
If you’ve managed a network for more than a week, chances are you’ve seen it, or at least worried about it: the DDoS attack. You know the symptoms. Traffic spikes. Routing instability. Customers raising tickets before monitoring even kicks in.
But how did we get here? What exactly qualifies as a DDoS attack today, and how has it evolved from script-kiddie chaos to geopolitical weapon? This post explores the origins, classification, motivations, and infamous examples that shaped how we understand DDoS today.
What is a DDoS attack?
At its simplest, a Distributed Denial-of-Service (DDoS) attack involves overwhelming a target (typically a network, server or application) with traffic from multiple sources, making it unresponsive to legitimate users. It’s ‘distributed’ because the attack is coordinated across many endpoints: botnets, amplifiers, hijacked proxies, and in some cases, legitimate cloud infrastructure.
But that’s just the surface. There’s a range of intent, scale, and method behind each attack. What separates a few bots from a network-wide disruption comes down to technique and amplification, not just brute force.
Pre-DDoS: local exploits and manual floods
Before the rise of distributed attacks, denial-of-service was largely limited to local or single-source exploits: a single malformed packet that crashed a host (Ping of Death, WinNuke) or a SYN flood sent from one machine, such as the 1996 attack on the ISP Panix. The first incidents of the late 1990s weren't motivated by money or politics. They were about control, or more often, boredom, and impact was usually limited to a single machine or subnet.
1999–2000: The first coordinated floods
The real shift came with tools like Trinoo, Tribe Flood Network (TFN) and Stacheldraht. These were among the first to give a single attacker remote control over many compromised Unix systems, through a handler/agent hierarchy, to launch simultaneous floods: UDP and ICMP floods, then SYN floods and Smurf-style amplification. With them, attackers could orchestrate hundreds of compromised machines against a single service. The victims? Rival hackers, gaming servers, university networks.
These early botnets weren't self-propagating. Each handler and agent had to be installed by hand on a host the attacker had already broken into. Still, the damage was clear: university servers were taken offline, and attackers began testing the limits of bandwidth-based disruption.
In February 2000, a coordinated series of attacks hit Yahoo!, CNN, eBay, Amazon and others, taking them offline with what we'd now recognise as simple volumetric floods. The attacks, later attributed to a 15-year-old known as Mafiaboy and launched from compromised university servers, didn't rely on clever exploits, just volume and timing. And they worked.
2001–2003: Worms, bandwidth, and botnets
The next leap came with self-propagating worms like Code Red (2001), Nimda (2001) and SQL Slammer (2003). These spread without user interaction, compromising tens of thousands of Windows machines in minutes; Slammer, a single 376-byte UDP packet, infected most of its victims within about ten minutes. Code Red even carried a built-in flood against the whitehouse.gov IP address. Attackers quickly realised they could harness this scale for DDoS.
Botnets formed using these infected systems gave attackers thousands of nodes with real bandwidth. Unlike modem-era hosts, broadband-connected devices could push sustained traffic measured in megabits per second, multiplied across thousands of endpoints.
Malware like Agobot added scanning, backdoor access, and built-in flood capabilities, bringing automation to propagation, control, and attack delivery.
2005 onwards: DDoS becomes a service
With growing scale and automation came commercialisation. By the mid-2000s, online services known as booters or stressers appeared. These offered DDoS-as-a-service to anyone with basic funds and a target IP.
Typical services allowed customers to select attack types (UDP, TCP, HTTP, DNS) and set duration, often with subscription pricing. No technical knowledge was required. Payment could be made through PayPal, Liberty Reserve, or later, cryptocurrency.
Early booters ran from rented servers at hosting providers that did not filter spoofed source addresses, combined with reflection. Over time the infrastructure shifted to compromised IoT devices, misconfigured cloud VMs and home routers: easy to infect and hard to trace.
Amplification and reflection
Reflection-based amplification became a popular tactic. Instead of relying entirely on botnet bandwidth, attackers spoofed victim IPs in queries to open services like DNS, NTP, or Memcached. These services responded with far more data than the request, redirecting a large payload to the victim.
How much traffic a reflector returns depends on the service: a DNS response is typically 28 to 54 times the size of the query, NTP's monlist command returned more than 500 times its request, and Memcached pushed the factor into the tens of thousands. That is how a single spoofing host could generate well over 1 Gbps of attack traffic without a botnet. Because the packets arrive from many legitimate services rather than from the attacker's own addresses, per-source rate limits and blocklists achieve little; the root cause is source-address spoofing, which BCP 38 ingress filtering on the attacker's network prevents. Reflection remains a common tactic today.
Classification: not all DDoS is the same
To defend against an attack, you have to understand what type you’re dealing with. Here’s how DDoS attacks are typically categorised:
- Volumetric attacks: the classic floods (UDP floods, DNS amplification, spoofed traffic) designed to saturate the target's bandwidth or its upstream links.
- State exhaustion attacks: targeting firewalls, load balancers or NAT tables by consuming connection-state slots with SYN floods or other transport-layer tricks, often at bit rates far below what would saturate the link.
- Application-layer attacks: more subtle. These mimic legitimate behaviour (slow HTTP requests, expensive search queries, malformed API calls) and tie up backend resources such as worker threads and database connections.
- Stealthy / low-rate attacks: designed to stay under traditional thresholds and slowly degrade service or trigger failover logic.
These attack types are often layered, with adversaries combining techniques to maximise disruption and complicate mitigation.
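As an added example (not code from the original article and not FastNetMon's own detection logic), here is a small Python classifier that applies the network-layer categories above, plus the reflection signature from the amplification section, to NetFlow-style records. It flags reflection by the source port and the number of distinct reflecting hosts rather than by per-source rate, which is why per-source thresholds miss it. The reflector port table, the thresholds, the 60-second export window and all flow records are constructed assumptions.

```python
"""Toy flow-based DDoS classifier: volumetric, reflection, state exhaustion.

All flow records below are constructed for illustration (documentation
address ranges); thresholds are illustrative and must be tuned per network.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of commonly abused reflectors (assumed table). Large flows
# whose *source* port is one of these, from many distinct hosts, towards one
# destination are the signature of reflection: the victim never sent a query.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str = ""  # cumulative TCP flags seen in the flow, e.g. "S", "SA", "FSPA"


def classify(flows, window_s, bps_threshold=100_000_000,
             min_reflectors=10, min_syn_flows=200, syn_only_ratio=0.8):
    """Aggregate flows per destination over one export window and label each
    destination with zero or more attack classes (labels can stack)."""
    stats = defaultdict(lambda: {"bytes": 0, "tcp_flows": 0, "syn_only": 0,
                                 "reflect_bytes": 0, "reflectors": defaultdict(set)})
    for f in flows:
        s = stats[f.dst]
        s["bytes"] += f.bytes
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            s["reflect_bytes"] += f.bytes
            s["reflectors"][REFLECTOR_PORTS[f.sport]].add(f.src)
        elif f.proto == "tcp":
            s["tcp_flows"] += 1
            # A flow that only ever carried SYN (never an ACK) is a half-open
            # handshake: the hallmark of a spoofed SYN flood against state tables.
            if "S" in f.flags and "A" not in f.flags:
                s["syn_only"] += 1

    verdicts = {}
    for dst, s in stats.items():
        labels = []
        if s["bytes"] * 8 / window_s >= bps_threshold:
            labels.append("volumetric")
        # Reflection: most bytes come from amplifier ports, and from many hosts.
        n_reflectors = sum(len(hosts) for hosts in s["reflectors"].values())
        if s["bytes"] and s["reflect_bytes"] / s["bytes"] > 0.5 \
                and n_reflectors >= min_reflectors:
            labels.append("reflection via " + ",".join(sorted(s["reflectors"])))
        # State exhaustion: many SYN-only flows and almost no completed handshakes,
        # even though the byte rate may be tiny.
        if s["tcp_flows"] and s["syn_only"] >= min_syn_flows \
                and s["syn_only"] / s["tcp_flows"] >= syn_only_ratio:
            labels.append("state-exhaustion")
        verdicts[dst] = labels
    return verdicts


def constructed_flows():
    """Constructed 60-second export: one reflection victim, one SYN-flood
    victim, and one busy but healthy web server."""
    flows = []
    # 20 open resolvers each returning ~60 MB of answers the victim never asked for
    for i in range(20):
        flows.append(Flow(f"203.0.113.{i + 1}", "198.51.100.10", "udp", 53,
                          40000 + i, 50_000, 60_000_000))
    # 500 spoofed sources, one SYN each, handshake never completed
    for i in range(500):
        flows.append(Flow(f"192.0.2.{i % 254 + 1}", "198.51.100.20", "tcp",
                          1024 + i, 443, 1, 60, "S"))
    for i in range(10):  # a few real clients still completing handshakes
        flows.append(Flow(f"198.51.100.{100 + i}", "198.51.100.20", "tcp",
                          50000 + i, 443, 40, 30_000, "FSPA"))
    # Healthy web server: 50 complete sessions, about 4 MB in total
    for i in range(50):
        flows.append(Flow(f"198.51.100.{100 + i}", "198.51.100.30", "tcp",
                          50000 + i, 443, 100, 80_000, "FSPA"))
    return flows


if __name__ == "__main__":
    for dst, labels in classify(constructed_flows(), window_s=60).items():
        print(dst, labels or ["no attack"])
```

The reflection victim is labelled both volumetric and reflection, matching the layering described above; the SYN-flood victim is only a few kilobits per second yet still flagged, because the signal is the ratio of half-open flows, not bandwidth. Flow records cannot see inside requests, so application-layer and low-rate attacks need per-request telemetry (web server or proxy logs) rather than this kind of counter.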
Read all details: Classification of DDoS attacks: every modern DDoS attack vector explained
Why do DDoS attacks happen?
The motivations have changed as much as the techniques. Extortion is the motive most people assume, but in practice it is only one of several. Here are some common drivers:
- Hacktivism – Protest campaigns against governments, corporations or ideologies. Think Anonymous or NoName057(16).
- Geopolitical operations – State-linked or nationalist groups targeting infrastructure in adversarial regions.
- Business disruption – Competitors or insiders taking services offline, sometimes during critical sales windows.
- Diversion – Distracting defenders while another exploit unfolds.
- Revenge or mischief – Especially in gaming, where server takedowns are often personal.
Many of the large attacks reported in the wild have political or economic objectives, and because the traffic arrives from spoofed sources or compromised third-party machines, attribution is difficult and defence more complex still.
Memorable incidents in DDoS history
A few landmark events reveal just how far DDoS has come:
- 2009 – Operation Troy: in July 2009, South Korean and US government and financial sites were knocked offline by what was likely a state-sponsored campaign, one of the first nation-level DDoS incidents after the 2007 attacks on Estonia.
- 2010 – Operation Payback: coordinated by Anonymous, this campaign first targeted anti-piracy and copyright groups, then PayPal, Visa and MasterCard after they cut off payments to WikiLeaks.
- 2016 – Dyn DNS outage: powered by the Mirai IoT botnet, the October 2016 attack disrupted Twitter, Spotify, Netflix and many others by taking down a core authoritative DNS provider, so the victims' own servers were healthy but unreachable.
- 2022–2024 – Killnet and NoName057(16): these pro-Russian groups launched sustained attacks against infrastructure in NATO member states during the war in Ukraine. Their methods changed frequently, and NoName057(16)'s DDoSia project distributes its attack client to volunteers, so the "botnet" is crowdsourced rather than compromised, making it harder to track or contain.
These examples demonstrate the range of motivations, from state-level campaigns to hacktivist retaliation, and the growing sophistication of attack infrastructure, from hand-built handler/agent networks to IoT botnets and crowdsourced attack clients.
Looking Ahead
Attackers today combine protocol abuse, traffic shaping, and bot orchestration with enough nuance to bypass threshold-based systems, so DDoS is no longer just a volume game.
We’ll cover how to build a modern DDoS mitigation strategy – across BGP, BGP FlowSpec, application firewalls, and behaviour-based detection – in our next article.
For now, understanding the intent and mechanics is a solid first step.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com