DDoS history -- distributed denial of service attacks

Posted by & filed under List Posts.

With the rise of the Internet of Things (IoT), experts have warned that it is incredibly vulnerable from a security perspective – and it has been exploited by DDoS attackers. In September-October 2016, nearly 50,000 connected devices, spread out across 164 nations, were used to achieve traffic as high as 280 Gbps. The attack sent traffic into networks of targets primarily sent from digital video cameras. Following that attack, security journalist Brian Krebs was hit with a massive assault – followed by one that achieved a whopping 620 Gbps on DynDNS. The DNS firm had to protect its infrastructure against a packet rate that got up to 100 Mbps – a real-time issue that caused was a bigger problem for them than was the peak bandwidth.

How did we get here?

Three markers of the rise of DDoS

In three key ways, DDoS has expanded over time:

  1. Increasing degree of sophistication – While SYN floods used to be leveraged for DDoS attacks, today is about intricate attacks that go after services, infrastructure (VPS, firewall, etc.), software, and bandwidth (called multi-vector attacks). Multi-vector attacks required skill initially; however, as cybercrime advanced, it became possible for anyone to launch these attacks.
  2. Increasing frequency – Today, anyone can perform a huge DDoS attack as DDoS has been weaponized. The rate of occurrence of attacks has grown, as has the occurrence of huge attacks. Reports from the first quarter of 2018 showed that DDoS attacks were growing in frequency (as well as in length and size).
  3. Increasing volume – The size of DDoS attacks became larger with the incorporation of IoT botnets and use of new innovations such as reflection and amplification. Because of these factors, the attacks of recent years are much larger than the ones that were sustained by ISPs in the late 90s.

Timeline of DDoS development

We can get a better sense of DDoS evolution by looking at a timeline of major events related to these attacks – which takes us back to the early 1970s:

1973 – It is difficult to determine the exact date of the first denial of service (DoS) attack, but Robert Lemos suggested in eWeek that the initial one may have occurred in 1973 (according to an unverified story told by David Dennis, adjusted to account for a probably mistake that he made in the year). The attack was said to have occurred on the Programmed Logic for Automatic Teaching Operations (PLATO) system at the University of Illinois at Urbana-Champaign (UIUC), which was used for instruction and as an online community (a precursor to the Internet). Dennis claims to have caused it as a 13-year-old high school student, when he wrote a program and deployed it to users of PLATO, causing many of them to have to restart simultaneously. He claimed to subsequently use this same technique on several networks locally and nationally, and that he was successful until the ext command was changed.

1995 – Manual DoS protest attacks were conducted by activists in the late 1990s. These activists started to think of the Internet as a place that could be used as a form of protest, through access prevention. The Strano Network was one of the first groups to engage in this activity.

1998 – This year was when the distributed denial of service (DDoS) emerged (although it would not become widely notorious until 2000). Floodnet was a tool that could be downloaded and run on the computers of users. It was created by another group of activists called the Electronic Disturbance Theater (EDT). The tool would then start going after various sites, following a list supplied by the EDT. This same year, cybercriminals started using simple but effective Smurf attacks, which leveraged the Internet Control Message Protocol (ICMP) to prompt other servers to ping a target. These attacks were the first prominent instance of reflection/amplification attacks.

1999 – The Trinoo bot, made up of 227 infected Solaris servers, was used to attack the University of Minnesota.

2000 – The first DDoS attack to get significant press occurred when Mafiaboy, a 15-year-old Canadian boy, brought down various major corporations, including Amazon, eBay, Yahoo!, and Dell. The Computer Emergency Response Team (CERT) Coordination Center also noted that there would be more DDoS attacks that amplified bandwidth by using the domain name system (DNS).

2003 – Worms had become ever more problematic for system administrators in the beginning of the century. The 376-byte MS SQL Slammer worm, the first flash worm, was let loose in 2003. This worm’s speed was unprecedented: it doubled the number of infected systems every 8.5 seconds, and overloading network bandwidth in just 3 minutes.

2005 – 8 Gbps was the largest amount of DDoS traffic that was reported by any respondent in the annual Worldwide Infrastructure Security Report (WISR) from Arbor Networks. (Compare to today’s figures below.)

2007 – A statue was moved in Estonia that honored World War II Soviet soldiers who fought against Nazi Germany. Diplomatic issues arose between the two states because of this decision, and Estonia suffered repeated DDoS attacks.

2008 – Anonymous started a series of actions, including against the Church of Scientology, in which they defaced sites or hit them with DDoS attacks.

2011 – Sony fell victim to a massive DDoS attack. This attack seemed to have been used as a distraction as the thieves stole PlayStation Network customer records.

2013 – At 300 Gbps, the most massive DDoS of all time was measured. This attack hit Spamhaus because the organization had named the hosts of botnets, spam networks, and cybercrime outfits, as well as blacklisting them.

2014 – On Christmas Day, Xbox Live and the PlayStation Network were hit with a DDoS attack, with Lizard Squad taking credit for it.

2016 – Politically motivated DDoS attacks were central to this year. The US Department of Defense was pummeled with a barrage of spam in late January. The Russian military was similarly hit with a DDoS attack in March. The Reaper (IoTroop or IoT_reaper), a botnet built by North Korea, continued to become more powerful. Qihoo 360, a Chinese web security company, reported that The Reaper had enslaved 10,000 devices, all of which were interacting with the cybercriminals’ servers regularly. The botnet had millions of IoT devices that it could potentially add via an automatic loader. There was an attack of 500 Gbps that lasted throughout the Olympics in August. As DDoS took center stage with Mirai, an attack that peaked at 620 Gbps was carried out by an IoT botnet against Brian Krebs.

2018 – Memcached was used to attack Github. In this event, there was a disruption of approximately 10 minutes. Per the engineering department at Github, 1.35 Tbps of traffic was targeted at the collaborative-software service. The Memcached protocol was subsequently shown to enable amplification through web-connected servers by a factor of as much as 51,000. Through this protocol, it was able to wage a simple attack and then amplify it, slamming a network with much more sizable packets.  There was a major blow to criminal DDoS efforts when Webstresser was shut down by authorities of the Netherlands, the UK, and the US. The organization’s leadership was arrested. Webstresser is credited with causing 4-6 million DDoS attacks between 2015 and 2018. It caused that much havoc by offering DDoS-for-hire services.


Denial-of-service attacks have certainly come a long way since they were first deployed in the early 1970s, morphing into ever-more-sophisticated distributed-denial-of-service (DDoS) events. As DDoS attacks have become larger and more expensive, the importance of working with experts on your defense has skyrocketed. Safeguard your site against the hassle and expense of a DDoS attack.