Distributed denial-of-service (DDoS) software TFN2K: attack and defense

Source: Internet
Author: User

First of all, the purpose of my writing this article is not that I want to be a hacker or anything like that, and I do not encourage anyone to use it to do something detrimental to others. I just want more people to pay attention to network security and to research DoS defense together, because I was hurt by it myself :( . So this article is only for technical reference, for you to use in studying DDoS defense. If you use it to do something illegal, the consequences have nothing to do with me.
A denial-of-service attack (DoS, denial of service) can refer to anything that stops a service from being provided properly, such as software bugs, operational errors, and so on. Today, however, DoS caused by faulty operation is rare; most cases are deliberate, malicious attacks. Denial of service has now evolved into distributed denial of service (DDoS, distributed denial of service): the more agents are used to concentrate an attack on a target, the greater the harm.
We all know that TCP/IP has become the framework protocol of the entire Internet. Without TCP/IP the Internet would at least not be as widespread as it is now, and perhaps there would be no Internet at all. Everything has two sides: TCP/IP benefits us all, but because of problems in the protocol itself it also becomes a tool for others to attack us. We use the TCP three-way handshake that establishes a connection to illustrate this.

One. TCP SYN Flood

1. The client sends the server a TCP packet with the SYN (synchronize) flag set; it carries basic information such as the client port and the initial TCP sequence number.
2. After the server receives the SYN packet, it replies with a SYN-ACK packet to acknowledge it.
3. After receiving the server's SYN-ACK packet, the client sends a final ACK back to the server. Once the server receives that packet, the TCP connection is established and the two sides can communicate (it feels a bit like a wedding: the couple bow to each other, bow to the parents, and are sent off to the bridal chamber, haha).

The problem lies in step 3. If the server never receives the client's ACK packet, it keeps waiting; this is called the half-open state. The server holds a half-open entry for a certain amount of time (the exact time differs between operating systems). If SYN requests exceed the number the server can hold and the backlog queue is full, the server no longer accepts new requests, and other, legitimate users' connections are rejected. Attacks of this kind achieve a large effect for little effort, and their lethality is very strong.
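To put numbers on the half-open queue described above, here is a small model of the SYN-RECV backlog. It is an added example written for this page, not code from the original article or from TFN2K. The queue size (256), timer (3 s) and flood rates are constructed values chosen for illustration; a real kernel sizes the queue from the listen() backlog and its own sysctls and expires entries with SYN-ACK retransmit timers, but the relation is the same: once spoofed SYNs arriving during one timeout window outnumber the slots, the queue stays full and legitimate SYNs are dropped.

```python
"""Model of the TCP half-open (SYN-RECV) backlog under a spoofed SYN flood.

Added example, not part of the original article. All sizes and rates are
constructed for illustration.
"""
from collections import deque


def saturates(capacity, timeout, spoofed_rate):
    """Rule of thumb: the flood keeps the queue full once the spoofed SYNs
    arriving within one timeout window outnumber the queue slots."""
    return spoofed_rate * timeout >= capacity


def simulate(capacity, timeout, spoofed_rate, duration, syncookies=False):
    """Run `duration` one-second steps.

    Each second `spoofed_rate` SYNs with forged source addresses arrive; their
    ACK never comes, so each one occupies a queue slot for `timeout` seconds.
    One legitimate client also tries to connect each second; it completes the
    handshake at once, so it needs a free slot only at the instant its SYN
    arrives (simplification: its entry is freed immediately).

    Returns a dict with legitimate connections accepted/rejected and the peak
    number of half-open entries held at once.
    """
    half_open = deque()          # expiry times of half-open entries, oldest first
    accepted = rejected = peak = 0

    for now in range(duration):
        # 1. Entries whose timer has run out are dropped by the server.
        while half_open and half_open[0] <= now:
            half_open.popleft()

        # 2. Spoofed SYNs fill the queue; anything beyond capacity is dropped.
        room = capacity - len(half_open)
        for _ in range(min(room, spoofed_rate)):
            half_open.append(now + timeout)
        peak = max(peak, len(half_open))

        # 3. The legitimate SYN is served only if a slot is free, unless SYN
        #    cookies let the server answer without storing per-SYN state.
        if syncookies or len(half_open) < capacity:
            accepted += 1
        else:
            rejected += 1

    return {"accepted": accepted, "rejected": rejected, "peak_half_open": peak}


if __name__ == "__main__":
    # 100 spoofed SYN/s against 256 slots with a 3 s timer: 300 >= 256, so the
    # queue saturates after two seconds and the legitimate client is locked out.
    print(simulate(256, 3, 100, 10))
    # 50 SYN/s never hold more than 150 slots: service continues.
    print(simulate(256, 3, 50, 10))
    # Same flood as the first run, but with SYN cookies no state is kept.
    print(simulate(256, 3, 100, 10, syncookies=True))
```

The first run shows the attack from the text: only the first two legitimate connections get through, and after that every one is rejected even though the attacker is sending a modest 100 packets per second. Halving the rate, or shortening the half-open timer so that rate multiplied by timeout drops below the queue size, restores service; SYN cookies remove the dependence on the queue altogether.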

Of course, DoS attacks come in many forms, such as UDP flood, ICMP/ping, ICMP/smurf and so on. For their specific principles you can look at http://www.chinaitlab.com/www/special/ciwddos.asp, which has a very detailed introduction to the principles and the commonly used attack software. However, when it comes to DoS attack software, nothing is more representative than TFN2K (Tribe Flood Network 2000), whose author is the well-known Mixter from Germany (homepage http://mixter.void.ru/papers.html). He seems lately to be immersed in something called tfn3k; ah, I wonder how many people will lose sleep over that...

Two. TFN2K attack principle

1. TFN2K's attack system.

TFN2K should be regarded as the representative DDoS attack tool; what it can do is stunning (my admiration for it is like a surging river, flowing on and on...). Let's look at its architecture.
The master: runs the TFN client, which remotely controls the agents, specifies the attack target and changes the attack method. (The real villain.)
The agents: victims that have been implanted with, and are running, the td daemon process; they receive the TFN client's commands and carry out the attack. Note that an attacker usually controls many agents to complete one attack, and their systems are mostly Unix, Linux and the like. (The poor victims.)
The target host: the attacked host or network. Those that have already been hit by DDoS include Yahoo, Amazon, CNN, eBay and so on. (The biggest victim, as depressed as me.)

2. TFN2K characteristics.
The master sends commands to the agent hosts over TCP, UDP or ICMP, or with one of the three chosen at random for each packet (the default is random). The attack methods include TCP/SYN, UDP, ICMP/ping, a mixed attack, TARGA3 and so on.
Communication between the master and the agents is one-way: the master only sends commands to the agents, with randomized header fields and even forged source addresses, and the agents never send anything back to the master.
All commands are encrypted with the CAST-256 algorithm, and the key is the password entered when the program is compiled. This password is the only credential used for authentication.

