Pervasive Technology Labs at Indiana University Advanced Networking Management Lab (ANML)
Distributed Denial of Service Attacks (DDoS) Resources

DDoS Case Online
  • Attacks Against GRC.COM
  • DoS Attack on a Check Point Firewall

Technical Information
  • SANS' DDoS Roadmap
  • CERT's DoS FAQ
  • Dave Dittrich's Homepage
  • DDoS Attacks/tools
  • CIAC
  • Astanetworks

DDoS Tools
  • DDoS attack tools
  • DDoS attack tool timeline


DDoS attack tools

  • Trinoo (also called Trin00)
    Trinoo (trin00) is a distributed UDP flood tool. The attacker connects to the handler (master) over TCP, and handler-to-agent (daemon) communication uses unencrypted UDP. The default port numbers are 27665/tcp (attacker to handler), 27444/udp (handler to agent) and 31335/udp (agent to handler); 1524/tcp is the root-shell backdoor found on the compromised hosts alongside trinoo. The attack method is a UDP flood.

    More information:

    David Dittrich, "The DoS Project's "trinoo" distributed Denial of Service attack tool, October 21, 1999,
    http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt


  • The Tribe Flood Network (TFN)
    TFN started to appear after trinoo. The TFN client and daemon programs implement a DDoS network capable of launching a number of attacks, such as ICMP flood, SYN flood, UDP flood, and SMURF-style attacks. TFN is noticeably different from trinoo in that all communication between the client (attacker), handlers, and agents uses ICMP ECHO and ECHO REPLY packets; commands from the TFN client to the daemons travel in ICMP ECHO REPLY packets. The absence of TCP and UDP control traffic makes these packets hard to spot, because many protocol monitoring tools are not even configured to capture and display ICMP traffic.

    More information:

    David Dittrich, The "Tribe Flood Network" distributed denial of service attack tool, October 21, 1999
    http://staff.washington.edu/dittrich/misc/tfn.analysis.txt


  • Stacheldraht (German for "barbed wire")
    Stacheldraht is a DDoS tool that started to appear in the late summer of 1999 and combines features of trinoo and TFN. It also contains some advanced features, such as encrypted attacker-master communication and automated agent updates. The possible attacks are similar to those of TFN; namely, ICMP flood, SYN flood, UDP flood, and SMURF attacks.

    More information:

    David Dittrich, The "stacheldraht" distributed denial of service attack tool, December 31, 1999
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt


  • Trinity
    Trinity is capable of launching several types of flooding attacks on a victim site, including UDP, fragment, SYN, RST, ACK, and other floods. Communication from the handler or intruder to the agent, however, is accomplished via Internet Relay Chat (IRC) or AOL's ICQ; Trinity appears to use primarily port 6667 and also has a backdoor program that listens on TCP port 33270.

    More information:

    Michael Marchesseau, "Trinity" Distributed Denial of Service Attack Tool, September 11, 2000
    http://rr.sans.org/malicious/trinity.php


  • Shaft
    A Shaft network looks conceptually similar to a trinoo network: it is a packet-flooding tool, and the client controls the size of the flooding packets and the duration of the attack. One interesting signature of Shaft is that the sequence number of all its TCP flood packets is 0x28374839.

    More information:

    An Analysis of the "Shaft" Distributed Denial of Service Tool
    http://www.sans.org/y2k/shaft.htm


  • Tribe Flood Network 2K (TFN2K)
    TFN2K is a complex variant of the original TFN with features designed specifically to make TFN2K traffic difficult to recognize and filter, remotely execute commands, hide the true source of the attack using IP address spoofing, and transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP. TFN2K attacks include flooding (as in TFN) and those designed to crash or introduce instabilities in systems by sending malformed or invalid packets, such as those found in the Teardrop and Land attacks.

    More information:

    Jason Barlow and Woody Thrower, Axent Security Team, "TFN2K - An Analysis", March 7, 2000
    http://www.securiteam.com/securitynews/5YP0G000FS.html


  • MStream
    mstream attacks the target with spoofed TCP packets that have the ACK flag set. Communication is unencrypted and uses TCP and UDP. Access to the handler is password protected, and the program has a feature not found in the other tools described here: it notifies every connected user of any access attempt, successful or not, made against the handler(s) by competing parties.

    More information:

    NIPC ADVISORY 00-044 "MStream Distributed Denial of Service Tool", NIPC, May 24, 2000
    http://www.nipc.gov/warnings/advisories/2000/00-044.htm

    David Dittrich, George Weaver, Sven Dietrich, and Neil Long, The "mstream" distributed denial of service attack tool, May 1, 2000,
    http://staff.washington.edu/dittrich/misc/mstream.analysis.txt

    Carnegie Mellon Software Engineering Institute, CERT® Incident Note IN-2000-05, "mstream" Distributed Denial of Service Tool, May 2, 2000
    http://www.cert.org/incident_notes/IN-2000-05.html
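The default port numbers, the ICMP-only control channel of TFN and the fixed Shaft sequence number listed above are the signatures an analyst actually hunts for on a network. The following is an added example that runs those checks over constructed packet records; it is not ANML's code and not taken from any of the analyses cited above. The record format, the sample data and the thresholds are assumptions made for the example. The ports and the value 0x28374839 are the ones this page lists, and every one of them can be changed by an attacker, so a hit is a lead to investigate, not proof of compromise.

```python
"""Signature checks for the DDoS tools described above, run over constructed
packet records.  Example code added to this page, not code from ANML or from
the cited analyses.  Record format, sample data and thresholds are assumptions;
the ports and the Shaft sequence number are the values the page lists."""
from collections import defaultdict

# Default trinoo ports from the page: 27665/tcp attacker->handler,
# 27444/udp handler->agent, 31335/udp agent->handler, 1524/tcp root shell.
TRINOO_PORTS = {("tcp", 27665), ("tcp", 1524), ("udp", 27444), ("udp", 31335)}
TRINITY_BACKDOOR = ("tcp", 33270)   # Trinity backdoor listener (IRC 6667 is not flagged: normal traffic)
SHAFT_SEQ = 0x28374839              # fixed TCP sequence number in Shaft flood packets
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ACK_SOURCES_THRESHOLD = 5           # assumed threshold for the toy mstream check


def parse(line):
    """Parse 'proto src sport dst dport key=value ...' (constructed record format)."""
    proto, src, sport, dst, dport, *kv = line.split()
    rec = {"proto": proto, "src": src, "sport": int(sport),
           "dst": dst, "dport": int(dport)}
    for item in kv:
        key, val = item.split("=", 1)
        rec[key] = int(val, 0) if key in ("seq", "type", "id") else val
    return rec


def scan(lines):
    """Return a sorted list of (tool, reason) findings for the given records."""
    findings = set()
    shaft_hits = 0
    ack_sources = defaultdict(set)     # dst -> distinct sources of ACK-only TCP packets
    pending_echo = defaultdict(set)    # (requester, responder) -> outstanding echo ids
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        r = parse(line)
        p = r["proto"]
        if p in ("tcp", "udp"):
            for port in (r["sport"], r["dport"]):
                if (p, port) in TRINOO_PORTS:
                    findings.add(("trinoo", f"{p}/{port} {r['src']} -> {r['dst']}"))
            if (p, r["dport"]) == TRINITY_BACKDOOR:
                findings.add(("trinity", f"connection to backdoor tcp/33270 on {r['dst']}"))
        if p == "tcp":
            if r.get("seq") == SHAFT_SEQ:
                shaft_hits += 1
            if r.get("flags") == "A":        # ACK-only packets, as mstream sends them
                ack_sources[r["dst"]].add(r["src"])
        elif p == "icmp":
            if r.get("type") == ICMP_ECHO_REQUEST:
                pending_echo[(r["src"], r["dst"])].add(r.get("id"))
            elif r.get("type") == ICMP_ECHO_REPLY:
                outstanding = pending_echo[(r["dst"], r["src"])]
                if r.get("id") in outstanding:
                    outstanding.discard(r.get("id"))
                else:   # TFN carries commands in echo replies nobody requested
                    findings.add(("tfn", f"unsolicited echo reply {r['src']} -> {r['dst']} id={r.get('id')}"))
    if shaft_hits >= 2:
        findings.add(("shaft", f"{shaft_hits} TCP packets with seq 0x28374839"))
    for dst, sources in ack_sources.items():
        if len(sources) >= ACK_SOURCES_THRESHOLD:
            findings.add(("mstream", f"ACK-only flood on {dst} from {len(sources)} sources"))
    return sorted(findings)


# Constructed sample records (not a real capture).
SAMPLE = [
    "tcp 10.0.0.5 40001 192.0.2.10 27665 flags=S",          # attacker -> trinoo handler
    "udp 192.0.2.10 27444 198.51.100.7 27444",               # handler -> trinoo agent
    "icmp 198.51.100.7 0 203.0.113.9 0 type=8 id=0x1",       # ordinary ping ...
    "icmp 203.0.113.9 0 198.51.100.7 0 type=0 id=0x1",       # ... and its matching reply
    "icmp 198.51.100.44 0 198.51.100.7 0 type=0 id=0x1c4",   # echo reply with no request
    "tcp 172.16.3.3 50000 192.0.2.10 33270 flags=S",         # Trinity backdoor connection
] + [f"tcp 10.9.9.{i} 102{i} 192.0.2.80 80 flags=S seq=0x28374839" for i in range(3)] \
  + [f"tcp 10.{i}.{i}.{i} 100{i} 192.0.2.80 80 flags=A seq=0x{i:x}" for i in range(1, 8)]

if __name__ == "__main__":
    for tool, reason in scan(SAMPLE):
        print(f"{tool:8} {reason}")
```

Port matches are the weakest signal here: any service can be bound to 27665/tcp, and IRC on 6667 is ordinary traffic, which is why the example does not flag it. The unsolicited echo reply (a command channel with no TCP or UDP at all) and the constant sequence number are the tells the cited analyses single out, and they survive a change of port numbers.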


DDoS attack tool timeline

Dave Dittrich posted this timeline at
http://staff.washington.edu/dittrich/talks/sec2000/timeline.html
  • May/June, 1998   First primitive DDoS tools developed in the underground -- small networks, only mildly worse than coordinated point-to-point DoS attacks
  • July 22, 1999   CERT releases Incident Note 99-04 mentioning widespread intrusions on Solaris RPC services
  • August 5, 1999   First evidence seen at the UW of programs being installed on Solaris systems in what appeared to be "mass" intrusions.
  • August 17, 1999   Attack on the University of Minnesota reported to UW network operations and security teams.
  • September 2, 1999   Contents of a stolen account used to cache files was recovered
  • September 27, 1999   CERT provided with first draft of trinoo analysis
  • Early October 1999   CERT goes through the painful process of reviewing hundreds of Solaris intrusion reports and finds many match the trinoo analysis. They arrange the Distributed System Intruder Tools Workshop (the first time they have done this.)
  • October 15, 1999   CERT mails out invitations to the DSIT workshop.
  • October 23, 1999   Final draft of trinoo analysis and TFN analysis finished in preparation for the DSIT workshop.
  • November 2-4, 1999   DSIT workshop held in Pittsburgh. It is agreed by attendees that it is important to not panic people, but instead provide meaningful steps to deal with this new threat. All attendees are asked to keep information about DDoS programs private until we all finish a report on how to respond.
  • November 18, 1999   CERT releases Incident Note 99-07 mentioning DDoS tools. Work is still continuing on DSIT Workshop report.
  • November 29, 1999   SANS NewsBytes Vol. 1 Num. 35 mentions trinoo/TFN in the context of widespread Solaris intrusion reports they were getting that were consistent with CERT IN-99-07 and involving ICMP_ECHOREPLY packets.
  • December 7, 1999   ISS releases an advisory on trinoo/TFN after first non-technical mention of DDoS tools in a USA Today article. CERT rushes out the final report of the DSIT workshop. I publish my analyses of trinoo and TFN to the BUGTRAQ email list.
  • December 8, 1999   (According to USA Today article) NIPC sends a note briefing FBI Director Louis Freeh for the first time.
  • December 17, 1999   (According to USA Today article) NIPC director Michael Vatis briefs Attorney General Janet Reno as part of an overview of preparations being made for Y2K
  • December 27, 1999   As final work on analysis of "stacheldraht", a scan of the UW network was made with "gag" (included in the stacheldraht analysis), which found three active agents which were traced to a handler in the southern US. The ISP and their upstream provider were able to identify over 100 agents in this network.
  • December 28, 1999   CERT releases Advisory 99-17 on Denial-of-Service Tools (covers TFN2K and MacOS 9 DoS exploit).
  • December 30, 1999   I publish my analysis of stacheldraht to the BUGTRAQ email list. NIPC issues a press release on DDoS programs and releases, Distributed Denial of Service Attack Information (TRINOO/Tribal Flood Net, including a tool for scanning local file systems/memory for DDoS programs.)
  • January 3, 2000   CERT and FedCIRC jointly publish Advisory 2000-01 on Denial-of-Service Developments. Discusses stacheldraht and NIPC scanning tool.
  • January 4, 2000   SANS asks its membership to use published DDoS detection tools to determine how widely these tools are being used. Reports of successful searches start coming in within hours.
  • January 5, 2000   Sun releases bulletin #00193, "Distributed Denial-of-Service Tools"
  • January 14, 2000   Attack on OZ.net in Seattle affects Semaphore and UUNET customers (affecting as much as 70% of Puget Sound Internet users, and possibly other sites in the US -- no national press attention until January 18.)
  • January 17, 2000   ICSA.net organizes Birds of a Feather (BOF) session on Distributed Denial of Service attacks at RSA 2000 conference in San Jose.
  • February 7, 2000   Talk by Steve Bellovin on Denial of Service attacks, and another ICSA.net DDoS BOF at NANOG meeting in San Jose. First attacks on eCommerce sites begin.
  • February 8 - 12, 2000   Attacks on eCommerce sites continue. Media feeding frenzy begins...


Page developed by yinjin@indiana.edu

107 S. Indiana Ave., Bloomington, IN 47405-7000 (812) 855-4810

Comments: ptlabs@iu.edu
© 2001, The Trustees of Indiana University