| Name of Tool | Flooding Capabilities | Short Description |
| --- | --- | --- |
| Trinoo | UDP | Only initiates UDP attacks to random ports. Communication between master and slave is via unencrypted TCP and UDP. No IP spoofing. Uses UDP ports 27444 and 31335. |
| TFN | UDP, ICMP Echo, TCP SYN, Smurf | Uses IP spoofing. Uses ICMP Echo reply packets to communicate between zombie and master. |
| Stacheldraht v4 | UDP, ICMP, TCP SYN, Smurf | Uses encryption for communications (but not for ICMP heartbeat packets that zombie sends to master) and has an auto-update feature (via rcp). Has ability to test (via ICMP Echo) if it can use spoofed IP addresses. |
| Stacheldraht v2.666 | UDP, ICMP, TCP SYN, Smurf, TCP ACK, TCP NUL | Uses encryption for communications (but not for ICMP heartbeat packets that zombie sends to master) and has an auto-update feature (via rcp). Has ability to test (via ICMP Echo) if it can use spoofed IP addresses. |
| TFN 2K (Tribal Flood Network) | UDP, ICMP Echo, TCP SYN, Smurf | Same as TFN, but the slave is silent and so difficult to spot. No return info from slave. Zombie to master communication is encrypted. |
| FAPI | UDP, TCP SYN, TCP ACK, ICMP | Can spoof IP addresses. |
| Carko (Stacheldraht v1.666 + antigl + yps) | UDP, ICMP, TCP SYN, Smurf, TCP ACK, TCP NUL | Uses the backdoor hole of snmpXdmid and uses UDP port 530. |
| Freak88 | ICMP | NT-specific zombie. No spoofing capabilities. Sends ICMP 1500 octet packets marked as fragments. |
| Shaft | UDP, ICMP, TCP SYN | Uses UDP ports 18753 and 20433. Has optional IP spoofing capabilities (needs root). Can set ICMP/UDP packet size. |
| Mstream | TCP ACK | Usually uses TCP port 12754 but can use any port. Master connects via telnet to zombie. Communication between zombie and controller is not encrypted. The target gets hit by ACK packets and sends TCP RST to non-existent IP addresses. Routers will return ICMP unreachable, causing more bandwidth starvation. |
| Blitznet | TCP SYN | Can spoof IPs and do IP flooding. |
| Ramen | Multicast | Ramen is a worm that propagates by using a newly compromised system to scan Class B (/16) wide address spaces, searching for port 21 (FTP) and looking for new vulnerable hosts. SYN scanning performed by Ramen can disrupt network traffic when scanning the multicast network range. |
| Targa | Any | Works by sending malformed IP packets known to slow down or hang many TCP/IP network stacks. |
| Spank | Multicast | Will only work on a multicast-enabled network. Similar to Mstream. |
| Stick | Any | Stick uses the straightforward technique of firing numerous attacks at random, from random source IP addresses, to purposely trigger IDS events. Stick is a DoS tool against IDS systems. |
| Trank | | |
| Omega | TCP ACK, UDP, ICMP, IGMP | Can spoof IPs and has a chat option between attackers. |
| Naptha | TCP | Naptha attacks exploit weaknesses in the way some TCP stacks and applications handle large numbers of connections in states other than "SYN RECVD," including "ESTABLISHED" and "FIN WAIT-1." |
| Trinity (also called MyServer and Plague) | UDP, TCP Fragment, TCP SYN, TCP RST, TCP RandomFlag, TCP ACK, Establish, NULL | Listens to TCP port 33270. When idle it connects to Undernet IRC server on port 6667. |
| IRC bots | ICMP, UDP | Zombie systems controlled via a central IRC channel. Sub7 trojan used to maintain control over the zombie. |
| HTTPSmurf | TCP HTTP | Using public IIS servers as unsuspecting zombies, it sends a string of data to multiple web servers and they reflect the data to the target. |
| Code Red | TCP HTTP | Using a known IIS bug to infect web servers, this DDoS trojan will only attack whitehouse.org but it will utilize 225,000 infected IIS systems. It exploits a vulnerability in the Indexing Service on systems running Microsoft IIS. |
| Power worm | TCP HTTP | Utilizing an IIS hole related to Unicode support, this worm uses IRC as a back channel to control an army of zombies. |
| Cisco | ICMP | Uses a Cisco router as a zombie for an ICMP-based ping attack. |
| Nimda | TCP HTTP | Worm utilizing yet another MS IIS hole. |
| SQL — Voyager Alpha | TCP HTTP | SQL with no password (default). The hacker takes over the system and uses it as part of an IRC botnet to DDoS victims. |