Skip to main content

20 years of DDoS

In September 1996 New York City’s original Internet Service Provider, Panix, was hit by a SYN flood denial of service attack that took the company offline for several days. At a time when only 20 million Americans were online this was one of the first high profile examples of how fragile internet infrastructure could be.   

Fast forward 20 years and businesses and individuals are now hugely dependent on the Internet services they both offer and utilise, and the primary threat to the availability of those Internet is distributed denial of service (DDoS) attack. DDoS attacks have evolved consistently over the last 20 years and have moved from being a curiosity, to a nuisance, to a serious business continuity risk. 

Easy-to-use tools and cheap attack services have weaponised DDoS attacks, making sophisticated attack capabilities accessible to anyone who can use a web browser.

Attack timeline

  • In 2005 the largest attacks reported to Arbor as a part of its annual World-Wide Infrastructure Security Survey was 8Gbps
  • In 2007, the former Soviet republic of Estonia was hit with sustained DDoS attacks following diplomatic tensions with Russia. The issues arose following a statue move in Estonia honouring Soviet forces who serviced in World War 2 against Germany
  • In 2008, Anonymous started a series of high profile DDoS and website defacement attacks
  • In 2011, we saw a DDoS on Sony, allegedly used to disguise the theft of millions of customer records for PlayStation Network Users
  • In 2013, Spamhaus was targeted for naming and blacklisting cybercrime hosting, spam and botnet operations. It was the largest attack recorded at the time, reaching 300Gbps
  • In 2014, Lizard Squad claimed to have performed a DDoS attack on the PlayStation Network and Xbox Live on Christmas Day
  • In August 2016, public-facing web properties and organisations affiliated with the Olympics were targeted by sophisticated large-scale DDoS attacks sustaining 500gb/sec in attack traffic for the duration of the games
  • In September 2016 an IoT botnet was used to launch a sustained attack against Brian Krebs that peaked at around 620Gbps

What these headlines show is that DDoS attacks have grown significantly in scale over the last 10 years or so. And, they show very clearly that DDoS attacks are being used to echo real word political and ideological conflicts.  

DDoS attacks have grown in three key areas

Size: Attacks that targeted ISPs in the late 1990s were minuscule compared to the massive attacks today. Techniques such as reflection amplification, and now the use of IoT botnets, have rapidly pushed up the size of DDoS attacks.  A common response to stories about peak attacks is that these are black swan events; this is no longer true. Last year Arbor’s ATLAS system, which monitors data from around 350 Arbor service provider customers giving unique visibility into around a third of all Internet traffic, tracked 223 attacks over 100Gbps, by November this year we had already seen 488. Very large attacks are no longer unusual. 

Frequency: DDoS weaponisation, via the proliferation of attacks tools and services, has made even large, sophisticated DDoS attacks available to anyone.  The frequencies of large attacks have grown hugely, and overall attack frequencies are also on the up. Early data from this year’s World-Wide Infrastructure Security Survey shows another big jump in the frequency with which enterprises around the world are being targeted this year. 

Complexity: DDoS attacks are no longer simple SYN floods but highly complex, multi-vector attacks that target connection bandwidth, applications, infrastructure (Firewall, IPS) and services simultaneously. Multi-vector attacks used to be the proviso of sophisticated attacker groups, but today they can be launched with a single mouse click. 

Limited defences

Despite two decades of headlines many businesses today are under-invested and ill-prepared to handle the DDoS threat. Many wrongly believe they are not being targeted by DDoS attacks and attribute outages to equipment failures or operational error as they don’t have visibility of what is really happening. This can lead to repeated investments which don’t solve the problem. 

Others rely on firewall and IPS, or a single layer of protection from their ISP or their CDN. In each case, these businesses are exposed and only partially protected. Firewall and IPS are stateful devices, that are often targets of DDoS attacks while cloud-only or CDN protection does not provide adequate protection for critical business applications. 

Defending from DDoS

To combat DDoS attacks today organisations must implement layered DDoS defence. Businesses need specialised defences at the network perimeter to proactively protect themselves from the most stealthy, sophisticated application layer attacks, and they need cloud-based DDoS protection that can be called upon when an attack escalates.  

In today’s digital landscape, layered defence has never been more important. Having the right solutions and processes in place will allow security teams to become more efficient and effective, protecting their organisations from becoming the next DDoS victim!

Darren Anstee, Chief Security Technologist, Arbor Networks
Photo Credit: Duc Dao / Shutterstock

Darren Anstee
Darren Anstee is the Chief Technology Officer at Arbor Networks, based in the UK. Darren has over 20 years of experience in the pre-sales, consultancy and support aspects of telecom and security solutions.