Distributed Attack Tools  
blitznet.tgz
Blitznet launches a distributed SYN flood attack with spoofed source IP, without logging. By Phreeon
btodd-whitepaper.txt
Distributed Denial of Service Attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet. This paper attempts to explain how they work, why they are hard to combat today, and what will need to happen if they are to be brought under control. Plain text format, PS and HTML available at the homepage, here. By Bennett Todd
cisco-newsflash.htm
Cisco Newsflash - Distributed Denial of Service. Contains information to help you understand how DDoS attacks are orchestrated, recognise programs used to launch DDoS attacks, and apply measures to prevent the attacks (including anti-spoofing commands, egress filtering, RPF and CEF, ACLs, rate limiting for SYN packets). Also contains information on gathering forensic information if you suspect an attack, and learning more about host security.
ddos-routing.txt
Distributed Denial Of Service attacks - A proposal based on routing. This paper describes a technique that -hopefully- can be used to defeat the recent DDOS attacks. The solution presented here is based on routing. It requires a certain amount of extra network infrastructure. By Fernando P. Schapachnik
ddos-thought.txt
Some thoughts on the solutions to Distributed Attack Technology - Distributed ownership tools [DOT] exist that scan numerous hosts for vulnerabilities that allow agents to be installed automatically. Potential solutions include more host based security, fixing ipv4, legislation, and fighting fire with fire. By The Cat
ddosping.zip
DDoSPing v1.03 is a Win 9x/NT GUI scanner for the DDoS agents Wintrinoo, Trinoo, Stacheldraht and TFN. Changes: Added buttons to switch between Windows and UNIX default configurations for Trinoo. Homepage here. By Robin Keir
DDSA_Defense.htm
Distributed Denial of Service Defense Tactics - This paper details some practical strategies that can be used by system administrators to help protect themselves from distributed denial of service attacks as well as protect themselves from becoming unwitting attack nodes against other companies. Homepage here. By Simple Nomad
denial_of_service.ht..>
CERT FAQ on Denial of Service attacks. Homepage here.
distributed_metastas..>
A new model of computer penetration: distributed metastasis, increases the possible depth of penetration for an attacker, while minimizing the possibility of detection. Distributed Metastasis is a non-trivial methodology for computer penetration, based on an agent based approach, which points to a requirement for more sophisticated attack detection methods and software to detect highly skilled attackers. By Andrew J. Stewart
dscan-0.4.tar.gz
A simple distributed port scanner that uses many computers to conduct a port scan, which should make it harder to trace the source. This release of dscan has many improvements over the last release; for a full list see the HISTORY file in the archive. Dscan started off as proof of concept code and has now turned into a project for testing new techniques such as linked lists. This release does not come with UDP port scanning support, but a patch file should be available in a few days time to add UDP support. By Andrew Kay
dsit_workshop.pdf
Results of the Distributed-Systems Intruder Tools Workshop (Nov 2-4, 1999). Several distributed intruder tools are in widespread use now, and the technology is maturing. As a result, a single command from an attacker can result in tens of thousands of concurrent attacks. By Clarissa Cook, Richard Kemmerer, and David Dittrich
find_ddosV2.tar.Z
Find_ddos Version 2 - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools, including the trinoo daemon, trinoo master, enhanced tfn daemon, tfn daemon, tfn client, tfn2k daemon, tfn2k client, and the tfn-rush client. Changes: Detects TFN2k. Homepage here.
find_ddos_v31_intel...>
Find_ddos Version 3.1 (solaris intel) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. Homepage here.
find_ddos_v31_linux...>
Find_ddos Version 3.1 (linux) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. Homepage here.
find_ddos_v31_sparc...>
Find_ddos Version 3.1 (sparc) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. Homepage here.
find_ddos_v3_intel.t..>
Find_ddos Version 3 (intel) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools. Changes: Detects tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. This new version (find_ddosV3) is now available for Solaris on Sparc or Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program. Homepage here.
find_ddos_v3_sparc.t..>
Find_ddos Version 3 (sparc) - In response to a number of recent distributed denial-of-service (DDOS) attacks that have been reported, the NPIC has developed a tool to assist in combating this threat. The tool (called "find_ddos") is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system. The tool will detect several known denial-of-service attack tools. Changes: Detects tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. This new version (find_ddosV3) is now available for Solaris on Sparc or Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program. Homepage here.
