Understanding a tribal flood attack

Barrie Sosinsky

The tribal flood attack is a new and improved denial of service attack that took down Yahoo! and other major networks in the summer of 2000. The tribal flood attack is a massively parallel form of the teardrop attack that gained notoriety earlier this year. It works by taking advantage of poorly secured business networks. Due to the cunning nature of this particular attack, your company may be held liable for making these attacks. Here is how it works.

Suppose for a moment, that malicious user Bob wants to deny service to a company (we'll call NewCo). If Bob has a faster connection than NewCo, this task is trivial - Bob need only send enough PING requests to NewCo, flooding his connection. As Bob's connection is faster, he is then free to run amuck with the remaining bandwidth. Should Bob's connection be as fast as NewCo's, he can attempt this attack, but the attempt will render his own connection useless.

One solution to Bob's problem is the teardrop attack. Consider first the broadcast address on a router. A router manages a subnet. There are at least three reserve addresses on a subnet, one of which is known as a broadcast address. Typically, this is the highest or lowest number on the subnet. In the non-security conscious days of yore, the router would forward every request to the broadcast address to every non-broadcast address on the subnet. Consider how Bob can take advantage of this. Bob sends a PING request to the broadcast address of a router, forging the return address as that of NewCo's. The router than dutifully forwards this PING request to every machine on the subnet - each machine on the subnet then replies to Joe Bob. Joe Bob's machine will throw out all of these PING replies, not recognizing them, but this does not matter. Provided that the subnet in question is big enough, Joe Bob's connection will be flooded with the replies to the PING request, denying him service.

For a teardrop attack to succeed, the subnets harnessed must be large enough to flood the connection. If NewCo is something big, such as Yahoo, Bob will need a very large network. Enter the Tribal Flood Attack. To execute a tribal flood attack, you recruit a pool of "slaves", either through actual social connections or such programs as BackOrifice (a program that targets and attaches to MS BackOffice products), and have each of these execute a teardrop attack to NewCo.

All these computers PINGing in concert provide the power and bandwidth of every server to overwhelm NewCo's bandwidth - flooding its network with an overwhelming number of PINGs.

Barrie Sosinsky (barries@killerapps.com)is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.

This was last published in September 2000

Dig Deeper on Network Security Best Practices and Products

denial-of-service attack A denial-of-service attack is a security event that occurs when an attacker prevents legitimate users from accessing specific computer systems, devices, services or other IT resources.

Troubleshoot a faulty Amazon VPC connection Many businesses prefer to operate some of their workloads within an Amazon VPC. While VPC offers an additional layer of security, connectivity issues could arise.

Police reject first draft of government ICT plan Police chiefs have rejected draft Home Office plans for a private company to manage police ICT because it was unworkable under police force rules.

IP address management -- from 'Network troubleshooting and diagnostics' Learn how IP address management and maintenance tools can help manage the scope of IP addresses on your network.

IP address management -- from 'Network troubleshooting and diagnostics' Learn how IP address management and maintenance tools can help manage the scope of IP addresses on your network. With typical Class C subnets consuming upwards of 254 addresses per subnet and most companies needing multiple subnets, the sheer number of addresses under management can grow huge as the number of subnets increases. Getting your arms around this task can be difficult, but the tools listed in this excerpt from "Network troubleshooting and diagnostics," Chapter 4 of "The Shortcut Guide to Network Management for the Mid-Market," can help.

Tools for identifying IP addresses A site member asks our networking expert what tools are available to identify IP addresses on his customer's LAN.

Understanding a tribal flood attack

Dig Deeper on Network Security Best Practices and Products

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchUnifiedCommunications

Microsoft Teams for Linux launches in public preview

Microsoft offers few upgrades for Skype server in 2019

CPaaS market evolves to meet changing business needs

SearchMobileComputing

Learn about Microsoft's changes to the Office mobile app

Mobile device security key trend in top 10 most read stories of 2019

How to install root CA certificates on iPhones and iPads

SearchDataCenter

Refresh your data center cooling lexicon

Comparing Linux distributions: Red Hat vs. Ubuntu

Get eco-friendly with LEED data center certification

SearchITChannel

RSA, Yubico dream of a password-free future

Vendors step up MSSP partner initiatives in 2020

CyberX launches partner program in IoT security market

Dig Deeper on Network Security Best Practices and Products

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.