{"id":10162,"date":"2020-10-09T10:37:03","date_gmt":"2020-10-09T10:37:03","guid":{"rendered":"https:\/\/www.experfy.com\/blog\/?p=10162"},"modified":"2023-10-24T16:01:17","modified_gmt":"2023-10-24T16:01:17","slug":"history-evolution-of-ddos-attacks","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/history-evolution-of-ddos-attacks\/","title":{"rendered":"The History and Evolution of DDoS Attacks"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"10162\" class=\"elementor elementor-10162\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-1a4f6e75 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1a4f6e75\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1420a6b6\" data-id=\"1420a6b6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-15691086 elementor-widget elementor-widget-text-editor\" data-id=\"15691086\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tDistributed denial-of-service (DDoS) is one of the oldest and the most dynamically advancing vectors of cybercrime. 
Having taken root in the mid-1990s as a rudimentary instrument for electronic vandalism, hacktivist protest, or script kiddies\u2019 ego boost, this phenomenon has matured and embraced more detrimental uses over the last 25 years.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cb1921a elementor-widget elementor-widget-text-editor\" data-id=\"cb1921a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tNowadays, threat actors increasingly leverage DDoS for extortion by demanding money for not blasting computer networks. In some scenarios, it is used as a sideshow that distracts a victim from main hazardous activities, such as a data breach or a ransomware onslaught.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-04501a3 elementor-widget elementor-widget-text-editor\" data-id=\"04501a3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAs if these evil motivations weren\u2019t enough, this technique has become an element of unethical business competition, where ill-disposed entrepreneurs resort to DDoS-on-demand services to disrupt their rivals\u2019 activities. 
Because uninterrupted service availability is crucial to the business ecosystem, downtime can badly impact customer relations, cause serious reputation issues, and therefore entail significant financial losses.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-92a7a9b elementor-widget elementor-widget-text-editor\" data-id=\"92a7a9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tDDoS is progressing in lockstep with global technological advancements. The rapid rise of the IoT, combined with notoriously poor security of connected smart devices, paved the way for the emergence of IoT botnets that fueled some of the most powerful incursions in history, with rogue traffic rates exceeding 1Tbps. Even worse, the 2020 reflection-based DDoS attack fired at Amazon Web Services (AWS)\u00a0<a href=\"https:\/\/www.cbronline.com\/news\/record-ddos-attack-aws\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"broken_link\">reportedly reached<\/a>\u00a02.3Tbps.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-588dc18 elementor-widget elementor-widget-text-editor\" data-id=\"588dc18\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAll in all, DDoS has been giving organizations and governments a heads-up for more than two decades, and it is not easing the grip. In Q1 2020, the number of these raids\u00a0<a href=\"https:\/\/securelist.com\/ddos-attacks-in-q1-2020\/96837\/\" target=\"_blank\" rel=\"noreferrer noopener\">doubled<\/a>\u00a0compared to Q4 2019, which means that the menace is escalating. 
The following paragraphs will highlight significant milestones in the evolution of this cybercrime mechanism to show you the big picture.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-f7fe4b7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f7fe4b7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e9c6cd9\" data-id=\"e9c6cd9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-22cf57f elementor-widget elementor-widget-heading\" data-id=\"22cf57f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">1996: the first known DDoS raid<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-ffe7922 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ffe7922\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-18175db\" data-id=\"18175db\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7c51b53 elementor-widget elementor-widget-text-editor\" data-id=\"7c51b53\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe wakeup call was a 1996 attack targeting Panix, the oldest Internet Service Provider (ISP) in New York. An unidentified adversary swamped its computer systems with an SYN flood. This method exploits the TCP three-way handshake process by deluging a network with numerous fraudulent SYN (synchronize) packets coming from a spoofed IP address. As a result, the target runs out of resources and cannot process requests from legitimate users. It took Panix roughly 36 hours to get back on track.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-bd66ef5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bd66ef5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6896526\" data-id=\"6896526\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d205fce elementor-widget elementor-widget-heading\" data-id=\"d205fce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2000: DDoS goes pro, 
hacktivism kicks in<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-1f5240c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1f5240c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a6536da\" data-id=\"a6536da\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5e0cad7 elementor-widget elementor-widget-text-editor\" data-id=\"5e0cad7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe tactics, techniques, and procedures (TTP) of DDoS operators took a leap in February 2000, when Amazon, eBay, Yahoo!, Dell, CNN, and FIFA underwent a massive attack launched by Michael Calce, a Canadian teenager going by the online alias \u201cMafiaboy.\u201d\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-75bf036 elementor-widget elementor-widget-text-editor\" data-id=\"75bf036\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tTo set the onslaught in motion, the ne\u2019er-do-well used a tool called TFN2 that harnessed a network of previously infected computers to generate a large amount of malicious web traffic. 
