Every insidious and pervasive menace plaguing society has to begin somewhere. As more and more devices are connected to networks and information is shunted to the cloud, industrial cyberattacks continue to rise. Sophos’ recent State of Ransomware 2022 report showed that incidents of ransomware were up 78% from 2020 to 2021. But ransomware is far from the only cyber threat to industrial systems. A recent article from endpoint protection company Crowdstrike stated that the fourth most common type of cyberattack is the denial-of-service (DoS) or distributed-denial-of-service (DDoS) attack. DDoS attacks have impacted everyone from private companies such as tech giant Google (2020) and Amazon Web Services (2020), to critical infrastructure and sovereign nations. A massive DDoS strike hit Israel earlier this year, taking down several key government websites.
But while these types of attacks have made headlines in recent years, they’ve actually been around for a surprisingly long time. Some date the initial DDoS attack as far back as 1974, but the first major strike came in August 1999, courtesy of a tool called Trinoo. Both of these early attacks went after prominent Big Ten universities. Since then, they have grown to become some of the most persistent and damaging intrusions in the cybersecurity universe.
What are DDoS attacks?
According to Dr. James Stanger, chief technology evangelist at CompTIA, a DDoS attack “is a malicious attempt to sabotage a network by overwhelming its ability to process legitimate traffic and requests. In turn, this activity denies the victim of a service, while causing downtime and costly setbacks. A DDoS attack is a network-based attack; it exploits network-based internet services like routers, domain name service (DNS) and network time protocol (NTP), and is aimed at disrupting network devices that connect your organization to the internet. Such devices include routers (traditional WAN, as well as ISP edge routers), load balancers and firewalls.”
The difference between a DoS attack and a DDoS attack comes down to that first “D,” meaning distributed. A DoS attack targets a particular resource, such as an industrial control system (ICS), whereas a DDoS attack goes after the devices that provide access and connectivity. DoS attacks tend to come from a single source, while DDoS attacks come from a large network of devices, or a botnet.
According to an article from the Info Security Group, DDoS attacks surged in 2020, in large part due to the COVID-19 pandemic, which accelerated digital transformation and saw more people — including those in manufacturing — moving to work from home. DDoS attacks are not particularly difficult to execute and can cause massive disruptions. Though the most high-profile attacks have targeted private industry, ICSs are also vulnerable, especially with the emergence of the Industrial Internet of Things (IIoT).
The earliest DDoS attack
What is widely considered the first-ever DDoS attack came from an unlikely source at an unlikely time. It happened in 1974 — well before the modern computer era — and was perpetrated by a 13-year-old Illinois resident named David Dennis. The young teenager was a student at University High School, located across the street from the Computer-Based Education Research Laboratory (CERL) at the University of Illinois Urbana-Champaign.
According to an article in Radware, “David recently learned about a new command that could be run on CERL’s PLATO terminals. PLATO was one of the first computerized shared learning systems, and a forerunner of many future multi-user computing systems. Called ‘external’ or ‘ext,’ the command was meant to allow for interaction with external devices connected to the terminals. However, when run on a terminal with no external devices attached it would cause the terminal to lock up — requiring a shutdown and power-on to regain functionality.”
Dennis wondered if he could cause a room full of users to be locked out simultaneously, so he created a program that would send the “ext” command to several PLATO terminals at once. When he tested his program at CERL, it forced 31 users to power off at the same time.
The next evolution of DDoS
DDoS attacks didn’t go mainstream or prove the extent of the damage they could unleash for another 25 years, until August 1999. The first well-known DDoS attack utilized a tool called Trinoo, also known as trin00, to wreak havoc at the University of Minnesota. The attack lasted two days, was deployed on at least 227 systems and managed to disable the university’s computer network.
The same Radware article laid out how Trinoo operated: “Trinoo consisted of a network of compromised machines called ‘Masters’ and ‘Daemons,’ allowing an attacker to send a DoS instruction to a few Masters, which then forwarded instructions to the hundreds of Daemons to commence a UDP flood against the target IP address. The tool made no effort to hide the Daemons’ IP addresses, so the owners of the attacking systems were contacted and had no idea that their systems had been compromised and were being used in a DDoS attack.”
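The distinction drawn above between a DoS attack (one source) and a DDoS attack (a botnet of many sources), and the UDP flood that Trinoo’s daemons generated, can both be made concrete from the defender’s side with flow records. The following is an added example, not code from this article, from Radware or from any real tool: it reads constructed flow records (timestamp, source, destination, protocol, packet count), sums UDP packets per destination over a one-second window, and labels a destination as baseline, single-source flood (DoS) or distributed flood (DDoS) based on the packet rate and the number of distinct sources. The packets-per-second threshold, the source-count threshold and the flow-line format are all assumptions for the sake of the example.

```python
"""Triage of UDP flood traffic from flow records (added example).

All flow records below are constructed; the thresholds are assumptions
that would be tuned against a network's normal traffic baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed thresholds for this example, not values from the article.
PPS_THRESHOLD = 1000        # UDP packets per second toward one destination
MIN_SOURCES_FOR_DDOS = 10   # distinct sources before a flood counts as distributed


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds (constructed)
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    packets: int


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'ts src dst proto packets' line into a Flow."""
    ts, src, dst, proto, packets = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(packets))


def triage_udp(flows: Iterable[Flow], window_seconds: float = 1.0) -> Dict[str, Tuple[str, float, int]]:
    """Return {dst: (verdict, packets_per_second, distinct_sources)}.

    verdict is "baseline" (under the rate threshold), "dos" (over the
    threshold from few sources) or "ddos" (over the threshold from many).
    Only UDP flows are counted; TCP flows are ignored here.
    """
    packets_by_dst: Dict[str, int] = defaultdict(int)
    sources_by_dst: Dict[str, set] = defaultdict(set)
    for flow in flows:
        if flow.proto != "udp":
            continue
        packets_by_dst[flow.dst] += flow.packets
        sources_by_dst[flow.dst].add(flow.src)

    result: Dict[str, Tuple[str, float, int]] = {}
    for dst, total in packets_by_dst.items():
        pps = total / window_seconds
        n_sources = len(sources_by_dst[dst])
        if pps < PPS_THRESHOLD:
            verdict = "baseline"
        elif n_sources >= MIN_SOURCES_FOR_DDOS:
            verdict = "ddos"   # many sources: the botnet pattern
        else:
            verdict = "dos"    # one or a few sources
        result[dst] = (verdict, pps, n_sources)
    return result


def build_sample_flows() -> List[Flow]:
    """Constructed one-second window of flow records (documentation IP ranges)."""
    lines: List[str] = []
    # 50 distinct sources sending 100 UDP packets each to 10.0.0.5: distributed flood
    for i in range(1, 51):
        lines.append(f"0.{i:02d} 192.0.2.{i} 10.0.0.5 udp 100")
    # One source sending 2400 UDP packets to 10.0.0.6: single-source flood
    for _ in range(3):
        lines.append("0.10 198.51.100.7 10.0.0.6 udp 800")
    # Five sources, 20 packets each, to 10.0.0.7: ordinary traffic
    for i in range(1, 6):
        lines.append(f"0.20 203.0.113.{i} 10.0.0.7 udp 20")
    # A large TCP flow that must not be counted as UDP
    lines.append("0.30 203.0.113.9 10.0.0.5 tcp 5000")
    return [parse_flow_line(line) for line in lines]


if __name__ == "__main__":
    for dst, (verdict, pps, n_src) in sorted(triage_udp(build_sample_flows()).items()):
        print(f"{dst}: {verdict:8s} {pps:8.0f} pps from {n_src} source(s)")
```

The source-count check is what separates the two cases in practice: a single-source flood can be stopped by blocking one address, while a distributed flood from dozens or hundreds of addresses needs upstream rate limiting or scrubbing, which is why the article treats the two as different problems.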
The problem grows
As the new millennium dawned, DDoS attacks became much more pervasive. By 2000, this technique had been used against businesses, financial institutions and government agencies, shining a very public light on DDoS and DoS attacks.
As previously mentioned, DDoS attacks are on the rise again, thanks to the explosion of connected devices and the expansion of the Internet of Things. Unfortunately for manufacturers and businesses, many IoT and IIoT devices are older and were not designed with security in mind, making them extremely susceptible to something like a botnet. These days, the attack surface is larger than ever, leaving a ripe environment for DDoS and DoS threat actors.