DDoS 공격관련 문서와 툴

http://staff.washington.edu/dittrich/misc/ddos/

Analyses and talks on attack tools

• The DoS Project's "trinoo" distributed denial of service attack tool, by David Dittrich
• RAZOR analysis of WinTrinoo
• Report of Windows version of trinoo DDOS tool by Gary Flynn, James Madison University
• The "Tribe Flood Network" distributed denial of service attack tool, by David Dittrich
• The "stacheldraht" distributed denial of service attack tool, by David Dittrich
• TFN2K - An Analysis, by Jason Barlow and Woody Thrower, Axent Security Team
• "Trinity" Distributed Denil of Service Attack Tool, by Michael Marchesseau, September 11, 2000
• Notes of talk given at CERT Distributed-Systems Intruder Tools Workshop, November 2, 1999
• An analysis of the "Shaft" distributed denial of service tool, by Sven Dietrich, Neil Long, and David Dittrich
  [BUGTRAQ followup post by Richard Wash] (PDF Version from Information Security Bulletin magazine)
• Analysis of a Shaft Node and Master, by Rick Wash and Jose Nazario, March 26, 2000
• "Analyzing Ditributed Denial of Service Attack Tools: The Shaft Case" (PDF), by Sven Dietrich, Neil Long, and David Dittrich, Presented at LISA 2000 (GZIP PostScript)
• Steve Bellovin's NANOG presentation on DDOS Attacks, February 7, 2000
• Presentation at DDoS BoF, NANOG Meeting, February 7, 2000
• The "mstream" distributed denial of service attack tool, by David Dittrich, George Weaver, Sven Dietrich, and Neil Long
• Invited Talk, "DDoS: Is There Really a Threat?," USENIX Security Symposium, August 16, 2000
• Analysis of the "Power" bot, by David Dittrich
• GT Bot (Global Threat), by Lockdown Corp.
• kaiten.c (no analysis, just code)
• knight.c (no analysis, just code)
• X-DCC (IRC "warez" bots often combined with DDoS)
  • CanSecWest talk on disassembling malware networks by Dave Dittrich, May 2002 (see xdcc-analysis.txt for analysis)
  • XDCC - An .EDU Admin's Nightmare, by TonikGin, Sept. 11 2002
• ocxdll.exe / mIRC Trojan Analysis, by Kyle Lai, September 5, 2002
• Honeynet Project Reverse Challenge binary ([not?] surprisingly, this is a DDoS agent)
• Robert Graham's analysis of the Blaster worm
• sdbot command reference
• rxbot command reference
• Inside the Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, IEEE Security & Privacy (Vol 1 No 4)
• Phatbot Trojan Analysis, by LURHQ

Defensive Tools

• RID, by David Brumley
• National Infrastructure Protection Center; Trinoo/Tribal Flood Net/Stacheldraht/tfn2k detection tool
• BindView's Zombie Zapper
• Index of Distributed Tools at Packet Storm
• dds -- a trinoo/TFN/stacheldraht agent scanner (C source code) by Dave Dittrich, Marcus Ranum, George Weaver, David Brumley, and others. [In BETA testing.] (Use RID instead.)
• gag -- a stacheldraht agent scanner (C source code) by Dave Dittrich, Marcus Ranum, and others. (Use RID instead.)
• Ramenfind (Identification and cleanup tool for the Ramen worm, which was modified to install DDoS agents in February 2001.)
• IP Source Tracking on Cisco 12000 Series Internet Routers (PDF version), Cisco Systems