To fly under the radar of traditional protection mechanisms, this offensive application could tamper with the encryption of network communication protocols.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-289cfbd elementor-widget elementor-widget-text-editor\" data-id=\"289cfbd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn early 2008, rebellious online activists jumped on the hype train to wage an ideological war against controversial laws and societal trends. The Anonymous hacker group perpetrated the so-called\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Project_Chanology\" target=\"_blank\" rel=\"noreferrer noopener\">Operation Chanology<\/a>, taking down the website of the Church of Scientology via a 220Mbps attack. The hacktivists mostly weaponized open-source network stress testing solutions, Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC), to deluge victim networks with malicious traffic.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f9204e5 elementor-widget elementor-widget-text-editor\" data-id=\"f9204e5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tLulzSec, another high-profile gang of black hats, soon followed suit. These hackers\u00a0<a href=\"https:\/\/nakedsecurity.sophos.com\/2011\/06\/15\/cia-website-down-hackers-lulzsec\/\" target=\"_blank\" rel=\"noreferrer noopener\">gained notoriety<\/a>\u00a0for knocking the official CIA website off the Internet on June 15, 2011. Five days later, they orchestrated a DDoS attack against a UK national law enforcement entity called the Serious Organized Crime Agency (SOCA). 
Their targets also included several Portuguese and Brazilian government sites.<!-- \/wp:paragraph -->\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-6564b79 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6564b79\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c79ef83\" data-id=\"c79ef83\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-08c667b elementor-widget elementor-widget-heading\" data-id=\"08c667b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2007: DDoS becomes a threat to nation-states<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-b0c11c8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b0c11c8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b50ca50\" data-id=\"b50ca50\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-553505e elementor-widget elementor-widget-text-editor\" data-id=\"553505e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tDDoS extended its reach beyond pranks and hacktivism in 2007, turning into serious warfare used against governments. Estonia became the first playground for this unnerving shift. After this small European country departed from the Soviet Union, Russian authorities condemned some of its political initiatives. In one game-changing episode, the confrontation went cyber.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-73e245b elementor-widget elementor-widget-text-editor\" data-id=\"73e245b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhen Estonian officials decided to move the Bronze Soldier monument (the symbol of USSR victory over Nazism) outside of the capital city Tallinn, the country found itself in a DDoS snafu that badly hit its governmental sites. The targets included the sites for the prime minister\u2019s office and the presidential palace.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3776729 elementor-widget elementor-widget-text-editor\" data-id=\"3776729\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe destructive flood of web traffic reportedly came from Russian IP addresses. 
The Estonian government later\u00a0<a href=\"https:\/\/www.bbc.com\/news\/39655415\" target=\"_blank\" rel=\"noreferrer noopener\">claimed<\/a>\u00a0the attack was carried out by the Kremlin as a sign of retaliation.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5aef865 elementor-widget elementor-widget-text-editor\" data-id=\"5aef865\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn July 2009, several dozen U.S. government websites, including those used by the Pentagon, the Department of Defense, and the White House, underwent a series of DDoS attacks. Evidence showed that this campaign was likely orchestrated by North Korean state-sponsored advanced persistent threat (APT) groups.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-761afd9 elementor-widget elementor-widget-text-editor\" data-id=\"761afd9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn August 2009, social networking giants Facebook, Twitter, and LiveJournal\u00a0<a href=\"https:\/\/www.theguardian.com\/world\/2009\/aug\/07\/georgian-blogger-accuses-russia\" target=\"_blank\" rel=\"noreferrer noopener\">experienced DDoS incursions<\/a>\u00a0after a blogger named Georgy published materials revealing the truth about Russia\u2019s military campaign in Georgia. These attacks brought down Twitter for several hours and disrupted the other two services. 
