The Early Days: 1995-2000
Business on the Internet didn’t really get going until 1995 when Jeff Bezos founded Amazon.com and Pierre Omidyar began AuctionWeb, which would become eBay. There were very few defenses in place at that time, as the vulnerability of commerce to layer 3 DDoS attacks quickly proved.
The Attack Against Panix and the Internet Society’s Response
In 1996, Panix, NYC’s original Internet Service Provider (ISP), was knocked offline by a DDoS attack that would seem modest by today’s standards but back then took down the ISP for several days, along with all the businesses it served. An average of 150 SYN packets per second (50 per host) were launched at Panix’s SMTP ports, but investigators couldn’t trace the spoofed IP addresses and were unable to filter the malicious traffic. The attack, and the inability to trace or prevent it, began to worry network administrators.
In January 1998, the Networking Group of the Internet Society published its first RFC (Request for Comments), RFC 2267, on the topic of DoS. It focused on forged source addresses and suggested a method for deploying “ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from ‘behind’ an Internet Service Provider’s (ISP) aggregation point”. Using network ingress filtering to reduce the spoofed or forged IP addresses used in TCP SYN, ICMP and UDP flood attacks is a technique still used today. The RFC also noted that, in addition to helping defeat this attack method, Internet traffic filtering can assist service providers in locating the source of an attack “since the attacker would have to use a valid, and legitimately reachable, source address”. Furthermore, RFC 2267 said that most operating system vendors had also modified their software to enable targeted servers to sustain attacks at such a high volume.
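The ingress filtering rule described above can be sketched as follows. This is an added example, not code from the RFC or from the original article; the interface names, prefixes (documentation address ranges) and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed example data: prefixes assigned to customers behind each edge
# interface of a hypothetical ISP (documentation address ranges).
ASSIGNED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}
NETS = {ifc: [ipaddress.ip_network(p) for p in pfx] for ifc, pfx in ASSIGNED.items()}

def permit(interface, src):
    """Forward only if src lies in a prefix assigned to the arrival interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: drop
    return any(addr.version == n.version and addr in n for n in NETS.get(interface, []))

def trace(src):
    """Map a source address that passed the filter back to its customer interface."""
    addr = ipaddress.ip_address(src)
    for ifc, nets in NETS.items():
        if any(addr.version == n.version and addr in n for n in nets):
            return ifc
    return None

def ingress_filter(packets):
    """Split (interface, src, dst_port) tuples into forwarded packets and drop counts."""
    forwarded, dropped = [], Counter()
    for ifc, src, dport in packets:
        if permit(ifc, src):
            forwarded.append((ifc, src, dport))
        else:
            dropped[ifc] += 1
    return forwarded, dropped

# Constructed traffic: SYNs to port 25 arriving from the edge links.
SAMPLE = [
    ("cust-a", "203.0.113.9", 25),    # forged: not customer A's space
    ("cust-a", "10.1.2.3", 25),       # forged: private address
    ("cust-a", "198.51.100.20", 25),  # forged: belongs to customer B
    ("cust-a", "192.0.2.77", 25),     # valid source, so it can be traced
    ("cust-b", "2001:db8:b::5", 25),  # legitimate customer B traffic
]

if __name__ == "__main__":
    fwd, drops = ingress_filter(SAMPLE)
    print("forwarded:", fwd)
    print("dropped per interface:", dict(drops))
    print("192.0.2.77 traces to:", trace("192.0.2.77"))
```

Any flood packet that survives the filter carries a source address inside the sending customer's own prefix, which is what makes the origin locatable.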
The Year 2000 – An Explosion in Internet Usage and DDoS Attacks Booming
Over the four-year period from 1996 to 2000, Internet users increased tenfold, from 36 million to 361 million. Despite the looming dot.com bust in 2000, businesses were rapidly moving online, excitedly turning to the Internet for ecommerce, customer service, payments, etc. Business connectivity went from T-1 (1.5mb/sec) to T-3 (44mb/sec).
Alongside the explosion in Internet traffic and services, the scale and sophistication of DDoS attacks were growing. In early 2000, the attacks by ‘Mafiaboy’ on CNN, Amazon.com, eBay and elsewhere cost $1.7B in damages. Mafiaboy was also one of the first attackers to deploy a bot, taking advantage of Trinoo, an advanced tool, to scan and compromise distributed hosts to serve as zombie machines. There were many more such DDoS attacks across the year, in part because the standardization of protocols and ports, and a widespread consolidation of business applications that was taking place, had the unintentional effect of making DDoS attacks much easier to execute at scale and quicker to spread.
Meanwhile, industry-wide attempts were being launched to tackle DDoS protection services, such as the ICSA.net Birds of a Feather Conference on DDoS attacks, which took place at the RSA 2000 conference in San Jose in January 2000. That same month, SANS asked its membership to deploy published DDoS detection tools to help them determine how broadly the tools were being used. Reports were returned within hours, detailing successful searches.