Lately, Distributed Denial of Service (DDoS) attacks have grown in popularity and effectiveness, disrupting internet security. Recent DDoS attacks have been increasing in both frequency and severity. Here, we’ll introduce some of the largest and most famous recent DDoS attacks.
DDoS attacks are sometimes carried out to divert the attention of the target organization. While the target organization focuses on the DDoS attack, the cybercriminal may pursue a primary motivation such as installing malicious software or stealing data.
DDoS attacks have been used as a weapon of choice by hacktivists, cyber criminals, nation states and others.
What was the largest DDoS attack of all time?
The biggest DDoS attack took place in February of 2018. This attack targeted GitHub, a popular online code management service used by millions of developers. At its peak, this attack saw incoming traffic at a rate of 1.3 terabytes per second (Tbps). It could send packets at a rate of 126.9 million per second.
There were no botnets involved, because it was a memcached DDoS attack. Attackers leveraged the amplification effect of a popular database caching system known as memcached. The attackers were able to amplify their attack by a magnitude of about 50,000x. They did it by flooding memcached servers with requests whose source address was spoofed to be the target, so that the much larger responses were delivered to GitHub instead of the attacker.
According to GitHub, the traffic was traced back to over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.
GitHub’s traffic graph showed just how much of a difference there was between normal traffic levels and those of the attack.
Luckily, GitHub was using a DDoS protection service, which was automatically alerted within 10 minutes of the start of the attack. This alert sped up mitigation and GitHub was able to stop the attack quickly. The world’s largest DDoS attack only ended up lasting about 20 minutes.
Other famous and recent DDoS attacks
Mirai IoT botnet – 2017
In October 2016, a technically simple but innovative DDoS attack was launched by way of the Mirai botnet. It made use of insecure internet of things (IoT) devices such as IP cameras.
It was pointed at Oracle-owned internet management business Dyn and at its peak reached 1.2 Tbps. Targeting the west coast of America, it took popular sites including Twitter, Netflix and Reddit offline for a time.
It had also been pointed at security journalist Brian Krebs’ personal site, Krebs on Security, where it reached 665 Gbps.
Eventually, in December 2017, two suspects admitted guilt in developing and using the botnet. They ran a business that provided DDoS mitigation.
Melbourne IT – 2017
Melbourne IT, as well as two of its subsidiaries, Netregistry and TPP Wholesale, suffered a DDoS attack on April 13. The assault began at 10:00 local time. It forced the victimized organizations to inform customers that their cloud hosting and mailing platforms, among other services, were unavailable at the time.
DreamHost – 2017
On August 24, a DDoS attack deluged web hosting provider and domain name registrar DreamHost, knocking its systems offline. In particular, it knocked out its DNS infrastructure.
The Register’s Iain Thomson believes the attack came from people who opposed the company’s decision, made that same day, to take on Punished Stormer as a customer. Punished Stormer was a rebirth of the neo-Nazi Daily Stormer website, for which CloudFlare had terminated service following the Charlottesville protests. DreamHost mitigated the attack a few hours later.
UK National Lottery – 2017
Someone decided to target the UK National Lottery with a DDoS campaign after 19:00 local time on September 30. The attack knocked the Lottery’s website, www.national-lottery.co.uk, and its mobile app offline. It prevented many UK citizens from playing the Lottery unless they visited a partner retailer to purchase a ticket.
By 23:00 local time, the bulk of the attack had died down. Even so, the Lottery’s website and app continued to experience lesser issues until 03:00.
Electroneum – 2017
The cryptocurrency startup Electroneum had crowdfunded $40 million worth of Bitcoin and Ether through an Initial Coin Offering (ICO). Just before it launched its mobile mining app on November 2, the company’s website suffered a DDoS attack.
The campaign led Electroneum to lock investors out of their accounts while it worked to restore its network access. In the meantime, the Financial Conduct Authority took a moment to remind investors that ICOs offer no protection, meaning investors should be prepared to lose their entire stake.
Boston Globe – 2017
It happened on November 8 at approximately 15:00 EST. The Boston Globe suffered what was likely a probe to measure the anti-DDoS defenses of bostonglobe.com and other websites owned by the company. This initial wave disrupted the newspaper’s telephones and interrupted its editing system.
Eventually, the bad actors took the results of their test and resumed their attack at 11:00 EST on November 9. In this way, they prevented many Boston Globe employees from doing their jobs and made bostonglobe.com inaccessible. Relief eventually came in mid-afternoon when the company’s Internet service provider put effective anti-DDoS measures in place.
Dyn attack – 2016
The second biggest DDoS attack took place in October 2016. It was directed at Dyn, a major DNS (Domain Name System) provider. This attack created disruption for many major sites, including AirBnB, Netflix, PayPal, Visa, Amazon, The New York Times, Reddit, and GitHub. It was done using a malware called Mirai. Mirai creates a botnet out of compromised Internet of Things (IoT) devices such as cameras, smart TVs, radios, printers, and even baby monitors. To create the attack traffic, these compromised devices are all programmed to send requests to a single victim.
Fortunately, Dyn was able to resolve the attack within one day, but the motivation for the attack was never discovered. There are suspicions that the attack was carried out by an angry gamer.
Mumsnet DDoS attack by @DadSecurity – 2015
A campaign group called “@DadSecurity” is suspected of carrying out the oddest ideological attack of recent times. They did it as part of a wider campaign of harassment that included having an armed police team dispatched to the house of Mumsnet founder Justine Roberts.
GitHub attack – 2015
This one also happened in 2015 and targeted GitHub. This politically motivated attack lasted several days and adapted itself around the DDoS mitigation strategies that were put in place. The DDoS traffic originated in China and it is strongly suspected that the Chinese Government oversaw the attack.
This DDoS attack specifically targeted the URLs of two GitHub projects aimed at circumventing Chinese state censorship. It is speculated that the intent of the attack was to pressure GitHub into removing those projects.
OCCUPY CENTRAL, HONG KONG – 2014
This attack was carried out in 2014 and targeted the Hong Kong-based grassroots movement known as Occupy Central. The movement was campaigning for a more democratic voting system.
In response to their activities, attackers sent large amounts of traffic to three of Occupy Central’s web hosting services, as well as to two independent sites: PopVote, an online mock election site, and Apple Daily, a news site. Neither was owned by Occupy Central, but both openly supported its cause. Presumably, those responsible were reacting to Occupy Central’s pro-democracy message.
The attack brought down servers with packets disguised as legitimate traffic. Moreover, it was conducted with not one, not two, but five botnets. This resulted in peak traffic levels of 500 gigabits per second.
CLOUDFLARE – 2014
In 2014, security provider and content delivery network CloudFlare was slammed by approximately 400 gigabits per second of traffic. The attack was directed at a single CloudFlare customer and targeted servers in Europe. It was launched with the help of a vulnerability in the Network Time Protocol (NTP), a networking protocol for computer clock synchronization. Even though the attack was directed at just one of CloudFlare’s customers, it was so powerful that it affected CloudFlare’s own network.
This attack illustrated a technique in which attackers use spoofed source addresses so that large volumes of NTP servers’ responses are sent to the victim. This is known as “reflection,” since the attacker is able to mirror and amplify traffic.
Shortly after the attack, the U.S. Computer Emergency Readiness Team explained that NTP amplification attacks are especially difficult to block, because the responses are legitimate data coming from valid servers.
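As an added example (not code from the original article), the detection logic below serves both the memcached amplification described in the GitHub section and the NTP reflection described here: it groups constructed flow records by destination and reflector service and flags floods that arrive from many reflectors at once with a high byte volume, which is the signature a defender looks for. The IP addresses, thresholds and flow-record layout are assumptions.

```python
from collections import defaultdict

# UDP services abused as reflectors on this page: memcached (11211) and NTP (123).
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp"}

# Constructed flow records for a one-second window:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes). Not real traffic.
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 40000, 400, 560000),
    ("198.51.100.11", 11211, "203.0.113.5", 40000, 380, 532000),
    ("198.51.100.12", 11211, "203.0.113.5", 40000, 410, 574000),
    ("192.0.2.20", 123, "203.0.113.5", 40000, 300, 144000),
    ("192.0.2.21", 123, "203.0.113.5", 40000, 290, 139200),
    ("192.0.2.22", 123, "203.0.113.5", 40000, 310, 148800),
    ("192.0.2.50", 53, "203.0.113.9", 51000, 2, 300),          # ordinary DNS reply
    ("198.51.100.99", 11211, "203.0.113.9", 51000, 1, 900),    # one legitimate cache response
]


def detect_reflection(flows, min_sources=3, min_bytes_per_sec=100_000):
    """Group flows by (destination, reflector service) and flag groups where
    many distinct reflectors send a large volume to one host in the window.
    A single reflector talking to a host is normal; dozens at once is not."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, pkts, nbytes in flows:
        service = REFLECTOR_PORTS.get(src_port)
        if service is None:            # not a reflector-style source port
            continue
        g = groups[(dst_ip, service)]
        g["sources"].add(src_ip)
        g["packets"] += pkts
        g["bytes"] += nbytes

    alerts = {}
    for key, g in groups.items():
        if len(g["sources"]) >= min_sources and g["bytes"] >= min_bytes_per_sec:
            alerts[key] = {
                "reflectors": len(g["sources"]),
                "bytes_per_sec": g["bytes"],
                # large average packets from a reflector port hint at amplified responses
                "avg_packet_bytes": g["bytes"] // g["packets"],
            }
    return alerts


if __name__ == "__main__":
    for (dst, service), info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{dst}: {service} reflection flood from {info['reflectors']} reflectors, "
              f"{info['bytes_per_sec']} B/s, avg packet {info['avg_packet_bytes']} B")
```

In production the same grouping runs over NetFlow or sFlow exports, and the thresholds are tuned to the site’s baseline so that ordinary NTP or cache traffic never trips it.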
Spamhaus attack – 2013
Another largest-ever-at-the-time attack was the 2013 attack launched on Spamhaus, an organization that helps combat spam emails and spam-related activity. Spamhaus is responsible for filtering as much as 80% of all spam. This makes it a popular target for people who would like to see spam emails reach their intended recipients.
The attack drove traffic to Spamhaus at a rate of 300 Gbps. Once the attack began, Spamhaus signed up for Cloudflare, whose DDoS protection mitigated the attack. The attackers responded by going after certain internet exchanges and bandwidth providers in an attempt to bring down Cloudflare. This attack did not achieve its goal; it did, however, cause major issues for LINX, the London internet exchange. The main culprit of the attack turned out to be a teenage hacker-for-hire in Britain who was paid to launch this DDoS attack.
Manchester casino extortion attack – 2013
This is a rarely publicized example of DDoS in the service of extortion. The attack on a Manchester-based online casino came after its owner refused to hand over half the business to Polish nationals Piotr Smirnow and Patryk Surmacki. Both of them were eventually arrested at Heathrow Airport while trying to leave the country, and they were then jailed.
SPAMHAUS – 2013
In 2013, a DDoS attack was launched against Spamhaus, a nonprofit threat intelligence provider. Although Spamhaus, as an anti-spam organization, was and is regularly threatened and attacked, this DDoS attack was large enough to knock their website offline, as well as part of their email services.
Like the 2014 attack on CloudFlare mentioned above, this attack utilized reflection to overload Spamhaus’ servers with 300 gigabits of traffic per second.
The attack was traced to a member of a Dutch company named CyberBunker, who seemingly targeted Spamhaus after it blacklisted CyberBunker.
Attack on the BBC by Iran – 2012
Iran took down the BBC’s email server for a while. The attack disrupted its Persian Service and even overloaded its telephone exchange with large numbers of phone calls.
U.S. BANKS – 2012
In 2012, not one, not two, but six U.S. banks were targeted by a string of DDoS attacks. The victims were no small-town banks either: They included Bank of America, JP Morgan Chase, U.S. Bancorp, Citigroup and PNC Bank.
The attack was carried out by hundreds of hijacked servers, each of which created peak floods of more than 60 gigabits of traffic per second.
At the time, these attacks were unique in their persistence. Rather than conducting one attack and then backing down, the perpetrators bombarded their targets with many methods in order to find one that worked. So, even if a bank was equipped to deal with a few types of DDoS attacks, it was helpless against other types.
DDoS attack on Oxford and Cambridge universities – 2012
A single 20-year-old individual was blamed for the DDoS attacks on Oxford and Cambridge universities. He was later imprisoned for a range of cyber crimes. This attack disrupted the universities’ websites for a period of days in 2011 and 2012. It was never clear why the named man attacked the universities, but the ease with which one person could cause so much trouble for large institutions was noted at the time.
LulzSec “Tango down” DDoS attacks – 2011
A small collection of mainly British youths that hid behind the LulzSec moniker loved their DDoS attacks. The group gave the Anonymous movement its UK brand. Several big UK organisations were targeted; the attack that downed the Serious Organised Crime Agency (SOCA) website in June 2011 was probably the last straw.
Estonia attack – 2007
In April 2007 the nation of Estonia was hit with a massive DDoS attack targeted at government services as well as financial institutions and media outlets. This had a crushing effect, since Estonia’s government was an early adopter of online government and was practically paperless at the time; even national elections were conducted online.
The attack came in response to a political conflict with Russia over the relocation of the ‘Bronze Soldier of Tallinn’, a World War II monument. This attack is considered by many to be the first act of cyber warfare. The Russian government is suspected of involvement, and an Estonian national from Russia was arrested as a result. But the Russian government has not let Estonian law enforcement carry out any further investigation in Russia. This trouble led to the creation of international laws for cyber warfare.
Mafiaboy attack – 2000
In 2000 a 15-year-old hacker known as ‘Mafiaboy’ took down several major websites including CNN, Dell, E-Trade, eBay, and Yahoo. These major websites were, at the time, the most popular search engines in the world. This attack had devastating consequences, including creating chaos in the stock market.
Mafiaboy coordinated the attack by hacking into the networks of several universities and leveraging their servers to conduct the DDoS attack. He was later revealed to be a high schooler named Michael Calce. The consequences of this attack directly led to the creation of many of today’s cyber crime laws.
The most recent attacks described above used a method that is increasingly popular with cyber criminals and does not require botnets. Criminals take advantage of thousands of improperly configured memcached servers to launch attacks.