Analyzing Distributed Denial of Service Tools: The Shaft Case

In this paper we present an analysis of Shaft, an example of malware used in distributed denial of service (DDoS) attacks. This relatively recent occurrence combines well-known denial of service attacks (such as TCP SYN flood, smurf, and UDP flood) with a distributed and coordinated approach to create a powerful program, capable of slowing network communications to a grinding halt. Denial of service attack programs, root kits, and network sniffers have been around in the computer underground for a very long time. They have not gained nearly the same level of attention by the general public as did the Morris Internet Worm of 1988, but have slowly progressed in their development. As more and more systems have come to be required for business, research, education, the basic functioning of government, and now entertainment and commerce from people’s homes, the increasingly large number of vulnerable systems has converged with the development of these tools to create a situation that resulted in distributed denial of service attacks that took down the largest e-commerce and media sites on the Internet. In contrast, we provide a comparative analysis of several distributed denial of service tools (e.g., Trinoo, TFN, Stacheldraht, and Mstream), look at emerging countermeasures against some of these tools. We look at practical examples of these techniques, provide some examples from test environments and finally talk about future trends of these distributed tools.