With all the attention DDoS attacks have garnered over the past few years, you would be forgiven for thinking they’re a new tool in the cybercriminal’s toolbox, a development cleverly designed to take advantage of sloppily secured IoT devices to tap into that rich vein of social media outrage.
As it turns out, that’s only part of DDoS’s recent history. Instead, DDoS attacks are a lot like that neighbor kid who used to smash mailboxes with a baseball bat: a minor annoyance you lost track of for 20 years, and all of a sudden he’s a world-famous criminal mastermind. Here’s a quick look at the evolution of DDoS attacks and where they stand right now.
DDoS early days
For as much as they’ve grown and mutated over the last two decades, DDoS attacks have always had one core function: to deny online services to their users. These days this is likely to take the form of attacks on websites, gaming platforms, cryptocurrency exchanges and financial services, but when distributed denial of service attacks first came into existence, the target was what was then the entire internet.
As a grad student in 1988, Robert Morris got the idea to develop a worm to infect remote computers in order to determine how many were connected to a network then called the ARPANET, an early version of the internet. While his intentions were not malicious, his code unfortunately was, and instead of infecting each computer once and moving on, the worm copied itself over and over on each system until all 60,000 nodes on the network crashed and the entire internet was DDoSed.
For his blunder, Robert Morris was given 400 hours of community service and fined $10,000. A steep price for a mistake, it would seem, but considering he was responsible for the idea of infecting remote computers in order to use their resources to crash networks, he may have ultimately gotten off lightly.
A coming of age story
In the ’90s the idea of computers being banded together to take aim at online services was co-opted by activists looking to make a statement from afar. The first recorded instance of what we now know as hacktivism took place in 1995, with a collective using their pooled computing resources to take down the French government’s website in protest of its nuclear policy. From there the idea of the botnet was born, as another collective built a tool called FloodNet that allowed anyone around the world to donate their computer’s resources to take down targets that included the White House website.
The difference between FloodNet and the botnet that caught the world’s attention in the year 2000 is that FloodNet was voluntary. The botnet used by 15-year-old hacker MafiaBoy to take down Yahoo!, eBay, Amazon and other major internet services was decidedly not voluntary and consisted of computers that had been infected with malware to allow MafiaBoy to control them remotely. The vast majority of botnets today still consist of computers and devices that have been infected, generally without the knowledge of their owners. Another thing that hasn’t much changed: MafiaBoy did it to show off on the internet, or for the lulz as some would put it today.
Even with MafiaBoy’s antics, distributed denial of service attacks didn’t have their coming-out party until 2007, when massive DDoS attacks on an internet service provider in southern Russia turned the internet on and off in the entire region for a month. The attack size? A then-tremendous 10 Gbps. With this, the online world became wise to DDoS attacks as a major threat, and rudimentary mitigation efforts began.
Jack-of-all-trades attacks
As the internet has grown, so too have botnets and their associated DDoS attacks. Instead of relying on infected computers, botnets like Mirai are now routinely made up of hundreds of thousands of infected IoT devices, and the resultant attacks are landing well over 1 Tbps at their peak. Attackers have become increasingly clever as well, developing sophisticated attacks that take aim at the application layer, masquerading as legitimate requests to exhaust server-side resources without requiring a big smash of traffic.
DDoS attacks have become big business, with botnet builders renting out their wares in DDoS-for-hire services or making even bigger bucks selling high-level attacks on the dark web. DDoS attacks are used by everyone from script kiddies hoping to witness some DDoS-induced outrage on social media to scorned employees looking for revenge, hacktivist groups trying to make a point, gamers trying to knock off other gamers, competing businesses willing to do anything to gain an advantage, attackers trying to make money by manipulating cryptocurrency values with outages, hackers masking data thefts with attacks, and even nation states taking aim at other governments.
Currently, DDoS attacks can cost a victim business anywhere from $20,000 to $100,000 for every hour of the attack and can take months or even years to recover from due to the reputation damage that can be done by a security failure of this size.
Stopping them in their tracks
While it’s impossible to predict exactly what the next evolution of DDoS attacks will entail or what ingenious invention attackers have up their sleeves, it’s very easy to say that websites and businesses need to take the step of investing in professional DDoS protection in order to guard against whatever might be coming next. DDoS attacks have been causing headaches and havoc for 20 years now, and they’re only getting worse.