The History of DDoS and DoS

Version 0.2

History repeats itself. The History History of DDoS and DoS illustrates how an attack vector from 1997 would reappear as “new” in 2007 and “never seen before” in 2017. History of DDoS and DoS is a living document is a tool to document (look for updates). Does not focus on the “biggest” or most “damaging” DDoS Attack. The focus is on the attack vectors and what the industry did to respond to the attack (even if the response was zero action). “History of DDoS and DoS” is not about sensational claims of “bigness.” Size does not matter. What matters is if the DDoS Attack succeeded.

Denial of Service (DoS) Attacks, Incidents, and Events have been with the Internet community since the early days of the ARPANET. They happened on all the early public networks (FidoNet, BBS networks, BITNET, etc.) and were part of the “mainframe” timeshare culture (where people locked each other out of terminals to get more machine time).

Some have a perception that DoS attacks are new. They are not. Some have a perception that just because DoS Attacks are not in the news they have “gone away.” The reality is that we will always have DoS Attacks. They will be with us for as long as we have a global interconnected network that interlinks people, machines, AIs, and things. 

What Causes DoD Attacks?

DoS Attacks and “Distributed DoS” attacks (DDoS) are caused by humans. People are behind all the intentional and unintentional DoS Attacks. The reasons vary but can be classified into five motivations:

Criminal Intent DoS. The human object is a criminal activity. These DoS attacks are the most common and range from someone getting paid to DoS, a company during a major event to knocking out competitive gamers to being a “ransomware payment motivator to a “DDoS Extortion” to a distraction to another criminal penetration/data exfiltration. The key with all these “DoS Flavors” is that there is some human motivation that society sees as illegal. 

Protesting, Politics, and Principled Passion DoS. The second most common DoS attacks are launched by people who are protesting, linked to politics, or projecting a “principle” using DoS as a statement. People banning together to DoS all the whaling operations is an example of DoS Protesting. Students all over China were launching tools to DoS the Japanese State Education board over the “new official history” is a protest DoS. The thing to remember with Protest DoS is that the collateral consequence can impact the Internet. In the old days, all this meant was a slower Internet. Today, a protest DoS can have a collateral impact on hospitals, voice connections, and other critical infrastructure. 

Nation-State Actors, State Controlled Influence Campaigns & Terrorist DoS. Nation-State threat actors launching DoS attacks are obvious but often overlooked. The Internet is an international battlespace. Counties in conflict can and will use the Internet as part of their conflict. Planning for these Nation-State Internet conflicts would be part of a DoS Resiliency plan. But, the more frequent “state interest” DoS would be launched indirectly via influence campaigns or by terrorists.  The 2006 Estonia attack is one classic example of a state actor using “influencers” to DoS Estonian interest. 

Corporate Competition. Corporations do compete. Some places have a clear understanding to conduct business transparently and fairly. But that is only in some parts of the world. Other parties may have rival companies “commission” DoS to embarrass their competition in the middle of an event. Yes, this has a cyberpunk/Shadowrun/Necromancer inference, but it should not be dismissed as a human DoS Motivator. 

Whoops – Unintentional Mistakes. The fifth motivator is not really a motivator, just a consequence. Some of the worse DoS incidents were not intentional but a consequence. The Morris Worm is one example where the intent was not to DoS systems all over the Internet. Slammer has also been deemed a mistake (a worm that came out of what looked like a test but got loose). No matter how we prepare for DoS incidents, we must remember that humans make mistakes that sometimes have consequences. Don’t get caught in a “failure of imagination.”

There are many reasons people launch DDoS Attacks. Some of those reasons are not obvious or part of larger strategies. 

DoS Reports – Don’t be deceived by DoS Bravado. 

Once a month, some vendor, operator, or new site will talk about the biggest, badest, most-ever DoS Attack. There will be new claims, “new DDoS trends,” and the “future of DoS.”  There will be warnings that “DoS is going to get worse,” and you better do something. Much of this is misogynistic, bragging about “who been the victim of the biggest.” It does not make sense to keep letting the world know about an ever-increasing capacity to cause DDoS damage. All it means is an ever-increasing cost to build a DDoS Resiliency infrastructure that can maintain the business. But, these reports are useful if you know their limitations. 

Limitation #1 – Each DoS report is from the point of view of that organization. 

