DDoS Do's and Don'ts

The recent spate of Distributed Denial of Service attacks on such major Web players as Amazon, CNN Interactive, eBay, and others has raised consciousness of network security. While the attacks ravaged the giants of e-business over the last week, they have also brought about an equal measure of awareness that could reduce vulnerability to such attacks in the future.

Distributed Denial of Service (DDoS) attacks carry standard Denial of Service (DoS) attacks a step further. DoS attacks involve massive bandwidth consumption that prevents normal network traffic from being carried to and from the targeted machines. The attacker sends repeated requests, or pings, to the target machine with a spoofed IP address as the source. Often the spoofed address will appear to be one from inside the target machine's own network. The flood of requests crowds out normal network traffic. If the attack itself does not shut down the network, the ISP will often shut the network to all traffic in order to weed out the attackers.

DDoS attacks involve the same sort of bandwidth flooding, but with requests coming from, or appearing to come from, several sources rather than a single one. Additionally, in a DDoS attack the various sources of requests can be remotely managed rather than directly operated by a user. Because the attacks come from many sources, network routers are slow to recognize a DoS attack and deflect the requests. The result is a downed network.
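The two traits described above, source addresses that claim to be inside the victim's own network and a flood that arrives from many sources at once, are both things a network operator can check for in flow records. The following script is an added example, not part of the original article or of any tool it names. It runs over a handful of constructed flow records: the protected prefix (192.0.2.0/24, an RFC 5737 documentation range), the interface name "wan0" and the thresholds are assumptions chosen for the illustration.

```python
"""Flag two DoS/DDoS indicators in flow records (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int          # seconds since an arbitrary epoch
    iface: str       # interface the packets arrived on
    src: str         # source address as written in the packets
    dst: str         # destination address
    proto: str       # "icmp", "udp" or "tcp"
    pkts: int        # packets observed in this record


# Assumptions for this example: 192.0.2.0/24 is the protected network and
# "wan0" is the interface facing the upstream provider.
INTERNAL_NET = ip_network("192.0.2.0/24")
EXTERNAL_IFACE = "wan0"

# Constructed sample records, not captured traffic.
SAMPLE_FLOWS: List[Flow] = [
    # ordinary inbound traffic
    Flow(0, "wan0", "198.51.100.7", "192.0.2.10", "tcp", 12),
    Flow(1, "wan0", "198.51.100.9", "192.0.2.10", "tcp", 8),
    # pings arriving from the provider side that claim an internal source
    Flow(2, "wan0", "192.0.2.55", "192.0.2.10", "icmp", 900),
    Flow(2, "wan0", "192.0.2.56", "192.0.2.10", "icmp", 900),
    # many distinct external sources hitting one host in the same window
    Flow(3, "wan0", "203.0.113.1", "192.0.2.20", "udp", 400),
    Flow(3, "wan0", "203.0.113.2", "192.0.2.20", "udp", 400),
    Flow(4, "wan0", "203.0.113.3", "192.0.2.20", "udp", 400),
    Flow(4, "wan0", "203.0.113.4", "192.0.2.20", "udp", 400),
    # a single loud source hitting another host
    Flow(5, "wan0", "203.0.113.9", "192.0.2.30", "icmp", 2500),
]


def spoofed_internal_sources(flows: List[Flow],
                             internal_net=INTERNAL_NET,
                             external_iface: str = EXTERNAL_IFACE) -> Set[str]:
    """Sources seen on the external interface that fall inside the internal prefix.

    A packet from the provider side cannot legitimately carry one of our own
    addresses, so any hit here is a spoofed source.
    """
    return {f.src for f in flows
            if f.iface == external_iface and ip_address(f.src) in internal_net}


def flood_report(flows: List[Flow], window_s: int = 5, pkt_threshold: int = 1000,
                 multi_source_min: int = 3) -> Dict[Tuple[str, int], dict]:
    """Aggregate packets per destination per time window.

    Every (destination, window) whose packet count exceeds the threshold is
    reported with its set of sources and labelled single-source (plain DoS
    pattern) or multi-source (DDoS pattern) by how many sources took part.
    """
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for f in flows:
        key = (f.dst, f.ts // window_s)
        buckets[key]["pkts"] += f.pkts
        buckets[key]["srcs"].add(f.src)

    report: Dict[Tuple[str, int], dict] = {}
    for key, agg in buckets.items():
        if agg["pkts"] < pkt_threshold:
            continue
        kind = ("multi-source (DDoS pattern)" if len(agg["srcs"]) >= multi_source_min
                else "single-source (DoS pattern)")
        report[key] = {"pkts": agg["pkts"], "sources": sorted(agg["srcs"]), "kind": kind}
    return report


if __name__ == "__main__":
    print("spoofed internal sources on", EXTERNAL_IFACE, ":",
          sorted(spoofed_internal_sources(SAMPLE_FLOWS)))
    for (dst, win), info in sorted(flood_report(SAMPLE_FLOWS).items()):
        print(f"{dst} window {win}: {info['pkts']} pkts from "
              f"{len(info['sources'])} source(s) -> {info['kind']}")
```

The spoofing check is the detection side of what ingress filtering at the network edge enforces: drop inbound packets whose source belongs to your own prefix. The flood check shows why the article's distinction matters to a router or operator: the single-source flood on 192.0.2.30 can be cut off by blocking one address, while the spread of sources against 192.0.2.20 is what makes a distributed attack slower to recognize and harder to deflect.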

The recent attacks have led to the discovery of new hacking software. Trin00 and TFN are already well-known DDoS systems designed to carry out an attack. The recent discovery of the TFN2K and Stacheldraht systems helps to explain, if not resolve, the rash of attacks. Both of the new tools are based on the TFN and Trin00 attacks, and both use remote client management to send packets from several machines simultaneously to the targets.

Despite the tools' capacity for remote client management, Russ Cooper, owner and administrator of the NT BugTraq mailing list and Web site, is not convinced the attacks originated from remote clients. In a statement on the NT BugTraq Web site, Cooper says that because the attacks occurred in "prime time," and because the request packets appeared to be sent at intervals too far apart to have come from an automated remote system, the attacks originated from machines that were actively manned by hackers.

No one had taken credit for the high-profile attacks as of today.

What can Windows NT/2000 and IIS users do to combat these attacks? Analyst Dennis Szerszen of the Hurwitz Group says that while these types of attacks are more Unix-oriented than Windows-oriented, because of their network nature they are generally OS-neutral, striking machines on the targeted networks regardless of operating system. Carnegie Mellon University's CERT recommends a tool, distributed by the FBI, developed to detect Trin00 and TFN on some systems, and a Perl script called "gag" which can detect Stacheldraht agents running on the local network. -- Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

