The DDoS Tools

• Trinoo
  • UDP packet flood attack
  • No source address forgery
  • Some bugs, but full control features

• TFN
  • Some bugs, limited control features
  • UDP packet flood attack ("trinoo emulation")
  • TCP SYN flood attack
  • ICMP Echo flood attack
  • Smurf attack
  • Either randomizes all 32 bits of IP source address, or just the last 8 bits

• TFN2K
  • Same attacks as TFN, but can randomly do them all at once
  • Encryption added to improve security of the DDoS network
  • Control traffic uses UDP/TCP/ICMP
  • Same source address forgery features as TFN

• Stacheldraht/StacheldrahtV4
  • Some bugs, full control features
  • Same basic attacks as TFN
  • Same source address forgery features as TFN/TFN2K

• Stacheldraht v2.666 (not publically discussed yet)
  • Fewer bugs than original
  • Same basic attacks as Stacheldraht
  • Adds TCP ACK flood attack
  • Adds TCP NUL (no flags) flood attack
  • Adds Smurf attack with 16,702 amplifiers (already inet_aton()ed for speed!)
  • Same source address forgery features as stacheldraht/TFN/TFN2K

• shaft
  • Some bugs, but full control features
  • Adds statistics
  • UDP flood attack
  • TCP SYN flood attack
  • ICMP flood attack
  • Randomize all three attacks

• mstream
  • Many bugs, with very limited control features
  • TCP ACK flood (very efficient)
  • Randomizes all 32 bits of IP address

Tools and Analyses

[Next] | [Prev] | [Top]