NO ONE has an Internet-wide view of what is happening to DoS on the Internet. Each organization that reports on DoS has its point of view based on its surface area of DoS measurements. If a vendor sells DoS Scrubbing boxes, then their surface area of DoS measurement is the number of customers with those boxes in their network reporting to the vendor. If the vendor is a cloud operator, then their surface area of DoS measurement is the deployment of those cloud resources and the DoS traffic touching those locations. All of this means that no one report from anyone vendor will provide a comprehensive trend of what is happening with DoS on the Internet. 

Limitation #2 – Each DoS report sees the attack type that targets its customers. 

Scrubbing boxes in ISPs are often used to clean up attacks against residential customers under “gamer attacks.” Cloud operators in one part of the world are DDoS scrubbing attacks against SaaS deployments while cloud operators in other parts of the world are DDoS scrubbing video operations from their customers. Still, other vendors have their DoS scrubbing on financial services. All of these are different types of DoS attacks. It highlights the core point. An attack type that one vendor sees a lot of many never show up with another vendor whose customer mix is different. 

Recommendation – Combined all the surface area of DoS measurements from all the vendors. 

Do not dismiss any of the vendor reports, but knock away the DoS bravado and put the piece together. Each vendor’s report is valid from its measurement points. Push back on the vendors and ask about their “measurement points.” For example, if you ask Akamai, they would say we have DoS measurements from the Prolexic Scrubbing Centers, the global Web Application Firewall (WAF) service, and the entire Akamai Edge Platform. Gamer Attacks on residential customers would not show up on that surface area of DoS measurement, but network operators would see those. Plug all the DoS measurement puzzle pieces together and you have a really interesting view of the current DoS Risk. 

History of DDoS and DoS – A Timeline

People launching denials of service go way back to mainframe – timeshare days. They were used on bullet board systems (BBS). They were hacks into telephone networks. They were used by militaries as part of their electronic warfare operations. 

The key is to understand that as long as there was an operational system, there are human motivators to deny the use of that system from others. Denial of Service attacks will never go away as long as humans are in a “us or them” scarcity mentality – which is not going away any time soon. 

The First “DDoS Attack” – 1974

Perhaps one of the first “documented DoS Attacks happened in 1974. The story is shared by David Dennis who at the time was a 13-year-old student at the University

High School, located across the street from the Computer-Based Education Research Laboratory (CERL) at the University of Illinois Urbana-Champaign. David recently learned about a new command that could be run on CERL’s PLATO terminals. PLATO was one of the first computerized shared learning systems

and a forerunner of many future multi-user computing systems.

While we suspect DoS attacks happened in other systems, David’s account was the earliest expressed. This author was part of similar “DoS the terminals” on school mainframe systems in 1976. 

Morris Worm – 1988

Robert Tappan Morris developed his worm purely for research purposes (“to gauge the size of the Internet”). But like many “experiments” on the Internet, there was a bug in the code. A bug where the system could not check if the system already had the code installed. This bug causes the code to copy itself everywhere – infecting the ARPANET (+60K strong) and resulting in a network-wide DoS.  

Morris pleaded guilty, repented, and was given 400 hours’ community service and a fine of $10,000.

Early DoS Attacks – 1991 Desert Shield

What many people don’t realize is that Denial of Service (DoS) was common in the early days of the Internet. Core dump bomb (sending huge garbage files), overloading modem banks, and various packet floods were part of the “back and forth.” During the 1991 Desert Shield build-ups, DoS packet floods against US targets did happen. There were not long-term attacks, because 1) sending packets to cost the attacker money and 2) the DoS flood choked up the link for the attacker. Think of a 256K international circuit. The irony is that back in 1991 we got spoofed UDP flood and TCP SYN floods. 30 years later what do we get – UDP flood and TCP SYN floods.

DDoS Watershed. One interesting thing evolved from those attacks. The Cisco AGS+ could not effectively drop a large number of UDP packets with their Access Control List (ACLs). When these attacks happened, it was found that you can connect an AUI Ethernet to coax the transceiver and terminate the coax with a T-connector (an old radar trick). You then configure the AGS+ with a static MAC to that ethernet and forward all the UDP packets to the “pretend ethernet.” The packets were able to “cloud out the ethernet” faster than trying to process a drop in an ACL.

This was our first DDoS Shunt. It was the grandsire to BGP Shunts, Scrubbing centers, Sinkholes, Remote Triggered Block Hole (RTBH), and all the other approaches where we “route” unwanted packets to a designation that they can be tracked, counted and dropped as effectively as possible.

