Distributed Coordinated Attacks



In typical Denial of Service Attacks, the attacker uses a single server to attempt to tie up a network's connection, denying its users access to or from the Internet (Lemos, 1999). The complexity of this type of attack increases when the attacker uses several servers to attack a single victim. When the attacker does this, it then becomes a Distributed Coordinated Attack (DCA).

DCA's can be defined as a set of attackers using a set of intermediary systems to attack a set of victims (Cohen, 1999). This paper will focus specifically on Distributed Denial of Service attacks (DDoS) and some of the tools used by attackers to accomplish this task.

Distributed Denial of Service Attacks

DDoS are relatively new considering DoS attacks have been around for decades (Kessler, 2000). The first well documented DDoS attack was in 1999 when the DDoS too Trinoo was used on at least 227 systems to flood a single computer on the University of Minnesota campus, which was disabled for more than two days (Dittrich, 1999). Generally, DDoS attacks are made up of two phases:

1. Mass intrusion phase - tools are used to remotely root compromise systems and the DDoS agents are

installed on these compromised systems (Ditterich, 1999).

The process of compromising these systems is as follows (Cisco, 2000):

-Initiate a scan phase where a large number of hosts are probed for known vulnerabilities.

-Compromise to gain access.

-Install the tool on each host (in as little as five seconds).

-Use compromised hosts for further scanning and compromises.

2. Actual DDoS Attack - The compromised systems are used to initiate a massive DoS attack against one or more sites (Ditterich, 1999).


There are a variety of tools that attackers use in DDoS attacks. Following are some of the more typical tools used. They vary in their complexity and some are easier to trace than others.


A trinoo network consists of a small number of servers (masters) and a large number of clients (daemons). The attacker connects to a trinoo master and instructs that master to launch a DoS attack against one or more IP addresses. The master then instructs the daemons to attack the IP address for a certain amount of time (CERT, 2001). This type of attack does not spoof addresses, therefore it is easier to trace than some of the more sophisticated types.


TFN appeared after trinoo. TFN is made up of client and daemon programs and uses Internet Control Message Protocol (ICMP) echo replies to communicate between client and agents, which is how TFN differs from trinoo. The TFN server usually runs as a root and the source may be spoofed which makes it hard to trace (Farrow, 2000). Some DoS attacks include SYN floods, UDP floods, ICMP floods, and Smurfing (or Ping attacks) (Kessler, 2000).

STACHELDRAHT (German for "barbed wire")

This tool started to appear in the late summer of 1999 and combines features of the trinoo DDoS tool with TFN. (Kessler, 2000). It also adds encryption of communication between the attacker and the Stacheldraht masters and automated agent updates.


In addition to flooding as in TFN, TFN2K also is designed to crash or introduce instabilities in systems by sending malformed or invalid packets (e.g. Teardrop attack, and Land attack) (Kessler, 2000). TFN2K handlers can test source address spoofing by sending a test packet to themselves. Then, if it does not work they adjust by telling the agent to spoof only the lower eight bits of an IP address, so the spoofed address will not be blocked (Farrow, 2001). TFN2K uses a combination of UDP, ICMP and TCP packets (Cisco, 2000).

This attack is difficult to stop because although the packets may be stopped by a firewall, they may overwhelm the incoming side of the Internet connection, succeeding in DoS (Farrow, 2000).


Omega is similar to Stacheldraht but can flood Internet Group Message Protocol (IGMP) as well. Shaft can return statistics from agents to the handler, essentially keeping track of the attacker's effectiveness. Some statistics that can be ascertained are number of packets sent from each agent, volume of packets sent during the attack, and when the agent is discovered so the attacker can then take it offline (Farrow, 2001).


In October of 1999, ZNET News reported that over the past six weeks US network servers had been coming under attack by a "new" form of cyber attack called Distributed Denial of Service attacks (Lemos, 1999). Barbara Fraser explained one of the key problems in these attacks as being the average home computer user not knowing much about computer security and the "always on" connections used on home computers. Thomas Longstaff (Researcher for Software Engineering Institute at Carnegie Mellon Institute) went on to say "It will never be hard to find a thousand servers that don't have the most up to date (security systems in place)."

