By security practitioners, for security practitioners

Why is DDoS Still So Effective After 20 Years?

Distributed Denial of Service attacks have existed since 1996. This article delves into the history and why these attacks are still at-large after over 20 years.

Distributed Denial of Service attacks have existed since 1996. The first one was leveraged against the New York internet provider Panix when an attacker used a spoofed-IP-address technique called a SYN flood to overwhelm Panix’s servers with fake “synchronize” packets.

Although the company restored services and recovered within 36 hours, the event was still significant because it was the first recorded major DDoS attack. It was also the first time hackers had used this tactic as an attack method.

Here we are over twenty years later, and attackers still use DDoS to paralyze and infiltrate networks, and despite its brutish and rudimentary strategy, it remains effective.

Let’s take a deeper look at DDoS attacks to learn how they’ve been used and why they’re still the go-to for disruption.

A History of Distributed Denial of Service Attacks (DDoS)

Historically, tech-savvy students developed and used distributed denial of service to prank people in the 1990s. It wasn’t until 1996 that attackers used this method in a cyber-attack.

In 1997, Khan C. Smith launched an attack against the Las Vegas Strip that knocked out internet access for more than an hour during DEFCON.

In 2000, a 15-year-old Canadian hacker dubbed “MafiaBoy” launched a series of DoS attacks against e-commerce sites such as eBay and Amazon.

In 2018, a DDoS attack targeted GitHub with a strike of 129.6 million packets per second (PPS). In 2019, Imperva reported that one of its clients was the target of a DDoS attack that directed 500 million PPS at the network.

In 2022, one of Google Cloud’s customers was the target of an HTTPS DDoS attack of 46 million requests per second (RPS).

Recent DDoS Activities

In recent years, distributed denial-of-service (DDoS) attacks have risen, and this threat landscape is evolving quickly. Those behind the attacks have developed new tactics, techniques, and procedures (TTPs) that they are ready to employ to defeat any preventative mitigation efforts.

Since the beginning of 2024, the Middle East and Europe have been hotbeds of DDoS attacks. Application-layer attacks increased by 43% compared to the same period in 2023, and volumetric attacks increased by 30%. It should also be noted that the pro-Russia hacktivist group known as NoName057(16) focuses on application-layer attacks, specifically HTTP/S GET and POST floods.

Recent Actions by Law Enforcement

Law enforcement is closely watching the activities of hackers behind DDoS attacks to disrupt these gangs and arrest those behind the attacks.

  • Poland—In June 2023, Polish law enforcement arrested two men with possible connections to a DDoS-for-hire service that has been around for about a decade. This followed a collaborative investigation with the support of Europol, the FBI, and law enforcement agencies from the Netherlands, Belgium, and Germany.
  • Germany—In November 2024, German law enforcement took down a DDoS platform that cybercriminals were using to launch attacks and arrested the two men allegedly operating the site. Additionally, infrastructure related to the site, Dstat.cc, was seized, as was Flight RCS, a clear-web marketplace selling synthetic cannabis and designer drugs. The Central Office for Combating Internet Crime (Frankfurt), the Federal Criminal Police Office, and the Hessian State Criminal Police coordinated the takedown operation.
  • Russia—In September 2024, the Russian FSB reported that a Moscow resident was detained for launching DDoS attacks during local elections. These attacks targeted the Moscow region and infrastructure in the capital. According to the FSB report, the 61-year-old used Ukraine-made software on a personal device to carry out the attacks.

Why Are DDoS Attacks Still Happening?

One of the primary reasons we’re still seeing DDoS attacks is their effectiveness and ease of execution. In addition, many experts say that the commoditization of DDoS has made it possible for anyone with a Bitcoin wallet to launch an attack, thanks to the availability of botnets-as-a-service.

Another cause behind the increase in DDoS attacks is global tension. A common motivator for DDoS attacks is an ideological or political agenda, known as “hacktivism.”

Competition and revenge attacks launched by disgruntled or former employees are also prevalent. Security analysts note that business competitors hoping to gain an advantage in the market through sabotage have also launched DDoS attacks.

DDoS attacks can also run interference or create a distraction for cybersecurity defensive teams so that attackers can carry out other attacks—divide and conquer.

Of course, there are many other motivations. Some include settling scores, defending or enforcing ideas, blackmail and extortion, cyberterrorism, and a weird sense of fun.

Serious DDoS attacks at scale can cause tangible revenue losses in the hundreds of thousands or even millions of dollars for larger organizations.

The Incident Response team at Novacoast said DDoS attacks remain prevalent because they are very difficult to mitigate without relying on a third party. Due to the effectiveness of modern DDoS techniques, most organizations couldn’t defend themselves without spending tens, if not hundreds, of millions of dollars on infrastructure and load balancing.

For reference, earlier this year, Cloudflare stopped the largest DDoS attack in history, which was sending 2.14 billion packets every second.

Preventing and Mitigating DDoS Attacks

With no end to the popularity of DDoS attacks in sight, there are still methods for protecting business assets by preventing and mitigating them.

Implement a security plan that reduces the attack surface. Separating assets into different network subnets can help shield web and database servers. Implementing geographic restrictions and blocking traffic from specific regions or countries, as well as traffic that uses outdated protocols, ports, and applications, is also beneficial. Where possible, leverage additional indicators such as user agents and other data from HTTP requests to block incoming attack packets via your firewall platforms.

Identify the defenses available at the perimeter that can be tuned, such as load balancers, to help offload malicious traffic should you experience a DDoS attack. Your ISP may also be able to redirect or drop malicious traffic temporarily.

An adaptive threat monitor analyzes network traffic patterns in real time for spikes or other anomalous activity, helping identify potential threats. More advanced threat detection, such as that available in a Web Application Firewall, may also help defend against automated credential stuffing and password spray attacks, such as those carried out with tools like OpenBullet/SilverBullet.
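As an added example (not code from the article or from Novacoast), the following Python sketches the kind of adaptive monitor described above, applied to the HTTP GET/POST floods mentioned earlier: it parses constructed access-log lines in an assumed combined-log format and flags any source whose request count inside a sliding time window exceeds a threshold, reporting the path concentration and empty user agents that such floods typically show. The log format, thresholds, and sample IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed combined-log-style format:
# ip - - [timestamp] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one normal browser session and one source sending
# 25 POSTs to /login within five seconds with an empty user agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Dec/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Dec/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [16/Dec/2024:10:00:{i // 5:02d} +0000] "POST /login HTTP/1.1" 200 64 "-" ""'
    for i in range(25)
]

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_floods(lines, window_s=10, max_req=20):
    """Return {ip: summary} for sources exceeding max_req requests in any
    window_s-second sliding window. The summary records how concentrated the
    requests are (distinct paths) and how many carried an empty user agent."""
    windows = defaultdict(deque)  # ip -> recent records inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in flagged:
            continue
        q = windows[rec["ip"]]
        q.append(rec)
        while (rec["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()  # evict records that fell out of the window
        if len(q) > max_req:
            flagged[rec["ip"]] = {
                "requests": len(q),
                "distinct_paths": len({r["path"] for r in q}),
                "empty_ua": sum(1 for r in q if r["ua"] in ("", "-")),
            }
    return flagged
```

A flagged entry with a single path and mostly empty user agents is the signature a firewall or WAF rule would key on; the thresholds here are deliberately low so the constructed sample trips them.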

Using the proper method depends on what layer you’re trying to protect. For example, blackholing will protect layer 4, while an ADP (application delivery platform) can inspect SSL traffic on layer 6. Web APIs are also targets of DDoS attacks.

DDoS attacks occurring during high-traffic periods can be especially challenging to handle, and DDoS attacks vary in duration. More than sixty percent will last under 10 minutes, but some can last much longer—anywhere from a few hours to several days.

Defending against DDoS attacks is challenging, even with the right defenses in place, making it critical for organizations to develop a robust security plan and have response procedures well documented for when the first salvo of disruptive packets starts to overwhelm their services.
