Distributed Denial of Service Attacks
Gary C.

This paper was submitted as the practical exercise in partial fulfillment for the SANS/GIAC Security Essentials Certification (GSEC). A much expanded version will be published as Chapter 11, "Denial of Service Attacks" (by Diane E. Levine and GCK) in the upcoming 4th edition of the Computer Security Handbook, edited by M.E. Bosworth (John Wiley & Sons, in preparation).

This short paper discusses defenses against Distributed Denial of Service (DDoS) attacks. DoS attacks are of particular interest and concern to the Internet community because they seek to render target systems inoperable and/or target networks inaccessible. "Traditional" DoS attacks, however, typically generate a large amount of traffic from a given host or subnet, and it is possible for a site to detect such an attack in progress and defend itself. Distributed DoS attacks are a much more nefarious extension of DoS attacks because they are designed as a coordinated attack from many sources simultaneously against one or more targets. This paper will focus on DDoS attacks only and assumes some basic familiarity with different DoS attacks.

Denial-of-service attacks under a number of guises have been around for decades. Distributed DoS attacks are much newer, first being seen in late June and early July of 1999. The first well-documented DDoS attack appears to have occurred in August 1999, when a DDoS tool called Trinoo (described below) was deployed in at least 227 systems, of which at least 114 were on Internet2, to flood a single University of Minnesota computer; this system was knocked off the air for more than two days. The first well-publicized DDoS attack in the public press was in February 2000. Rather than describe specific DDoS attacks in detail, this paper will define generic DDoS terms and ways in which service providers and user sites can defend themselves against these attacks.