fragment reassembly, illegal TCP flag combo, SYN flood, etc.

• Coordinated attack

• Combination attack
  • Rape, targa (include bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke in one tool)
  • Still point-to-point

• Distributed attack tools
  • fapi (May 1998)
    • UDP, TCP (SYN and ACK), ICMP Echo floods
    • "Smurf extension"
    • Runs on Windows and Unix
    • UDP communication
    • One client spoofs source addr, the other doesn't
    • Built-in shell feature
    • Not designed for large networks (<10)
    • Not easy to setup/control network

  • fuck_them (ADM Crew, June 1998)
    • Daemon written in C, client is a shell script
    • ICMP Echo Reply flooder
    • Attacker supplied source address or R.R.R.R (0<=R<=255)

  • Trinoo
    • All C source
    • UDP packet flood attack
    • No source address forgery
    • Some bugs, but full control features

  • TFN
    • Some bugs, limited control features
    • UDP packet flood attack ("trinoo emulation")
    • TCP SYN flood attack
    • ICMP Echo flood attack
    • Smurf attack
    • Either randomizes all 32 bits of IP source address, or just the last 8 bits

  • TFN2K
    • Same attacks as TFN, but can randomly do them all at once
    • Encryption added to improve security of the DDoS network
    • Control traffic uses UDP/TCP/ICMP
    • Same source address forgery features as TFN

  • Stacheldraht/StacheldrahtV4
    • Some bugs, full control features
    • Same basic attacks as TFN
    • Same source address forgery features as TFN/TFN2K

  • Stacheldraht v2.666 (not publically discussed yet)
    • Fewer bugs than original
    • Same basic attacks as Stacheldraht
    • Adds TCP ACK flood attack
    • Adds TCP NUL (no flags) flood attack
    • Adds Smurf attack with 16,702 amplifiers (already inet_aton()ed for speed!)
    • Same source address forgery features as stacheldraht/TFN/TFN2K

  • shaft
    • Some bugs, but full control features
    • Adds statistics
    • UDP flood attack
    • TCP SYN flood attack
    • ICMP flood attack
    • Randomize all three attacks

  • mstream
    • Many bugs, with very limited control features
    • TCP ACK flood (very efficient)
    • Randomizes all 32 bits of IP address

Resources

• INTRODUCTION TO DENIAL OF SERVICE (1996 - Old Skool DoS attacks)
• CERT's Denial of Service Attacks FAQ
• Distributed Denial of Service (DDoS) Attacks/Tools

[Next] | [Prev] | [Top]