Table 3-18 shows the summary information for the DDoS attack.

Table 3-18. DDoS

Attack name: Flood/network flooding
Sample implementations: Tribe Flood Network 2000 (TFN2K), Shaft
Pertinent vulnerability: Ability to infect large numbers of systems to build a zombie network
Typical use: Overwhelm the victim's Internet connection
Attack result: Denial of service
Likely follow-up attack:
OSI layers:
Detection: IDS, log analysis
Mitigation: CAR, specific filtering, ISP options (through prearranged agreements)
Detection difficulty:
Ease of use:
Overall rating:
As the family of attacks that brought down some prominent Internet company websites in 2000, DDoS attacks have a fair degree of notoriety. Before amplification flood attacks (smurf and DDoS, for example), a network needed only more bandwidth than the attacker to be immune to network flooding. Now, with amplification attacks, the attacker can have much more bandwidth available than the victim. Significant DDoS attacks occur weekly and sometimes daily on sites around the world.

A diagram of a Stacheldraht DDoS attack is shown in Figure 3-12. Stacheldraht (which means "barbed wire" in German) is a three-tier DDoS attack in that the attacker communicates with handlers, which in turn communicate with agents. Think of it like an army with a general, lieutenants, and troops. Stacheldraht was one of the earliest DDoS attacks, and as such it received a fair amount of detailed analysis. Many newer attacks have eliminated the "handler" role and instead have agents registering themselves on an IRC channel, which makes detection very difficult. The Stacheldraht attack works like this:

1. Attacker infects a number of systems around the Internet and puts the DDoS handler software on each of them.

2. These handler systems attempt to infect portions of the Internet and recruit the infected systems as agents. The attack method used to compromise agents can be anything from a Trojan horse email to exploiting a vulnerability in application or operating system code.

3. At the appropriate time, the attacker sends the attack order to the handler systems, which in turn direct their agents to flood a particular IP address.

4. The victim network is consumed with bogus network traffic (most likely from spoofed sources). Legitimate users stand a low chance of getting their requests processed.
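The table lists log analysis as the detection method for this attack. The following added example (not from the book) shows what that analysis looks like on flow-style records: it flags a destination that receives an abnormally high packet rate from an abnormally large number of distinct sources within one second, which is the signature step 4 above produces. The log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone


def parse_flow(line):
    """Parse a constructed flow record: '<ISO time> <src> <dst> <proto> <packets>'."""
    ts, src, dst, proto, pkts = line.split()
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), src, dst, proto, int(pkts)


def detect_floods(lines, window_s=1, pps_threshold=10000, min_sources=50):
    """Return one alert per (destination, window) whose packet rate and distinct
    source count both exceed the assumed thresholds.

    Counting distinct sources is what separates a distributed flood from a single
    noisy client. Because DDoS agents usually spoof their source addresses, the
    source count indicates breadth of the flood, not a list of hosts to block;
    that is why the mitigation row points at CAR, filtering and ISP agreements
    rather than per-source blacklists.
    """
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for line in lines:
        ts, src, dst, _proto, pkts = parse_flow(line)
        window = int(ts.timestamp()) // window_s
        bucket = buckets[(dst, window)]
        bucket["pkts"] += pkts
        bucket["srcs"].add(src)

    alerts = []
    for (dst, window), bucket in sorted(buckets.items()):
        pps = bucket["pkts"] / window_s
        if pps >= pps_threshold and len(bucket["srcs"]) >= min_sources:
            alerts.append({"dst": dst, "window": window, "pps": pps,
                           "sources": len(bucket["srcs"])})
    return alerts


def constructed_sample():
    """Constructed log: one quiet second of normal traffic, then one second in
    which 300 agents each send 100 packets to the victim 192.0.2.10."""
    lines = [f"2024-01-01T00:00:00 203.0.113.{i + 1} 192.0.2.10 tcp 20" for i in range(5)]
    lines += [f"2024-01-01T00:00:01 10.{i // 256}.{i % 256}.7 192.0.2.10 udp 100"
              for i in range(300)]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_sample()):
        print(f"flood on {alert['dst']}: {alert['pps']:.0f} pps from {alert['sources']} sources")
```

Real deployments would feed NetFlow or IDS records into the same aggregation and tune the thresholds to the link's normal baseline.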

Figure 3-12. Stacheldraht Attack
