Distributed Denial of Service (DDoS) Attacks/tools

What's new in DDoS?

• Nothing, really. (Some people are just late to the party. ;)
• Wikileaks attacks, counter-attacks, counter-counter-attacks...
  • Cyberattack Against Wikileaks was Weak, by Kevin Poulsen, Wired Threatlevel blog, November 2010
  • Operation Payback cripples MasterCard site in revenge for WikiLeaks ban, by Esther Addley and Josh Halliday, The Guardian, December 8, 2010
  • Continuing pro-Wikileaks DDOS actions, Anonymous takes down PayPal.com, by Xeni Jardin, Boingboing.net, December 8, 2010
  • How pro-WikiLeaks hackers wage cyberwar without hijacking your computer, by Mark Clayton, The Christian Science Monitor, December 9, 2010
  • "Anonymous": How dangerous is hacker network defending WikiLeaks?, by Mark Clayton, The Christian Science Monitor, December 9, 2010
  • Hackers wage global "cyberwar" in defense of WikiLeaks, by Stephen Kurczy, The Christian Science Monitor, December 9, 2010
  • Wikileaks: Anonymous stops dropping DDoS bombs, starts dropping science, by Sean Bonner, BoingBoing, December 9, 2010
  • WikiLeaks battle: a new amateur face of cyber war?, by Peter Apps, Reuters, December 10, 2010
  • Operation Payback is Becoming a Complete Failure, by John Danz, December 10, 2010
  • Are the Anonymous "Operation Payback" attacks a form of "civil disobedience?" Read these carefully, then you decide.
    • Retributive justice, Wikipedia
    • Incitement, Wikepedia
    • Civil Disobedience, Wikipedia

Some General Subjects/Themes

• Estonia claims to be under cyberwarfare DDoS attack from Russia?
  • Kremlin Kids: We Launched the Estonian Cyber War, by Noah Shachtman, Danger Room blog, Wired.com, March 11, 2009
  • Kremlin-backed youths launched Estonian cyberwar, says Russian official, by Dan Goodin, The Register, March 11, 2009
  • Estonia and Russia: A cyber-riot, The Economist, May 10, 2007
  • Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks, Sydney Morning Herald, May 16, 2007
  • Cyber Assaults on Estonia Typify a New Battle Tactic, by Peter Finn, Washington Post Foreign Service, May 19, 2007
  • Estonian DDoS Attacks - A summary to date, by Jose Nazario, ArborSERT blog, May 21, 2007
  • When cyberattacks are politically motivated, by Robert Vamosi, Special to CNET News.com, May 29, 2007 [Interview with Jose Nazario of Arbor Networks]
  • After Computer Siege in Estonia, War Fears Turn to Cyberspace, by Mark Landler and John Markoff, The New York Times, May 29, 2007
  • Cyberwar is breaking out of sci-fi genre, Pavla Kozkov, Czech Business Weekly, June 11, 2007
• Distributed Reflected DNS attacks (and some background)
  • Randal Vaughn and Gadi Evron released an analysis of DNS Amplification Attacks (which use distributed reflection and amplification) on March 17, 2006
  • VeriSign reports a "new DDoS attack" in an article published March 17, 2006
  • CERT/CC publishes a document discussing DNS recursion problems and some solutions for preventing becoming a reflector in early 2006.
  • NANOG Thread "DNS deluge for x.p.ctrc.cc" from February 2006
  • Distributed reflected DDoS attacks are covered on pages 19-20, 45, 51-52, and 297 in Internet Denial of Service: Attack and Defense Mechanisms, published in 2005
  • Vern Paxson wrote a paper, An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, warning of these kinds of attacks in June 2001
  • A DNS reflection attack on Register.com was publicly discussed in a thread on the UNISOG mailing list in January 2001. This attack, which forged requests for the MX records of AOL.com (to amplify the attack) lasted about a week before it could be traced back to all attacking hosts and shut off. It used a large list of DNS servers at least a year old (at the time of the attack.)
  • The Honeynet Project Reverse Challenge, done in July 2002, involved analysis of a piece of malware that was [not?] surprisingly a DDoS agent. It implemented several DNS related attacks, including a reflection attack.
  • One of the fundamental issues in distributed reflected attacks is the ability of an attacker to spoof source addresses on packets. Documents describing this problem, and suggested fixes, are found in the Mitigation section of this page below, some going back to 2000.
• The "Botmaster Underground" case
  • FBI agents bust 'Botmaster', Reuters News Service, November 4, 2005
  • 'Botmaster' pleads guilty to computer crimes, Reuters, January 24, 2006 [Teen admits to controlling somewhere near 500,000 computers, must return $60,000 cash, computer equipment, and a BMW he bought with proceeds from renting the botnet.
  • eWeek blog entry about the case
  • U.S. Department of Justice press release.
  • Lee Graham Walker, Axel Gembe CHARGED in Operation Cyberslam, Outlook Series, October 6, 2008
  • U.S. v. James Jeanson Ancheta (federal indictment)
  • 20-year-old 'botmaster' faces years behind bars, Reuters, May 9, 2006
  • This was not the first case of DDoS-for-hire in the U.S., however. That was another case in 2005.
    • THE CASE OF THE HIRED HACKER: Entrepreneur and Hacker Arrested for Online Sabotage, FBI.gov headline story, April 18, 2005
    • Duo charged over DDoS for hire scam, by John Leyden, The Register, March 22, 2005
    • Michigan Man Arrested for Using New Jersey Juvenile to Launch Destructive "DDOS for Hire" Computer Attacks on Competitors, US Department of Justice press release, March 18, 2005