The breakup of Yugoslavia – 1992

The idealism of the vision of the Internet was disrupted in 1992 during the Yugoslavia break-up. The Internet was just starting out, with the power of communications and the ability to disrupt those communications. The DoS attack may have been raw (single computers throwing packets at another computer), but they were effective and disruptive. 

Intifada moves online 1993

Right after the Yugoslavian conflict, Palestinians realized they too can move the Intifada online. Many on the Internet were torn as the Israeli and Palestinian tensions moved from physical space to Internet space. Again, these DoS Attacks were raw, but the techniques started to evolve. 

PANIX Attack – 1996 – SYN Flood Attack

In 1996, New York-based Internet service provider Panix became the target of a DDoS attack via a so-called SYN flood. The hacker used a spoofed IP address to overwhelm the company’s servers with fake “synchronize” packages, forcing it to stop processing actual requests. Panix managed to recover in around 36 hours with the cooperation and collaboration of a community of peers helping to track down the sources of the spoofed flows.

DDoS Watershed. PANIX instigated two efforts of work. First was the creation of DoS-Foes. This was a mailing list of people who were helping with PANIX and some of the other new DDoS Attacks. It is the start of what we now call “Security Trust Groups.” Much of the Internet today is protected by these “anti-DDoS Trust Group of peers.” The second effort of work is the best common practice to filter spoofed addresses. BCP38 – RFC 2827 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing started an effort on the Internet to require edge networks to only allow the source IPs to be the allocated IPs. The modern term for this today is Source Address Validation (SAV).

Melissa Internet Virus (1999)

People forget that there is a range of attack vectors that can achieve DoS. Don’t get deceived by simple reflection flood attacks as the only attack vector. The Melissa Internet Virus is one example. A simple mail macro-virus that affected MS Office documents would activate if a user opened a file. The virus would then use the address book and send a copy of the virus to 50 more people. The DoS impact was an exponential epidemic that spread throughout the world – locking computers, services, and networks. 

The First Distributed Denial of Service (DDos) Attack – 1999

Multiple systems were used for DoS attacks before 1999. But these “multi-system” attacks is where someone logged into multiple systems to launch the attack. In 1999 a new tool came on the scene Trinoo. Trinoo was used in 1999 to completely disable the University of Minnesota’s internal network for more than 48 hours with a massive UDP flood. It was a watershed moment for DoS. Now you create a tool, build command and control into that tool, then use it to launch Distributed DoS attacks. This The DoS Project’s “trinoo” distributed denial of service attack tool by David Dittrich is a valuable historical read for everyone who is getting involved with DDoS Resiliency Architectures. 

Mafiaboy Attack – February 2000

The Mafiaboy attack was interesting timing. NANOG 18 was starting to stream sessions online (for remote viewers who could not make the meeting. Steven M. Bellovin was giving the keynote on Denial of Service Attacks! Steve was five minutes into the talk when pagers went off, people were grabbing their laptops, and running out of the room. Steve is wondering “why are people running out of my talk.” Yes, the Mafiaboy attack had started with organizations like Yahoo, eBay, and Amazon were attacked but impacting all the backbones. Mafiaboy (the internet alias of Michael Calce) used the attack tool TFN2, one of the DDoStools Steve was warning about in his NANOG talk. 

DoS Watershed – the ISP Security Emerged

February 2000 was a watershed for the Internet community. The second day of NANOG 18 fostered a wave of hallway conversations. There was a new focus for the community on Service Provider & ISP Security. This type of security is different from the security seen in enterprises that are built around firewalls. Flow analytics, routing protocols, massive collaboration, anti-spoofing, and many other core principles evolved from those February 2000 consultations.  

Excerpt from Steve Bellovin’s February 2000 NANOG Keynote on Denial of Service. 

Code Red Worm 2001

Code Red is an interesting attack that combines worms and DDoS to disrupt the Internet. Code Red attacked computers running Microsoft’s IIS web server. It left messages saying ‘Hacked by Chinese’, and even brought down the White House’s site. Code Red was a stepping stone for the embryonic ISP Security community. People were prepared for Code Red’s emergence, with a group working with the New Zealand Internet community when Code Red would “wake up.” The collection of New Zealanders and ISP Security Peers curated the Sink Hole technique to route Code Red traffic off to parts of the network to limit the damage and identify infected computers. It is a classic example of the Internet community collectively working together to keep the Internet from getting DoSed. 

