Evolution of DDoS Attacks: From the 1990s to Today

Initially, DDoS attacks began as harmless pranks by tech-savvy students in the United States. However, over the past 30 years, they have evolved into a powerful weapon against corporations and government entities. This brief history of DDoS attacks is for those who want to know more.

Evolution of DDoS Attacks: From the 1990s to Today

The 1990s: When Pranks Went Too Far

The world first heard of DDoS (Distributed Denial of Service) attacks in the 1990s. Back then, the internet was still becoming mainstream, and anyone skilled with computers was often seen as a hacker.

A major figure in DDoS history is Kevin Mitnick. In 1994, this notorious hacker used a large number of SYN packets to attack his long-time rival, Tsutomu Shimomura. This technique, which became known as a SYN Flood, effectively incapacitated his opponent’s computer.

It is believed that this moment marked the first successful DoS (Denial of Service) attack. Later, Mitnick expanded that scheme by initiating traffic from multiple computers at once, coining the term “distributed,” which led to the birth of DDoS attacks.

Two years later, an intriguing set of open-source utilities appeared on an online forum. That toolkit allowed users to remotely launch numerous simultaneous strikes against targets’ resources.

Then, on July 22, 1999, the University of Minnesota’s computer system was unexpectedly attacked by a network of 114 infected computers. Those devices had been compromised by a malicious script known as Trin00, which flooded the university’s systems with massive packets of data, preventing them from responding to legitimate users. The Trin00 script was based on that very open-source code released three years earlier.

Evolution of DDoS Attacks: From the 1990s to Today

The 2000s: The First Major Strikes

One of the key events of the early 2000s was a series of DDoS attacks targetting .com domain websites. The main character of this story was a Canadian teenager with the nickname Mafiaboy. Using the same SYN Flood method Mitnick had pioneered, Mafiaboy wreaked havoc on major companies like Yahoo!, Amazon, eBay, CNN, Dell, and many others for several days. All of his attacks were launched from compromised university computers.

This incident attracted the attention of both the public and businesses, and for the first time, DDoS attacks were recognized as a significant cyber threat at the governmental level.

By 2002, the IT community began discussing emerging DDoS methods. Hackers increasingly employed HTTP protocols and external resource requests more frequently, often spoofing the victim’s IP address to flood the target with responses, ultimately overwhelming the servers.

In 2005, major IT and telecommunications companies formed an anti-hacker alliance to address the escalating DDoS threat. Attacks were becoming more frequent and more powerful, with victims experiencing DDoS assaults at speeds of tens of Gbps, far exceeding the previous benchmarks of hundreds of Mbps.

Around the mid-2000s, a new phenomenon appeared: RDDoS (Ransom DDoS). Hackers would not only launch attacks but also threaten companies with future ones, demanding a ransom to stop or prevent those assaults. Several UK betting companies fell victim to that tactic during the Cheltenham Horse Racing Festival.

During that period, hackers also started renting out DDoS infrastructure, marking the rise of the first botnets.

Another significant event was the creation of the first specialized solutions for protecting against DDoS attacks. Israeli company Riverhead developed a cybersecurity product, and soon after, Arbor Networks (USA) launched a similar solution. Eventually, Cisco Systems acquired Riverhead, solidifying its position as a major player in the anti-DDoS market.

The 2000s also saw the emergence of the first cloud-based DDoS protection tools, including Prolexic (now part of Akamai), BlackLotus, Dragonara, and others.

The 2010s: The Rise of Hacktivism and New Tools

In 2007, Estonia faced severe DDoS attacks that shook the country. The malicious traffic was collectively generated by activists around the world, a phenomenon that later became known as hacktivism.

That movement gained significant momentum in the early 2010s, as hacker tools like Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC) became widely accessible. Those tools allowed ideologically motivated hackers to overload victims’ resources with data using TCP, UDP, and HTTP protocols.

By 2013, record-breaking attacks had reached 300 Gbps, and during the 2016 Olympics, they surged to 500 Gbps. Just a month later, the figure hit 620 Gbps.

The 620 Gbps attack was launched by the notorious Mirai botnet, targeting the website of security journalist Brian Krebs. Later, Mirai incapacitated Dyn DNS, one of the largest DNS service providers in the US, affecting clients like Twitter, GitHub, and Spotify. Investigations revealed that the attack involved over 100,000 devices connected to the botnet.

While it’s unclear how much influence hacktivism had on the development of botnets like Mirai, the 2010s saw the rise of several ideologically driven hacker groups, including Anonymous, who orchestrated numerous DDoS attacks on corporations and organizations that opposed online piracy and torrenting.

Read more: Famous Hacker Groups: Their Methods and Tools

The 2020s: Records on All Fronts

In this decade, the number of DDoS attacks has been growing at an unprecedented pace. According to our report on DDoS attacks in 2023, the number of incidents increased by 63%. By the end of 2024, preliminary data suggests that the volume of DDoS attacks will have grown by at least 100%.

Moreover, the number of devices involved in botnets now reaches hundreds of thousands, a stark contrast to the earlier concernover DDoS attacks involving just 100 devices. Experts attribute this growth to the rise of IoT devices and the increasing popularity of smart home technologies.

Read more: Smart Homes and DDoS Attacks: How Everyday Devices Become Cyber Threats

DDoS attack power has also surged, with average attack volumes now measured in tens of Tbps, and peak attack rates reaching tens of millions of requests per second.

Finally, attackers are constantly updating their methods and tools. Multi-vector, carpet-bombing, and other complex DDoS attacks have become frequent. Many of these attacks are powered by AI and machine learning technologies, making them harder to defend against. As a result, potential victims increasingly require specialized multi-layered network security solutions, such as those offered by StormWall.

DDoS Protection for Websites

  • Activate protection in 10 minutes
  • 24/7 technical support