firstaid.txt
Mixter's guide to defending against DDOS - 10 proposed 'first-aid' security measures which should be implemented by anyone at risk. Homepage here. By Mixter
Freak88.zip
Freak88's Distributed Attack Suite is a windows trojan similar to wintrin00. It can connect up to 3 infected machines and start 65000 byte ICMP floods. Auto starts from the registry and copies itself to c:\windows\system. Homepage here. By Freak88@dalnet
funtimeApocalypseWin..>
Dynamic IPs getting you down in your search for a better distributed attack? Don't think remote control, think "timed fuse". This is "concept code" designed to show the real danger of Windows systems being rooted en masse and used in a distributed attack scenario. Beta, no updates. By The Pull
icmpenum-1.1.tgz
This is a proof-of-concept tool to demonstrate possible distributed attacking concepts, such as sending packets from one workstation and sniffing the reply packets on another. Homepage here. By Simple Nomad
mio-star.tgz
The mio-star distributed multihosted unix password cracker v0.1 runs on all platforms where perl is installed. Comments and documentation are in German. By Drunken Monkey Style
mstream.analysis.txt
Analysis of the "mstream" distributed denial of service attack tool, based on the source code of "stream2.c", a classic point-to-point DoS attack tool. mstream is more primitive than any of the other DDoS tools. Homepage here. By Dave Dittrich
mstream.txt
mstream, a DDoS tool. It's been alleged that this source code, once compiled, was used by persons unknown in the distributed denial of service (DDoS) attacks earlier this year. Obviously such a thing cannot be confirmed aside from through a process of targeted sites making an appropriate comparison between the traffic this software would generate and the traffic they actually received. Submitted Anonymously.
Mstream_Analysis.txt
Mstream, the newest of DDoS tools to be circulated, has been analyzed and has been found to be more primitive than any of the other DDoS tools available. Examination of reverse engineered and recovered C source code reveals the program to be in early development stages, with numerous bugs and an incomplete feature set compared with any of the other listed tools. The effectiveness of the stream/stream2 attack itself, however, means that it will still be disruptive to the victim (and agent) networks even with an attack network consisting of only a handful of agents. By David Dittrich
plague-beta1.tar.gz
Plague creates an environment that is capable of effectively coordinating a number of compromised hosts in a distributed attack. The nature of this attack ranges from denial of service to a sophisticated scan of the Internet for potential targets for future compromise. By Blazinweed
Project_ZombieZapper.zip
Project_ZombieZapper1.1.zip
Project_ZombieZapper1.2.zip
razor.wintrinoo.txt
Razor has acquired a copy of the Windows Trojan Trinoo; the following is technical information gained from disassembling the binary. Homepage here. By Simple Nomad
rid-1_0.tgz
RID is a configurable remote DDOS tool detector which can remotely detect Stacheldraht, TFN, Trinoo and TFN2k if the attacker did not change the default ports. By David Brumley
rivat.tgz
Rivat is a distributed CGI scanner written in perl which scans for over 405 vulnerabilities. Homepage: http://www.r00tabega.com. By Xtremist
saltine-cracker-1.05..>
Saltine Cracker v1.05 is a TCP/IP Distributed Network Password Auditing Tool for NTHASH (MD4) and POSIX LibDES Crypt(3) passwords. With the incorporated cross-compatibility, you can audit Win9X/NT client passwords attached to POSIX servers and vice-versa. By Ambient Empire.
shaftnode.txt
Analysis of a Shaft Node and Master - This analysis is in addition to Sven Dietrich's analysis of the Shaft DDoS tool. The analysis we provide here is a description of the rootkit used and the methods of distribution of the tool. Homepage here. By Richard Wash
shaft_analysis.txt
An analysis of the "Shaft" distributed denial of service tool. Shaftnode was recovered initially in November, 1999. Distinctive features are the ability to switch handler servers and handler ports on the fly, making detection by intrusion detection tools difficult from that perspective, a "ticket" mechanism to link transactions, and the particular interest in packet statistics, showing the "yield" of the DDoS network as a whole. Homepage here. By Sven Dietrich, David Dittrich, and Neil Long
sickenscan.tar
"gag" is a program to remotely scan for "stacheldraht" agents, which are part of an active "stacheldraht" network. It will not detect trinoo, the original Tribe Flood Network (TFN), or TFN2K agents. Tested on linux/solaris/AIX/BSD. By David Dittrich and Marcus Ranum
slurpie.tgz
Slurpie v2.0b - Slurpie is a passwd file cracker similar to CrackerJack and John the Ripper except that it runs in a distributed environment. It supports file based and generated dictionary comparison. By Adam Klosowicz.
