Analysis of the "mstream" distributed denial of service attack tool, based on the source code of "stream2.c", a classic point-to-point DoS attack tool. mstream is more primitive than any of the other DDoS tools.
243feec66f24ccdbce5b93711153f7ee5460dd38368a1916c04ed718db01e1b5
Mstream, the newest of DDoS tools to be circulated, has been analyzed and has been found to be more primitive than any of the other DDoS tools available. Examination of reverse engineered and recovered C source code reveals the program to be in early development stages, with numerous bugs and an incomplete feature set compared with any of the other listed tools. The effectiveness of the stream/stream2 attack itself, however, means that it will still be disruptive to the victim (and agent) networks even with an attack network consisting of only a handfull of agents.
f99e0a8ce4955dd57c4447e0fb53ba79f318ed5fd1ecacfd76efa2782fd75770
An analysis of the "Shaft" distributed denial of service tool. Shaftnode was recovered initially in November, 1999. Distinctive features are the ability to switch handler servers and handler ports on the fly, making detection by intrusion detection tools difficult from that perspective, a "ticket" mechanism to link transactions, and the particular interest in packet statistics, showing the "yield" of the DDoS network as a whole.
0af9ed12f935a568a43097d26109b009fa5aa5c7d137a97c98d2ea3460c2395a
"gag" is a program to remotely scan for "stacheldraht" agents, which are part of an active "stacheldraht" network. It will not detect trinoo, the original Tribe Flood Network (TFN), or TFN2K agents. Tested on linux/solaris/AIX/BSD.
e5c6d78b9d6ac27ed84bc86b8f0e2a5db68ea378ec8fb8c63b06436eae38fe13
The following is an analysis of "stacheldraht", a distributed denial of service attack tool, based on source code from the "Tribe Flood Network" distributed denial of service attack tool. Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents.
bc4c022ff592ac5a5e926474eabe73cf1b4c0adf026de3eb391f6a929b9213ec
Results of the Distributed-Systems Intruder Tools Workshop (Nov 2-4, 1999). Several distributed intruder tools are in widespread use now, and the technology is maturing. As a result, a single command from an attacker can result in tens of thousands of concurrent attacks.
8b00c34553af24954aaa094e37bc7bc7c6a40a85b44fbaa778b7a8dd07d54f5e
The following is an analysis of the "Tribe Flood Network", or "TFN", by Mixter. TFN is ai powerful distributed attack tool and backdoor currently being developed and tested on a large number of compromised Unix systems on the Internet. TFN source available here.
d193538a169810294d7efa1f1fe84ac8f4f4364fdd347856fd7ca36bf6ad472c
The following is an analysis of the DoS Project's "trinoo" (a.k.a. "trin00") master/slave programs, which implement a distributed network denial of service tool. Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems, and probably being set up on hundreds, perhaps thousands, of systems on the Internet that are being compromised by remote buffer overrun exploitation.
ade704fd58270cb096e8fa0562d14e34c0c9912b911df5400f01ed222fd8dcf2
This program gathers as much information as possible about an intruder's system, using nmap, netcat.
7fca0b443490617ba3841442000f3ebafb5f0e00c1a78ac1e854c05579a4ffb8