Sunday, 3 February 2013

Case Study - Distributed Denial-of-Service Attacks



Attacks
Distributed denial-of-service attacks differ in their capabilities and
complexity, but all share the common goal of overwhelming a victim
with a large volume of traffic that is difficult either to detect or to
filter. The evolution of these attack tools, such as TFN, Trin00, TFN2k
and Stacheldraht, has introduced encryption and additional tiers to
avoid detection and increase scalability.
Tribal Flood Network (TFN)
TFN was the first highly visible DDoS attack tool to surface on the
Internet. It has been nicknamed Tribal Flood Network or Teletubby
Flood Network. It exhibits a two-tier architecture, involving a client
that controls the targeting and options of the attack system, and
multiple daemons which function as listeners for the client’s commands
and perform the actual DoS attacks, chosen from a variety provided in
the tool.
The TFN daemon runs as a hidden service on the machine it uses and can
receive commands from the client that are hidden subliminally in
standard network communications/protocols. It also hides the client and
daemon's source in all communications and attacks.
Trin00
Trin00 moved to a three-tier architecture. The attacker uses a client
(telnet or netcat) to send commands, including targets, to master
servers, which control multiple daemons and forward the commands
received from the client.
This additional tier added another layer to the communication and made
the tool harder to trace back to the attacker. However, Trin00 did not
take advantage of all of the TFN technology to hide itself: it
communicated over its own proprietary channels and failed to hide the
source of the attack traffic. Trin00 was also limited to only one form
of DoS attack, unlike TFN, which had a variety.
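
The proprietary control channels described above give defenders something to look for. As an added example (not part of the original post), the following Python code rebuilds the client/master/daemon hierarchy from flow records. The default port numbers come from public analyses of Trin00 and are not stated on this page; the flow records and the function name `map_tiers` are constructed for illustration.

```python
from collections import defaultdict

# Default Trin00 ports from public analyses of the tool (not stated on this
# page); a rebuilt binary can use other ports, so a match is a lead, not proof.
CLIENT_TO_MASTER = ("tcp", 27665)
MASTER_TO_DAEMON = ("udp", 27444)
DAEMON_TO_MASTER = ("udp", 31335)

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 27665),
    ("192.0.2.10", "203.0.113.21", "udp", 27444),
    ("192.0.2.10", "203.0.113.22", "udp", 27444),
    ("203.0.113.21", "192.0.2.10", "udp", 31335),
    ("203.0.113.22", "192.0.2.10", "udp", 31335),
    ("203.0.113.50", "192.0.2.80", "tcp", 443),      # unrelated traffic
    ("203.0.113.51", "192.0.2.99", "udp", 27444),    # lone hit, no reply leg
]


def map_tiers(flows):
    """Group hosts into the three tiers using both directions of control traffic."""
    sent_cmd = defaultdict(set)      # master -> daemons it sent commands to
    reported = defaultdict(set)      # daemon -> masters it reported back to
    operators = defaultdict(set)     # master -> clients that connected to it
    for src, dst, proto, dport in flows:
        key = (proto, dport)
        if key == MASTER_TO_DAEMON:
            sent_cmd[src].add(dst)
        elif key == DAEMON_TO_MASTER:
            reported[src].add(dst)
        elif key == CLIENT_TO_MASTER:
            operators[dst].add(src)
    tiers = {}
    for master, daemons in sent_cmd.items():
        # Require the return leg so a single stray packet is not reported.
        confirmed = sorted(d for d in daemons if master in reported.get(d, ()))
        if confirmed:
            tiers[master] = {"clients": sorted(operators.get(master, ())),
                             "daemons": confirmed}
    return tiers


if __name__ == "__main__":
    for master, info in map_tiers(SAMPLE_FLOWS).items():
        print(master, info)
```

Requiring both the master-to-daemon and daemon-to-master legs keeps a single stray packet on one of these ports from being reported as a master.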




