Chapter 1. Summary

A new Distributed Denial of Service (DDoS) tool has been detected in the wild. The tool was captured on a compromised system at Honeypot University and analyzed by our staff.

The "honeyp" DDoS tool is a new development in a line of DDoS tools such a "trinoo", "Tribe Flood Network" and "stacheldraht". To use this tool, the attacker must already have full "root" access to the system. Once installed on a compromised system, the "honeyp" tool acts as a "back door" and gives the attacker full remote access to the machine. Another function of the tool is the ability to launch Denial of Service attacks against other hosts on the Internet, specified by the attacker.

The impact of the tool is significant both to Honeynet University and to the Internet as a whole. Distributed Denial of Service attacks have been used in the past to disrupt key services on the Internet. In February 2000, a DDoS attack rendered many high-profile sites such as,, and inaccessible for a period of a few days. It is our responsibility to prevent such attacks in the future and the Honeynet Computer Security Center staff is working hard to make the Internet a safer place.