This white paper contains information to help you understand how DDoS attacks are orchestrated, recognize programs used to facilitate DDoS attacks, apply measures to prevent the attacks, gather forensic information if you suspect an attack, and learn more about host security.
Understanding the Basics of DDoS Attacks
Refer to the following illustration:

Behind a Client is a person who orchestrates the attack. A Handler is a compromised host running a special program; each handler is capable of controlling multiple agents. An Agent is a compromised host that also runs a special program; each agent is responsible for generating a stream of packets directed toward the intended victim.
Attackers have been known to use the following 4 programs to launch DDoS attacks: Trinoo, TFN, TFN2K and Stacheldraht.
In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and Sun computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. The process can be divided into the following steps, in which the attackers:
- Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
- Compromise the vulnerable hosts to gain access.
- Install the tool on each host.
- Use the compromised hosts for further scanning and compromises.
Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.
Characteristics of Common Programs Used to Facilitate Attacks
The following are common programs that attackers use to facilitate distributed denial of service (DDoS) attacks:
- Trinoo
Communication between clients, handlers and agents uses the following ports: 1524/tcp, 27665/tcp, 27444/udp and 31335/udp.
Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.
- TFN
Communication between clients, handlers and agents uses ICMP ECHO and ICMP ECHO REPLY packets.
- Stacheldraht
Communication between clients, handlers and agents uses the following ports and packet types: 16660/tcp, 65000/tcp, ICMP ECHO and ICMP ECHO REPLY.
Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.
- TFN2K
Communication between clients, handlers and agents does not use any specific port (the port may be supplied at run time or chosen randomly by the program) but uses a combination of UDP, ICMP and TCP packets.
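The following is an added example, not code from this paper or from Cisco, showing how a defender might use the two observable characteristics described above (the automated scan phase, and the default control ports of Trinoo and Stacheldraht) to triage connection records. The log line format, the `SCAN_THRESHOLD` value and the sample records are constructed for illustration. TFN and TFN2K are deliberately not covered by port matching, since they use ICMP or randomly chosen ports; and because every tool lets the attacker change its ports, a match is only a lead for investigation and a miss proves nothing.

```python
# Added example: defender-side triage of connection records against the default
# control ports listed in this paper. Not Cisco's code; the record format, the
# SCAN_THRESHOLD value and the sample records are constructed for illustration.
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Default handler/agent ports from the paper. They are defaults only: the tools
# let the attacker change them, so absence of a hit proves nothing.
DEFAULT_TOOL_PORTS = {
    ("tcp", 1524): "Trinoo",
    ("tcp", 27665): "Trinoo",
    ("udp", 27444): "Trinoo",
    ("udp", 31335): "Trinoo",
    ("tcp", 16660): "Stacheldraht",
    ("tcp", 65000): "Stacheldraht",
}

# Assumed tuning value: one source reaching this many distinct destination
# hosts on a single port is treated as the scan phase described in the paper.
SCAN_THRESHOLD = 50


class Record(NamedTuple):
    timestamp: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int  # -1 for protocols without ports (ICMP)


def parse_record(line: str) -> Record:
    """Parse one line of the constructed format:
    '<timestamp> <proto> <src_ip> -> <dst_ip> <dst_port|->'"""
    ts, proto, src, arrow, dst, port = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    return Record(ts, proto.lower(), src, dst, -1 if port == "-" else int(port))


def match_tool_ports(records: List[Record]) -> List[tuple]:
    """Return (src, dst, proto, port, tool) for traffic to a default control port."""
    hits = []
    for r in records:
        tool = DEFAULT_TOOL_PORTS.get((r.proto, r.dst_port))
        if tool:
            hits.append((r.src_ip, r.dst_ip, r.proto, r.dst_port, tool))
    return hits


def detect_scanners(records: List[Record], threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Map source -> largest number of distinct hosts it reached on one port,
    for sources at or above the threshold."""
    targets = defaultdict(lambda: defaultdict(set))
    for r in records:
        targets[r.src_ip][r.dst_port].add(r.dst_ip)
    scanners = {}
    for src, by_port in targets.items():
        widest = max(len(hosts) for hosts in by_port.values())
        if widest >= threshold:
            scanners[src] = widest
    return scanners


# Constructed sample: one source sweeping 60 hosts on port 80, one agent talking
# to a handler on Trinoo's default ports, and some benign traffic.
SAMPLE_LOG = (
    [f"2024-01-01T00:00:{i % 60:02d}Z tcp 10.0.0.5 -> 192.0.2.{i} 80" for i in range(1, 61)]
    + [
        "2024-01-01T00:01:00Z tcp 10.0.0.9 -> 198.51.100.4 27665",
        "2024-01-01T00:01:01Z udp 198.51.100.4 -> 10.0.0.9 27444",
        "2024-01-01T00:01:02Z icmp 10.0.0.9 -> 198.51.100.4 -",
        "2024-01-01T00:01:03Z tcp 10.0.0.12 -> 203.0.113.80 443",
    ]
)


def triage(lines: List[str]) -> dict:
    """Run both checks over raw log lines and return the findings."""
    records = [parse_record(line) for line in lines]
    return {"tool_ports": match_tool_ports(records), "scanners": detect_scanners(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["tool_ports"]:
        print("traffic to default control port:", hit)
    for src, count in result["scanners"].items():
        print(f"possible scan: {src} reached {count} hosts on one port")
```

Run as a script it reports the Trinoo handler and agent ports and the sweeping source; in practice the scan threshold must be tuned against normal traffic for the network, and port hits should be confirmed on the host itself with the forensic steps this paper goes on to describe.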
For a detailed analysis of DDoS programs, read the following articles.
Note: The following links point to external web sites not maintained by Cisco Systems