The History and Evolution of DDoS Attacks

October 6, 2020 David Balaban, Freelance Technology Writer

Distributed denial-of-service (DDoS) is one of the oldest and the most dynamically advancing vectors of cybercrime. Having taken root in the mid-1990s as a rudimentary instrument for electronic vandalism, hacktivist protest, or script kiddies’ ego boost, this phenomenon has matured and embraced more detrimental uses over the last 25 years.

Nowadays, threat actors increasingly leverage DDoS for extortion by demanding money for not blasting computer networks. In some scenarios, it is used as a sideshow that distracts a victim from main hazardous activities, such as a data breach or a ransomware onslaught.

As if these evil motivations weren’t enough, this technique has become an element of unethical business competition, where ill-disposed entrepreneurs resort to DDoS-on-demand services to disrupt their rivals’ activities. Because uninterrupted service availability is crucial to the business ecosystem, downtime can badly impact customer relations, cause serious reputation issues, and therefore entail significant financial losses.

DDoS is progressing in lockstep with global technological advancements. The rapid rise of the IoT, combined with notoriously poor security of connected smart devices, paved the way for the emergence of IoT botnets that fueled some of the most powerful incursions in history, with rogue traffic rates exceeding 1Tbps. Even worse, the 2020 reflection-based DDoS attack fired at Amazon Web Services (AWS) reportedly reached 2.3Tbps.

All in all, DDoS has been giving organizations and governments a heads-up for more than two decades, and it is not easing the grip. In Q1 2020, the number of these raids doubled compared to Q4 2019, which means that the menace is escalating. The following paragraphs will highlight significant milestones in the evolution of this cybercrime mechanism to show you the big picture.

1996: the first known DDoS raid

The wakeup call was a 1996 attack targeting Panix, the oldest Internet Service Provider (ISP) in New York. An unidentified adversary swamped its computer systems with an SYN flood. This method exploits the TCP three-way handshake process by deluging a network with numerous fraudulent SYN (synchronize) packets coming from a spoofed IP address. As a result, the target runs out of resources and cannot process requests from legitimate users. It took Panix roughly 36 hours to get back on track.

2000: DDoS goes pro, hacktivism kicks in

The tactics, techniques, and procedures (TTP) of DDoS operators took a leap in February 2000, when Amazon, eBay, Yahoo!, Dell, CNN, and FIFA underwent a massive attack launched by Michael Calce, a Canadian teenager going by the online alias “Mafiaboy.”

To set the onslaught in motion, the ne’er-do-well used a tool called TFN2 that harnessed a network of previously infected computers to generate a large amount of malicious web traffic. To fly under the radar of traditional protection mechanisms, this offensive application could tamper with the encryption of network communication protocols.

In early 2008, rebellious online activists jumped on the hype train to wage an ideological war against controversial laws and societal trends. The Anonymous hacker group perpetrated the so-called Operation Chanology, taking down the website of the Church of Scientology via a 220Mbps attack. The hacktivists mostly weaponized open-source network stress testing solutions, Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC), to deluge victim networks with malicious traffic.

LulzSec, another high-profile gang of black hats, soon followed suit. These hackers gained notoriety for knocking the official CIA website off the Internet on June 15, 2011. Five days later, they orchestrated a DDoS attack against a UK national law enforcement entity called the Serious Organized Crime Agency (SOCA). Their targets also included several Portuguese and Brazilian government sites.

2007: DDoS becomes a threat to nation-states

DDoS extended its reach beyond pranks and hacktivism in 2007, turning into serious warfare used against governments. Estonia became the first playground for this unnerving shift. After this small European country departed from the Soviet Union, Russian authorities condemned some of its political initiatives. In one game-changing episode, the confrontation went cyber.

When Estonian officials decided to move the Bronze Soldier monument (the symbol of USSR victory over Nazism) outside of the capital city Tallinn, the country found itself in a DDoS snafu that badly hit its governmental sites. The targets included the sites for the prime minister’s office and the presidential palace.

The destructive flood of web traffic reportedly came from Russian IP addresses. The Estonian government later claimed the attack was carried out by the Kremlin as a sign of retaliation.

In July 2009, several dozen U.S. government websites, including those used by the Pentagon, the Department of Defense, and the White House, underwent a series of DDoS attacks. Evidence showed that this campaign was likely orchestrated by North Korean state-sponsored advanced persistent threat (APT) groups.

In August 2009, social networking giants Facebook, Twitter, and LiveJournal experienced DDoS incursions after a blogger named Georgy published materials revealing the truth about Russia’s military campaign in Georgia. These attacks brought down Twitter for several hours and disrupted the other two services. Some researchers have since attributed this foul play to the Russian government, although these statements remain in the realm of speculations.

