Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Distributed denial-of-service attacks
Publication date: 21-08-2001

One of the many types of remote attack on computer systems is known as a "denial-of-service" (DoS) attack. This type of attack aims to prevent legitimate users from accessing the resources of an information system. Traditional denial-of-service attacks exploit software bugs such as buffer overflows, exhaust system resources, or exploit defects in the system, so that the system "falls over" and needs some time to recover.

A brief overview

In the summer of 1999 a new type of attack on information systems over the Internet was registered. It is called a "distributed denial-of-service" (DDoS) attack. A number of well-known Internet sites were successfully attacked in this way, among them eBay, Yahoo! and others.

A distributed denial-of-service attack uses multiple computers working together against the network or network segment selected as the target. Little can be done once your information system has become the target of a DDoS attack. These attacks create so much extra network traffic that the network is overloaded, and there is no way to block the hostile data packets.

The additional danger that this type of attack poses to computer systems has long been a subject of research in many laboratories dealing with information protection.

The results of one such study, conducted at the Lawrence Livermore National Laboratory of the U.S. Department of Energy, were published in February 2000. That report served as the basis for this article.

The article discusses the principles on which DDoS attacks are organized, the operation of the tools used to organize them, and methods of detecting such attacks.


The topology of distributed denial-of-service attacks

The first software tools for organizing this type of attack were Trin00 and Tribe Flood Network (TFN). They spawned the next generation of DDoS tools: Tribe Flood Network 2000 (TFN2K) and Stacheldraht. Tools for carrying out distributed denial-of-service attacks were created to block one or more network nodes by flooding the target with a large stream of data packets generated from many nodes and remotely controlled from a single computer.

Most of today's DDoS tools are based on the same basic concepts and topology. We emphasize that these tools are not used to capture data or to break into a computer system. They are used exclusively to disrupt normal traffic in the vicinity of the target host.

These attacks are extremely difficult to trace because of the techniques the tools use to mask their activity, which we describe in more detail below. Some tools use encryption to conceal their communications and change their source addresses, which hides their true location.

Generally speaking, DDoS attacks are managed remotely. If the administrator of an attacked site manages to trace the "agents", then to reach the initiator of the attack he must also trace the traffic to the manager node, and only after that will he be able to reach the attacker.

A DDoS attack involves two stages. As a rule, the attacker spends a lot of time preparing the first stage of the attack (Fig. 1).


Fig. 1. The first stage of the attack

This stage of the attack consists of compromising as many computers as possible. The attacker needs a large number of computers, which then generate the flood of bogus packets needed to "flood" the selected target.

Most of the attack tools considered here run on Linux or Solaris, while TFN2K can run on Windows as well as on Linux and Solaris.


Fig. 2. The second stage of the DDoS attack

Thus, the attacker needs to find many poorly protected computer systems so that he can penetrate them, install the required DDoS toolkit, and hide its presence. Hence the first rule of fighting attacks of this kind: to keep your system from becoming a generator of bogus packets, it is important to maintain the required level of security on your computer systems and to react promptly when new avenues of attack are discovered in the software.

The second stage of the attack cannot be carried out until enough machines have been compromised to form a powerful stream of packets.

The second stage is the actual denial-of-service attack. The compromised systems generate attack traffic on the network in order to block the normal operation of the target site or subnet. These compromised systems are considered secondary victims of the attack.

The generated traffic uses the TCP protocol. The target bombarded by this stream cannot handle all the incoming packets immediately and allocates some resource to each of them for later processing. Ultimately this leads to complete exhaustion of resources and a lock-up of the system that is the target of the attack. In many cases it does not matter how the packets are processed, since their number is so large that the network is overwhelmed by the generated traffic and legitimate traffic cannot get through.

The topology of a distributed denial-of-service attack (Fig. 3) consists of four levels. Compromised systems play the role of the "managers" of groups of "agents" and of the agents themselves. The agents are the computers from which the packet stream actually originates. One or more managers control these agents. Managers hold a list of all their agents. Managers also signal the agents when to begin the attack and determine the method of attack. The attacker controls one or more managers, and each agent can respond to more than one manager. Computers compromised during the preparation of a DDoS attack have a common name: "zombies".

Fig. 3. The topology of the distributed attack

Communication between managers and agents in the two earlier tools, Trin00 and TFN, was done using the TCP/IP protocols. These communications were not encrypted, apart from an elementary password used to hide the commands. The more recent tools, TFN2K and Stacheldraht, encrypt most communications between managers and agents using the Blowfish or CAST encryption algorithms.

The method of attack varies between these tools. Trin00 attacks only with a UDP flood. All the other tools allow the attacker to choose between UDP, SYN and ICMP floods. TFN2K adds the Targa3 attack method and a mixed attack, which uses UDP, SYN and ICMP floods in equal proportions.


A description of the tools for carrying out distributed denial-of-service attacks


Trin00

The agent software can be installed on Linux and Solaris systems. On some systems the method used to install the Trin00 agent uses a crontab entry to restart the process continually, which lets the program resume operation if the local system terminates it.

Typically, the manager server is installed on systems that normally have fairly high traffic and a large number of TCP and UDP connections, such as name servers, in order to disguise the activity of the Trin00 server. Compromised systems usually have tools of the rootkit type that hide the presence of programs and files on the system. The manager program maintains a list of the agents it can contact; this list is kept in a hidden file named "..." (three dots).

The creators of the program have provided a password for establishing a connection. If an attempt is made to establish another connection to the same server while someone is already connected to the manager, an alarm containing the IP address of the second connection is sent to the first. For example, if a local system administrator or anyone else attempts to connect to the manager while the attacker is already connected to it, the attacker is sent an alarm.

Trin00 attacks a system on random UDP ports. For this reason, it is not feasible to block all UDP traffic. However, you can block the standard UDP ports that the manager and agents use for communication (typically ports 27444 and 31335).

Detecting Trin00 is quite difficult. The Trin00 agent goes by many names: ns, http, rpc.Trin00, rpc.listen, trinix, rpc.irix, and irix. Agents can be detected by monitoring crontab files. The scripts used for automated installation of a Trin00 network use the UNIX command "rcp".

The manager server is even more difficult to detect. The only effective method of detection is to look for the hidden file "...", which is the typical name of the file listing the known agents that the manager can control. This file is located in the same directory as the manager server binary.

When an agent is found, the list of IP addresses of its managers can also be found by running the UNIX command "strings" on the agent's binary file. Then, once a manager has been found, the location of the agents can be established from its list of known hosts. If the file is encrypted, you will need to take control of the manager computer. Remember that it sends an alarm to the attacker if he is connected to the system at the same time as you!

When the Trin00 agent is activated, it announces its readiness by sending a UDP packet containing the string "*HELLO*" to the IP address of its Trin00 manager that is programmed into it. Agents receive the manager's answer in a UDP packet containing the string "PONG". Monitoring the two UDP communication ports (27444 and 31335) for the presence of these strings can give good results.



Tribe Flood Network

Tribe Flood Network (TFN) works in a similar way to Trin00. Managers have a list of known agents (named "iplist") that they can contact. In the current version of the program "iplist", but according to reports, signatures identified in previously discovered installations of TFN agents indicated that the author had added Blowfish encryption.

The managers are controlled from the command line. This can be done by various methods. The agent and manager communicate through ICMP_ECHOREPLY packets. Many network monitoring tools do not show the data portion of ICMP packets, so it is quite difficult to monitor the communication between the agent and the manager.

TFN can launch an attack using four different methods: UDP flood, TCP SYN flood, ICMP flood, etc. Another "feature" of TFN is that an "on demand" root shell can be bound to a TCP port.

Interaction with the client is established by passing a 16-bit binary number in the ID field of an ICMP_ECHOREPLY packet. These numbers can easily be changed in the program's source code. Any parameters are carried as ASCII text in the data field of the ICMP_ECHOREPLY packet.

Communication between the manager and the agents is implemented using crafted ICMP_ECHOREPLY packets. It is very difficult to block all ICMP traffic without disrupting the normal operation of most programs in that segment of the Internet. Operational monitoring for "rcp" connections (514/TCP) from multiple systems in your network to a single IP address outside your network is a good indicator that an attack has been detected.

Intrusion detection software can be configured to detect a large number of ICMP packets with different source IP addresses sent to the same IP address.
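The two network indicators just described (many different ICMP senders converging on one address, and several internal hosts opening rcp connections to one outside address) can be computed from flow records. The following is an added example, not code from the article or from any tool it names; the flow tuple layout, the internal prefix, the window and both thresholds are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import Counter, defaultdict, deque

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumption: the monitored network
WINDOW = 60        # assumption: sliding window in seconds
ICMP_SOURCES = 5   # assumption: distinct ICMP senders to one address that raise an alert
RCP_HOSTS = 3      # assumption: internal hosts using 514/TCP to one outside address


def max_distinct(events, window):
    """events: (ts, key, member). For each key, the most distinct members in any window."""
    per_key = defaultdict(list)
    for ts, key, member in events:
        per_key[key].append((ts, member))
    best = {}
    for key, items in per_key.items():
        live, counts, best[key] = deque(), Counter(), 0
        for ts, member in sorted(items):
            live.append((ts, member))
            counts[member] += 1
            while live[0][0] <= ts - window:      # expire entries that left the window
                _, old = live.popleft()
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
            best[key] = max(best[key], len(counts))
    return best


def detect(flows):
    """flows: (ts, proto, src, dst, dport). Return sorted (rule, address, count) alerts."""
    icmp, rcp = [], []
    for ts, proto, src, dst, dport in flows:
        inside_src = ipaddress.ip_address(src) in INTERNAL
        inside_dst = ipaddress.ip_address(dst) in INTERNAL
        if proto == "icmp":
            icmp.append((ts, dst, src))           # fan-in: many sources, one destination
        elif proto == "tcp" and dport == 514 and inside_src and not inside_dst:
            rcp.append((ts, dst, src))            # fan-out: many insiders, one outsider
    alerts = [("icmp-fan-in", k, n) for k, n in max_distinct(icmp, WINDOW).items()
              if n >= ICMP_SOURCES]
    alerts += [("rcp-fan-out", k, n) for k, n in max_distinct(rcp, WINDOW).items()
               if n >= RCP_HOSTS]
    return sorted(alerts)


# Constructed flow records; every address comes from a documentation range.
FLOWS = (
    [(i, "icmp", "198.51.100.%d" % (10 + i), "192.0.2.80", 0) for i in range(6)]
    + [(5 * i, "tcp", "192.0.2.%d" % (20 + i), "203.0.113.9", 514) for i in range(3)]
    # Six senders again, but 200 s apart: never more than one inside a window.
    + [(200 * i, "icmp", "198.51.100.%d" % (50 + i), "192.0.2.81", 0) for i in range(6)]
    # Internal-to-internal rcp and a single ping: both ignored.
    + [(1, "tcp", "192.0.2.20", "192.0.2.30", 514), (2, "icmp", "192.0.2.5", "192.0.2.1", 0)]
)

for alert in detect(FLOWS):
    print(*alert)
```

Counting distinct senders inside a sliding window, rather than raw packets, is what separates the pattern from an ordinary busy host; the thresholds have to be tuned to the normal ICMP volume of the network.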


Tribe Flood Network 2000

The creator of TFN2K designed this attack tool to illustrate the fact that the tools of cyber criminals are becoming more sophisticated. The developer chose a denial-of-service attack because in this case the results are the most telling.

The tool was developed so that it could be compiled on different operating systems. The source code can be compiled under Linux, Solaris, most UNIX flavors and Windows.

TFN2K uses the classic types of denial-of-service attack: ICMP flood, Smurf flood, SYN flood and UDP flood. In addition to these, it also uses the Targa3 attack and a mixed attack.

Targa3 uses random non-standard IP packets, which crash some IP stacks or cause them to malfunction. The mixed attack sends UDP, SYN and ICMP packets in equal proportions. This leads to unpredictable results on some routers, networking software, intrusion detection systems, etc.

All attacks use spoofed IP addresses. Communication between the attacker and the manager uses a randomly selected protocol (TCP, UDP, or ICMP), so that no recognizable pattern (signature) can be found in these packets. This approach makes it possible to pass through any filtering mechanism. A special protocol, called the Tribe Protocol, is carried in the data fields of the packets. It is encrypted with the CAST-256 algorithm and encoded in Base64, and is then decoded and decrypted by the manager. Unlike other DDoS tools, there is no feedback to the attacker. Instead, the attacking computer generates commands every 20 cycles, relying on the probability that the manager will receive at least one of them.

Decoy packets can also be used; they are generated alongside every real packet when the participants exchange messages. This completely obscures the attacker-manager relationship, making it extremely difficult to identify the true location of the attacking hosts. There are no default passwords in the source code. All commands are single characters, so they are extremely difficult to recognize in packets. The developer also added encryption of the packet body.

These characteristics make the utilities written by Dave Dittrich and David Brumley ineffective. The NIPC tool is also inapplicable in this case.

The creators of TFN2K state that there are no strings that can be found in the manager executable, but there are strings that can be found in the agent. The developer goes on to comment that there are publicly available programs that convert binary files into self-extracting programs. This makes the strings undetectable by signature-search tools.

However, some security experts point out one feature of encoding information in Base64. At the end of every TFN2K packet, regardless of protocol and encryption algorithm, there is a sequence of 0x41 bytes, which translates to "A".



Stacheldraht

This program combines features of Trin00 and TFN, and adds encrypted communication between the client and the manager, as well as automated remote updating of the agents. Like the tools discussed above, Stacheldraht runs on Linux and Solaris. The topology is the same as for TFN and Trin00.

The attacker uses an encrypted, telnet-like communication session to connect to the managers (handlers). There is a limit of 6,000 agents that one handler can control. The handler and agent can communicate using ICMP_ECHOREPLY packets. The connection between the attacker and the handler uses symmetric-key encryption.

Stacheldraht also makes it possible to modify the agents remotely on demand. This feature allows the attacker to continually change the ports, passwords and command values.

There are many strings that can be used to identify the binaries in the file system. The NIPC tool is therefore effective at detecting the agents of this system. However, if the binary files are compressed, the tool is ineffective.

When agents are activated, they try to read a configuration file containing the list of managers, to discover which of them currently controls the agent. This file, with its list of IP addresses, is encrypted with the Blowfish algorithm. If the file cannot be found, there are default handler IP addresses. As soon as the agent has a list of potential managers, it starts sending ICMP_ECHOREPLY packets with the ID field equal to 666 and a data field containing the string "skillz". As practice shows, this was true for version 1.1 and is still true in version 4.0. The manager responds with the string "ficken" and the value 667 in the ID field. All this communication is done in clear text and can be intercepted.

As noted in several publications, Stacheldraht is much harder to detect than any of the previous attack tools.

The participants in a Stacheldraht session communicate mainly using ICMP_ECHOREPLY packets. As noted above, it is difficult to block these packets without disrupting the normal operation of most programs that use ICMP. Intrusion detection software can look for signatures in ICMP_ECHO traffic. However, this becomes increasingly difficult as the network grows, because the amount of normal traffic increases.

The lack of authentication of the ICMP packets sent to the agent, and the developer's decision not to encrypt the strings mentioned above in the ICMP packets, are the only weak link of this tool. If the ports, passwords and command values have not been changed, agent systems can be detected by the various scanning tools written by Dave Dittrich and David Brumley.
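The cleartext indicators given above for Trin00 (the "*HELLO*" and "PONG" strings on UDP ports 27444 and 31335), for TFN2K (the trailing run of 0x41 bytes) and for Stacheldraht (ICMP_ECHOREPLY with ID 666 and "skillz", or ID 667 and "ficken") can be checked on captured IPv4 packets. The following is an added example, not code from the article or from the detection tools it names; the packet builders, the constructed sample traffic and the MIN_TRAILING_A threshold are assumptions, and the 0x41 check is only a heuristic.

```python
import socket
import struct

TRIN00_PORTS = {27444, 31335}                    # default Trin00 UDP ports from the article
TRIN00_STRINGS = (b"*HELLO*", b"PONG")           # cleartext strings from the article
STACHELDRAHT = {666: b"skillz", 667: b"ficken"}  # ICMP ID -> string in the data field
MIN_TRAILING_A = 4                               # assumption: shortest 0x41 run to flag

def parse_ipv4(pkt):
    """Return (proto, src, dst, l4_bytes), or None for anything that is not sane IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or len(pkt) < ihl:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:min(total, len(pkt))]

def split_l4(proto, l4):
    """Return (header_fields, payload) for UDP, ICMP and TCP; (None, b"") otherwise."""
    if proto == 17 and len(l4) >= 8:                     # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"ports": {sport, dport}}, l4[8:]
    if proto == 1 and len(l4) >= 8:                      # ICMP echo / echo reply layout
        return {"type": l4[0], "id": struct.unpack("!H", l4[4:6])[0]}, l4[8:]
    if proto == 6 and len(l4) >= 20:                     # TCP: skip header and options
        offset = (l4[12] >> 4) * 4
        if 20 <= offset <= len(l4):
            return {}, l4[offset:]
    return None, b""

def classify(pkt):
    """Return a list of (src, dst, finding) tuples for one raw IPv4 packet."""
    parsed = parse_ipv4(pkt)
    fields, data = split_l4(parsed[0], parsed[3]) if parsed else (None, b"")
    if fields is None:
        return []
    proto, src, dst, _ = parsed
    hits = []
    if proto == 17 and fields["ports"] & TRIN00_PORTS:
        hits += ["trin00 string %s" % s.decode() for s in TRIN00_STRINGS if s in data]
    if proto == 1 and fields["type"] == 0:               # ICMP_ECHOREPLY
        marker = STACHELDRAHT.get(fields["id"])
        if marker and marker in data:
            hits.append("stacheldraht id %d + %s" % (fields["id"], marker.decode()))
    if len(data) - len(data.rstrip(b"A")) >= MIN_TRAILING_A:
        hits.append("tfn2k-style trailing 0x41 run")
    return [(src, dst, h) for h in hits]

def ipv4(proto, src, dst, l4):
    """Build a minimal IPv4 packet (checksum left at zero) for the samples below."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head + l4

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def icmp_echo_reply(ident, data):
    return struct.pack("!BBHHH", 0, 0, 0, ident, 0) + data

# Constructed sample traffic; every address comes from a documentation range.
SAMPLES = [
    ipv4(17, "192.0.2.10", "198.51.100.5", udp(32768, 31335, b"*HELLO*")),
    ipv4(1, "192.0.2.11", "198.51.100.5", icmp_echo_reply(666, b"skillz")),
    ipv4(1, "198.51.100.5", "192.0.2.11", icmp_echo_reply(667, b"ficken")),
    ipv4(17, "203.0.113.7", "192.0.2.12", udp(4000, 5000, b"q2Vx9d0mAAAAAAAA")),
    ipv4(17, "192.0.2.13", "192.0.2.53", udp(33000, 53, b"*HELLO*")),       # other port
    ipv4(1, "192.0.2.14", "192.0.2.1", icmp_echo_reply(666, b"abcdefgh")),  # ID only
]

for sample in SAMPLES:
    for hit in classify(sample):
        print(*hit)
```

As the article notes, these matches only hold while the ports, passwords and command values are the defaults, so a clean result does not prove that no agent is present.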


The detection and prevention of DDoS attacks

The most important aspect of distributed attacks is that the attacker needs compromised computer systems to carry out an attack. If the Internet, as a community, makes sure that each of its subnets is secure, there will be no place for intruders to install their tools on poorly maintained systems. To increase security, enforce strict password-generation rules for all users, since criminals use weak passwords to gain unauthorized access to systems.

One of the disguise methods used by DDoS tools is spoofing the source IP address in the IP packet header. A spoofed source address prevents the target site from learning where the attack actually comes from. A router can be configured so that packets are not routed if the sender's address is not inside the subnet served by the router.


DDoS attack detection tools

At least three utilities are available on the Internet today that will help you discover agent computers and manager computers in your system, or simply "zombies" that are ready, on a signal, to launch a massive attack on a selected victim.

The first tool was created by the National Infrastructure Protection Center (NIPC) in the U.S. and is named "find_ddosv31". This utility runs under Solaris versions 2.5.1, 2.6 and 7 on Sparc and Intel processors, and under Linux on the Intel platform.

Version 3.1 of the tool detects the TFN2K server, TFN2K, Trin00 agent, Trin00 manager, TFN agent, TFN server, Stacheldraht server, Stacheldraht manager, Stacheldraht agent and TFN client. The utility detects agents and managers by searching for known binary sequences (signatures) characteristic of the attack tools. The program must be run locally on every node to detect the presence of the attack tools.

A serious disadvantage of this utility is that the latest versions of the DDoS tools use the technology of polymorphic viruses, which hinders signature searching. This tool for finding hostile software can be downloaded from the NIPC website

One of the experts at Washington University, David Dittrich, has developed a tool named "DDoS_scan". This utility detects the Trin00 agent, TFN agent, and Stacheldraht agent. The current version of the program does not detect the components of TFN2K. The utility works by scanning the network to identify the control packets exchanged between manager and agent and finding the characteristic binary strings in them. It scans an entire subnet from a single network node.

If the source code of the attack tool has been changed to use a different communication port, or the passwords have been changed, this tool will not be able to do its job. It can be found at

Another tool was developed by David Brumley of Stanford University. He implemented a remote detector, "Rid", that searches for the Trin00 agent, TFN agent, and Stacheldraht agent. This tool also scans the standard ports and passwords used by the attack tools.

Rid searches all the nodes in the network (or a limited list of hosts) from a single node. The program uses a configuration file to set the ports and signatures it looks for and the list of hosts to examine. This file can easily be changed if the attack tool has already been detected by other means. Ports and passwords can be added to the search list in the configuration file.

This tool can be found at



To prevent your systems from being used as "zombies", make sure that all the latest security patches from the vendor are installed. Make sure a good password policy is enforced on every machine in the network, and use a one-time password scheme or encryption to prevent an attacker from gaining access to any machine on the network and installing supporting software (such as a sniffer) to obtain information for accessing the rest of the network. Turn off all unnecessary services. Attackers are constantly improving their means of penetration on the basis of newly discovered software vulnerabilities in information systems. As soon as a new technology appears, and with it a new vulnerability, it is quickly adopted by attackers. Make sure all servers and routers keep logs of all events.

According to some experts, David Brumley's tool, rid, is currently the most promising. It is identical to Dave Dittrich's program in its method of detecting agents. Information security specialists recommend using rid after DDoS_scan, because new data can be added to its search parameters through the configuration file. Most users can modify this file, whereas for DDoS_scan modifying the source code is the only way to change the search parameters.

The NIPC tool is quite successful at detecting the binary signatures of all the attack tools running on Solaris.

It should also be noted that a firewall should be installed at the outer edge of the network. Firewalls can be configured to filter and log incoming and outgoing traffic. They let you prevent certain protocols from entering or leaving the subnet. For example, all ICMP traffic can be blocked from entering or leaving the subnet. This disrupts the channels that agents use for communication and coordination.

As a number of experts recommend, routers should be configured so that all outbound traffic is checked to ensure that the source IP address of each packet belongs to the subnet that the router serves. The computer security unit of the Lawrence Livermore National Laboratory of the U.S. Department of Energy developed a guidance document, RFC 2267, which discusses how this technique can be used to limit the effectiveness and capabilities of a DDoS attack. This would not stop a DDoS attack, but it would make investigation easier by allowing packets to be traced to their source and the attack to be stopped. Such a configuration could also serve as an early warning system in case a subnet is being used to attack.
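The source-address check described here and in the earlier paragraph on spoofed addresses can be sketched as follows. This is an added example, not code from the article, from RFC 2267 or from any router vendor; the interface names, the served prefixes, the packet tuples and the ALERT_AFTER threshold are assumptions, and the packets are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: a hypothetical router with two customer-facing interfaces.
SERVED = {
    "eth1": [ipaddress.ip_network("192.0.2.0/25")],
    "eth2": [ipaddress.ip_network("192.0.2.128/26"),
             ipaddress.ip_network("198.51.100.0/24")],
}
ALERT_AFTER = 3   # assumption: dropped packets per interface before raising an alert


def permitted(interface, src):
    """True if src is a valid address inside a prefix served on this interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in SERVED.get(interface, []))


def egress_filter(packets):
    """packets: (interface, src, dst). Returns (forwarded, dropped_per_interface, alerts)."""
    forwarded, dropped = [], Counter()
    for interface, src, dst in packets:
        if permitted(interface, src):
            forwarded.append((interface, src, dst))
        else:
            # The forged source says nothing about the sender, but the interface
            # the packet arrived on identifies the segment that hosts the agent.
            dropped[interface] += 1
    alerts = sorted(i for i, n in dropped.items() if n >= ALERT_AFTER)
    return forwarded, dict(dropped), alerts


# Constructed outbound packets; every address comes from a documentation range.
PACKETS = (
    [("eth1", "192.0.2.10", "203.0.113.200")]
    + [("eth1", "203.0.113.%d" % n, "203.0.113.200") for n in range(1, 5)]  # forged sources
    + [("eth2", "198.51.100.7", "203.0.113.200"),
       ("eth2", "192.0.2.10", "203.0.113.200"),     # valid address, wrong interface
       ("eth1", "not-an-address", "203.0.113.200")]
)

forwarded, dropped, alerts = egress_filter(PACKETS)
print("forwarded:", len(forwarded), "dropped:", dropped, "alerting interfaces:", alerts)
```

Counting the drops per interface is what turns the filter into the early warning the article mentions: a rising counter on one interface points at the segment where an agent is running.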

Any of the attack methods also provokes significant return traffic to the agent. This traffic should trigger an alert from the intrusion detection software and initiate packet tracing, and possibly disconnection at the router, so as not to harm the target network segment.

Cisco has published a white paper on how DDoS attacks can be prevented, and how to collect the information needed for an investigation by changing the configuration of the routers on each subnet. It can be found at

Finally, if your network is already participating in a DDoS attack against another site, disconnect the systems acting as agents from the core network. If the agents cannot be found quickly, it may be necessary to disconnect the router from the external network as well. This will stop most of the destructive packets heading for the target, while the agents will continue to generate traffic, which makes it possible to locate them. Remember that the attacker has nearly complete control over the zombie computers.



  1. Paul Criscuolo - Distributed Denial of Service, CIAC-2319, Feb. 14, 2000.
  2. Axent Technologies - TFN2K - An Analysis, by Jason Barlow and Woody Thrower
  3. David Dittrich - The DoS Project's "trinoo" distributed Denial of Service attack tool
  4. David Dittrich - The "Tribe Flood Network" distributed Denial of Service attack tool
  5. David Dittrich - The "stacheldraht" distributed Denial of Service attack tool
  6. ISS X-Force Alert - Denial of Service Attack using the Trin00 and Tribe Flood Network programs
  7. Results of the Distributed-System Intruder Tools Workshop, Pittsburgh, Pennsylvania, USA, November 2-4, 1999
