It has been 25 years since the first DDoS attack, and since then the world has witnessed many variants which all share the same result: disrupting the availability of the target host and its services.
At the same time, we have seen a similar evolution in DDoS protection technologies, as well as improvements to enable anti-DDoS to interact with evolving technologies. But how has the DDoS attack evolved over the past 25 years? Has the ever growing Internet of Things affected the growth of DDoS attacks at all? And what can we expect in the future?
The history of DDoS attack events is full of “legendary” stories, with the first DDoS attack dating back to 1988 when Robert Morris wrote a self-replicating computer program (the Morris worm) which had a major impact on the Internet. This Trojan virus was quickly detected as it spread due to the rate at which it consumed system resources. Although Morris did not launch attacks by controlling infected computers in a centralised way, his work formed the basis for DDoS attacks by exploiting botnets. In fact, even today injecting a Trojan virus by exploiting system vulnerabilities and launching attacks against the target through botnets, are the most common DDoS attack methods.
In 1996, a real DDoS attack – the Panix Attack – occurred, which affected commercial institutions’ operations and caused huge losses. During the attack, a large number of SYN packets were sent which caused the server to become unresponsive to customers’ normal requests. At that time, the US Community Emergency Response Team (CERT) issued an advisory (CA-1996-21) to protect against fake IP addresses. Affected organisations were able to install a filter on their routers to filter the attack traffic. Since then, Linux patch.2.0.30 had introduced the concept of SYN cookie protection for SYN flood attacks.
The far-reaching DDoS attacks date back to February 2000, when Yahoo, eBay and Amazon were attacked in the US. Mafiaboy (the Internet alias of Michael Calce) used the attack tool TFN2 to launch distributed attacks against these commercial websites in an attempt to “control the Internet”. TFN2 launches distributed attacks by means of botnets, and can control the encryption of communication proto-cols in order to evade detection.
Governments and nations become targets
In July 2001, the Code Red worm exploited a vulnerability in Internet information services (IIS), taking over control systems and forcing them to attack other targets. A self-replicating worm that could automatically infect other systems, Code Red attacked the White House website, and since then we have seen DDoS attacks expanded to governmental websites with an intensifying impact.
From that point on, DDoS battles were not limited to individual and commercial organisations. After Estonia gained its independence from the Soviet Union, the relationship between the countries grew tense, and when, in 2007, Estonia attempted to relocate monuments built by the Soviet Union, it found itself the target of DDoS attacks on its governmental websites, including the websites of the presidential palace and the Prime Minister’s Office.
American government websites, including the White House, the Pentagon, and the Department of Defence all suffered DDoS attacks from botnets starting in July 2009. Sources show that 27 websites were attacked, and the intelligence services in South Korea indicate the attack was initiated by the Telecom Department of North Korea. However, no evidence has been found to support the claim.
In August of the same year, Facebook, Twitter and YouTube were attacked when someone who called himself Georgy revealed the truth of the South Ossetia war between Georgia and Russia in his blog space. It was widely speculated that Russia launched the attacks, but again there was insufficient evidence.
DDoS attacks ramp up, with help from the Internet of Things (IoT)
In 2012, a large-scale DDoS attack event (“Operation Ababil”) happened as a result of an American film director uploading the trailer of the movie “Innocence of Muslims”, about the Islamic prophet Muhammad to YouTube, eliciting widespread Muslim protests. In this unprecedented religious war, US financial institutions, including Bank of America, Citibank and HSBC were attacked, causing a significant impact on service availability.
In March 2013, Spamhaus suffered from the largest DDoS attack to date. In this case, the DNS reflection attack principle was to launch the traffic attack, reflecting traffic off a third party so the origin is concealed. An unprecedented peak traffic rate of 300 Gbps was seen in this attack.
The proliferation of the Internet of Things, in full force by the second half of 2014, created fertile ground for botnets that can be used to launch SSDP-based reflection attacks. In effect, any network-connected device with a public IP address and vulnerable operating system can be an unwitting participant. This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based attacks. According to the NSFOCUS 2H 2014 Threat Report, more than seven million smart devices have been exploited globally.
DDoS as a smokescreen
Hackers changed the game in August 2015, using DDoS as a smokescreen to divert attention while they stole 2.4 million personal data records from Carphone Warehouse in the UK. We’ve become accustomed to DDoS attacks that have a primary goal of paralysing networks. However using DDoS to distract IT security teams, while committing other cybercrimes, is an interesting twist. Both approaches are equally damaging.
Motivations and methods
DDoS attacks have shown a variety of different motivations, methods, and types over time. In the beginning, they were often seen as acts of individual heroism, but have now evolved into a type of invisible war: large-scale, organised, with clear political or economic purposes. The motivations of DDoS attacks have changed from flaunting technical skills, to using DDoS as a tool for profit making. DDoS attacks can be intended to paralyse a competitor’s website, engage in blackmail, steal data, express anger, and even for other political and religious reasons.
Moreover, attack vectors are more sophisticated and smarter than ever. Besides using volumetric traffic to flood the target, intelligent attacks employing vulnerabilities or inherent defects in Internet protocols and network infrastructure have become popular among skilled attackers. A DDoS attack not only affects the individual target, it also affects the entire network infrastructure due to bandwidth consumption. Many victims will be affected, even if they are not in the attack target lists. Hence, you never know when and whether you could be the next victim of DDoS attacks.
The future of DDoS attacks
One of the most interesting recent twists in the DDoS story is a move to make DDoS attacks be accepted as a legal method to protest. Anonymous, the online hacktivist group, sent a petition to the White House in Jan 2013, trying to legalise DDoS attacks for protesting. As the petition states,
“It (the DDoS attack) is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage… Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.”
The debate on DDoS thus falls into two extreme camps. One camp insists that DDoS attacks are perfectly legal and within the rights of citizens, serving as a means to protest within the cyber world and force the organisation to shut down their online services. However, the other camp takes the opposite, extreme approach, claiming that all DDoS attacks are attempts by hackers and potential terrorists to disrupt their victim’s operations. Regardless of what the two camps think, dealing with the effects of a DDoS attack can be very costly for those who fall prey to attackers.
What will the future hold for DDoS attacks? Will they be viewed as the equivalent of a crowd of protesters standing in front of a shop and stopping customers from doing business? Often in this case, law enforcement asks protesters to move on, or face potential arrest. Many constitutions around the world do support the concept of “peaceful assembly”. However, when protestors begin to cause a loss of revenue for those under protest, the perception of peaceful assembly begins to wither. Today, DDoS attacks are viewed as criminal activity in every case. Unfortunately, breaking the law does not seem to be a deterrent for DDoS attackers. Either way, this problem will not be going away anytime soon.
Looking towards the future, DDoS prevention may well depend on the development of technologies based on improved defense and more advanced attack-source tracing methods. Concurrently, as network infrastructure is designed in a more secure fashion, and ID authentication techniques are improved, Internet users will be further restrained from performing malicious activities.
Cyberspace must be bound by law, in order to minimise the numbers of DDoS attacks. Nevertheless, we recommend that organisations and businesses implement a complete anti-DDoS solution along with a contingency plan to instantly react to DDoS attacks.
Aftab Afzal, Senior Vice President and General Manager EMEA at NSFOCUS IB
Photo Credit: Duc Dao / Shutterstock