The internet is not something that you just dump something on. It’s not a big truck. It’s a series of tubes. Those tubes can be filled, and if they are overfilled, bad things happen. This is the basic idea behind denial-of-service attacks: to render a computer resource unavailable to its intended users, often simply by flooding the target system with more traffic (ping requests, for example) than it can handle. These attacks have become increasingly ubiquitous, largely because they are relatively easy to execute. Below is a brief history of fascinating and noteworthy DoS and DDoS (distributed denial-of-service) attacks. The results reveal a surprising evolutionary trend: where the earliest incidents were generally launched for fun or profit, contemporary DoS attacks have become a prominent means of protest and dissent.
- 2 Nov 1988: the Morris worm, written by Cornell CS grad student Robert Morris, was the very first significant DoS attack. Morris put roughly 5000 machines out of commission for several hours.
- Mar 1998: Attackers exploited a problem with Windows NT servers, and successfully drove thousands of NT stations, including ones at NASA, MIT, the U.S. Navy, and UC Berkeley, offline. This DoS attack led to the formation of the FBI’s Infrastructure Protection and Computer Intrusion Squad, better known as the Power Rangers.
- 26 Mar 1999: The Melissa virus, written by David L. Smith, was a mass-mailing macro virus. Once it penetrated a computer, Melissa gained access to Microsoft Outlook and began self-replicating, mailing itself to the infected user’s correspondents. Because of the virus’ rapid rate of replication, many email systems were overwhelmed by the traffic; Melissa ultimately incapacitated the email networks of over three hundred U.S. corporations.
- Jan 2001: Register.com was targeted and booted offline by a DDoS attack that used DNS servers as reflectors: the attackers sent forged requests for the MX records of AOL.com, so that the replies were reflected onto Register.com. It lasted roughly a week before it could be traced back and disabled.
- Oct 2002: attackers performed a DNS Backbone DDoS attack on DNS root servers, machines intended to provide service to all Internet users. The attackers succeeded in disrupting service at nine of the thirteen American root servers.
- Feb 2007: over 9,000 online game servers for games such as Counter-Strike, Halo, and Return to Castle Wolfenstein were attacked by “RUS,” a Russian hacker group. The DDoS attack was executed from over a thousand units located in Russia, Uzbekistan, and Belarus. Terrorists win.
- Mar 2007: Mininova suffered a massive DDoS attack that completely incapacitated the premier BitTorrent tracker. Though trackers are hardly strangers to DoS attacks, this incident was the first time that one of the world’s largest index sites, which generally have a tremendous traffic capacity, was noticeably hammered by a concerted and intercontinental DDoS effort.
- 25 Apr 2007: Ethnic Russian Estonians launched a series of DDoS attacks against Estonian businesses and institutions, including the website of Prime Minister Andrus Ansip’s Reform Party. The attacks were set against the backdrop of ethnic riots prompted by the removal of a Soviet war memorial from the center of Tallinn, Estonia. David Emm, senior technical consultant at Moscow-based antivirus software company Kaspersky Lab, told BBC reporters that he believed the most likely culprits were, “younger types who, in other days, would have been writing and spreading viruses.” Dmitri Galushkevich, a twenty-year-old ethnic Russian, was later convicted for his involvement in the attacks.
- Jan 2008: Members of “Anonymous,” a self-branded collective of unnamed individuals from various internet subcultures, launched a DDoS-based attack on the Church of Scientology in response to alleged acts of intimidation and censorship. On January 20, the group flooded Scientology.org with as much as 220 Mbps of traffic, succeeding in knocking the site offline. On January 21, thirteen-year-old boys everywhere celebrated their “epic win.”
- 19 Apr 2008: CNN reported that its news site had been targeted by DoS attacks, resulting in slowed or unavailable service in limited areas of Asia. A CNN article on the subject cited reports by Asian tech sites that Chinese hackers were targeting the news conglomerate in response to its coverage of the unrest in Tibet. Many Chinese bloggers accused CNN and other leading Western news organizations of taking a pro-Tibetan stance when reporting on the region’s civil turmoil.
- Apr 2009: Malware hunters at Symantec discovered that malicious files embedded in pirated copies of Apple’s iWork 09 software spawned what appears to have been the first Mac OS X botnet, which launched DDoS attacks on an unknown website. Virus Bulletin researchers Mario Ballano Barcena and Alfredo Pesoli found two variants, OSX.Iservice and OSX.Iservice.B, using different techniques to obtain users’ passwords and assume control of the infected machines.
- 5 May 2009: In an ironic twist, members of 4chan, the world’s largest and most notorious English-language imageboard, launched a successful DDoS attack… on themselves. Spammers posted images with a link promising free porn, which led instead to a zip file containing an auto-executing virus. The attack was allegedly carried out by a college student who wanted to take down the site so he could study for finals without being distracted by /b/.
- May 2009: Millions of Chinese internet users were unable to access the internet because of a massive DDoS attack that knocked the DNS servers of one of the country’s registrars offline. Konstantin Sapronov, head of Kaspersky’s Virus Lab in China, commented, “The incident revealed holes in China’s DNS that are ‘very strange’ for such a big country.” The registrar that was attacked hosted the DNS for the video streaming site Baofeng; traffic to this site was so high that its unanswered DNS requests created an additional traffic jam, essentially multiplying the attack.
- 15 Jun 2009: Sites belonging to Iranian news agencies, President Mahmoud Ahmadinejad, and Iran’s supreme leader Ayatollah Ali Khamenei were knocked offline when activists protesting the results of the recent Iranian elections used DoS attacks to flood the sites with traffic. In his article “With Unrest in Iran, Cyber-attacks Begin,” Robert McMillan, a reporter with IDG News Service, comments, “This type of attack, known as a denial of service (DoS) attack, has become a standard political protest tool, and has been used by grassroots protesters in several cyber-incidents over the past few years, including cyber events in Estonia in 2007 and Georgia last year.” The activists used both web-based page-refresh tools, including Pagereboot.com, and custom tools promoted via Twitter, blogs, and activists abroad.