Books related to DDoS

• Internet Denial of Service: Attack and Defense Mechanisms, by Jelena Mirkovic, Sven Dietrich, David Dittrich and DDoS: Is There Really a Threat?," USENIX Security Symposium, August 16, 2000
• Analysis of the "Power" bot, by David Dittrich
• GT Bot (Global Threat), by Lockdown Corp.
• kaiten.c (no analysis, just code)
• knight.c (no analysis, just code)
• X-DCC (IRC "warez" bots often combined with DDoS)
  • CanSecWest talk on disassembling malware networks by Dave Dittrich, May 2002 (see xdcc-analysis.txt for analysis)
  • XDCC - An .EDU Admin's Nightmare, by TonikGin, Sept. 11 2002
• ocxdll.exe / mIRC Trojan Analysis, by Kyle Lai, September 5, 2002
• Honeynet Project Reverse Challenge binary ([not?] surprisingly, this is a DDoS agent)
• Robert Graham's analysis of the Blaster worm
• sdbot command reference
• rxbot command reference
• Inside the Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, IEEE Security & Privacy (Vol 1 No 4)
• Phatbot Trojan Analysis, by LURHQ

Fundamental problems

• Attribution
  • Techniques for Cyber Attack Attribution, by David A. Wheeler, Institute for Defense Analyses, October 2003
• Source Address Forgery
  • F-08: Internet Address Spoofing and Hijacked Session Attacks, DoE CIAC, January 23, 1995
  • CERT Advisory CA-1995-01 IP Spoofing Attacks and Hijacked Terminal Connections, January 23, 1995
  • IP Spoofing Demystified, Phrack magazine, Issue 48, Article 14, June 1996
  • CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks, September 19, 1996
  • Help Defeat Denial of Service Attacks: Step-by-Step, SANS, March 23, 2000
  • BCP 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," by Paul Ferguson and Daniel Senie, May 2000
  • SAVE: Source Address Validity Enforcement Protocol, by Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang, 2001
  • SAC004, "Securing the Edge," by Paul Vixie, October 17, 2002
  • Changing IP to Eliminate Source Forgery, by Donald Cohen, K. Narayanaswamy, Fred Cohen

Defensive Tools

• RID, by David Brumley
• National Infrastructure Protection Center; Trinoo/Tribal Flood Net/Stacheldraht/tfn2k detection tool
• BindView's Zombie Zapper
• Index of Distributed Tools at Packet Storm
• dds -- a trinoo/TFN/stacheldraht agent scanner (C source code) by Dave Dittrich, Marcus Ranum, George Weaver, David Brumley, and others. [In BETA testing.] (Use RID instead.)
• gag -- a stacheldraht agent scanner (C source code) by Dave Dittrich, Marcus Ranum, and others. (Use RID instead.)
• Ramenfind (Identification and cleanup tool for the Ramen worm, which was modified to install DDoS agents in February 2001.)
• IP Source Tracking on Cisco 12000 Series Internet Routers (PDF version), Cisco Systems

