How DDoS Attacks Techniques Have Evolved Over Past 20 Years

From do-it-yourself denial-of-service attacks in the 1990s to this year's terabit-topping memcached attacks, distributed denial-of-service attacks have reached new heights in sophistication and volume.

DDoS bandwidth keep Rising

This year marked a major milestone for distributed denial-of-service attacks, when—not just one, but two—attacks crossed the 1 Tbps bandwidth threshold. 

In late February, attacks on the Github software-collaboration service and an unspecified online gaming provider topped terabit-per-second volumes not seen in the past, according to attack-mitigation firm Arbor Networks. 

As with other modern distributed denial-of-service (DDoS) attacks, the incidents were made possible by vulnerable devices connected to the internet, specifically servers running a distributed memory service known as memcached. The attacks led to a 10-minute outage at Github and unspecified impacts at the gaming provider. 

While the bandwidth consumed in an attack is not necessarily an accurate measure of how difficult the attack is to mitigate, the higher volume trend underscores the escalating threat posed by DDoS attacks. Most companies have internet infrastructures capable of handling data streams totaling perhaps 10 to 50 Gbps, far less than terabit data volumes.  

"Most DDoS attacks are way overkill," Roland Dobbins, principal engineer at Netscout subsidiary Arbor Networks, told eWEEK. "This is like using a nuclear weapon to swat a fly." 

DDoS attacks have evolved significantly over the past 25 years, from manual efforts launched by groups of protestors to botnets made of connected devices to automated attacks exploiting vulnerabilities in server protocols. 

The attacks started on multi-user systems and then moved to servers. Later attack methods toyed with using workstations and home computers. More recently, attackers have settled on one of two techniques, using massive number of unsecured IoT devices to distribute an attack or amplifying and reflecting an attack using a vulnerable network protocol. 

"Attackers will take advantage of any technology to reflect or amplify their attack," Josh Shaul, vice president of web security at Akamai, told eWEEK. "Servers continue to be used—the memcached attacks are servers. But over the last three years, we have gone back to distributed devices, where we have seen attackers using the things that we connect to the Internet." 

Here are some of the key moments in the evolution of DDoS attacks. 

Earliest DoS attacks exploit lax mainframe OS security 

The first stories of potential DDoS attacks are mainly anecdotal. A widely cited story claims a former high-school student was able to use an early mainframe system known as PLATO to launch an attack within a small network of terminals in 1974. 

The attack used a PLATO command, known as ext, to direct other terminals connected to the mainframe to attempt to connect to a non-existent external device. The command caused the system to crash and the 31 other users in the room had to shut down. 

However, the dates in the story appear to be off by a year, as the PLATO system administrator patched the system for the ext exploit within the first two days of 1974. 

In the early 1980s, Xerox PARC researchers John Shoch and John Hupp coined the term "worm" for a program that automatically spreads from system to system. Their worm copied itself to each system on a research network, and—because of a bug—promptly crashed each machine, amounting to a denial-of-service attack. 

1995: Activists launch manual DoS protest attacks 

In the late 1990s, activist groups began using the Internet as a way to create virtual sit-ins, blocking access to web sites as a form of protest. Perhaps the first group to exercise this power was the Strano Network, a collection of like-minded people who worked to protest the French government's nuclear policy. 

Rather than using a program to repeatedly connect to a Web site, the Strano Network asked participants to visit and repeatedly reload the targeted sites. 

1998: FloodNet and the self-installed DDoS bot 

A few years after the Strano Network, another group of performance artists and protestors—the Electronic Disturbance Theater—developed a tool called FloodNet that participants could download and run on their own computers. The attack tool would then use a list of targets provided by the EDT to attack specific Web sites. 

The first major use of the tool was to support the Zapatista Army in Mexico against the government in 1998 and later attack the World Trade Organization in 1999. 

1998: Smurf attacks cause disruptions 

The first major amplification and reflection attacks also appeared in 1998 when online miscreants used their ability to cause other servers to "ping" a target using the Internet Control Message Protocol (ICMP). Known as a Smurf attack, these packet floods were simple but effective. By sending a forged source address in the packet, the attacker could reflect the traffic to the target and hide the true source of the attack. By using a network broadcast address, the attacker can amplify the number of packets sent by a factor of 255. 

The attack was used against the University of Minnesota in March 1998 causing a chain reaction that led to significant outages and 30 percent packet loss. 

1999: Trinoo and the first server botnets 

The University of Minnesota got little respite the next year either. In August 1999, the university was targeted with an attack using the Trinoo bot program, which was installed on at least 227 compromised Solaris servers

"When I go way, way back, DDoS history started with leveraging malware—it took over a bunch of home machines and then used those machines to attack others," said Akamai's Shaul. "But people did not have that much bandwidth, so we went from using workstations and home computers to using servers." 

