Cisco Cisco MGX-FRSM-HS2 B Serial Frame Service Module White Paper

In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised
hosts. The hosts are usually Linux and SUN computers, but the tools can be ported to other platforms as well.
The process of compromising a host and installing the tool is automated. The process can be divided into
these steps, in which the attackers:
1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed
   for a known vulnerability.
2. Compromise the vulnerable hosts to gain access.
3. Install the tool on each host.
4. Use the compromised hosts for further scanning and compromises.
Because an automated process is used, attackers can compromise and install the tool on a single host in under
five seconds. In other words, several thousand hosts can be compromised in under an hour.
Characteristics of Common Programs Used to Facilitate Attacks
These are common programs that hackers use in order to facilitate distributed denial of service attacks:
• Trinoo
  Communication between clients, handlers and agents uses these ports:
    1524 tcp
    27665 tcp
    27444 udp
    31335 udp
  Note: The ports listed above are the default ports for this tool. Use these ports for orientation and
  example only, because the port numbers can easily be changed.
• TFN
  Communication between clients, handlers and agents uses ICMP ECHO and ICMP ECHO REPLY
  packets.
• Stacheldraht
  Communication between clients, handlers and agents uses these ports:
    16660 tcp
    65000 tcp
    ICMP ECHO
    ICMP ECHO REPLY
  Note: The ports previously listed are the default ports for this tool. Use these ports for orientation and
  example only, because the port numbers can easily be changed.
• TFN2K
  Communication between clients, handlers and agents does not use any specific port (for example, it
  may be supplied at run time or chosen randomly by a program), but is a combination of UDP,
  ICMP and TCP packets.
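The following triage sketch is an added example, not part of the original white paper. It matches flow records against the default Trinoo and Stacheldraht ports listed above and reports hosts seen on two or more of one tool's ports. The flow-record format and the sample addresses are constructed assumptions. TFN, TFN2K and the ICMP channels are left out because a port match cannot identify them.

```python
from collections import defaultdict

# Default ports from the list above; operators of these tools can change them,
# so a match is a lead for investigation and a miss proves nothing.
DEFAULT_PORTS = {
    ("tcp", 1524): "Trinoo",
    ("tcp", 27665): "Trinoo",
    ("udp", 27444): "Trinoo",
    ("udp", 31335): "Trinoo",
    ("tcp", 16660): "Stacheldraht",
    ("tcp", 65000): "Stacheldraht",
}

# Constructed sample flow records (assumed format): src dst proto dst_port
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.7 udp 27444
198.51.100.7 192.0.2.10 udp 31335
192.0.2.10 198.51.100.8 udp 27444
203.0.113.5 198.51.100.9 tcp 443
203.0.113.5 198.51.100.9 tcp 16660
bad line
"""

def parse_flows(text):
    """Yield (src, dst, proto, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, port = parts
        yield src, dst, proto.lower(), int(port)

def score_hosts(flows):
    """Map each host to {tool: set of distinct default ports seen}."""
    hits = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, port in flows:
        tool = DEFAULT_PORTS.get((proto, port))
        if tool:
            # Record both endpoints: either side may be the handler or the agent.
            for host in (src, dst):
                hits[host][tool].add(f"{port}/{proto}")
    return hits

def triage(hits, min_ports=2):
    """Return hosts seen on at least min_ports distinct default ports of one tool."""
    return sorted((host, tool, sorted(ports))
                  for host, tools in hits.items()
                  for tool, ports in tools.items() if len(ports) >= min_ports)
```

Requiring two distinct ports per host reduces noise from unrelated services that happen to use one of these port numbers.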
For a detailed analysis of DDoS programs, read these articles.
Note: These links point to external web sites not maintained by Cisco Systems.