CNN Attacks – Inside Two Dedicated DDoS Tools

A new DDoS tool for use in the China vs. CNN attacks has surfaced (thanks for the tip!). This one is more flexible than the first: it lets you specify which targets you want to hit, which suggests more flexible attacks may be afoot in the near future. But first, a quick look at the first dedicated DDoS tool released in this online skirmish.

AntiCNN.exe

anti_cnn_icon.png

This was the first of the two dedicated tools to be found and analyzed. As you would expect, it's a tool dedicated to attacking CNN.com. It opens a flood of HTTP connections in an attempt to overwhelm the servers. All of the requests look like this:

GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp

The requests are sent to all of the IPs associated with www.cnn.com. The user can start and stop the attack at will. This tool has already been analyzed by others.
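From the defender's side, the fixed request path above is a usable web-log signature. The following is an added example, not code from the original post or from either tool: it scans constructed Apache/nginx combined-format log lines for the AntiCNN.exe request and counts hits per source IP, which is the figure a per-source block or rate limit would key on. The log lines and IP addresses are constructed for illustration; the marker strings assume the path is reproduced exactly as the tool sends it.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Distinctive pieces of the AntiCNN.exe request path quoted above
# (assumption: the tool sends the path exactly as shown in the post).
ANTICNN_MARKERS = (
    "/aux/con/com1/",            # reserved DOS device names used as path components
    "fakecnn/redflag-stay-here",
)


def is_anticnn_request(request_line: str) -> bool:
    """True if an HTTP request line ("GET /path HTTP/1.x") matches the AntiCNN signature."""
    try:
        method, path, _proto = request_line.split(" ", 2)
    except ValueError:
        return False
    return method == "GET" and all(marker in path for marker in ANTICNN_MARKERS)


def scan_access_log(lines):
    """Return {source_ip: hit_count} for log lines matching the signature.

    Lines that do not parse as combined-format entries are skipped rather
    than raising, so a noisy log does not abort the scan."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_anticnn_request(m.group("req")):
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log lines (not taken from the original post or any real server).
ATTACK_PATH = "/aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp"
SAMPLE_LOG = [
    f'203.0.113.7 - - [22/Apr/2008:10:00:01 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    f'203.0.113.7 - - [22/Apr/2008:10:00:01 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [22/Apr/2008:10:00:02 +0000] "GET /2008/WORLD/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [22/Apr/2008:10:00:03 +0000] "GET {ATTACK_PATH} HTTP/1.0" 404 210 "-" "-"',
    "not a log line at all",
]

if __name__ == "__main__":
    for ip, n in sorted(scan_access_log(SAMPLE_LOG).items()):
        print(f"{ip}: {n} AntiCNN-signature requests")
```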

anti_cnn_main.png

Sdos.EXE

sdos_icon.png

This is the second of the two tools and crossed my desk within the last hour. It lets you specify a target server and a port, and uses a simple connect() loop for the TCP flood. This has the advantage (for the defender) of making traceback and source /32-based blocking easy.

sdos_main.png

During installation a driver is installed, presumably to generate some of the attack traffic.

sdos_driver_install.png

By default it installs in:

c:\Program Files\Sattacker\SDos\sdos.exe

It uses the following registry keys to store information:

HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Recent File List
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Settings
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Config

The tool appears to have been written in MS Visual C++.

Overall similarities

Both tools are designed “for the masses”, i.e. people who may not be running their own botnet but are upset by events. This isn't new: it has been done before and will continue to be done. Both tools are user-friendly, and neither one has a backdoor (unlike other tools of this kind in the past).

UPDATE: There's a third tool that I will post info about tomorrow. Unlike these two, it has a backdoor for the attackers to abuse.

2 Responses to “CNN Attacks – Inside Two Dedicated DDoS Tools”

April 23, 2008 at 2:35 pm, DDoS to the people; inside two toolkits helping Chinese hackers « IT Spot said:

[…] a blog Tuesday, Dr. Jose Nazario of Arbor Networks says one of the toolkits is easier to use than the other although both are designed for “the […]

June 19, 2009 at 1:16 pm, ali said:

thank