Advisories

• CERT Incident Note 99-07 Distributed Denial of Service Tools, November 18, 1999
• NIPC ADVISORY 00-055: "Trinity v3/Stacheldraht 1.666" Distributed Denial of Service Tools, October 13, 2000
• CERT Incident Note IN-2000-05 "mstream" Distributed Denial of Service Tool, May 2, 2000
• CERT Advisory CA-2000-01 Denial-of-Service Developments
• Sun Bulletin #00193, Distributed Denial-of-Service Tools, January 5, 2000

Mitigation information

• Start by reading these documents:
  • Distributed Denial of Service Attacks, by Bennett Todd, Linuxsecurity.com, February 18, 2000
  • Results of the [CERT sponsored] Distributed-Systems Intruder Tools Workshop [PDF version]
  • Managing the Threat of Denial of Service, by Allen Householder, Art Manion, Linda Pesante, and George Weaver (CERT/CC) in collaboration with Rob Thomas, October 2001
  • Consensus Roadmap for Defeating Distributed Denial of Service Attacks, A Project of the Partnership for Critical Infrastructure Security
  • Help Defeat Denial of Service Attacks: Step-by-Step, SANS Institute
  • Denial of Service (DoS) Attack Resources, by Paul Ferguson
  • BCP 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," by Paul Ferguson and Daniel Senie, May 2000
  • SAC004, "Securing the Edge," by Paul Vixie, October 17, 2002
• SYN flood protection
  • TCP/IP stack tuning on end systems, by Rob Thomas
  • Hardening the TCP/IP stack to SYN attacks, by Mariusz Burdach, SecurityFocus, September 10, 2003
  • Solaris 2.x - Tuning Your TCP/IP Stack and More
  • Countering SYN Flood Denial-of-Service Attacks, by Ross Oliver, Tech Mavens, August 29, 2001
• Advice for server administrators
  • Protect the required and often attacked services, e.g. DNS., by Rob Thomas
• Advice for network providers
  • Characterizing and Tracing Packet Floods Using Cisco Routers, Cisco Systems Inc.
  • "Essential IOS" - Features Every ISP Should Consider, Cisco Systems Inc.
  • ISP security (from an operations perspective), NANOG Tutorial by Barry Raveendran Greene (Cisco), Christopher L. Morrow and Brian W. Gemberling (UUNET) [Mentioned in USENIX 2005 tutorial]
  • Protect the border and the border routers (also ported to Juniper and Riverstone), by Rob Thomas
  • Protect your BGP peering and RIBs (also ported to Juniper and Riverstone), by Rob Thomas
  • Monitor DoS attacks with NetFlow on your VIPs, by Rob Thomas
  • Track the source of spoofed packets, by Rob Thomas
  • Filtering ICMP and minimum ICMP messages, by Rob Thomas
  • Null routing traffic and tracking DoS attacks, by Chris Morrow
  • Blocking Code Red Worm with Cisco IOS NBAR, 4 August 2001
  • Using Network-Based Application Recognition and Access Control Lists for Blocking the "Code Red" Worm at Network Ingress Points, Cisco Tech Note
  • A DDOS defeating technique based on routing, BUGTRAQ posts by Fernando Schapachnik, February 20, 2000
  • Path MTU Discovery and Filtering ICMP, by Marc Slemko
  • RFC 2267 -- Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, by Paul Fergussen and Daniel Senie
  • RFC 2644 -- Changing the Default for Directed Broadcasts in Routers, by Daniel Senie
  • Distributed Denial of Service (DDoS) News Flash, Cisco Systems Inc.
  • Policing and Shaping Overview, Cisco whitepaper on rate limiting
• General advice
  • DDoS Attack Mitigation, BUGTRAQ posts by Elias Levy, 11 Feb 2000
  • Incident Handling Step by Step: Unix Trojan Programs, SANS Institute
  • Smurf attacks by Craig A. Huegen
  • Tune your firewalls and end systems, by Rob Thomas

