Introduction
A 15-year-old whiz kid, a cohort of attackers, and state-sponsored threat actors…
Sounds like the beginning of a joke, or the characters in a new action-adventure cyber movie. But there’s nothing entertaining about what you’re about to read. These are a few of the actors in some of the most famous DDoS attacks in history.
As the saying goes, “those who cannot learn from history are doomed to repeat it.” With that in mind, in this blog, we’ll delve into some of the most famous DDoS attacks to understand how DDoS attacks have evolved, overall trends, lessons learned, and what we might expect in the future. We’ll also explain how you can detect and defend against DDoS attacks that disrupt service availability and can lead to data exfiltration, ransomware attacks, and other malicious activity.
DDoS Attacks
DDoS (distributed denial-of-service) attacks are responsible for more than 50% of attacks according to Verizon’s 2024 Data Breach Investigations Report. These attacks overwhelm a target server or network by flooding it with an excessive volume of requests. These requests could be in the form of data packets, HTTP requests, or even connection requests. The sheer volume of incoming traffic exhausts the target’s resources, leading to a breakdown in service.
Cyber criminals who carry out DDoS attacks typically use networks of Internet-connected devices that they’ve infected with malware that allows them to control the device remotely. These infected devices are known as bots (or zombies), and a group of bots forms a botnet. Once they’ve established a botnet, the attackers can direct an attack by sending remote instructions to each bot. Each bot sends requests to the target’s IP address, causing the server or network to become overwhelmed and resulting in a denial-of-service to normal traffic.
Why DDoS Attacks Are So Disruptive
DDoS attacks happen every day and no organization is immune. Small businesses, multinational companies, internet service providers (ISPs), and hosting providers can all be impacted. Smaller businesses may not be attacked directly. Instead, threat actors compromise one of their servers and install a bot on it. Recruiting that server into a botnet has a two-fold effect: it adds capacity for attacks on other businesses, and it consumes the small business’s own compute power, so its online services start to degrade.
Larger businesses are usually the primary victims. Websites and other online services can be disrupted or completely stopped by a DDoS attack. The results include service downtime, financial loss, and reputational damage. For ISPs and hosting providers, customer sites and applications are also often impacted.
Increasingly, DDoS attacks are being coupled with other criminal activity such as data exfiltration and ransomware attacks which make them even more disruptive, costly, and complex to mitigate and recover from.
Nature of DDoS Attacks
There are various characteristics of DDoS attacks that contribute to their damaging impact.
- Volumetric. Typically, DDoS attacks leverage groups of bots, which makes them volumetric in nature: they generate a massive volume of data packets directed at the target network to saturate it with a flood of traffic.
- Protocol focused. These types of DDoS attacks take advantage of weaknesses in protocols or services at the network and transport layers (Layers 3 and 4) of the OSI model to consume server resources and degrade service performance or cause an outage. Examples include:
  - Ping of Death (PoD) attacks overwhelm a network device with ping packets, also referred to as ICMP data packets.
  - UDP Flood attacks flood the target with UDP packets that often target specific ports.
- Application layer focused. Also known as Layer 7 DDoS attacks, these target the application layer of the OSI model with the intent of exhausting server resources or disrupting web application functionality. Examples include:
  - HTTP/S Flood attacks overwhelm web services with HTTP requests.
  - Slowloris attacks exploit the server’s resource allocation by sending partial HTTP requests and keeping connections open for as long as possible.
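As an added illustration that is not part of the original post: a small detector for the Layer 7 HTTP flood pattern described above, run over constructed access-log lines. The log format (Apache/nginx "combined" style), the 20-requests-per-10-seconds threshold, and the IP addresses are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined"-style format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a matching line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), request


def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each source IP whose request count inside any sliding window of
    window_seconds reaches threshold to the peak count observed for it."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for ip, ts, _request in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def make_line(ip, when, path="/"):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Constructed traffic: one source bursting 60 requests in 6 seconds,
    another making 12 requests spread over 2 minutes (a normal client)."""
    start = datetime.strptime("28/Feb/2018:17:21:00 +0000", TIME_FMT)
    lines = [make_line("203.0.113.7", start + timedelta(milliseconds=100 * i))
             for i in range(60)]
    lines += [make_line("198.51.100.2", start + timedelta(seconds=10 * i), "/docs")
              for i in range(12)]
    return lines


if __name__ == "__main__":
    for ip, count in find_flooders(sample_log()).items():
        print(f"{ip}: {count} requests inside a 10 s window")
```

In production the same sliding-window count would feed a rate limiter or a block list at the load balancer or CDN edge rather than a print statement.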
The Consequences of DDoS Attacks
DDoS attacks have cascading negative consequences for businesses, including loss of service availability, lost revenue, reputation damage, and recovery costs.
- Service availability: As servers attempt to respond to massive volumes of bogus requests, their resources become drained, and systems eventually crash leading to downtime for legitimate users.
- Lost revenue: The longer the length of downtime, the longer services aren’t available to the business and its customers, which results in lost revenue.
- Reputation damage: When customers don’t have reliable access to the services they need, the business’ reputation can take a significant hit, which can result in an increase in customer churn.
- Recovery costs: In addition to the costs of bringing services back online, recovery costs can also include forensic analysis and upgrades to defenses. Depending on the impact on customers there may also be costs associated with regaining trust and loyalty.
1. The Mafiaboy Attack (2000)
With a general overview of DDoS attacks, why they are so disruptive, and the impact on organizations, let’s delve into some of the most famous DDoS attacks. The first one we’ll look at is the Mafiaboy attack and its legacy in cybersecurity.
Background and Overview
Although the Mafiaboy attack took place nearly 25 years ago, it’s hard to shake from our collective memory for several reasons including the hacker’s age and his targets. A 15-year-old high school student from Canada who went by the name Mafiaboy built a botnet by compromising university computer networks to launch DDoS attacks. The intent was to demonstrate his skill at initiating attacks against industry giants at a time when DDoS attacks were not widespread.
Impact on Major Websites
The attack targeted numerous high-profile websites, including recognized names like Yahoo, Amazon, eBay, CNN, E-Trade, and Dell. The flood of traffic overwhelmed servers, rendering the websites of directly targeted companies inaccessible to legitimate users. Extensive downtime and loss of service led to financial losses and reputation damage. It also spread to the larger internet community including impacting the stock market.
Lessons Learned
The attack exposed society’s reliance on the internet and the importance of cybersecurity to protect service availability. It also led to the creation of cybercrime laws that remain in effect today. Mafiaboy may have learned a valuable lesson as well. Having faced legal action after the attack, he now applies his hacking skills as a cybersecurity professional.
2. GitHub Attack (2018)
On February 28, 2018, GitHub, a popular collaboration platform for software developers, was hit with a DDoS attack, the scale of which had never been seen before. Although it lasted approximately 20 minutes, it served as a wakeup call to the power a DDoS attack punch can pack.
The Largest DDoS Attack in History
The attack transmitted 1.35 terabits of data per second to GitHub’s servers. The volume was achieved when hackers discovered a way to abuse exposed Memcached caching servers to reflect and amplify traffic, instead of using a botnet. The approach ultimately magnified the impact of the DDoS attack by a factor of 50,000.
How GitHub Survived
GitHub had DDoS protection in place. So, their security team was alerted to the attack within 10 minutes and was able to stop the attack after another 10 minutes to mitigate the impact.
Lessons Learned
The example demonstrated the value of taking a proactive approach to DDoS protection, and cybersecurity in general. Even though a DDoS attack of this type and scale was unprecedented, the technology and tools GitHub had in place alerted the team to what was happening, and the service was offline only briefly.
3. Dyn DDoS Attack (2016)
Botnets can be built on malicious software that is designed to spread rapidly. The most notorious is the Mirai malware and its multiple variants, which take advantage of weaknesses in IoT devices with low computational power, or in higher-powered networking equipment, to launch even more potent attacks. The Dyn DDoS attack is a prominent example.
Background of the Attack
In October 2016, Dyn, a major Domain Name Service (DNS) provider, became the victim of a 1 terabit per second DDoS attack – a record at that time. The attack on a DNS provider rocked the industry as the impact was felt across the U.S. and Europe. The Dyn DDoS attack became famous for another reason as well – it was the first major attack after the creator of Mirai shared the source code on a hacking forum.
Impact on Global Internet Traffic
The attack knocked Dyn’s services offline and, with it, numerous high-profile websites including HBO, Twitter, Reddit, PayPal, Netflix, GitHub, and Airbnb.
Lessons Learned
A turning point in the evolution of DDoS attacks, the attack on Dyn demonstrated the ease with which threat actors with little to no technical skills could launch damaging attacks. Their success triggered a proliferation of similar attacks that impacted organizations and users around the globe. More broadly, the model of selling malware-as-a-service became a catalyst for threat actors to create and profit from copycat variants.
4. The Spamhaus Attack (2013)
Spamhaus, a non-profit organization, was founded to counter spam emails and associated spam-related actions. Naturally, their success in this area drew the attention of threat actors who relied on spam to gain access to organizations and cause disruptions. So, in 2013 Spamhaus was targeted with a well-orchestrated DDoS attack that involved numerous hackers.
The Scale of the Attack
While nowhere near the scale of the DDoS attacks we’ve already discussed, the attack reached 300 Gbps which was a peak for the time. A group of hackers collaborated on the attack and on March 17, 2013 launched an assault aimed at stopping Spamhaus.
Impact on Global Internet Infrastructure
The attackers quickly realized that Spamhaus was protected so they shifted their focus to the organization’s security vendor. When they couldn’t stop that company, they pivoted and targeted the network providers that the vendor used for bandwidth. Each time the attackers shifted targets they upped the volume of malicious traffic and changed tactics. Ultimately, the attackers were successful in disrupting and slowing down internet traffic in Europe and impacting millions of users for several days. However, it did not bring the internet down or eliminate antispam efforts.
Lessons Learned
This Spamhaus attack was an example of how DDoS attacks can be used as a form of retaliation. It also showed how relentless attackers are, able to rapidly shift targets and tactics to try to accomplish their mission. But it also demonstrated the importance and value of having robust protection in place to mitigate the impact of DDoS attacks.
5. Estonia Cyber Attacks (2007)
In April 2007, the entire country of Estonia was subjected to a three-week long DDoS attack – the longest duration and widest impact of any attack experienced up until that point.
Political and Social Implications
The attack came in response to a political conflict with Russia and was one of the first examples of a large-scale, state-sponsored DDoS attack. The attack targeted government, media, and financial websites.
National Disruption
Estonia’s government was an early adopter of online government and was practically paperless at the time. So, an attack targeting Estonia’s online infrastructure was purposely calculated to cause significant disruption and was successful. It impacted millions of internet users, across many aspects of everyday life.
Lessons Learned
This marks the first time the use of a DDoS attack crossed the line into what could be considered warfare. Targeting critical infrastructure sectors proved to be a successful strategy to bring a country to its knees. Noticed around the world, the ordeal catalyzed the creation of international laws for cyber warfare.
How DDoS Attacks Have Evolved
Over the years DDoS attacks have evolved in volume, attack vectors, and sophistication. As traditional attack vectors closed and the quest to pack a bigger punch grew, adversaries continued to find new ways to execute exponentially more damaging DDoS attacks.
Growing Sophistication
The release of the Mirai source code changed the DDoS attack landscape forever. Today, sophisticated botnet DDoS tools and botnet services are readily available through online marketplaces for a few hundred U.S. dollars. This makes it relatively easy and inexpensive to launch a DDoS attack and reap the financial and competitive gains with little technical knowledge.
Adversaries also doubled up on tactics. For example, an increasingly common DDoS attack type is the ransom DDoS attack, where the attacker sets up the attack but then demands money from the target in exchange for not carrying it out.
The Role of IoT and Botnets
As our reliance on connectivity has increased and Internet of Things (IoT) devices have proliferated, so too have significant DDoS botnet attacks that leverage Mirai-based and IoT-based botnet activity. It can be difficult to protect IoT devices due to lack of visibility and their limited compute power, which can prevent the implementation of security features. This makes them susceptible to DDoS attacks as well as to being recruited into botnets.
Future Trends in DDoS
Looking to the future, we need to remember that cyber criminals always look for ways to maximize their return on investment and one way is to continue to reduce the complexity involved in executing DDoS attacks. Due to the lower computational power of IoT devices and effort required to infect and manage an army of them, adversaries are increasingly shifting to more powerful VM-based botnets. Cloud-hosted virtual machines have higher computational and throughput capabilities that allow attackers to carry out more powerful attacks with fewer devices and less effort.
How to Protect Against DDoS Attacks
As with all threats, an ounce of prevention is worth a pound of cure. To defend against DDoS attacks, organizations should use a combination of best practices and technology.
Educate Employees and Secure IoT Devices
Educate employees on the dangers of DDoS attacks and how to avoid becoming infected by using strong passwords, multi-factor authentication, and not clicking on suspicious links or attachments in emails from unknown sources.
Secure IoT devices by deploying security features whenever possible. Additionally, validate your inventory of IoT devices and make sure they are up to date with patches, apply network segmentation to limit movement of traffic from IoT devices to other parts of the network, and use endpoint detection/protection tools if the IoT device has the compute power to run the software required.
Network Redundancy and Failover Plans
Use load balancers and failover mechanisms that distribute traffic across different servers and cloud resources to help mitigate the impact of an attack and assist with continuity of service while IT teams investigate and respond. Additionally, leverage Content Delivery Networks (CDNs) to distribute your website’s content across multiple servers and locations. CDNs can absorb and distribute traffic, minimizing the impact of DDoS attacks on a single server.
Invest in Advanced DDoS Protection
The most comprehensive way to mitigate DDoS attacks is with a DDoS protection solution. The best solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
Conclusion
The lessons we learn by examining some of the most famous DDoS attacks in history are incredibly valuable. They demonstrate how DDoS attacks continue to increase in sophistication, impact, and frequency, and how organizations can successfully navigate and prevent these attacks.
As the use of IoT devices and malware variants proliferates, these attacks show no sign of slowing down. And now, following the movement of organizations to the cloud, cyber criminals are taking their tactics there too. We can expect attackers to increasingly use cloud-hosted virtual machines to execute more powerful attacks with fewer resources and complexity.
Fortunately, there are multiple best practices and technologies organizations can use to defend against DDoS attacks, including educating employees and securing IoT devices, employing network redundancy and failover plans, and using an advanced DDoS protection solution.
DDoS protection provides uninterrupted service availability even in the midst of a DDoS attack and can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on the latest trends and insights about DDoS botnet attacks.