Some researchers have since attributed this foul play to the Russian government, although these statements remain in the realm of speculations.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-7db8a57 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7db8a57\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3606f09\" data-id=\"3606f09\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-059df1a elementor-widget elementor-widget-heading\" data-id=\"059df1a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2016: DDoS via IoT botnets makes its debut<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-0d91d9e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0d91d9e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d7b321f\" data-id=\"d7b321f\" data-element_type=\"column\" 
data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eaea106 elementor-widget elementor-widget-text-editor\" data-id=\"eaea106\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe Internet of Things captures everyone\u2019s imagination for a reason: the increasingly intelligent and ubiquitous connected devices make complicated things easy and bring cutting-edge technologies to users\u2019 fingertips. This awesomeness has a flip side, though. In an attempt to win the tech race, some manufacturers prioritize the user experience and neglect security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-51211a9 elementor-widget elementor-widget-text-editor\" data-id=\"51211a9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThese slip-ups play into cybercriminals\u2019 hands by turning Internet-enabled devices into low-hanging fruit. DDoS actors piggybacked on crudely protected IoT appliances for the first time in October 2016. They used a botnet consisting of hundreds of thousands of these devices to drain the resources of Dyn, a prominent online infrastructure company. The power of this attack was estimated at more than 1Tbps. 
It\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/2016_Dyn_cyberattack\" target=\"_blank\" rel=\"noreferrer noopener\">took down<\/a>\u00a0Reddit, Etsy, Spotify, the sites for CNN and the New York Times, as well as dozens of other well-known services.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-603953b elementor-widget elementor-widget-text-editor\" data-id=\"603953b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe rise of 5G is considered to be an extra factor that will facilitate IoT-based DDoS assaults. From a malefactor\u2019s perspective, higher speeds and bandwidth translate to more effective traffic amplification stratagems. Since smart devices will be growingly using next-generation mobile connectivity in the near future, IoT botnets will become a yet more powerful instrument in DDoS operators\u2019 toolkit.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-23ebcd8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"23ebcd8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-afb33cf\" data-id=\"afb33cf\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3d76979 elementor-widget elementor-widget-heading\" data-id=\"3d76979\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2018: ransom DDoS comes into existence and perseveres<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-3470d6a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3470d6a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-74b4c3b\" data-id=\"74b4c3b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f98e304 elementor-widget elementor-widget-text-editor\" data-id=\"f98e304\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tExtortion is a particularly tricky motivation behind DDoS raids. This vector was first spotted in 2018 when malicious actors started executing what is called \u201cmemcached\u201d attacks. The gist of this tactic is to mishandle a data caching service widely adopted in cloud server environments. 
This framework relies on User Datagram Protocol (UDP) communications, which do not support authentication and can be easily exploited.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50cb4b4 elementor-widget elementor-widget-text-editor\" data-id=\"50cb4b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tCriminals torpedo \u201cmemcached\u201d servers with UDP requests containing a target server\u2019s IP address. In response, the servers send packets back to that IP, overwhelming the victim\u2019s processing capacity. To top it off, this method allows an adversary to amplify the traffic up to 20 times.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-09fedbe elementor-widget elementor-widget-text-editor\" data-id=\"09fedbe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhen researchers analyzed one of the early \u201cmemcached\u201d attacks, they came across a\u00a0<a href=\"https:\/\/krebsonsecurity.com\/2018\/03\/powerful-new-ddos-method-adds-extortion\/\" target=\"_blank\" rel=\"noreferrer noopener\">ransom note<\/a>\u00a0injected into the rogue traffic. It demanded 50 XMR (Monero cryptocurrency) for discontinuing the assault.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-35fb60f elementor-widget elementor-widget-text-editor\" data-id=\"35fb60f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAs time went by, the extortion tactics of DDoS actors became much more straightforward. 
They started contacting intended victims over email instead of obfuscating ransom notes in strings of offensive code. Their narrative is straightforward: pay or be brought offline. Interestingly, these blackmail threats are often made before any anomalous traffic begins hitting servers, so it may be hard to distinguish between a real menace and an outright bluff.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26539c elementor-widget elementor-widget-text-editor\" data-id=\"f26539c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis tactic\u00a0<a href=\"https:\/\/security.radware.com\/ddos-threats-attacks\/threat-advisories-attack-reports\/global-ransom-ddos-campaign-targeting-finance-travel-ecommerce\/\" target=\"_blank\" rel=\"noreferrer noopener\">gained momentum<\/a>\u00a0in August 2020, when thousands of companies around the world received ransom threats from cyber criminals claiming to represent high-profile hacker communities such as Lazarus Group, Fancy Bear, and Armada Collective. The felons demand 10-20 BTC (worth about $104,000-$208,000) per organization for not executing a 2Tbps DDoS attack against its digital infrastructure. 