Persistent DDoS Against Yahoo – 2002

Yahoo was hit with a lot of DDoS attacks over the year. 2002 was a watershed for Yahoo and the industry as people learned “capacity and sizing models” for DDoS Resiliency. In the past, system capacity would match the bandwidth capacity with the smallest packet size. If the bandwidth would send 10,000 packets per second, then the system sizing would match with 10,000 TPS. DDoS attacks changed those capacity models. Different attack combinations would bog down the TPS on the systems. New models evolve where the PPS of ingress bandwidth (smallest packet size) would have x5, x8, or x10 the TPS capacity on the system size. This would allow a full PPS DoS attack to come into the system and have enough capacity to respond to the attack minimizing system impacts.  

Slammer Worm January 2003

For over two months, users of Microsoft SQL Server 2000 were trying to deploy a patch. Three versions of patches were failing. During this time, someone crafted a small tiny but VERY nasty bit of maliciousness – in all just 376 bytes (no typos folks – no ‘kilo’, or ‘mega’, or ‘giga’ missing).  In January 2003 that code got released. It immediately raised alarms as unpatched and exposed MS SQL Servers were getting infected. The “ISP Trust Group – NSP-SEC” by 2003 had their own phone system – INOC-DBA. That community immediately took action. Lucky someone in the group saw the port number, know it was MS SQL Server, logged into an infected system, got a sample, shared it with the community, and started the containment actions. The community started with their own networks deploying ACLs to block Slammer’s ability to scan on those exposed ports. Once one network was protected, the team move to their peers, their customers, and anyone else who would listen. Unfortunately, South Korea was severely hit and knocked out their DNS infrastructure (which effectively knocked out all .kr domains. 

Example of the deployment of the Slammer Containment Filters. This illustrates the power of a collective of DDoS Defenders in various Internet Organizations. 

Windows Update – Malware Battle & CDNs as DDoS Defence – 2003

Through 2003, a collective of “white hat” security people formed a security trust group with Microsoft to battle a botnet that was spreading through the Internet. Every month Microsoft would update code via Windows Update that would clean up the botnet. The miscreant author got frustrated after several months of hard work getting cleaned up through “monthly updates.” That person then decided to disrupt the next month’s “Microsoft fix” by launching a DDoS against Windows Update. Again, the collective of security professionals figured out a fix. Let’s take the lessons from “hyper-engineering” DDoS Capacity from Yahoo and spread it all over the Internet. The team called Akamai and asked if they could emergency on-board Microsoft Update. This would vastly expand the capacity and spread Microsoft Update from a couple of data centers (easy to target) to thousands of locations on the edge of the Internet all over the world. The attacker was thwarted and gave up (never getting caught and moving on).  

DDoS Watchshed. Akamaizing Windows Update demonstrated the power of massive “horizontal” distribution of the attack surface area. It eliminated the DDoS Aggregation point where all the traffic arrives on a focused point. 

Online UK Betting DDoS Extortion – 2004 – 2005

“You will pay us a lot of money to this bank account by this time or we will knock out all your online betting servers 30 minutes before the Manchester United match. You cannot stop us. You will lose lots of money. Pay us or else.”

This was a paraphrase of the threat given to the UK Gaming industry in 2004 when criminal gangs realized they can use DDoS Attacks for extortion. Many of these attacks were successful. The lasted 30 minutes to an hour. The losses to the targets motivated a lot of new capacity deployments. But, as we have seen from all DDoS Extortion, they only stop if:

  1. The DDoS Miscreants get caught
  2. The DDoS Miscreants know law enforcement is on to them (and they run)
  3. The DDoS Miscreants have to work too hard to make money
  4. The DDoS Miscreants move on to other more lucrative attacks. 

In the 2004-2005 attacks, International Law Enforcement started tracing the money flows and was getting close. The DDoS Extortion then stopped as the Extortionist crew move on. 

Estonia DDoS Attacks – 2007

In 2007 the government of Estonia decided to move the Bronze Soldier of Tallinn, built at the site of several war graves, from the center of the capital to the nearby Tallinn Military Cemetery. The statue is a memorial to Soviet soldiers who fell in World War II while fighting with Nazi troops. Estonia’s Russian-speaking community objected strongly to the move, but it still went ahead, causing two nights of riots and mass arrests. The protest then went online.. DDoS attacks started on Estonian infrastructure all over Europe. As told in the Wired article Hackers Take Down the Most Wired Country in Europe, Hillar Aarelaid or the Estonian CERT Team was with Merike Kaeo when the attacks began. The Estonian CERT Team needed help, so Merike start calling people within the ISP Security community. That plugged the Estonian CERT team into the NSP-SEC community, who then rallied ISPs and Telco all over the world to push back on the DDoS attacks.