Legal implications

• SANS Webcast on Legal Liability for Security Breaches - and Minimum Standards of Due Care with Mark Rasch and Hal Pomeranz, February 26, 2003
• Distributed Denial-of-Service Attacks, Contributory Negligence and Downstream Liability, by M. E. Kabay, PhD, CISSP
• DDoS Class Action lawsuit web site

Related Papers, Essays, Legislative Proposals, and Research

• Denial of Service Attacks and Challenges in Broadband Wireless Networks, by Shafiullah Khan, Kok-Keong Loo, Tahir Naeem, and Mohammad Abrar Khan, International Journal of Computer Science and Network Security, Vol. 8, No. 7, pp. 1-6, July 2008
• Breeding Internet Superbugs, by Paul Vixie, July 31, 2006
• Trends in Denial of Service Attacks, by Jose Nazario, Arbor Networks, Usenix 2003 Work-in-Progress report
• Extortion Worms: Internet Worms that Discourage Disinfection, by Tim Freeman, February 12, 2002
• Untraceable Email Cluster Bombs: On Agent-Based Distributed Denial of Service, by Markus Jakobsson and Filippo Menczer, May 23, 2003
• How to 0wn the Internet in Your Spare Time, by Stuart Staniford, Vern Paxson, and Nicholas Weaver, 2002
• Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures, by Ruby B. Lee, Princeton University
• Distributed Denial of Service, talk by John Ioannidis, April 2002
• Hop Count Filtering: An Effective Defense Against Spoofed Traffic, by Cheng Jin, Haining Wang, and Kang G. Shin
• A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, by Jelena Mirkovic, Janice Martin and Peter Reiher, UCLA Computer Science Department, Technical report #020018
• D-WARD: DDoS Network Attack Recognition and Defense home page (Peter Reiher, Gregory Prier, Scott Michael, and Jun Li)
• Computer Crime, by Ronald B. Standler, 2002 (section on DDoS and Mafiaboy case)
• An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, by Vern Paxson, June 2001
• UNISOG thread on Register.com DNS Reflector DoS attack, January 2001
• "Cyber Threat Trends and US Network Security," Statement for the Record for the Joint Economic Committee, Lawrence K. Gershwin, National Intelligence Officer for Science and Technology, 21 June, 2001
• CenterTrack, Robert Stone (a defunct research project that attempted to track DoS attacks at UUnet)
• The Strange Tale of the Distributed Denial of Service Attacks Against GRC.COM, by Steve Gibson, June 2, 2001(My responses to Steve Gibson's initial claims and his later claims of discovering a "new" reflection attack.)
• CERIAS Attack Traceback Summit Proceedings (PDF version)
• Inferring Internet Denial-of-Service Activity, by David Moore, Geoffrey M. Voelker and Stefan Savage, University of California, San Diego
• On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack, by Kihong Park and Heejo Lee, Network Systems Lab and CERIAS, Purdue Univerisity
• MULTOPS: a data structure for denial-of-service attack detection (PDF), by Thomer M. Gil (PostScript version)
• Guidelines for Evidence Collection and Archiving <draft-ietf-grip-prot-evidence-01.txt>, Dominique Brezinski and Tom Killalea (Internet Draft)
• Draft Convention on Cyber-Crime, Council of Europe (See also Cybercrime Solution Has Bugs, by Declan McCullagh, Wired News, May. 3, 2000)
• Source code to mstream, a DDoS tool, VULN-DEV post by Anonymous, April 29, 2000
• THE WAR ON HACKERS, by Gary Lawrence Murphy
• Distributed Denial Of Service Attacks (DDOS), by David Anderson, MIT
• Theories on new DoS Attacks v.1, by J. Oquendo
• On Magic, IRC Wars, and DDoS, by Robert Graham
• Client-side Distributed Denial-of-Service: Valid campaign tactic or terrorist act?, by the electrohippies collective
• Spaf's Summary of White House meeting, February 19, 2000
• DDoS Whitepaper by Bennett Todd (readable overview intended for non-techies)
• Crypto-Gram, by Bruce Schneier, February 15, 2000
• Current Events on The Net: Fact, Fiction, or Hype?, by Richard Forno
• DDoS FAQ, by Kurt Seifried
• 10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks, by Mixter
• "Tribe Flood Network 3000": A theoretical review of what exactly Distributed DOS tools are, how they can be used, what more dangerous features can be implemented in the future, and starting points on establishing Network Intrusion Detection Rules for DDOS, by Mixter
• Protecting Against the Unknown -- A guide to improving network security to protect the Internet against future forms of security hazards, by Mixter
• Have Script, Will Destory (Lessons in DoS), by Brian Martin, Attrition.org
• Practical Network Support for IP Traceback, by Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, Department of Computer Science and Engineering, University of Washington
• ICMP Traceback Messages (IETF draft proposal), by Steven Bellovin
• Advanced and Authenticated Marking Schemes for IP Traceback, by Dawn X. Song and Adrian Perrig
• Host Identity Payload, Internet Draft, Robert Moskowitz, ICSA.net
• Host Identity Payload -- Architecture, Internet Draft, Robert Moskowitz, ICSA.net
• Host Identity Payload -- Implementation, Internet Draft, Robert Moskowitz, ICSA.net
• Purgatory 101: Learning to cope with the SYNs of the Internet, by NightAxis and Rain Forrest Puppy
• Distributed Attacks and the Way To Deal With Them, by Tim Yardley
• Strategies for Defeating Distributed Attacks, by Simple Nomad
• Hacktivism: Civil Disobedience, Cyberterrorism or Silly Posturing?, vigilante.com

