TFN2k
TFN2k, while not displaying a three-tier architecture like Trin00, added
encryption to its communication between the two tiers, clients and
daemons, making it harder to detect. TFN2k also added a new type of
DoS attack, called Targa3.
Stacheldraht
Stacheldraht took Trin00 and TFN’s technology and combined them,
hiding the source addresses of its traffic and adding the variety of
denial-of-service attacks from TFN, while adding the three-tier
architecture of Trin00. A new version of Stacheldraht has emerged with
additional technology to hide its presence and communications.
TFN2k in more detail
The TFN2K distributed denial-of-service system consists of a
client/server architecture.
The client is used to connect to master servers, which can then perform
specified attacks against one or more victim machines. Commands are
sent from the client to the master server within the data fields of ICMP,
UDP, and TCP packets. The data fields are encrypted using the CAST
algorithm and base64 encoded. The client can specify the use of
random TCP/UDP port numbers and source IP addresses. The system
can also send out ’decoy’ packets to non-target machines. These factors
make TFN2K more difficult to detect than the original TFN program.
The master server parses all UDP, TCP, and ICMP echo reply packets
for encrypted commands. The master server has no default password;
the password is selected by the user at compile time.
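One way to look for the ICMP carrier described above, added here as an example and not taken from the original post or from TFN2K itself: flag echo replies that answer no observed echo request and whose data field is entirely base64 text. The heuristic, the function names, the addresses and the sample payloads are assumptions constructed for illustration; the "opaque" payload is arbitrary bytes, not real TFN2K traffic.

```python
import base64
import re
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
B64_ONLY = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

def icmp(icmp_type, ident, seq, payload):
    # Constructed ICMP message; checksum is left at 0 because it is not examined.
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def looks_base64(payload):
    """True when the whole payload is base64 text (assumed heuristic)."""
    return B64_ONLY.fullmatch(payload) is not None

def suspicious_replies(packets):
    """Echo replies that answer no observed request and carry only base64."""
    pending, hits = set(), []
    for src, dst, raw in packets:
        if len(raw) < 8:
            continue  # shorter than an ICMP echo header
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", raw[:8])
        if icmp_type == ECHO_REQUEST:
            pending.add((dst, src, ident, seq))  # reply expected dst -> src
        elif icmp_type == ECHO_REPLY:
            key = (src, dst, ident, seq)
            if key in pending:
                pending.discard(key)  # ordinary ping answer
            elif looks_base64(raw[8:]):
                hits.append((src, dst))
    return hits

# Constructed sample traffic (private and documentation addresses, no real capture).
WIN_PING = b"abcdefghijklmnopqrstuvwabcdefghi"         # Windows ping filler
OPAQUE = base64.b64encode(bytes(range(200, 232)))      # stand-in for ciphertext
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", icmp(ECHO_REQUEST, 1, 1, WIN_PING)),
    ("10.0.0.9", "10.0.0.5", icmp(ECHO_REPLY, 1, 1, WIN_PING)),    # solicited
    ("192.0.2.77", "10.0.0.9", icmp(ECHO_REPLY, 0, 0, OPAQUE)),    # unsolicited
    ("10.0.0.7", "10.0.0.9", icmp(ECHO_REPLY, 7, 3, bytes(range(0x10, 0x38)))),
]

if __name__ == "__main__":
    for src, dst in suspicious_replies(SAMPLE):
        print(f"unsolicited base64 echo reply {src} -> {dst}")
```

Matching replies to requests matters because an ordinary Windows ping payload is also made up only of base64-alphabet characters, so the payload test alone would flag legitimate traffic.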
The attack is initiated with the TFN2K client sending various
commands to the master for execution, including commands to flood a
target machine or set of target machines within a specified address
range. The client can send commands using UDP, SYN, ICMP echo, and
ICMP broadcast packets. These flood attacks cause the target machine
to slow down because of the processing required to handle the
incoming packets, leaving little or no network bandwidth.
TFN2K runs on Linux, Solaris, and Windows platforms.
Defence
Some options for dealing with DDoS attacks aim to reduce the effect of
an attack, others to detect the attack, and still others to provide
forensic information. Strategies for attempting to prevent the attack
altogether are discussed as well.