Estonia is a classic example of international collaboration for collective DDoS defence.  

DDoS in Southern Russia (2007)*

This is a much less well-known DDoS, but no less important for it. In the hot summer of 2007 in the Krasnodar region in southern Russia, the cities of Adygea and Astrakhan had only intermittent Internet coverage – it went off, came back on again, over and over. Turned out that the reason was a DDoS that had taken down the largest net provider in the region.

Naturally there was panic, with engineers running round in circles, routers – and brains – smoking, swearing, clients – including the VIP ones – starting to ask when the Internet will come be back on, and law enforcement wondering just who they were meant to be arresting – and for what!

The attacks came in waves for a whole month, reaching a staggering (for 2007) 10 gigabytes per second. The attacks were also very unusual: they used botnets, but made more use of file exchanging peer sites, which was unprecedented back then outside research projects. Who was behind the attacks was never discovered.

This DDoS was a pivotal moment for Russia. The whole Internet for a whole region was being switched on and off like a torch and there was nothing anyone could do about it. Before this incident no one took any notice of DDoS threats; afterwards – just the opposite: they were treated as acute current threats to be taken seriously. Technologies appeared, and telecoms companies started to actively install new specialized kit. We did our bit too – developing our own solution.

* Shared by Eugene Kaspersky in A Brief History of DDoS Attacks

LulzSec Hacktivism in 2011

In 2011, LulzSec took down the CIA’s, PBS, and the U.S. Senate websites. They also launched an extended attack on Sony, whose PlayStation Network was brought to a grinding halt for the better part of a month. Lulzsec is an example of a solo hacktivist that is independent, normally a small group, and will band together under a banner to gain notoriety. While LulzSec’s campaigns did not cause big damage, they did wake people up to take notice of how a small, new, and passionate group could quickly gain experience through practice and become a significant threat. LulzSec’s campaign consequences also taught the DDoS Miscreant community how NOT to launch their campaigns. Wikipedia list out the full law enforcement action against the LulzSec community

Banking Sector DDoS Attack in Q3 – Q4 2011

Sometimes, DDoS Attacks come in waves of attacks. These waves were from one group that launched DDoS campaigns with a specific objective. In September – December 2012 a DDoS campaign targeted the banking sector. Two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD) orchestrated DDoS attacks. It was found that they performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.. Waves of DDoS attacks would rotate between banks. Bank of America (BAC), JPMorgan Chase (JPM), Wells Fargo (WFC), U.S. Bank (USB), Fifth Third Bank, BB&T, Capital One, HSBC, and PNC Bank were examples of the banks targeted. These attacks used Brobot with specifically crafted DNS packets that would reach 60 Gbps. Seven Iranian individuals linked to the Islamic Revolutionary Guard Corps were eventually indicted by the U.S. Department of Justice in 2016 for their involvement in the incident

Political DDoS in Russia (2011-2012)* 

Between December 2011 and March 2012 there was plenty of political tension in Russia: both the Duma (parliament) and Presidential elections were taking place, and they were accompanied by lots of political demonstrations. To top it all off there was a shoot-out between opposing DDoS forces. Both opposition and pro-government sites were DDoSed. The main take-away: this was the first time in Russia cybercriminal methods were so widely and blatantly applied for political ends.

* Shared by Eugene Kaspersky in A Brief History of DDoS Attacks

SpamHaus March 2013

SpamHaus disrupts the criminal use of the Internet. Organizations all over the world use SpamHaus to block +80% of all spam. Those spamming, phishing, and Business Email Compromise (BEC) criminals do not like SpamHaus. That makes SpamHaus a prime target for DDoS attacks. One of the biggest happened in 2013. At the time, the criminals attacking SpamHaus rallied resources to launch a DNS reflection attack at the rate of 140-300 Gbps. The attack was persistent, lasted for a week nearly, and required the Internet collective to work with SpamHaus to mitigate the impact. But, in this case, the Internet community had the last laugh. Several parties were tracked down and arrested (see An arrest in response to March DDoS attacks on Spamhaus and Second arrest in response to DDoS attack on Spamhaus

To effectively mitigate these attacks or at least minimize their impact, choose a comprehensive, multi-layered, intelligent, and managed DDoS mitigation service such as AppTrana. AppTrana offers end-to-end and instantaneous defense against all types of DDoS attacks and real-time visibility into the security posture to ensure that your website/ web application is always available.