Vendors marketing products in the DDoS space
(DISCLAIMER: Inclusion here does not imply I believe these products are or are not good solutions. These companies simply claim to have some kind of "solution" to the issues of DDoS.)

• Network level defenses (detect, stop floods)
  • Arbor Networks
  • Mazu Networks
  • Captus Networks
  • CS3
  • Riverhead Networks
  • Reactive Network Solutions
• Host level defenses (detect, stop handler/agent installation)
  • Entercept
  • Tripwire
• Augmented Intrusion Detection (detect)
  • Oneka
  • Recourse Technologies
• Managed Security Services (react)
  • TrustWave
  • Solsoft
  • Aprisma
• Work in progress research
  • Shai
• Notes from Lockheed Martin conference on DDoS vendor solutions, December 20, 2001

Selected news reports/interviews/panel discussions
(in reverse chronological order)

• Activists Launch Hack Attacks on Tehran Regime, by Noah Shachtman, Wired.com, June 15, 2009
• DDoS attack damaged public civil service for the first time, by Jang, Dong-joon, Kim, In-soon, Korea IT News, March 10, 2009
• Techwatch weathers DDoS extortion attack: Botnet blackmail, by John Leyden, The Register, January 30, 2009
• Internet Attacks Grow More Potent, by John Markoff, November 9, 2008 [One slight correction: The first major distributed reflected DDoS attack, as noted elsewhere on this page, occured in 2001 against Register.com.]
• Before the Gunfire, Cyberattacks, by John Markoff, New York Times, August 12, 200
• Feds: Teen made computers 'zombies', by Jared Miller, Star-Tribune capital bureau, June 27, 2008
• Radio Free Europe DDOS attack latest by hactivists, by Elinor Mills, News Blog, May 1, 2008
• SlideShare Slammed with DDOS Attacks from China, by Mark Hendrickson, TechCrunch Blog, April 23, 2008 [We didn't pay this person to advertise out book. Honestly.]
• DDOS Danger For Online Gambling Sites, Online-Casinos.com, February 20, 2008
• Quebec police bust alleged hacker ring, by Jan Ravensbergen, Canwest News Service, February 20, 2008
• 'Ragtag' Russian army shows the new face of DDoS attacks: Semi-organized people just as dangerous as botnets, by Dan Goodin, The Register, January 4, 2008
• Making malware unprofitable: economics key to slowing hackers down, by John Timmer, Ars Technica, November 20, 2007
• Security Pro Admits to Hijacking PCs for Profit, blog post by Brian Krebs, November 10, 2007
• Is IT losing the battle against DNS attacks?, by Michael Cooney, Network World, July 18, 2007
• Fast flux foils bot-net takedown, by Robert Lemos, SecurityFocus, July 7, 2007
• Anti-spam sites weather DDoS assault, by John Leyden, The Register, June 11, 2007
• Cyberwar is breaking out of sci-fi genre, Pavla Kozkov, Czech Business Weekly, June 11, 2007
• After Computer Siege in Estonia, War Fears Turn to Cyberspace, by Mark Landler and John Markoff, The New York Times, May 29, 2007
• When cyberattacks are politically motivated, by Robert Vamosi, Special to CNET News.com, May 29, 2007 [Interview with Jose Nazario of Arbor Networks]
• Estonian DDoS Attacks - A summary to date, by Jose Nazario, ArborSERT blog, May 21, 2007
• Cyber Assaults on Estonia Typify a New Battle Tactic, by Peter Finn, Washington Post Foreign Service, May 19, 2007
• Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks, Sydney Morning Herald, May 16, 2007
• Estonia and Russia: A cyber-riot, The Economist, May 10, 2007
