History of DDoS - Famous Attacks
A DDoS attack is one of the most deadly IT assaults on your company's infrastructure. The danger is becoming more and more real every day as attackers now sometimes have an army of bots scattered all over the world, thereby making the task of
detection and prevention more difficult. In this article, we take a look at some of the most famous DDoS attacks in history and the related consequences.
2002 DNS Root Server Attacks
Let's start with the big daddy of DDoS attacks. This was the most significant DDoS attack to date since it threatened the very existence of the Internet itself. The thirteen Root DNS servers which propagate changes to all the others came
under attack on the 21st of October 2002. It could be said that it was an attack on the Internet itself - hitting it at its most vulnerable point.
The attack lasted for over an hour and was well coordinated with all thirteen DNS servers coming under fire at the same time. The amount of data that was thrown at the servers put together crossed 900 Megabits/second and was composed of various
types of protocols including TCP and UDP.
The fallout of the attack was significant. Though the servers didn't crumble under the load, there were so many attack queries that some genuine queries from all over the world timed out because the servers could not be reached.
Lessons Learned
The experience was a victory in many ways for the DNS servers. Because they were massively over-provisioned, they were able to successfully cope with the high volume of traffic thrown at them. If anything, it validated the principle of
over-provisioning to account for further attacks of this sort in the future.
2007 DNS Attacks
On the 6th of February 2007, six of the thirteen DNS servers were once again attacked in an attempt to "bring the Internet down." The first wave of the attack lasted for two and a half hours. After a gap of three hours, the servers were hit
again for three hours.
This time, however, engineers who worked on the systems protecting the DNS servers had learned important lessons from the first attack in 2002. A new technology called Anycast had been developed that allowed the DNS servers to mitigate the
effects of attacks of this sort. Two of the servers, though, didn't have the technology installed and were taken down by the attacks.
The overall experience of the 2007 attacks was positive with the engineering teams demonstrating that they had the ability to withstand a coordinated DDoS attack. The attacks were said to have arrived from the Asia Pacific region - though this
can be misleading because they were most likely carried out by "zombie" computers used by unsuspecting users.
It was also learned that one of the ways users could prevent their systems from being hijacked was by changing the default passwords on their home routers - the adoption of this recommendation hasn't been very high though.
Attacks on Estonia
In April 2007, Estonia faced a debilitating DDoS attack that crippled government websites such as the prime minister's site, as well as the sites of other organizations such as banks and schools. The attack was guessed to be
political in nature, and though there were many accusations against the Russian government itself, the general consensus was that the attack wasn't prompted by a state-run agency.
However, there was ample evidence to indicate that the attack came from Russian nationalists as a protest against the movement of a World War II memorial. Estonia was formerly a member of the Soviet Union.
The attack was most likely carried out by an army of bots from all over the world. Such attacks are difficult to trace and in this case, the widespread distribution of the bots made it exceedingly unlikely that any single organization would be
found responsible. The only way to deal with such attacks is to improve your security systems and identify the DDoS bots before your systems are crippled.
Accidental DDoS Attack on Google
On the 25th of June 2009, the death of popstar Michael Jackson led to a flurry of Internet searches regarding various aspects of his life. Normally, the death of a celebrity doesn't cause much of a furor and even if it did, it's never enough to
seriously impact large websites or the Internet itself. However, this time was different. The number of search queries was so large and so sudden that Google mistakenly thought that it was the victim of a DDoS attack and took countermeasures to
protect itself.
For a while, those using Google were met with an error message asking them to enter a simple captcha to prove they weren't a bot. However, Google realized what was happening and quickly recovered. They even mentioned the incident in a blog
post.
The incident went on to show that not all DDoS attacks are malicious in nature. Even sites such as Wikipedia and BBC were affected by the sudden surge in Internet traffic. It makes one consider what would happen if there were an outbreak of war.
Is our Internet infrastructure able to handle the combined and persistent usage of the world's traffic all at once? It's a sobering thought.
DDoS Attacks in Iran
Occasionally, DDoS attacks can be used as a means of protest against repressive governments by citizens who want to vent their anger online. Of course, there's always a danger of real criminals calling themselves "regular folk" and thus
justifying DDoS attacks, but the recent protests in Iran have shown what a dedicated online mob can do.
Several Iranian government websites were DDoS'd by masses of Iranian protesters during the recent controversial election. The campaign was spread via Twitter and Facebook with links to websites that facilitated the continuous hitting of
government sites. A new word was coined to describe people using DDoS as a political weapon - hacktivists.
A key concern regarding DDoS attacks in Iran was that the entire Internet infrastructure in the country is centralized. This means that an overload of a network can slow down the Internet not just for those accessing the target sites, but for
everyone else in the country as well. DDoS attacks are therefore shown to be a double-edged sword for those hoping to make a point.