BBC December 2015

BBS is one of the most widely branded and recognized world broadcasters. As such, they are often a target for DoS that is related to the news. In 2015 the BBC faced a series of DDoS attacks by New World Hacking. They were a hacktivist group that wanted to test their BangStresser against a visible target.  The attack was crafted using two AWS instances and worked around some of the AWS security to launch the attack. New World Hacking group did their reconnaissance to find effective targets. In this case, the DDoS crew hit BBC’s on-demand TV service, iPlayer services, and radio services. The impact cause disruption to the services for over 3 hours. This attack illustrated how a motivated hacktivist group could found exploitable DDoS resources for something “new.” It is also an example of “DDoS Bravado being misleading. New World Hacking claimed this was the biggest DDoS attack ever (at that time), but others debunked their claim (see ‘Biggest ever’ web attack on BBC actually wasn’t even close). This “dispute” distracted from the DDoS innovation – using cloud capacity in a way that was unexpected. 

GitHub 2015 – We don’t like your code!

GitHub source-code management unintentionally crossed swords in 2015 and was hit with a politically motivated DDoS attack. The browsers of everyone visiting Baidu (a popular web search platform in China) were infected with JavaScript Code, creating a botnet. The infected systems sent voluminous HTTP requests to the platform, causing downtimes across the GitHub network. This was an interesting attack in that the “bots” were infected browsers whose users had no idea they were being used to attack Github. 

MiraiKrebs September 2016 – We Don’t like Brian Krebs

Brian Krebs is an effective and prolific cyber-crime reporter. His contacts in the security community, technician savvy, and determination result in in-depth articles that expose the underbellies in the Internet’s criminal underground. This effectiveness makes Brian a target. His website has been constantly attacked since its creation. In September 2016, a dogged attack. This attack used the Mirai botnet, which, at its peak later that year, consisted of more than 600,000 compromised Internet of Things (IoT) devices such as IP cameras, home routers, and video players.

OVH DDoS Attacks September 2016

The Mirai botnet continued to be used by miscreants shifting to an undisclosed customer on OVH.  OVH is a European hosting provider that at the time hosts roughly 18 million applications for over one million clients. Mirai attack was on a single undisclosed OVH customer and driven by an estimated 145,000 bots, generating a traffic load of up to 1.1 terabits per second, and lasted about seven days. These attacks demonstrated the danger of exposed IoT systems. Mirai was the start of the criminal exploitation of devices that are easily built, sold, plugged in, and deployed on an interconnected network. 

Dyn 2016 – Let’s target DNS!

If you really want to take out parts of the Internet, look for those elements that everything and everyone depends on. In 2016, the target was an authoritative Domain Name System run by Dyn, a major DNS provider. At that time, Dyn hosted some of the biggest names on the Internet – including corporate heavyweights like Amazon, Netflix, Airbnb, Twitter, PayPal, Reddit, Spotify, Fox News, HBO, New York Times, Visa, etc A new botnet using the Mirai infected vulnerable devices IoS devices and was able to build a DDoS load of 1.2TBps. This attack lasted for over a day and took a combined collective of operators working to mitigate the attack. Yes, DDoS impacts business. In Dyn’s case, the company lost 14,500 domains and faced a total cost of USD 110 million.

GitHub 2018

For some reason in 2018, someone wanted to take out GitHub. The source-code management/web hosting platform hit with a 1.3 TBps attack (126.9 million per second). As typical with large attacks, the DDoS miscreants used a reflection attack technique leveraging Memcached (a database caching system for speeding up websites and networks). The Memcached DDoS attack technique is particularly effective as it provides an amplification factor – the ratio of the attacker’s request size to the amount of DDoS attack traffic generated – of up to a staggering 51,200 times. The attack lasted 10 minutes and the platform was unavailable for 5 minutes. The attack could be stopped within this timeframe only because the platform had DDoS protection in place. However, recovery took nearly 1 week. According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.

AWS Speaks Up – Their February 2020 DDoS Attack

AWS is no stranger to DDoS attacks. They are a target, their customers are a target, and they provide services to protect their customers. In February 2020 Amazon Web Services shared details of a Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection attack against one of their customers. The DDoS technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted for three days and peaked at an astounding 2.3 terabytes per second. Having AWS share in detail their “surface area of DDoS measurement” adds more insight into the puzzle pieces of DDoS insight. 

Are you looking for more practical, public-service Security Advice?

The materials and guides posted on here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.