The Rise of DDoS Attacks: A New Era in Cybersecurity
Twenty years ago, the world encountered its first DDoS (Distributed Denial of Service) attack, marking the beginning of a new era in cybersecurity. Since then, the scale and capabilities of cybercriminals organizing such attacks have grown significantly, turning DDoS into a major segment of the criminal underworld. This article explores what DoS and DDoS attacks are, who organizes them and why, and what the future may hold.
The First DDoS Attack: University of Minnesota, 1999
On July 22, 1999, the University of Minnesota’s server stopped responding to requests. At first, administrators didn’t think much of it—such outages had happened before. But after analyzing network traffic, they realized the server was under attack, unlike anything seen before. This was the dawn of the DDoS era.
The server was attacked using a malicious script called Trinoo, written by a young man from New Orleans known as phifli. Trinoo exploited a buffer overflow vulnerability to infect Linux computers, creating a botnet of hundreds of machines ready to attack a target server on command using UDP flooding techniques.
What Makes a DoS Attack?
To understand what made this attack unique, it’s important to first define a Denial of Service (DoS) attack. The goal of a DoS attack is to disrupt the normal operation of a targeted system or make network resources inaccessible, using a variety of techniques.
DoS attacks have a long history. The first recorded successful attack dates back to 1974, when 13-year-old David Dennis caused disruptions in the computer terminals at the University of Illinois’ Computer-Based Education Research Laboratory. By exploiting a flaw in the PLATO terminal system, he managed to freeze 31 terminals simultaneously with a simple program.
A Simple Analogy: The Doctor’s Office Queue
To explain DoS and DDoS attacks to someone unfamiliar with computers, consider this analogy:
Imagine you’re waiting in line at a doctor’s office. Just as your turn arrives, someone barges in saying, “I just have a quick question,” but then stays in the doctor’s office for hours. The line is confused, the workday ends, and the intruder refuses to leave. This is a classic DoS attack.
If a whole crowd of people does the same thing, constantly distracting the doctor and preventing the line from moving, you’re experiencing a DDoS attack.
The 1990s: The Golden Age of DoS Attacks
The real boom in DoS attacks came in the late 1990s, with the rise of utilities that could flood a network connection (especially easy in the era of dial-up and slow internet) or crash remote computers. These programs, known as “nukes” (after the popular WinNuke utility), were widely used in online chat wars. The term “to nuke” even became common slang. Many nukes offered multiple attack types and were user-friendly, even for beginners.
Interestingly, users could accidentally DoS their own computers by entering 127.0.0.1 (the local address) as the attack target, making themselves the victim.
DoS attacks didn’t always require special tools; even standard operating system commands like ping could be used for attacks.
The Evolution to DDoS
DDoS attacks are an evolution of DoS attacks. In a DDoS attack, the target server is bombarded by traffic from many computers or devices at once, greatly increasing the intensity and making it possible to take down even large, well-protected systems.
This is exactly what happened to the University of Minnesota’s server in 1999, when 114 Trinoo-infected computers began flooding it with UDP packets.
How Botnets Work
A standard botnet-based attack, like Trinoo, works as follows: The attacker creates a botnet—a network of “zombie” computers infected with malware. Infection can happen through various means, from phishing emails to self-propagating worms that exploit vulnerabilities. Infected computers report to a command center and await instructions.
Once the botnet is ready, the attacker commands it to launch an attack, causing all infected machines to send traffic to the target server, aiming to disrupt or disable it.
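One way to tell a single-source flood (a 1990s-style nuke) from a Trinoo-style distributed UDP flood when analyzing traffic logs, as an added example that is not part of the original article: the flow records, the RFC 5737 documentation addresses, and the rate and source-count thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow log (not from the article): one UDP packet per record,
# as (timestamp_seconds, src_ip, dst_ip, protocol, dst_port).
CONSTRUCTED_FLOWS = (
    # normal DNS traffic to 192.0.2.10 from a handful of clients
    [(t, f"198.51.100.{10 + t % 3}", "192.0.2.10", "UDP", 53) for t in range(5)]
    # single-source UDP flood against 192.0.2.20: a classic DoS
    + [(t % 10, "198.51.100.5", "192.0.2.20", "UDP", 7) for t in range(300)]
    # the same volume spread over 120 zombies against 192.0.2.30: a DDoS
    + [(t % 10, f"203.0.113.{t % 120 + 1}", "192.0.2.30", "UDP", 7) for t in range(300)]
    # a TCP record, which the UDP-flood detector ignores
    + [(1, "198.51.100.9", "192.0.2.20", "TCP", 80)]
)


def analyze_udp_floods(flows, window=10, pps_threshold=20, min_sources=10):
    """Bucket UDP records per (destination, time window) and label each bucket.

    Returns {(dst_ip, window_index): (packets, distinct_sources, label)} where
    label is "normal", "dos" (flood from one or a few sources) or "ddos"
    (flood from at least min_sources distinct sources). Thresholds are assumed.
    """
    packets = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, proto, _port in flows:
        if proto != "UDP":
            continue
        key = (dst, ts // window)
        packets[key] += 1
        sources[key].add(src)

    verdicts = {}
    for key, count in packets.items():
        pps = count / window  # average packets per second in this window
        if pps < pps_threshold:
            label = "normal"
        elif len(sources[key]) >= min_sources:
            label = "ddos"
        else:
            label = "dos"
        verdicts[key] = (count, len(sources[key]), label)
    return verdicts


if __name__ == "__main__":
    for (dst, win), (count, nsrc, label) in sorted(analyze_udp_floods(CONSTRUCTED_FLOWS).items()):
        print(f"{dst} window {win}: {count} UDP pkts from {nsrc} sources -> {label}")
```

The same per-destination aggregation can be fed from real flow exports (NetFlow, sFlow, firewall logs) once the record fields are mapped.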
From Curiosity to Crime
The University of Minnesota attack was the first in a series of DDoS attacks using Trinoo. Six months later, in early 2000, even more secure servers belonging to giants like CNN, Amazon, eBay, and Yahoo were hit by similar attacks, orchestrated by a Canadian hacker known as Mafiaboy, who had built a massive botnet.
The next major botnet, built by the Mytob worm and created by an 18-year-old hacker, quickly spread worldwide and enabled attacks on the largest online resources of the time.
Initially, DDoS attacks were carried out of curiosity or mischief, not for profit. But soon, cyber extortionists realized their potential, and DDoS became a lucrative criminal business. The scheme is simple: attackers disrupt a major website, then demand a ransom from its owners. Since downtime can cost companies huge sums and defending against large-scale DDoS attacks is difficult, many prefer to pay up.
Extortion is just one use for DDoS attacks. Today, they are tools for hacking, competitive and political warfare, activism, and even school pranks—like students taking down online gradebooks to hide their grades from parents.
Modern DDoS Techniques and Threats
DDoS attacks can use a variety of techniques. For example, one of the largest DDoS botnets, Mirai, consists of hundreds of thousands of infected smart devices, especially home and office IP cameras. Mass infection often happens because owners leave default logins and passwords unchanged. If you don’t want your IP camera secretly participating in attacks across the globe, make sure to set a strong password instead of the default “admin-admin.”
DDoS attacks don’t always require botnets; they can also be carried out manually. Special programs, descendants of the 1990s nukes, are used by hundreds or thousands of users at once to target a victim. Some online forums and social media groups even coordinate these “manual” DDoS attacks.
Sometimes, DDoS attacks happen unintentionally. For example, if a popular website links to an interesting article hosted on a weak server, thousands of visitors may overwhelm it, causing it to crash.
The Ongoing Evolution and Impact of DDoS Attacks
Over the past 20 years, DDoS attacks have evolved dramatically. As network bandwidth and server performance have increased, so has the intensity of attacks. Experts keep registering new record-breaking attack volumes, and botnets grow stronger, adding thousands of zombie devices.
There have been truly alarming incidents, such as attacks on root DNS servers, which could disrupt the global internet addressing system and, under certain conditions, disconnect entire countries.
DDoS attacks have repeatedly been declared “dead,” but they remain a persistent threat. Today, hacker groups specialize exclusively in DDoS attacks, offering their services for a fee to anyone interested.
Despite their apparent simplicity, DDoS attacks pose a serious threat to the normal functioning of internet infrastructure, increase network load, and cause millions in losses to the global economy every year. Most countries now have administrative or criminal penalties for DDoS attacks, but the problem is far from solved.
The Future of DDoS Attacks
Will DDoS attacks disappear in the coming decades? Most likely not—they have become an integral part of the modern internet. The genie is out of the bottle, and it’s unlikely we’ll put it back in.
However, we can reduce the commercial appeal of this criminal business by protecting our computers and smart devices from malware that seeks to recruit them into botnets. It’s also important not to pay ransoms to attackers, undermining the economic foundation of their activities.
The University of Minnesota’s server was under attack for only a few days. Administrators worked around the clock, configuring network filters, analyzing logs, and doing everything they could to fight back. In the end, they succeeded and finally got some rest. But the consequences of that attack have kept cybersecurity experts up at night for the past 20 years.