Less than six months later several sites such as Yahoo!, eBay, Amazon.com, CNN, ZDNet, Buy.com, Etrade and Excite were attacked with DDoS tools (AP, 2000). The Director of the FBI confirmed that the tools TFN, trinoo and Straceldraht were used (AP, 2000). As an interesting note, although law enforcement did extensive work to bring the attacker to justice, the main reason they succeeded in catching him was simply because he bragged about this exploits in an Internet chat room (Messmer and Pappalardo, 2001). Law enforcement admitted that it would have been much more difficult had he remained anonymous.

One year after these attacks, it was reported that no one has found an easy way to defend against a flood of unwanted IP packets (Messmer and Pappalardo, 2001). The DDoS Working Group, which is a forum organized to plot network defenses, is doing what it can according to the report by Messmer and Pappalardo (2001) to gain cooperation among ISPs. The group planned to publish recommendations for automated DDoS defenses to further this.

After the attacks on Yahoo!, CNN, etc, new cases were opened by the FBI where copycats were instituting the same types of attacks on lesser known sites all around the world (AP, 2000). Many of these sites that were attacked were also e-commerce sites and many of these companies wanted their names withheld to protect their reputations or for fear of losing public confidence or seeing their stock price drop. Copycat crimes abound seemingly since the tools for these types of attacks can simply be downloaded from the Internet and implemented (Allen et al., 2000).

Summary, Conclusions and Further Work

Obviously DDoS attacks are a major concern and it is apparent why former Attorney General Janet Reno was pushing for cooperation between ISPs, the private sector, federal agencies and the FBI (AP, 2000). Not only do major companies stand to lose commerce during DDoS attacks, but also consumer confidence could drop significantly in the aftermath of an attack. Several agencies and groups such as the DDoS Working group are working to create better defenses against these kinds of attacks as well as to try and anticipate what cyber criminals might do next.

"One of the greatest short-comings in many organizations is that the highest levels of management do not truly understand the critical role that computers, networks, information and the Internet play in the very life of the organization" (Kessler, 2000). There are however, some recommendations that can be observed that can minimize the potential for these types of attacks (Kessler, 2000):

1. Know security vulnerabilities for all your site's hardware, operating systems and application and other software.

2. Use some form of "personal" firewall software to help detect an attack.

3. Monitor your system periodically to test for known operating system vulnerabilities.

4. Regularly monitor system logs for suspicious activity.

5. Use tools to audit system frequently (particularly servers) to ensure there have been no unauthorized changes to the file system, etc.

6. Do not download software from unknown, untrusted sites.


Kessler, G. (2000). Defenses against distributed denial of service attacks. [Online], Available: www.sans.org/infosecFAQ/threats/DDoS.htm

Messmer E., and Pappalardo, D. (2001). DoS attacks, vulnerabilities remain. [Online], Available: www3.cnn.com/2001/TECH/internet/02/08/ddos.anniversary.idg/

Associated Press (2000). FBI investigating more hack attacks. [Online], Available: www.usatoday.com/life/cyber/tech/cth398.htm

Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., Stoner, E. (2000). State of the practice of intrusion detection technologies. [Online], Available: www.sei.cmu.edu.publications.documents/99.reports/99tr028/99tr028exsum.html

Lemos, R. (1999). Cyber attacks - both old and new. [Online], Available: www.zdnet.com/zdnn/stories/news/0,4586,2376768,00.html

Cisco (2000). Strategies to protect against DDoS attacks. [Online], Available: www.cisco.com/warp/public/707/newsflash.html

Farrow, R. (2000). DDoS attacks. [Online], Available: www.networkmagazine.com/atrticle/NMG2000051250041

Farrow, R. (2000). DDoS is neither dead nor forgotten. [Online], Available: www.networkmagazine.com/article/NMG2001012550003

CERT (2001). CERT incidents note IN-99-07. [Online], Available: www.cert.org/incident_notes/IN-99-07.html