• Biggest threat to Internet could be a massive virtual blackout, by Andrew Noyes, National Journal's Technology Daily, April 5, 2007
• GoDaddy whacked by DDoS attack, by Kevin Murphy, Computer Business Review Online, March 12, 2007
• National Bolsheviks ousted from Runet, by CNews.ru, February 26, 2007
• Phish fighters floored by DDoS assault, by John Leyden, TheRegister.co.uk, February 20, 2007
• 2006: E-security in Vietnam shaken by crimes, VietNamNet Bridge, January 16, 2007
• CafePress wilts under DDoS assault, by John Leyden, The Register, December 22, 2006
• Analysis: Websites struggling for legal recourse for DoS attacks, by Matt Whipp, PC Pro News (UK), November 23, 2006
• Florida man charged in botnet attack on Akamai, by Caroline McCarthy, CNET News.com, October 24, 2006
• National Australia Bank hit by DDoS attack, by Munir Kotadia, ZDNet Australia, October 20, 2006
• Airline foils hackers with latest high-tech defences, by Bill Goodwin, Computer Weekly, September 27, 2006
• 20-year-old 'botmaster' faces years behind bars, Reuters, May 9, 2006
• Blue Security attack linked to blog crashes, by Tom Espiner, ZDNet (UK), May 4, 2006
• Cyberattack knocks millions of blogs offline, by Joris Evers, CNET News.com, May 3, 2006
• 'Second Life' fending off denial-of-service attacks, by Daniel Terdiman, CNET News.com, May 1, 2006
• Sun Grid hit by network attack, by Stephen Shankland, CNET News.com, March 22, 2006
• 'Botmaster' pleads guilty to computer crimes, Reuters, January 24, 2006 [Teen admits to controlling somewhere near 500,000 computers, must return $60,000 cash, computer equipment, and a BMW he bought with proceeds from renting the botnet. See also this eWeek blog entry and U.S. Department of Justice press release.]
• Blackmailers try to black out Million Dollar Homepage, by Dawn Kawamoto, CNET News.com, January 18, 2006
• FBI agents bust 'Botmaster', Reuters News Service, November 4, 2005
• 'Bot herders' may have controlled 1.5 million PCs, by Joris Evers, CNET News.com, October 21, 2005 [Note: This article doesn't say how the 1.5 million count was obtained, which could mean it is overstated by an order of magnitude or more. There are many reasons why counting things like IP addresses in logs, bot nicks, etc. can be way off the mark, such as DHCP lease times, moving from wired to wireless or dialup networks, etc.]
• Cops smash 100,000 node botnet: Largest zombie army ever detected, by Tom Sanders, vnunet.com, October 10, 2005 [Note: Actually, several botnets have been reported to be much larger than 100,000. E.g., see Thwarting the Zombies, by Dennis Fisher, eWeek, March 31, 2003, which quotes CERT/CC as saying they have tracked a botnet of 140,000 hosts]
• Hackers Admit to Wave of Attacks, by Kevin Poulson, Wired, September 8, 2005
• Teenager jailed for Web attacks, by Graeme Wearden, ZDNet UK, August 17, 2005
• Stalking the Internet, an army on the rise, by Stephen Labaton, The New York Times, June 24, 2005
• THE CASE OF THE HIRED HACKER: Entrepreneur and Hacker Arrested for Online Sabotage, FBI.gov headline story, April 18, 2005
• Rootkit Web sites fall to DDoS attack, by Paul Roberts, IDG News Service, April 11, 2005
• Duo charged over DDoS for hire scam, by John Leyden, The Register, March 22, 2005
• Michigan Man Arrested for Using New Jersey Juvenile to Launch Destructive "DDOS for Hire" Computer Attacks on Competitors, US Department of Justice press release, March 18, 2005
