Understanding a tribal flood attack
Suppose for a moment that malicious user Bob wants to deny service to a company (we'll call it NewCo). If Bob has a faster connection than NewCo, the task is trivial: Bob need only send enough PING requests to NewCo to flood NewCo's connection. Because Bob's connection is faster, he is then free to run amok with the bandwidth he has left over. Should Bob's connection be only as fast as NewCo's, he can still attempt this attack, but the attempt will render his own connection useless as well.
One solution to Bob's problem is the teardrop attack. Consider first the broadcast address on a router. A router manages a subnet, and every subnet has at least three reserved addresses, one of which is known as the broadcast address; typically this is the highest or lowest number on the subnet. In the non-security-conscious days of yore, the router would forward every request sent to the broadcast address to every non-broadcast address on the subnet. Consider how Bob can take advantage of this. Bob sends a PING request to the broadcast address of a router, forging the return address as NewCo's. The router then dutifully forwards this PING request to every machine on the subnet, and each machine on the subnet replies to NewCo. NewCo's machine will throw out all of these PING replies, not recognizing them, but this does not matter: provided that the subnet in question is big enough, NewCo's connection will be flooded with the replies to the PING request, denying it service.
For a teardrop attack to succeed, the subnets harnessed must be large enough to flood the connection. If NewCo is something big, such as Yahoo, Bob will need a very large network. Enter the tribal flood attack. To execute a tribal flood attack, Bob recruits a pool of "slaves", either through actual social connections or through such programs as BackOrifice (a program that targets and attaches to MS BackOffice products), and has each of them execute a teardrop attack against NewCo.
All these computers PINGing in concert combine the bandwidth of every reflecting server against NewCo, flooding its network with an overwhelming volume of PING traffic.
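As an added example (not part of the original article), the following Python detector covers the two places where the broadcast-ping amplification described above is visible to a defender: the reflector network's router, which sees echo requests addressed to its subnet broadcast address, and the victim's border, which sees echo replies it never asked for. The subnets, addresses and flow records are constructed for illustration.

```python
"""Defender-side checks for the broadcast-ping amplification described above,
seen from the reflector network's router and from the victim's border."""
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

# Constructed flow records (src_ip, dst_ip, icmp_type); not real traffic.
# 198.51.100.0/24 is the reflector subnet, 203.0.113.10 stands in for NewCo.
SAMPLE_RECORDS = [
    ("10.0.0.5", "198.51.100.1", ICMP_ECHO_REQUEST),        # legitimate ping...
    ("198.51.100.1", "10.0.0.5", ICMP_ECHO_REPLY),          # ...and its answer
    ("203.0.113.10", "198.51.100.255", ICMP_ECHO_REQUEST),  # spoofed src, broadcast dst
] + [
    (f"198.51.100.{h}", "203.0.113.10", ICMP_ECHO_REPLY) for h in range(1, 7)
]

LOCAL_SUBNETS = [ipaddress.ip_network("198.51.100.0/24")]


def directed_broadcast_requests(records, subnets=LOCAL_SUBNETS):
    """Echo requests aimed at a subnet broadcast address. The router should
    drop these (Cisco IOS: 'no ip directed-broadcast') rather than forward them."""
    broadcasts = {str(net.broadcast_address) for net in subnets}
    return [(src, dst) for src, dst, kind in records
            if kind == ICMP_ECHO_REQUEST and dst in broadcasts]


def unsolicited_reply_counts(records):
    """Per recipient, count echo replies with no earlier matching request.
    A request to the broadcast address does not pair with the unicast replies
    it triggers, which is exactly what the flooded victim observes."""
    outstanding, unsolicited = set(), Counter()
    for src, dst, kind in records:
        if kind == ICMP_ECHO_REQUEST:
            outstanding.add((src, dst))
        elif kind == ICMP_ECHO_REPLY and (dst, src) in outstanding:
            outstanding.discard((dst, src))
        elif kind == ICMP_ECHO_REPLY:
            unsolicited[dst] += 1
    return unsolicited


def reflection_victims(records, threshold=5):
    """Addresses receiving at least `threshold` unsolicited echo replies."""
    counts = unsolicited_reply_counts(records)
    return sorted(a for a, n in counts.items() if n >= threshold)
```

On the constructed records, `directed_broadcast_requests` flags the single spoofed request to `198.51.100.255`, and `reflection_victims` returns `['203.0.113.10']`, the address that received six replies without ever pinging those hosts.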
Barrie Sosinsky is president of the consulting company Sosinsky and Associates (Medfield, MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.