History of DDoS Attacks


Since the first DoS attack was launched in 1974, DDoS attacks and other DoS attacks have remained among the most persistent and damaging cyber-attacks. These attacks reflect hackers’ frustratingly high levels of tenacity and creativity—and create complex and dynamic challenges for anyone responsible for cyber security.

The Early Days

In 2014, the DoS attack celebrated its 40th birthday. Born as the handiwork of a teenaged “computer geek,” these attacks have since exploded in quantity—and sophistication.

The first-ever DoS attack occurred in 1974 courtesy of David Dennis—a 13-year-old student at University High School, located across the street from the Computer-Based Education Research Laboratory (CERL) at the University of Illinois Urbana-Champaign. David recently learned about a new command that could be run on CERL’s PLATO terminals. PLATO was one of the first computerized shared learning systems, and a forerunner of many future multi-user computing systems. Called “external” or “ext,” the command was meant to allow for interaction with external devices connected to the terminals. However, when run on a terminal with no external devices attached it would cause the terminal to lock up—requiring a shutdown and power-on to regain functionality.

Curious to see what it would be like for a room full of users to be locked out at once, he wrote a program that would send the “ext” command to many PLATO terminals at the same time. Dennis went over to CERL and tested his program—, which succeeded in forcing all 31 users to power off at once. Eventually the acceptance of a remote “ext” command was switched off by default, fixing the problem.

During the mid to late 1990s, when Internet Relay Chat (IRC) was first becoming popular, some users fought for control of non-registered chat channels, where an administrative user would lose his or her powers if he or she logged off. This behavior led hackers to attempt to force users within a channel to all log out, so they could enter the channel alone and gain administrator privileges as the only user present. These “king of the hill” battles—in which users would attempt to take control of an IRC channel and hold it in the face of attacks from other hackers—were fought using very simple bandwidth-based DoS attacks and IRC chat floods.

DDoS Attacks Spread

One of the first large-scale DDoS attacks occurred in August 1999, when a hacker used a tool called “Trinoo” to disable the University of Minnesota’s computer network for more than two days. Trinoo consisted of a network of compromised machines called “Masters” and “Daemons,” allowing an attacker to send a DoS instruction to a few Masters, which then forwarded instructions to the hundreds of Daemons to commence a UDP flood against the target IP address. The tool made no effort to hide the Daemons’ IP addresses, so the owners of the attacking systems were contacted and had no idea that their systems had been compromised and were being used in a DDoS attack.

Other early tools include “Stacheldraht” (German for barbed wire), which could be remotely updated and support IP spoofing, along with “Shaft” and “Omega”, tools that could collect attack statistics from victims. Because hackers were able to get information about their DDoS attacks, they could better understand the effect of certain types of attacks, as well as receive notification when a DDoS attack was detected and stopped.

Once hackers began to focus on DDoS attacks, DoS attacks attracted public attention. The distributed nature of a DDoS attack makes it significantly more powerful, as well as harder to identify and block its source. With such a formidable weapon in their arsenals, hackers began to take on larger, more prominent targets using improved tools and methods.

By the new millennium, DDoS captured the public’s attention. In the year 2000, various businesses, financial institutions and government agencies were all brought down by DDoS attacks. Shortly after, DNS attacks began with all 13 of the Internet’s root domain name service (DNS) servers being attacked in 2002. DNS is an essential Internet service, as it translates host names in the form of uniform resource locators (URLs) into IP addresses. In effect, DNS is a phonebook maintaining a master list of all Internet addresses and their corresponding URLs. Without DNS, users would not be able to efficiently navigate the Internet, as visiting a website or contacting a specific device would require knowledge of its IP address.

From Script Kiddies to Geo-Political Events

As attack technology has evolved, so, too have motivations and participants. Today, we no longer face teenage “computer geeks” or “script kiddies” testing the limits of what they can do. While they still exist, they are no longer alone. Recent years have brought a continuous increase in the number of DDoS attacks—fueled by changing, and increasingly complex, motivations.

Anatomy of Today’s Hackers

Hacking used to require a distinct set of skills and capabilities. These days, DDoS attack services are bought and sold via marketplaces on the Clearnet and Darknet—a phenomenon that is closing the gap between skilled and amateur hackers and fueling an exponential increase in threats.

Thanks to the growing array of online marketplaces, it is now possible to wreak havoc even if you know virtually nothing about computer programming or networks. As attack tools and services become increasingly easy to access, the pool of possible attackers—and possible targets—is larger than ever. While many hacktivists still prefer to enlist their own digital “armies,” some are discovering that it is faster and easier to pay for DDoS-as-a-Service than to recruit members or build their own botnet. Highly skilled, financially motivated hackers can be invaluable resources to hacktivists seeking to take down a target.

By commoditizing hacktivist activities, hacking marketplaces have also kicked off a dangerous business trend. Vendors are now researching new methods of attack and incorporating more efficient and powerful vectors into their offerings. Already some of the marketplaces offer a rating system so users can provide feedback on the tools. Ultimately, this new economic system will reach a steady state—with quality and expertise rewarded with a premium.

IoT Botnets Open the 1TBps Floodgates

This exemplifies why preparing for “common” attacks is no longer enough. This event introduced sophisticated vectors, such as GRE floods and DNS water torture.

Cyber-Ransom Proves Easiest, Most Lucrative Tool for Cybercriminals

Almost all ransom events have a different attack vector, technique or angle. There are hundreds of encrypting malware types, many of which were developed and discovered this year as part of the hype. Also,DDoS for ransom groups are professionals who leverage a set of network and application attacks to demonstrate their intentions and power.

Non-Volumetric DoS: Alive and Kicking

Despite astonishing volumes, neither the number of victims nor the frequency of attacks has grown. Most non-volumetric DDoS attacks are in relatively lower volumes, with 70% below 100MBps. Rate-based security solutions continue to fall short, requiring companies to rethink their security strategy and embrace more sophisticated solutions. Without those upgrades, there is a good chance an organization will experience, yet lack visibility, into service degradation.

Recent History: Notable Cyber-Attacks of 2016

2016 brought a long-feared DDoS threat to fruition: cyber-attacks were launched from multiple connected devices turned into botnets. These attacks are propelling us into the 1Tbps DDoS era. Check out Radware’s full library of DDoS Attack Reports & Cyber Security Threat Reports.


  • PCWorld reports that “25,000 digital video recorders and CCTV cameras were compromised and used to launch distributed denial-of-service (DDoS) attacks, flooding its targets with about 50,000 HTTP requests per second.”1 Though impressive and startling, this attack said nothing about what was still to come.

  • Around 8:00 pm, KrebsOnSecurity.com becomes the target of a record-breaking 620Gbps2 volumetric DDoS attack from a botnet designed to take the site offline.

  • The same type of botnet was used in a 1Tbps attack targeting the French Web host OVH3. A few days later, the IoT botnet source code goes public—spawning what would become the “marquee” attack of the year.

  • Dyn, a US-based DNS provider that many Fortune 500 companies rely on, was attacked by the same botnet in what is publicly known as a “water torture” attack. The attack renders many services unreachable and causes massive connectivity issues—mostly along the East Coast of the United States.

  • Mirai rewrites the rules; new risks for IoT DDoS botnet are revealed. As the first IoT open-source botnet, Mirai is changing the rules of real-time mitigation and making security automation a must. It isn’t just that IoT botnets can facilitate sophisticated L7 attack launches in high volumes. The fact that Mirai is open-source code means hackers can potentially mutate and customize it—resulting in an untold variety of new attack tools that can be detected only through intelligent automation.