The amount will supposedly increase by another 10 BTC after every missed six-day deadline.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-730aa24 elementor-widget elementor-widget-text-editor\" data-id=\"730aa24\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAccording to the FBI\u2019s\u00a0<a href=\"https:\/\/www.documentcloud.org\/documents\/7070798-FLASH-MU-000132-DD.html\" target=\"_blank\" rel=\"noreferrer noopener\">Flash Alert<\/a>\u00a0on this matter, many organizations did not report any abnormal traffic rates after the deadline expired. Some of the targets, though, did experience low-impact DDoS assaults that were successfully mitigated. One way or another, the agency emphasizes that this is an \u201cactive campaign\u201d and the risks should not be underestimated.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-f5c78b3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f5c78b3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7b546cd\" data-id=\"7b546cd\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3c2b97a elementor-widget elementor-widget-heading\" data-id=\"3c2b97a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">The present-day: multi-pronged attacks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-11fd4b5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"11fd4b5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3fe9eb6\" data-id=\"3fe9eb6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4dd7fd0 elementor-widget elementor-widget-text-editor\" data-id=\"4dd7fd0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tHaving gone through decades of evolution, DDoS is now being growingly harnessed in hybrid attacks that combine different techniques under the same umbrella. The above-mentioned ransom approach is a good example. 
Although sometimes these extortion attempts are all bark and no bite, the use of DDoS as a scare element could be enough to bilk organizations of money.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9f4d8a5 elementor-widget elementor-widget-text-editor\" data-id=\"9f4d8a5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAn incredibly unorthodox mechanism is to leverage a real DDoS raid to smokescreen other forms of malicious exploitation. While a target\u2019s IT personnel are busy tackling the anomalous flood of malformed traffic packets, bad actors can quietly perpetrate something unrelated. In this scenario, adversaries typically distract their targets from malware deployment, financial fraud, sensitive data theft, or phishing scams such as business email compromise (BEC).\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6d52b90 elementor-widget elementor-widget-text-editor\" data-id=\"6d52b90\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tBy and large, DDoS continues to be a major player in the\u00a0<a href=\"https:\/\/macsecurity.net\/view\/320-xxi-century-cybercrime-stats-what-to-expect-in-the-2020s\" target=\"_blank\" rel=\"noreferrer noopener\">cybercrime<\/a>\u00a0arena, and organizations should add the appropriate defenses to their security equation if they haven\u2019t already. 
The use of a web application firewall (WAF) and a trusted cloud-based threat mitigation service such as Akamai or Cloudflare can step up the protection considerably.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7d5e607 elementor-widget elementor-widget-text-editor\" data-id=\"7d5e607\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tSecurity analysts also recommend ignoring ransom demands if malefactors threaten to knock an enterprise network offline in case of non-payment. Successful extortion encourages attackers to boost their foul play. Furthermore, many of these blackmail attempts revolve around empty threats that will never be fulfilled.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Distributed denial-of-service (DDoS) is one of the oldest and the most dynamically advancing vectors of cybercrime. 
This technique has become an element of unethical business competition, where ill-disposed entrepreneurs resort to DDoS-on-demand services to disrupt their rivals\u2019 activities.<\/p>\n","protected":false},"author":934,"featured_media":10163,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[712,711,710],"ppma_author":[3911],"class_list":["post-10162","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-cybercrime","tag-ddos","tag-distributed-denial-of-service"],"authors":[{"term_id":3911,"user_id":934,"is_guest":0,"slug":"david-balaban","display_name":"David Balaban","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/10\/David-Balaban.-150x150.jpg","user_url":"https:\/\/privacy-pc.com\/%20","last_name":"Balaban","first_name":"David","job_title":"","description":"David Balaban, a computer security researcher in malware analysis and antivirus software evaluation, runs MacSecurity.net and Privacy-PC.com projects. They present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. 
He has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/10162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/934"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=10162"}],"version-history":[{"count":5,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/10162\/revisions"}],"predecessor-version":[{"id":33693,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/10162\/revisions\/33693"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/10163"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=10162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=10162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=10162"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=10162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}