Peek Under the Hood of Distributed Denial of Service Attack Software

Last week was quiet on the Windows security front. There was little excitement, unless you consider yet another piece of Distributed Denial of Service (DDoS) attack software to be a form of excitement.

The new code, "mstream," was found on a compromised computer at a major university. The discovery means that now a total of seven well-known DDoS tools are available on the Internet. Those seven packages include two versions of Tribal Flood Network (TFN), trinoo, two versions of stacheldraht, shaft, and the newly discovered mstream software.

When some of these DDoS tools surfaced late last year, consultant David Dittrich (who currently works at the University of Washington) performed detailed analyses of the tools and published his findings on the Internet. His findings helped everyone quickly learn how the attacks work, which is paramount for learning how to shut them down. In more recent efforts, Dittrich led a team that analyzed the mstream software and found that the code, although effective at disrupting a network, is still in an early development stage. We can expect that with the source code now published, mstream will be further developed and even morphed into similar attack tools.

It's relevant to point out that developing simple client/server applications is no longer beyond the reach of even novice programmers. With development platforms that come with sample client/server code and snap-in component packages that can perform almost any function imaginable, anyone vaguely familiar with socket-based development can create DDoS attack software. We can expect to discover more DDoS attack-oriented packages down the road, and we can expect more code analysis once those packages are discovered.

Analysis of these code sets helps us understand how a particular attack works overall, helps us identify the attack in the future, and might even help us recognize other vulnerabilities before someone exploits them. So in the future when a router starts rebooting or a server becomes very sluggish, an intrusion-detection system might be able to recognize an attack against those systems and minimize any possible effects.

If you haven't read the recently published mstream analysis, perhaps you should peek under the hood of this DDoS attack software (see the news item "New Distributed Denial of Service Software Discovered" in this issue of the newsletter). The information will help you understand what you're up against when trying to defend against DDoS attacks and trying to prevent your systems from becoming agents of a DDoS attack against a remote network. Until next time, have a great week.
