Evolution of DDoS Attacks

16 July 2021

The ongoing digital transformation of various businesses has not only significantly increased the load on networks and data centers, but also increased the interest of attackers in DDoS attacks at the network level. Modern DDoS attacks are already approaching 1 Tbit/s in scale.

But the history of DDoS attacks dates back to the 1990s. In 1996, when the Internet was just becoming widespread, a public set of tools for carrying out DDoS attacks, complete with source code, was published on one of the forums.

That source code set the stage for the events of July 22, 1999. On that day, the server of the University of Minnesota was suddenly attacked by a network of 114 computers infected with the malicious Trin00 script. The code forced the infected computers to send data packets to the university in volumes that were huge by the standards of the time, which overloaded the server. This was the first ever DDoS attack, and the practice spread quickly. Within a few months, Yahoo, Amazon and CNN, which were already quite popular, became its victims. Interestingly, one of these attacks was carried out by a 15-year-old Canadian. After these events, blackhole / sinkhole methods were no longer able to neutralize the largest attacks.


In 2003, DDoS attacks reached Russia: MasterHost, the largest hosting provider in the country at that time, was attacked. Four years later, Estonia was subjected to severe distributed denial-of-service attacks. For the first time, a state felt the full power of DDoS attacks. Before that, it was believed that only pranksters and extortionists used such tools, against businesses and local organizations such as universities and schools.

The first half of the 2010s was characterized by constantly broken records for the power of DDoS attacks: 300 Gbps, 500 Gbps, 620 Gbps. Hardware-assisted protection was not enough to neutralize incoming attacks from multiple botnets. Other options were required, and they appeared. The largest network security companies were completing their distributed filtering networks. At the same time, the era of global cloud-based DDoS protection services began.

These days, the DDoS landscape has a high “threshold” for inflicting tangible damage on the target. The most “painful” attacks target medium-sized businesses and usually have one of two motives. The first is to support an intrusion attempt: it is more difficult to return the system to a normal state and stop the attacker when the intrusion is combined with a full-scale DDoS. The second is unlawful competition. For these reasons, botnet owners either sell their services on the darknet or engage in plain extortion as a source of income. In part, it was the high entry threshold for DDoS attacks that made this illegal activity a real business.

Where there is demand, there is also supply: we have already written that today, on the darknet and in specialized Telegram channels, one can find offers to rent a botnet to carry out DDoS attacks for quite modest money. A botnet that can launch an attack of up to 400 Gbps can be used for only a few hundred dollars a week.

Nevertheless, experts believe that we should brace ourselves for an increase in DDoS activity in the foreseeable future. The ubiquity of the Internet of Things, the emergence of 5G networks, and the consequences of the lockdown only help to swell the ranks of cybercriminals. The answer to this will surely be the emergence of even more advanced means of countering DDoS, including machine learning technologies.