
DDoS Attacks – Attack Tools

February 3, 2010

Denial of Service Attacks
Denial of service (DoS) attacks deny legitimate users access to a system or network, most commonly by flooding it with more traffic than it can handle, so that the host crashes or the link becomes so congested that legitimate communication cannot occur. Some DoS attacks instead send a small number of malformed packets that crash a vulnerable network stack.

Distributed DoS (DDoS) attacks are more sophisticated. The attacker first takes control of a number of computers across the Internet by covertly installing software that lets him control them remotely, then uses these slave or zombie computers to launch the DoS attack against another system or network. Because the flood arrives from the intermediaries rather than from the attacker's own machine, the attack is much harder to trace back to its real source. Unprotected systems are therefore at risk not only of being the target of a DoS attack, but also of being recruited as intermediaries in a DDoS attack against someone else.

There are a number of different technical methods for creating a denial of service. Common DoS/DDoS attack names include buffer overflow, SYN flood, teardrop attack, and Smurf attack. Unfortunately, attackers do not have to be highly skilled to launch them, because dozens of ready-made DoS/DDoS tools are available on the Internet.

Attack Tools

General Description

During the last few years, in their increasing effort to wreak havoc, the worldwide community of hackers (also known as “crackers”) started developing attack platforms for launching coordinated DDoS attacks on an Internet-wide scale.

Most of these tools are designed around a client-server (master and slave) architecture. The attack network consists of a large number of attack daemons: small software agents capable of receiving commands and generating different kinds of packets (usually implementing some form of flood or crash attack). The daemons are centrally controlled by one or a few master applications, servers that generate the required attack commands and so control the attack and the choice of targets.

The attacker uses the master (server) application to order the attack.

Command Distribution Methods

Peer to Peer Distribution

In this architecture the master knows all available daemons, either through lists of infected intermediate hosts built and maintained by the hackers who installed them, or through “keep alive” messages that the daemons send to a predefined location upon installation.

When distributing an attack command, the master contacts each required daemon directly by sending it command packets.

Broadcast or Multicast Distribution

In this architecture the master uses some form of broadcast mechanism to reach the daemons and distribute attack commands.

Because edge and core routers filter broadcast packets, the most popular method of broadcasting commands is an application-layer protocol that provides multicast-like delivery, such as the IRC protocol (used mainly for chat applications).

In this case, when the intermediate host connects to the Internet and comes online, the daemon connects to a predefined IRC channel. The attacker can then join the same IRC channel with any ordinary chat client and simply type the necessary commands; the IRC server relays each message to all of the connected daemons.
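
Because the daemons speak plain IRC, a defender who can see the control channel can parse it with the same grammar the daemons use. The following Python is an added example written for this page, not code from any of the tools described: it parses RFC 1459 protocol lines, counts which nicks joined a given channel, and flags channel messages that name an IPv4 target as likely attack commands. The capture lines, the nicks, the channel name and the “!udp …” command syntax are all constructed for illustration; the real tools each use their own command format.

```python
"""Parse IRC (RFC 1459) protocol lines and flag attack-style commands on a channel."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]                      # "nick!user@host" or a server name; may be absent
    command: str                               # e.g. "JOIN", "PRIVMSG", "PING"
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command and parameters.

    Grammar: [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
    The trailing parameter may contain spaces and is kept as a single string.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:                              # tolerate empty or whitespace-only lines
        return IrcMessage(prefix, "", [])
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def nick_of(msg: IrcMessage) -> str:
    return msg.prefix.split("!", 1)[0] if msg.prefix else "<server>"


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def channel_activity(lines, channel):
    """Return (joins per nick, suspected attack commands) observed on `channel`.

    A suspected command is any PRIVMSG to the channel whose text names an IPv4
    address. This is a heuristic: ordinary chat can mention addresses too.
    """
    joins = Counter()
    commands = []
    chan = channel.lower()
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "JOIN" and msg.params and msg.params[0].lower() == chan:
            joins[nick_of(msg)] += 1
        elif msg.command == "PRIVMSG" and len(msg.params) >= 2 and msg.params[0].lower() == chan:
            if IPV4.search(msg.params[1]):
                commands.append((nick_of(msg), msg.params[1]))
    return joins, commands


# Constructed capture (not a real log): three daemons join #ctrl, the operator
# types two hypothetical attack commands, and an unrelated channel mentions an IP.
SAMPLE_CAPTURE = [
    ":bot-0a1!d@198.51.100.20 JOIN :#ctrl",
    ":bot-0b7!d@198.51.100.77 JOIN :#ctrl",
    ":bot-1c3!d@203.0.113.14 JOIN :#ctrl",
    "PING :irc.example.net",
    ":alice!a@192.0.2.8 PRIVMSG #general :anyone seen the 10.0.0.1 box today?",
    ":op!x@192.0.2.99 PRIVMSG #ctrl :!udp 203.0.113.5 120",
    ":op!x@192.0.2.99 PRIVMSG #ctrl :!syn 203.0.113.5 80 120",
    ":bot-0a1!d@198.51.100.20 PRIVMSG #ctrl :ok",
]

if __name__ == "__main__":
    joins, cmds = channel_activity(SAMPLE_CAPTURE, "#ctrl")
    print("joined:", dict(joins))
    for nick, text in cmds:
        print("suspected command from %s: %s" % (nick, text))
```

The useful detection signal is the combination: many distinct nicks joining one channel from unrelated hosts, then messages on that channel carrying target addresses. Either half alone is normal IRC traffic.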

Frequently Used Attack Tools

Trinoo

This distributed attack tool is installed on intermediate hosts by exploiting buffer overrun bugs in common network services such as statd and cmsd. The daemon's code was compiled for Linux and Solaris. Both daemons and masters are installed with, and run under, root privileges.

The basic trinoo daemon is capable of generating a UDP packet flood. The following packet parameters are controllable: destination address, packet size, and attack duration.

The flood is sent to random UDP ports on the victim host. Packet contents are filled from whatever happens to be in the intermediary host's memory rather than generated per packet, so packets sent by a given daemon carry the same payload while different daemons produce different payloads. A daemon is capable of attacking multiple targets at once.
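
The two traits just described, random destination ports and a payload that never changes per daemon, are exactly what distinguishes a trinoo flood from legitimate UDP traffic such as DNS, where the port is fixed and the payload varies. The following Python is an added example written for this page, not part of trinoo or of any detection product: it groups UDP datagrams by source/destination pair and flags pairs that show the trinoo pattern. The packet records are constructed inline (source addresses, payloads and thresholds are assumptions), standing in for fields a capture parser would supply.

```python
"""Flag trinoo-style UDP floods: one source hitting one host on random ports with a fixed payload."""
import random
from collections import defaultdict


def udp_flood_sources(packets, min_packets=20, min_port_spread=0.8):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload) for UDP datagrams.

    Returns one dict per (src, dst) pair whose traffic looks like a trinoo daemon:
    at least `min_packets` datagrams, nearly every one to a different destination
    port (distinct ports / packets >= min_port_spread), and exactly one distinct
    payload, because the daemon reuses the same memory contents for every packet.
    """
    by_pair = defaultdict(list)
    for src, dst, dport, payload in packets:
        by_pair[(src, dst)].append((dport, payload))
    flagged = []
    for (src, dst), rows in sorted(by_pair.items()):
        if len(rows) < min_packets:
            continue
        ports = {p for p, _ in rows}
        payloads = {pl for _, pl in rows}
        port_spread = len(ports) / len(rows)
        if port_spread >= min_port_spread and len(payloads) == 1:
            flagged.append({"src": src, "dst": dst, "packets": len(rows),
                            "port_spread": round(port_spread, 2),
                            "payload_len": len(next(iter(payloads)))})
    return flagged


def constructed_sample():
    """Constructed traffic, not a real capture: two daemons flooding one victim plus a DNS client."""
    rng = random.Random(7)                     # fixed seed so the sample is reproducible
    victim = "203.0.113.5"
    pkts = []
    # Two daemons, each with its own fixed "memory garbage" payload, random destination ports.
    for daemon, garbage in (("198.51.100.20", b"\x9a\x3c" * 50),
                            ("198.51.100.77", b"\x00\x41\x7f" * 40)):
        for _ in range(60):
            pkts.append((daemon, victim, rng.randint(1, 65535), garbage))
    # A legitimate resolver client: fixed port 53, payload changes with every query.
    for i in range(60):
        pkts.append(("192.0.2.8", "192.0.2.53", 53, b"query-%d" % i))
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    for hit in udp_flood_sources(constructed_sample()):
        print("trinoo-like flood:", hit)
```

On the constructed sample both daemon addresses are reported and the DNS client is not: its port spread is 1/60 and it has sixty distinct payloads. The single-payload test is what separates trinoo from a port scan, which also spreads across ports but usually varies its probes.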

TFN (Tribe Flood Network)

TFN's installation procedure is similar to trinoo's and likewise relies on buffer overrun bugs.
The tool uses the same master-daemon architecture and is capable of launching ICMP floods, UDP floods, SYN floods and Smurf attacks, and it includes a raw TCP packet generator. The daemon's source code was compiled for Linux and Solaris, and daemons and masters run with root privileges.

Commands from master to daemon are carried in ICMP packets of a fixed length (17 bytes).

Stacheldraht (“barbed wire”)

Stacheldraht is a DDoS tool that began to appear in late summer 1999 and combines features of trinoo and TFN. The attacks its daemons can generate are similar to TFN's, namely ICMP flood, SYN flood, UDP flood and Smurf attacks. It does not provide the on-demand root shell bound to a TCP port that TFN offers.

Stacheldraht also provides some advanced features, such as encrypted attacker-to-master communication (which makes detecting and hijacking the control channel harder) and automated daemon updates, which allow the attack network to be changed without re-deploying daemons or masters.

The Stacheldraht daemon is capable of producing ICMP, UDP and TCP-SYN packets of up to 1024 bytes against multiple victim hosts. TCP-SYN packets are sent to random ports chosen from a selected range of port numbers.

Trinity

Trinity is capable of launching several types of flooding attack against a victim host, including UDP, fragment, SYN, RST, ACK and other floods. Communication from the master to the daemon is carried over Internet Relay Chat (IRC) or AOL's ICQ.

An IRC attack daemon (Trinity included) goes online by connecting to a predefined IRC server and joining a predefined chat channel, where it waits for incoming commands. The IRC relay network is used in this manner to broadcast and distribute attack commands.

The following attack parameters are controllable: packet size (possibly random) and ports (possibly random).

TFN2K

TFN2K is a complex variant of the original TFN with features designed specifically to make its traffic difficult to recognize and filter: it can execute commands remotely, hide the true source of the attack through IP address spoofing, and carry its traffic over multiple transport protocols including UDP, TCP and ICMP.

TFN2K attacks include flooding (as in TFN) and those designed to crash or introduce instabilities in systems by sending malformed or invalid packets, such as those found in the Teardrop and Land attacks.

Commands between masters and daemons are sent over UDP, ICMP or TCP (or all three, chosen at random).

Traffic generated by TFN2K carries the following signatures: TCP and UDP header checksums that are incorrect, and a TCP header length (data offset) of zero. A normal TCP stack never emits either, so both are cheap to test for at a sensor.
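
Checking those two signatures on the wire means recomputing the transport checksum, which covers the IPv4 pseudo-header as well as the segment, and reading the TCP data offset field. The following Python is an added example written for this page, not TFN2K code or a snippet from any IDS: it parses a raw IPv4 packet, reports which of the two signatures it shows, and includes small builders that construct clean and deliberately corrupted test packets. The addresses, ports and the way the bad checksum is produced (flipping bits in the correct value) are assumptions made for the example.

```python
"""Test raw IPv4 packets for the TFN2K signatures: bad TCP/UDP checksums and a zero TCP header length."""
import struct


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum. Over data that already holds a correct checksum it returns 0."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def transport_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum, which also covers the IPv4 pseudo-header (src, dst, zero, proto, length)."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return inet_checksum(pseudo + segment)


def tfn2k_indicators(pkt: bytes):
    """Return the list of TFN2K signatures present in one raw IPv4 packet (empty list means clean)."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    seg = pkt[ihl:]
    found = []
    if proto == 6 and len(seg) >= 20:          # TCP
        if seg[12] >> 4 == 0:                  # data offset: header length in 32-bit words
            found.append("tcp-header-length-zero")
        if transport_checksum(src, dst, 6, seg) != 0:
            found.append("tcp-checksum-error")
    elif proto == 17 and len(seg) >= 8:        # UDP
        stored = struct.unpack("!H", seg[6:8])[0]
        # A UDP checksum of zero means "not computed" on IPv4 and is legal;
        # only a non-zero value that fails verification is an indicator.
        if stored != 0 and transport_checksum(src, dst, 17, seg) != 0:
            found.append("udp-checksum-error")
    return found


# --- builders for constructed test packets (not captured traffic) ---------------------

def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ipv4_header(srcb: bytes, dstb: bytes, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, srcb, dstb)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                     data_offset: int = 5, valid_checksum: bool = True) -> bytes:
    """Minimal IPv4+TCP packet; data_offset=0 / valid_checksum=False reproduce the TFN2K signatures."""
    srcb, dstb = _ip(src), _ip(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, data_offset << 4, flags, 65535, 0, 0)
    csum = transport_checksum(srcb, dstb, 6, tcp)
    if not valid_checksum:
        csum ^= 0x5555                         # corrupt it; never equal to the correct value
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return _ipv4_header(srcb, dstb, 6, len(tcp)) + tcp


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                     valid_checksum: bool = True) -> bytes:
    """Minimal IPv4+UDP packet with a computed (or deliberately wrong) checksum."""
    srcb, dstb = _ip(src), _ip(dst)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = transport_checksum(srcb, dstb, 17, udp) or 0xFFFF   # RFC 768: a computed 0 is sent as 0xFFFF
    if not valid_checksum:
        csum ^= 0x5555
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return _ipv4_header(srcb, dstb, 17, len(udp)) + udp


if __name__ == "__main__":
    clean = build_tcp_packet("192.0.2.1", "203.0.113.9", 40000, 80, 0x02)
    bogus = build_tcp_packet("192.0.2.1", "203.0.113.9", 40000, 80, 0x02, data_offset=0, valid_checksum=False)
    print("clean SYN:", tfn2k_indicators(clean))
    print("TFN2K-like SYN:", tfn2k_indicators(bogus))
```

Note the UDP caveat in the code: a zero UDP checksum is permitted on IPv4, so a detector that treats every failing UDP checksum as TFN2K will alert on ordinary hosts that simply do not compute it. Checksum offload on the capturing host is the other common false positive, since outbound packets are seen before the NIC fills in the checksum.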

Shaft

A Shaft network is conceptually similar to a trinoo network. It can generate TCP, UDP and ICMP floods (or all three combined).

The attacker can control the following parameters: packet size, attack type, duration of the attack, and the list of targeted victims.

Shaft daemons also report statistics on the attack (mainly packet generation rates), which lets the attacker at the master refine the list of targets.

MStream

Mstream uses spoofed TCP packets with the ACK flag set to attack the target. Communication between masters and daemons is unencrypted and carried in UDP packets; the masters themselves are controlled over TCP.

Mstream is in an early stage of development, which means it can generate only a limited range of attacks.

www.bestitdocuments.com