DDoS Do's and Don'ts

The recent spate of Distributed Denial of Service attacks on such major Web players as Amazon, CNN Interactive, eBay, and others has raised consciousness of network security. While the attacks ravaged the giants of e-business over the last week, they have also brought about an equal amount of awareness that could reduce vulnerability to such attacks in the future.

Distributed Denial of Service (DDoS) attacks carry standard Denial of Service (DoS) attacks a step further. DoS attacks involve massive bandwidth consumption that prevents normal network traffic from being carried to and from the targeted machines. The attacker sends repeated requests, or pings, to the target machine with a spoofed IP address as the source. Often the spoofed address will appear to be one from inside the target machine's own network. The flood of network requests shuts down normal network traffic. If the attack itself does not shut down the network, the ISP will often shut the network down to all traffic in order to weed out the attackers.

DDoS attacks involve the same sort of bandwidth flooding, but with requests coming from, or appearing to come from, several sources rather than a single source. Additionally, in a DDoS attack, the various sources of requests can be remotely managed rather than directly managed by a user. Because the attacks come from many sources, the network routers are slow to detect a DoS attack and deflect the requests. The result is a downed network.
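As an added illustration of the detection side of what the two paragraphs above describe (this is not code from the original article), the script below takes a constructed set of edge packet records and flags two things: packets arriving on the outside interface whose source address claims to be inside the protected network (the spoofing pattern described above), and destinations receiving an abnormal burst of requests in a short window. The internal prefix, the interface names, the thresholds and the records are all assumptions made for the example.

```python
import ipaddress

# Constructed sample records: (timestamp_seconds, interface, src_ip, dst_ip)
# as an edge device might log them. Not real traffic; the burst toward
# 192.0.2.10 is built to look like the flood the article describes.
SAMPLE_RECORDS = [
    (100.0, "outside", "198.51.100.7", "192.0.2.10"),
    (100.1, "outside", "192.0.2.55", "192.0.2.10"),   # claims an inside source
    (100.2, "outside", "192.0.2.56", "192.0.2.10"),   # claims an inside source
    (100.3, "outside", "203.0.113.9", "192.0.2.10"),
    (100.4, "outside", "203.0.113.10", "192.0.2.10"),
    (100.5, "outside", "203.0.113.11", "192.0.2.10"),
    (100.6, "outside", "198.51.100.8", "192.0.2.10"),
    (100.7, "inside", "192.0.2.20", "203.0.113.50"),  # legitimate outbound
    (105.0, "outside", "198.51.100.9", "192.0.2.11"),
]

# Assumed protected address range behind the "inside" interface.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_spoofed_inbound(interface, src_ip, internal_nets=INTERNAL_NETS):
    """A packet on the outside interface should never carry an inside source
    address; that is the ingress-filtering check that catches the spoofing
    pattern the article describes."""
    if interface != "outside":
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in internal_nets)


def flagged_spoofed(records, internal_nets=INTERNAL_NETS):
    """Return the records that fail the ingress check."""
    return [r for r in records if is_spoofed_inbound(r[1], r[2], internal_nets)]


def flood_destinations(records, window=1.0, threshold=5):
    """Return destinations that receive more than `threshold` packets inside
    any `window`-second interval (a crude volume check using a sliding window,
    not a complete flood detector)."""
    by_dst = {}
    for ts, _, _, dst in records:
        by_dst.setdefault(dst, []).append(ts)
    flooded = set()
    for dst, times in by_dst.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flooded.add(dst)
                break
    return sorted(flooded)
```

Running `flagged_spoofed(SAMPLE_RECORDS)` returns the two records with inside source addresses seen on the outside interface, and `flood_destinations(SAMPLE_RECORDS)` returns `["192.0.2.10"]`; on real data the same two checks would be fed from router or firewall logs.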

The recent attacks have led to the discovery of new hacking software. Trin00 and TFN are already well-known DDoS systems designed to implement an attack. The recent discovery of the TFN2K and Stacheldraht systems helps to explain, if not resolve, the rash of attacks. Both of the new hacker tools are based on the TFN and Trin00 attacks. Both systems use remote client management to send out packets from several machines simultaneously to the targets.

Despite the tools' capacity for remote client management, Russ Cooper, owner and administrator of the NT BugTraq mailing list and Web site, is not convinced the attacks originated from remote clients. In a statement on the NT BugTraq Web site, Cooper says that because the attacks occurred in "prime time," and the request packets appeared to be sent at intervals that would be too distant to have been sent by an automated remote system, the attacks originated from machines that were actively manned by hackers.

No one had taken credit for the high-profile attacks as of today.

What can Windows NT/2000 and IIS users do to combat these attacks? Analyst Dennis Szerszen of the Hurwitz Group says that while these types of attacks are more Unix-oriented than Windows-oriented because of their network nature, they are generally OS-neutral, striking machines that are on the targeted networks regardless of operating system. Carnegie Mellon University's CERT recommends a tool developed to detect Trin00 and TFN on some systems, distributed by the FBI, and a Perl script called "gag" which can detect Stacheldraht agents running on the local network. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
