25 years of DDoS.

Author: Afzal, Aftab

It has been 25 years since the first DDoS attack, and since then the world has witnessed many variants which all share the same result: disrupting the availability of the target host and its services. At the same time, we have seen a similar evolution in DDoS protection technologies, as well as improvements to enable anti-DDoS to interact with evolving technologies. But how has the DDoS attack evolved over the past 25 years? Has the ever growing Internet of Things affected the growth of DDoS attacks at all? And what can we expect in the future?

The history of DDoS attack events is full of "legendary" stories, with the first DDoS attack dating back to 1988 when Robert Morris wrote a self-replicating computer program (the Morris worm) which had a major impact on the Internet. This Trojan virus was quickly detected as it spread, because of the rate at which it consumed system resources. Although Morris did not launch attacks by controlling infected computers in a centralised way, his work formed the basis for DDoS attacks that exploit botnets. In fact, even today, injecting a Trojan virus by exploiting system vulnerabilities and then launching attacks against the target through a botnet is the most common DDoS attack method.

In 1996, a real DDoS attack--the Panix Attack--occurred, which affected commercial institutions' operations and caused huge losses. During the attack, a large number of SYN packets were sent, which caused the server to become unresponsive to customers' normal requests. At that time, the US Community Emergency Response Team (CERT) issued an advisory (CA-1996-21) to protect against fake (spoofed) IP addresses. Affected organisations were able to install a filter on their routers to drop the attack traffic. Since then, Linux patch 2.0.30 has introduced the concept of SYN cookie protection against SYN flood attacks.
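The SYN cookie idea mentioned above is simple enough to show in a few lines: instead of reserving a half-open connection entry for every SYN it receives, the server encodes what it needs to know into the initial sequence number of its SYN-ACK, and only allocates state when a valid ACK comes back. The sketch below is an added example, not code from the article or from the Linux kernel; it follows the classic 32-bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) but uses HMAC-SHA256 as the hash, a 64-second counter tick, a small constructed MSS table and constructed sample addresses, all of which are assumptions for illustration.

```python
"""Illustrative SYN-cookie encode/verify (added example, not kernel code).

The server's initial sequence number (ISN) carries:
  bits 27..31  low 5 bits of a coarse time counter
  bits 24..26  index into a small MSS table
  bits  0..23  keyed hash over the connection 4-tuple and the counter
so no half-open state is stored while a SYN flood is under way.
"""
import hashlib
import hmac
import os

# Server-side secret. A real kernel rotates this periodically; here it is
# generated once per process (assumption for the example).
_SECRET = os.urandom(32)

# MSS values the 3-bit index can name (constructed table for this example).
MSS_TABLE = [536, 1300, 1440, 1460]

COUNTER_PERIOD = 64   # seconds per counter tick (assumption)
MAX_COOKIE_AGE = 1    # accept cookies from the current and the previous tick


def _counter(now: float) -> int:
    """Coarse time counter; only its low 5 bits travel inside the cookie."""
    return int(now // COUNTER_PERIOD)


def _mac(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
         counter: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                    client_mss: int, now: float) -> int:
    """ISN to put in the SYN-ACK instead of allocating a backlog entry."""
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):       # largest table entry <= client MSS
        if mss <= client_mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def verify_syn_cookie(ack_seq: int, src_ip: str, src_port: int, dst_ip: str,
                      dst_port: int, now: float):
    """Validate the ACK of a third-handshake packet.

    Returns the MSS to use for the new connection, or None if the ACK does not
    carry a cookie we issued recently for this exact 4-tuple. Only on success
    does the server create connection state.
    """
    cookie = (ack_seq - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = _counter(now)
    for age in range(MAX_COOKIE_AGE + 1):    # tolerate a slow third packet
        candidate = current - age
        if (candidate & 0x1F) != t:
            continue
        expected = _mac(src_ip, src_port, dst_ip, dst_port, candidate)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed sample handshake: client 203.0.113.5 -> server 198.51.100.10:80
    now = 1_700_000_000.0
    isn = make_syn_cookie("203.0.113.5", 40000, "198.51.100.10", 80, 1460, now)
    print("issued ISN:", hex(isn))
    print("valid ACK  ->", verify_syn_cookie(isn + 1, "203.0.113.5", 40000,
                                             "198.51.100.10", 80, now))
    print("stale ACK  ->", verify_syn_cookie(isn + 1, "203.0.113.5", 40000,
                                             "198.51.100.10", 80,
                                             now + 3 * COUNTER_PERIOD))
    print("forged ACK ->", verify_syn_cookie(isn + 7, "203.0.113.5", 40000,
                                             "198.51.100.10", 80, now))
```

The point to take away is what a spoofed SYN costs the server: a hash computation and one reply packet, but no memory, so the backlog that the Panix attack exhausted never fills. The price is the information squeezed into 32 bits (only a coarse MSS and a short validity window), which is why production stacks enable cookies only once the backlog overflows.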

The DDoS attacks with far-reaching impact date back to February 2000, when Yahoo, eBay and Amazon were attacked in the US. Mafiaboy (the Internet alias of Michael Calce) used the attack tool TFN2 to launch distributed attacks against these commercial websites in an attempt to "control the Internet". TFN2 launches distributed attacks by means of botnets, and can encrypt its command-and-control communication protocols in order to evade detection.


In July 2001, the Code Red worm exploited a vulnerability in Internet information services (IIS), taking over control systems and forcing them to attack other targets. A...