It runs the same DOS attacks as Targa plus an additional five exploits. In addition, it is a DDOS tool, which means it can run in a distributed mode where several machines all across the Internet attack a single machine or network.
Because TFN2K is a DDOS application and runs in a distributed mode, there are two main pieces to the program: a client module and a server module. The client module is the piece that controls the servers; it tells
the servers when to attack and with what exploit. The server runs on a machine in listening mode and waits to get commands from the client.
It is important to note that to start and stop a TFN2K attack, the user of the program must supply a password. The password is supplied when the program is installed.
An additional important fact to point out is that TFN2K is very stealthy. It does several things that make it harder to detect on a network. For example, all communication between the client and the server are sent
using ICMP_ECHO REPLY packets. This is harder to detect because port numbers are not used. So, even if you run a port scanner on a regular basis, you would not be able to detect that your system is being used as a TFN2K server.