Trinoo kicked off a trend in compromising servers for denial-of-service attacks. A popular program, named Stacheldraht (German for "barbed wire"), was created by a hacker using the name Mixter and then used by others to attack a variety of sites. Another program, known as Tribe Flood Network, was similar to Trinoo. It was used by Michael Calce, then known as "MafiaBoy," to take down major websites at the time, including Amazon, CNN and Yahoo! 

2000: DoS attackers increasingly leverage domain name service 

Domain name service (DNS) packets have often been used by attackers as a payload during denial-of-service attacks. But beginning in 2000, the Computer Emergency Response Team (CERT) Coordination Center warned that an increasing number of attacks had begun to use DNS as a mean of amplifying bandwidth. 

"We have seen intruders utilize multiple name-servers on diverse networks in this type of an attack to achieve a Distributed Denial of Service attack against victim sites," the group stated in an April 2000 advisory

Companies largely failed to heed the warning. In another advisory six years later, the United States CERT noted that 75 to 80 percent of servers still allowed recursion, the DNS server capability that allows amplification attacks. 

2003: Fast-spreading worms focus attention on Windows security 

The first decade of the century marked the heyday of the computer worm. Programs such as Code Red, Nimda, and Blaster all had significant success in infecting networks and causing headaches for system administrators. These self-propagating programs also convinced Microsoft to change course from focusing on new features for its Windows operating system to focusing on security. 

In 2003, the world encountered its first flash worm, the 376-byte MS SQL Slammer worm, which spread so fast it doubled the number of infected systems every 8.5 seconds and saturated local network bandwidth within 3 minutes. Five minutes after it started spreading, the Slammer worm reached 80 million packets per second, a level that would not be seen again for another decade. 

2009: MyDoom worm used against U.S., South Korean sites 

In 2009, approximately 50,000 computers infected with the MyDoom worm were used by attackers to target government, financial and business sites in the United States and government sites in South Korea. The attack, which saw peak bandwidth rates of 13 Gbps, caused little downtime, but prompted politicians to blame North Korea for launching the attack. 

The attack came five years after variants of the MyDoom worm were used to launch a DDoS attack on the web site of Unix software company SCO Group, which was targeted because the company claimed in a lawsuit that it owned the Linux operating system. Microsoft was also hit in the same attack, which demonstrated the effectiveness of using a large number of consumer computers against websites and networks. 

2016: Insecure internet of things devices used to amplify 

In September and October of 2016, almost 50,000 internet-of-things devices in 164 countries flooded targets with traffic up to 280 Gbps, according to security firm Imperva. This DDoS attack used mostly digital video cameras and recorders to send relatively sophisticated traffic to victims' networks. 

The resulting attacks on the website of security researcher and journalist Brian Krebs and infrastructure service provider DynDNS topped 620 Gbps, according to Internet infrastructure firm Akamai

While the peak bandwidth exceeded prior records, the fact that the number of packets per second surpassed 100 Mbps caused more problems for defenders, said Ofer Gayer, senior product manager at security firm Imperva. 

"This is one of the challenges that companies have," he said. "Adding more bandwidth to your network is the easy part—making decisions about packets in real time is much more difficult."

2018: Attackers use memcached as DoS tool 

On February 28, software developers’ ability to connect to collaborative-software service GitHub was disrupted for about 10 minutes. An attacker using an amplification attack targeted the site with a massive distributed denial-of-service attack that directed 1.35 Tbps of traffic at the site between 17:21 UTC and 17:30 UTC, according to a report published by the company’s engineering team. 

The attacker took advantage of a relatively obscure protocol that allowed them to amplify a simple attack and redirect much larger packets at the victim's network. In this case the attack abused a protocol known as memcached that, if enabled on an Internet-connected server, could be used toamplify an attack by a factor of up to 51,000. 

The problem was that, on many networks, memcached was enabled on servers that were exposed to the networks and easily exploitable by attackers. 

"It's one of the best protocols to use for amplification ever!" Marek Majkowski, a team member with CloudFlare, stated on the company's blog. "There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB)." 

The Github attack did not mark the end of the escalation in denial-of-service attacks. Within days of the attack on Github, a second attack related to online gaming consumed 1.7 Tbps of bandwidth, according to Netscout subsidiary Arbor Networks, which declined to name the target.”

By March 9, Arbor noted that the size of memcached DDoS attacks declined due to mitigation efforts that included securing vulnerable servers. 

However, as overall network bandwidth grows, the volume of packets slung as part of  denial-of-service attacks will grow as well, said Arbor's Dobbins, as attackers find new DDoS techniques. 

"The main inhibiting factor for these attacks is available bandwidth," he said. "And I see no reason that this trend will not continue into the future.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...