
Understanding a tribal flood attack

The tribal flood attack is a new and improved denial of service attack that took down Yahoo! and other major networks in the summer of 2000. The tribal flood attack is a massively parallel form of the teardrop attack that gained notoriety earlier this year. It works by taking advantage of poorly secured business networks. Due to the cunning nature of this particular attack, your company may be held liable for making these attacks. Here is how it works.

Suppose for a moment that malicious user Bob wants to deny service to a company (we'll call it NewCo). If Bob has a faster connection than NewCo, this task is trivial - Bob need only send enough PING requests to NewCo to flood its connection. As Bob's connection is faster, he is then free to run amok with the remaining bandwidth. Should Bob's connection be only as fast as NewCo's, he can attempt this attack, but the attempt will render his own connection useless.

One solution to Bob's problem is the teardrop attack. Consider first the broadcast address on a router. A router manages a subnet. There are at least three reserved addresses on a subnet, one of which is known as the broadcast address. Typically, this is the highest or lowest number on the subnet. In the non-security-conscious days of yore, the router would forward every request sent to the broadcast address to every non-broadcast address on the subnet. Consider how Bob can take advantage of this. Bob sends a PING request to the broadcast address of a router, forging the return address as NewCo's. The router then dutifully forwards this PING request to every machine on the subnet, and each machine on the subnet replies to NewCo. NewCo's machine will throw out all of these PING replies, not recognizing them, but this does not matter. Provided that the subnet in question is big enough, NewCo's connection will be flooded with the replies to the PING request, denying it service.

For a teardrop attack to succeed, the subnets harnessed must be large enough to flood the connection. If NewCo is something big, such as Yahoo, Bob will need a very large network. Enter the tribal flood attack. To execute a tribal flood attack, you recruit a pool of "slaves", either through actual social connections or through such programs as BackOrifice (a program that targets and attaches to MS BackOffice products), and have each of these execute a teardrop attack against NewCo.

All these computers PINGing in concert bring the power and bandwidth of every recruited server to bear on NewCo's bandwidth - flooding its network with an overwhelming number of PINGs.
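The two tell-tale signs of the broadcast-ping reflection described above are echo requests aimed at a subnet's broadcast address (which a router should drop) and a host receiving a burst of echo replies it never solicited. The following detection sketch is an added example, not code from the article; the subnet, the spoofed return address and the flow records are all constructed sample data in documentation address ranges.

```python
"""Detection sketch for the broadcast-ping reflection the article describes.
Flow records are constructed sample data, not captures from a real network."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

SUBNET = ip_network("192.0.2.0/24")   # assumed reflector subnet (documentation range)
VICTIM = "198.51.100.7"               # assumed forged "return address" (NewCo)

# Constructed sample records: (src, dst, icmp_type); 8 = echo request, 0 = echo reply
SAMPLE_FLOWS = (
    [(VICTIM, "192.0.2.255", 8)] * 3                              # forged requests to broadcast
    + [(f"192.0.2.{i}", VICTIM, 0) for i in range(10, 60)]        # 50 hosts reply to the victim
    + [("203.0.113.5", "192.0.2.20", 8), ("192.0.2.20", "203.0.113.5", 0)]  # legitimate ping
)


def is_broadcast_target(dst: str, subnet=SUBNET) -> bool:
    """True when a packet is addressed to the subnet's broadcast address."""
    return ip_address(dst) == subnet.broadcast_address


def broadcast_echo_requests(flows, subnet=SUBNET):
    """Echo requests aimed at the broadcast address; a router should not forward these."""
    return [f for f in flows if f[2] == 8 and is_broadcast_target(f[1], subnet)]


def reflection_victims(flows, min_replies=20):
    """Hosts that receive many echo replies from machines they never pinged.

    The forged source only ever 'pinged' the broadcast address, so every reply
    from an individual subnet host is unsolicited; a normal pinging host has none.
    """
    requested = defaultdict(set)            # requester -> destinations it actually pinged
    for src, dst, icmp_type in flows:
        if icmp_type == 8:
            requested[src].add(dst)
    unsolicited = Counter()
    for src, dst, icmp_type in flows:
        if icmp_type == 0 and src not in requested[dst]:
            unsolicited[dst] += 1
    return {host: n for host, n in unsolicited.items() if n >= min_replies}


if __name__ == "__main__":
    print("broadcast requests:", len(broadcast_echo_requests(SAMPLE_FLOWS)))
    print("reflection victims:", reflection_victims(SAMPLE_FLOWS))
```

Running it on the sample flows flags the three broadcast-directed requests and reports the forged return address as the host absorbing 50 unsolicited replies, while the legitimate ping exchange is not flagged.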

Barrie Sosinsky ([email protected]) is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was last published in September 2000