snort-ids.trinoo.txt
Rules for the Snort IDS to detect trinoo. These rules work only as long as the ports/passwords/protocol aren't changed. Homepage here. By Stefan Aeschbacher
stachel.tgz
StacheldrahtV4 - (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents.
stacheldraht.analysi..>
The following is an analysis of "stacheldraht", a distributed denial of service attack tool, based on source code from the "Tribe Flood Network" distributed denial of service attack tool. Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents. Homepage here. By David Dittrich
tfn.analysis.txt
The following is an analysis of the "Tribe Flood Network", or "TFN", by Mixter. TFN is a powerful distributed attack tool and backdoor currently being developed and tested on a large number of compromised Unix systems on the Internet. TFN source available here. By David Dittrich
tfn.tgz
Distributed flood network client/server that can be installed on a large number of hosts and used to hit a target with high bandwidth simultaneously. Communicates over ICMP and supports UDP, SYN, ICMP/8, smurf flood and more. Courtesy of Mixter.
tfn2k.tgz
Tribe Flood Network 2000. Using distributed client/server functionality, stealth and encryption techniques and a variety of functions, TFN can be used to control any number of remote machines to generate on-demand, anonymous Denial Of Service attacks and remote shell access. The new and improved features in this version include Remote one-way command execution for distributed execution control, Mix attack aimed at weak routers, Targa3 attack aimed at systems with IP stack vulnerabilities, Compatibility to many UNIX systems and Windows NT, spoofed source addresses, strong CAST encryption of all client/server traffic, one-way communication protocol, messaging via random IP protocol, decoy packets, and extensive documentation. Currently no IDS software will recognise tfn2k. Homepage here. By Mixter
tfn2kpass.c
Tfn2k password recovery tool - Tfn2k asks for a password during the build, which is used to prevent someone from recovering the password from the td or tfn binaries. Useful for forensics, or to command a whole flood network to send you mail letting you know all the machines infected, or to command an attack to stop if you can recover a binary. Homepage here. By Simple Nomad
TFN2k_Analysis-1.3.t..>
This document is a technical analysis of the Tribe Flood Network 2000 (TFN2K) distributed denial-of-service (DDoS) attack tool, the successor to the original TFN Trojan by Mixter. Additionally, countermeasures for this attack are also covered. Changes: This revision includes several new discoveries, corrections, and clarifications. Many thanks to those who responded with feedback and comments to the original posting of this paper. Homepage here. By Jason Barlow
TFN2k_Analysis.htm
This document is a technical analysis of the Tribe Flood Network 2000 (TFN2K) distributed denial-of-service (DDoS) attack tool, the successor to the original TFN Trojan by Mixter. Homepage here. By Jason Barlow and Woody Thrower of the Axent Security Team
tfn3k.txt
TFN3k is a paper about the future of DDOS tools, how they can be used, and the dangerous features that can and probably will be implemented in the future. Also has information on establishing Network Intrusion Detection (NIDS) Rules for DDOS attacks. By Mixter
TFN_toolkit.htm
Analysis of TFN-Style Toolkit v 1.1 - One of our systems was compromised and prompt action by the local sysadmin prevented the hackers from running their cleanup scripts. Consequently, we were able to get the toolkit that they were using against us. This toolkit contains components that are similar to what is in the TFN toolkit. Homepage here. By Randy Marchany
trinokiller.c
This program remotely kills trinoo nodes on version 1.07b2+f3 and below. Homepage here.
trinoo.analysis.txt
The following is an analysis of the DoS Project's "trinoo" (a.k.a. "trin00") master/slave programs, which implement a distributed network denial of service tool. Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems, and are probably being set up on hundreds, perhaps thousands, of systems on the Internet that are being compromised by remote buffer overrun exploitation. By David Dittrich
trinoo.tgz
Trinoo daemon source - Implements a distributed denial of service attack. Controlled via UDP.
Turner.mstream
In response to the surfacing of the mstream attack tool and the published analysis of its inner workings, a set of SNP-L scripts and attack signatures has been developed which allow one to detect and decode "mstream" network activity. By Elliot Turner
UDPer.asm
UDPer is a logic bomb written in ASM for Windows which floods a victim with packets at a certain date. By Frost_Byte
UW-CSE-00-02-01.tgz
This paper describes a technique for tracing anonymous attacks in the Internet back to their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed", source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by an attacker without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed "post-mortem", after an attack has completed. We present one implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology. In pdf and postscript format. Homepage here. By Stefan Savage
yahoo.txt
Technical details of the attack on Yahoo! last week. Includes information on what kind of packets were sent, how they were affected, and how they fixed it.