2016: DDoS via IoT botnets makes its debut

The Internet of Things captures everyone’s imagination for a reason: the increasingly intelligent and ubiquitous connected devices make complicated things easy and bring cutting-edge technologies to users’ fingertips. This awesomeness has a flip side, though. In an attempt to win the tech race, some manufacturers prioritize the user experience and neglect security.

These slip-ups play into cybercriminals’ hands by turning Internet-enabled devices into low-hanging fruit. DDoS actors piggybacked on crudely protected IoT appliances for the first time in October 2016. They used a botnet consisting of hundreds of thousands of these devices to drain the resources of Dyn, a prominent online infrastructure company. The power of this attack was estimated at more than 1Tbps. It took down Reddit, Etsy, Spotify, the sites for CNN and the New York Times, as well as dozens of other well-known services.

The rise of 5G is considered to be an extra factor that will facilitate IoT-based DDoS assaults. From a malefactor’s perspective, higher speeds and bandwidth translate to more effective traffic amplification stratagems. Since smart devices will be growingly using next-generation mobile connectivity in the near future, IoT botnets will become a yet more powerful instrument in DDoS operators’ toolkit.

2018: ransom DDoS comes into existence and perseveres

Extortion is a particularly tricky motivation behind DDoS raids. This vector was first spotted in 2018 when malicious actors started executing what is called “memcached” attacks. The gist of this tactic is to mishandle a data caching service widely adopted in cloud server environments. This framework relies on the User Datagram Protocol (UDP) communications that do not support authentication and can be easily exploited.

Criminals torpedo “memcached” servers with UDP requests containing a target server’s IP address. In response, the server sends packets back to that IP, only to overwhelm the victim’s processing capacity. To top it off, this method allows an adversary to amplify the traffic up to 20 times.

When researchers analyzed one of the early “memcached” attacks, they came across a ransom note injected into the rogue traffic. It demanded 50 XMR (Monero cryptocurrency) for discontinuing the assault.

As time went by, the extortion tactics of DDoS actors became much more straightforward. They started contacting intended victims over email instead of obfuscating ransom notes in strings of offensive code. Their narrative is straightforward: pay or be brought offline. Interestingly, these blackmail threats are often made before any anomalous traffic begins hitting servers, so it may be hard to distinguish between a real menace and an outright bluff.

This tactic gained momentum in August 2020, when thousands of companies around the world received ransom threats from cyber criminals claiming to represent high-profile hacker communities such as Lazarus Group, Fancy Bear, and Armada Collective. The felons demand 10-20 BTC (worth about $104,000-$208,000) per organization for not executing a 2Tbps DDoS attack against its digital infrastructure. The amount will be supposedly increasing by another 10 BTC after every missed six-day deadline.

According to the FBI’s Flash Alert on this matter, many organizations did not report any abnormal traffic rates after the deadline expired. Some of the targets, though, did experience low-impact DDoS assaults that were successfully mitigated. One way or another, the agency emphasizes that this is an “active campaign” and the risks should not be underestimated.

The present-day: multi-pronged attacks

Having gone through decades of evolution, DDoS is now being growingly harnessed in hybrid attacks that combine different techniques under the same umbrella. The above-mentioned ransom approach is a good example. Although sometimes these extortion attempts are all bark and no bite, the use of DDoS as a scare element could be enough to bilk organizations of money.

An incredibly unorthodox mechanism is to leverage a real DDoS raid to smokescreen other forms of malicious exploitation. While a target’s IT personnel is busy tackling the anomalous flood of malformed traffic packets, bad actors can quietly perpetrate something unrelated. In this scenario, adversaries typically distract their targets from malware deployment, financial frauds, sensitive data theft, or phishing scams such as business email compromise (BEC).

By and large, DDoS continues to be a major player in the cybercrime arena, and organizations should add the appropriate defenses to their security equation if they haven’t already. The use of a web application firewall (WAF) and a trusted cloud-based threat mitigation service such as Akamai or Cloudflare can step up the protection considerably.

Security analysts also recommend ignoring ransom demands if malefactors threaten to knock an enterprise network offline in case of non-payment. Successful extortion encourages attackers to boost their foul play. Furthermore, many of these blackmail attempts revolve around empty threats that will never be fulfilled.

About the Author

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the PrivacyPC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, malware removal, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Previous Article
IoT Device Security Conference Goes Virtual, Featuring Presentations from IAR Systems, The Trusted Computing Group, Cypress, and More
IoT Device Security Conference Goes Virtual, Featuring Presentations from IAR Systems, The Trusted Computing Group, Cypress, and More

Technical Conference is Dedicated to Securing Today’s Connected Devices, using AI/Machine Learning and othe...

Next White Paper
The Digital Signage Business Transformation
The Digital Signage Business Transformation

The advent of new technologies—and the resulting rollout of value-added services—has brought about seismic ...