DDoS attacks are designed to saturate network links with spurious data. This
data can overwhelm an Internet link, causing legitimate traffic to be dropped.
DDoS uses attack methods similar to standard DoS attacks but operates on a much
larger scale. Typically hundreds or thousands of attack points attempt to
overwhelm a target. Examples of DDoS attacks include the following:
- Smurf
- Tribe Flood Network (TFN)
- Stacheldraht
Smurf Attack
The Smurf attack starts with a perpetrator sending a large number of spoofed
ICMP echo, or ping, requests to broadcast addresses, hoping that these packets
will be magnified and sent to the spoofed addresses. If the routing
device delivering traffic to those broadcast addresses performs the Layer 3
broadcast-to-Layer 2 broadcast function, most hosts on that IP network will
each reply to the ICMP echo request with an ICMP echo reply, multiplying the
traffic by the number of hosts responding. On a multi-access broadcast network,
there could potentially be hundreds of machines replying to each echo
packet.
Assume the network has 100 hosts and that the attacker has a T1
link. The attacker sends a 768-kbps stream of ICMP echo (ping) packets, with
a spoofed source address of the victim, to the broadcast address of the
"bounce site". These ping packets hit the bounce site broadcast
network of 100 hosts, and each of them takes the packet and responds to it,
creating 100 outbound ping replies. A total of 76.8 megabits per second (Mbps)
of bandwidth is used outbound from the bounce site after the traffic is
multiplied. This traffic is then delivered to the victim, the spoofed source
address of the originating packets.
Turning off directed broadcast capability in the
network infrastructure prevents the network from being used as a bounce
site.
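Added example, not part of the original text: defender-side detection logic for the bounce-site pattern described above. It runs over a small set of constructed flow records (hypothetical addresses from documentation ranges) and flags both the inbound signature (echo requests to a directed-broadcast address) and the outbound one (many local hosts replying to a single outside address), then reproduces the text's 768 kbps x 100 hosts arithmetic.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records for a Smurf bounce site (not real traffic):
# (src_ip, dst_ip, icmp_type, payload_bytes). ICMP type 8 is an echo request,
# type 0 an echo reply. 203.0.113.10 plays the spoofed victim address.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.127", 8, 1024),  # spoofed requests to broadcast
    ("203.0.113.10", "192.0.2.127", 8, 1024),
    ("203.0.113.10", "192.0.2.127", 8, 1024),
    ("192.0.2.5", "203.0.113.10", 0, 1024),    # hosts reply to the victim
    ("192.0.2.6", "203.0.113.10", 0, 1024),
    ("192.0.2.7", "203.0.113.10", 0, 1024),
    ("198.51.100.4", "192.0.2.5", 8, 64),      # an ordinary, legitimate ping
    ("192.0.2.5", "198.51.100.4", 0, 64),
]

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/25")]  # the bounce-site network

def is_directed_broadcast(dst, nets):
    """True when dst is the broadcast address of one of our networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr == n.broadcast_address for n in nets)

def broadcast_echo_requests(flows, nets):
    """Count ICMP echo requests aimed at a directed-broadcast address, keyed by
    (claimed source, broadcast destination): the inbound Smurf signature."""
    hits = Counter()
    for src, dst, icmp_type, _ in flows:
        if icmp_type == 8 and is_directed_broadcast(dst, nets):
            hits[(src, dst)] += 1
    return hits

def reply_fan_out(flows, nets):
    """Map each outside address to the local hosts that sent it echo replies.
    Several hosts answering one address means we are amplifying toward it."""
    fan = defaultdict(set)
    for src, dst, icmp_type, _ in flows:
        if icmp_type == 0 and any(ipaddress.ip_address(src) in n for n in nets):
            fan[dst].add(src)
    return {victim: hosts for victim, hosts in fan.items() if len(hosts) > 1}

def reflected_rate_mbps(inbound_kbps, responding_hosts):
    """The text's arithmetic: 768 kbps of requests x 100 hosts = 76.8 Mbps out."""
    return inbound_kbps * responding_hosts / 1000.0

if __name__ == "__main__":
    print(broadcast_echo_requests(SAMPLE_FLOWS, LOCAL_NETS))
    print(reply_fan_out(SAMPLE_FLOWS, LOCAL_NETS))
    print(reflected_rate_mbps(768, 100))  # 76.8
```

In a real deployment the same two checks would be fed from flow export or a packet capture at the site border, where a non-zero count from either is reason to confirm directed broadcast forwarding is disabled.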
Tribe Flood Network (TFN)
Tribe Flood Network (TFN) and Tribe
Flood Network 2000 (TFN2K) are distributed tools used to launch coordinated DoS
attacks from many sources against one or more targets. A TFN attack has the
capability to generate packets with spoofed source IP addresses. An intruder
carries out a DoS attack using a TFN network by instructing a master to send
attack instructions to a list of TFN servers, or daemons. The daemons then
generate the specified type of DoS attack against one or more target IP
addresses. Source IP addresses and source ports can be randomized, and packet
sizes can be altered. Use of the TFN master requires an intruder-supplied list
of IP addresses for the daemons.
Stacheldraht Attack
Stacheldraht, German for "barbed wire", combines features of several DoS
attacks, including Tribe Flood Network (TFN). It also adds features such as
encryption of communication between the attacker and Stacheldraht masters, and
automated update of the agents. There is an initial mass-intrusion phase, in
which automated tools are used to remotely root-compromise large numbers of
systems to be used in the attack. This is followed by a DoS attack phase, in
which these compromised systems are used to attack one or more sites.