Distributed Denial-of-Service Tools
The presence of a distributed denial-of-service tool is a powerful threat to the
entire network. It could also be used to attack other networks, and the owner of the infected
network could be held responsible. The presence of a distributed denial-of-service
tool is also an indication that the system has already been compromised.

Distributed denial-of-service is a type of attack in which a large number
of hosts are used to flood a single target with unwanted traffic. The target
becomes unusable while it is processing the flood of traffic. An attacker
who breaks into many hosts on a network and sets up such a distributed
denial-of-service attack can create a threat that is very powerful and
difficult to defend against.

Trinoo is one such distributed denial-of-service tool. A trinoo network
consists of a master host and many broadcast hosts. When an
attacker wishes to launch a denial-of-service attack, he or she issues
commands to the master host using a TCP connection. The master then communicates with all of
the broadcast hosts via UDP, telling them to send a flood of UDP packets
to random ports on the specified target host. The flood of UDP packets coming
from the broadcast hosts causes denial of service to the target
host. An attacker must have prior access
to a host in order to install a trinoo master or broadcast, either by breaking
in or by some other means.

Tribe Flood Network (TFN) is another distributed denial-of-service tool,
consisting of a client host and many daemon hosts. It is similar to trinoo,
but communicates using ICMP, and is capable of launching ICMP flood,
UDP flood, SYN flood, and Smurf attacks. A newer version of TFN called
TFN2K includes many additional features, such as encryption, stealth
attacks, denial-of-service attacks designed to crash the target host, and
the ability to send shell commands to the daemons.

Stacheldraht is a similar tool that consists of a handler and
many agents. It communicates using TCP and ICMP, offers the same
attacks as TFN, and features encrypted sessions between the attacker and

Although a distributed denial-of-service tool can be easily eradicated from a
single system, its presence is an indication of a much bigger problem.
The fact that it was installed on one system makes
it likely to be installed on many more systems. The entire network should
Furthermore, the presence of the tool means that the system was probably compromised.
Trinoo, TFN, and stacheldraht are often associated with break-ins resulting from vulnerabilities,
but could have been put on the system no matter how the compromise occurred.
An infected system should be taken off the network until all vulnerabilities
have been corrected and the system has been inspected for other backdoors and

To eradicate trinoo, TFN, or stacheldraht from a single system,
kill the process and delete the executable file from the system. The
processes have the following names by default, but the intruder could
easily have chosen a different name, or could even have hidden the
files and processes using a rootkit.
- Master: master
- Broadcast: ns
- Client: tfn
- Daemon: td
- Handler: mserv
- Agent: td
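As an added example (not part of the SAINT tutorial), the following POSIX shell check reads a "ps -eo pid,comm" style listing and flags any process carrying one of the default names above, reporting which tool and role the name belongs to. It assumes that column order, and the sample listing embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the SAINT tutorial: a first-pass check that
# flags processes whose command name matches one of the default names
# listed above. Input is "ps -eo pid,comm" style output on stdin (PID,
# then command name). It cannot see a renamed binary or a process hidden
# by a rootkit, so a clean result does not clear the host.

# Map a default command name to the tool and role it stands for on this page.
ddos_role_for() {
    case "$1" in
        master) echo "trinoo master" ;;
        ns)     echo "trinoo broadcast" ;;
        tfn)    echo "TFN client" ;;
        mserv)  echo "stacheldraht handler" ;;
        td)     echo "TFN daemon or stacheldraht agent" ;;
        *)      return 1 ;;
    esac
}

# Read a process listing from stdin, print "<pid> <name> <role>" for each
# match, and return 0 if at least one process matched (1 otherwise).
ddos_scan() {
    found=1
    while read -r pid comm _; do
        # Skip the header line and blank lines.
        case "$pid" in ''|PID) continue ;; esac
        role=$(ddos_role_for "$comm") || continue
        printf '%s %s %s\n' "$pid" "$comm" "$role"
        found=0
    done
    return "$found"
}

# Constructed sample listing in the shape "ps -eo pid,comm" prints.
SAMPLE_PS='  PID COMMAND
    1 init
  412 sshd
  913 ns
 1044 td
 1200 httpd'

# Run the check over the constructed sample (on a real host: ps -eo pid,comm | ddos_scan).
ddos_scan_sample() {
    printf '%s\n' "$SAMPLE_PS" | ddos_scan
}
```

A match only tells you which process to kill and which executable to remove; because the names are trivially changed, treat the check as a starting point for the full inspection described above, not as proof of a clean host.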

Where can I read more about this?
More information about trinoo and TFN can be found in the
Alert and in
CERT Incident Note 99-07. Developments in the area
of distributed denial-of-service tools are reported in
2000-01. For detailed technical information, see David Dittrich's

This tutorial was derived from SAINT 1.5.