Find out how the hackers do it.

Distributed denial of service (DDoS) attacks are network-based. Instead of running a single attack tool, the hacker communicates with many remote attack servers, which bombard the target with packets. In other words, one attacker remotely controls tens or hundreds of attack servers, multiplying the effect of the DoS attack.

These tools have been around since 1998. They were initially used against IRC users or servers; a prime example is the attack that hit an IRC server at the University of Minnesota in the summer of 1999. The volume of packets sent flooded the university right off the Internet.

One such tool, trin00, consists of masters and daemons. The masters hold a list of daemons and command them to send UDP packets to random ports on targeted systems. Source addresses are not spoofed.
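
Because the daemons' source addresses are real, a victim site can pull the list of flooding hosts straight out of its flow records. The following is an added example, not code from the original article; the record layout, the addresses (documentation ranges), the 10-second window and the 20-port threshold are all assumptions.

```python
from collections import defaultdict


def constructed_flows():
    """Constructed sample records: (epoch_seconds, proto, src, dst, dst_port)."""
    flows = []
    for i in range(40):
        # Two hosts spraying UDP at ever-changing ports on one target.
        flows.append((i * 0.1, "udp", "198.51.100.7", "203.0.113.10", 1024 + i * 997 % 60000))
        flows.append((i * 0.1, "udp", "198.51.100.23", "203.0.113.10", 2000 + i * 1301 % 60000))
        # A busy but ordinary client: many packets, a single port (DNS).
        flows.append((i * 0.1, "udp", "192.0.2.50", "203.0.113.10", 53))
    flows.append((1.0, "tcp", "192.0.2.51", "203.0.113.10", 80))
    return flows


def find_udp_sprayers(flows, window=10.0, min_ports=20):
    """Map each target to the sources that hit >= min_ports distinct UDP
    ports on it inside one tumbling window of `window` seconds."""
    ports = defaultdict(set)  # (window index, src, dst) -> distinct dst ports
    for ts, proto, src, dst, dport in flows:
        if proto != "udp":
            continue
        ports[(int(ts // window), src, dst)].add(dport)

    hits = defaultdict(set)
    for (_, src, dst), seen in ports.items():
        # Packet count alone would also flag the DNS client; port spread does not.
        if len(seen) >= min_ports:
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for target, sources in find_udp_sprayers(constructed_flows()).items():
        print(target, "flooded by", ", ".join(sources))
```

The sources it returns are candidate compromised hosts to report to their network owners; the same approach does not work once source addresses are spoofed.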

The second-best-known tool, Tribal Flood Network, uses source address spoofing and supports several different network DoS attacks (UDP floods, SYN floods, and ICMP floods, as well as smurfing or mixes of these attacks). Detecting the communication between the control client and the attack servers is very difficult.
