| Simulation Tool | Protocol | Attack | Description |
|---|---|---|---|
| Trinoo | UDP | UDP flood | ・ Widely used by the research community<br>・ Bandwidth depletion tool that launches coordinated UDP floods against IP addresses<br>・ Does not spoof source address |
| Ddosflowgen [16] | UDP, TCP | UDP flood, TCP requests, Mirai scans | ・ Can handle attacks beyond 1 Tbps (terabits per second)<br>・ Generates synthetic traffic datasets from N views<br>・ Ability to define the number of attacking networks and adjust parameters such as amplification factor, attack vectors and number of network attack sources<br>・ Human-readable topology |
| OMNET++ [17] | UDP, TCP, ICMP | Transport layer attack | ・ Capable of TCP/IP simulation<br>・ Manageable from a web server<br>・ Cannot generate traffic |
| Tribe Flood Network (TFN) | TCP, UDP and ICMP | TCP SYN and , ICMP flood, smurf | ・ Used to deplete bandwidth and resources<br>・ Employs a command-line interface for communication between attacker and control master<br>・ Unencrypted |
| TFN2K | TCP, UDP, ICMP | ICMP flood, SYN flood, UDP flood, smurf | ・ Advanced version of the TFN DDoS attack tool<br>・ Encrypts messages among attack components<br>・ Uses the CAST-256 algorithm to encrypt communication between attacker and control master program<br>・ Forges packets to appear to originate from close systems<br>・ Converts covert exercises to hide from intrusion detection systems |
| Stacheldraht | ICMP, UDP and TCP | TCP SYN flood, UDP flood, ICMP echo request flood | ・ Combines features of TFN and Trinoo to eliminate weaknesses of TFN<br>・ Automatic agent updates<br>・ Encrypted telnet communication between handlers and attackers<br>・ Communicates via ICMP and TCP packets |
| Mstream | TCP, UDP | TCP ACK flood | ・ Simple point-to-point TCP ACK flood tool that overpowers the fast routing routine table in switches<br>・ Unencrypted communication via TCP/UDP packets<br>・ Master connects to zombie via telnet<br>・ ACK packets hit the target, which then sends TCP RST to the spoofed IP addresses<br>・ Routers respond with ICMP unreachable, leading to bandwidth starvation<br>・ Creates random source IP address bits as a spoofing approach |
| Shaft | ICMP, UDP and TCP | TCP flood, UDP flood, ICMP flood | ・ Successor of Trinoo<br>・ Handlers and agents communicate via UDP<br>・ Randomizes source port and IP addresses in packets<br>・ Fixed packet size during attack<br>・ Switches control master servers and ports in real time, making detection difficult for intrusion detection tools |
| LOIC | TCP, UDP, HTTP | UDP, TCP, HTTP flood | ・ IRC-based anonymous attacking tool<br>・ Exists as either binary or web-based versions |