• Dutch hackers sentenced for attack on government sites: Teens were unhappy about cabinet," by Jan Libbenga, The Register, March 16, 2005
• BitTorrent servers under attack, by Robert Lemos, CNET News.com, December 2, 2004
• Antispam screensaver downs two sites in China, by Dan Ilett, ZDNet News (UK), December 2, 2004
• Lycos Europe denies attack on zombie army, by Dan Ilett, ZDNet News (UK), December 1, 2004,
• Experts fret over online extortion attempts: 'Bot' armies capable of toppling big sites, some say, by Bob Sullivan, MSNBC, November 10, 2004
• Lawmaker: Beware of cyber-Pearl Harbor, Reuters, November 5, 2004
• Online payment firm in DDoS drama, by John Leyden, November 3, 2004
• Child porn threat to betting site, BBC News, October 27, 2004
• Dutch government sites attacked, correspondents in Amsterdam, Australian IT, October 6, 2004
• WorldPay struggles under DDoS attack (again), by John Leyden, The Register, October 4, 2004
• Zombie armies behind cyberscrime sprees, by Dan Illet, ZDNet (UK), October 1, 2004
• Update: Credit card firm hit by DDoS attack, by Jaikumar Vijayan, Computerworld, September 22, 2004
• Attacks disrupt some credit card transactions, by Rob Lemos, CNET News.com, September 22, 2004
• Extortion Online: Technology can help fight the growing cyberextortion threat, but experts say not enough companies are prepared, by George V. Hulme, InformationWeek, September 13, 2004
• FBI busts alleged DDoS Mafia, by Kevin Poulsen, SecurityFocus, August 26, 2004 [ Indictment against Paul G. Ashley, Jonathan David Hall, Joshua James Schichtel, Richard Roby, and Lee Graham Walker]
• Police say Russian hackers are increasing threat, by Oliver Bullough, Reuters, July 28, 2004
• DoubleClick blacks out from Web attack, by Jim Hu, CNET News.com, July 27, 2004
• MyDoom.M virus slams search sites, by Byron Acohido and Jon Swarz, USA Today, July 26, 2004
• British cybercops nab alleged blackmailers, by Graeme Wearden and Andy McCue, ZDNet (UK), July 21, 2004
• Scotland Yard and the case of the rent-a-zombies, Reuters, July 7, 2004
• 'Zombie' PCs caused Web outage, Akamai says, by Robert Lemos and Jim Hu, CNET News.com, June 16, 2004
• Business allegedly attacked via Web: FBI investigates area owner's extortion claim, by Caroline Lynch, The Courier-Journal, May 10, 2004
• Alarm Grows of Bot Software, by Rob Lemos, CNET News.com, April 30, 2004
• Bookies suffer online onslaught, by Mark Ward, BBC News Online, March 19, 2004 (Netcraft graphs of UK betting sites)
• Hackers Embrace P2P Concept: Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or Denial-of-Service Attacks, by Brian Krebs, washingtonpost.com, March 17, 2004
• Mydoom lesson: Take proactive steps to prevent DDoS attacks, by Jaikumar Vijayan, February 6, 2004
• The FBI Called Again, by simul, Kuro5hin.org (targetted by DDoS attacks), February 4, 2004
• Super Bowl fuels gambling sites' extortion fears, by Paul Roberts, IDG News Service, January 28, 2004
• Attack on SCO sites at an end, by Rob Lemos, CNET News.com, December 12, 2003
• New computer virus variant floods Web sites of anti-spam activists, by Anick Jesdanun, The Associated Press, December 3, 2003
• E-commerce targeted by blackmailers, by BBC News, November 26, 2003
• Dutch blogsites fight cyberwar against spammer, by Jan Libbenga, The Register, November 24, 2003
• ISPs take on DDoS Attacks, by Denise Pappalardo, Network World, November 19, 2003
• Zombie machines fueling new cybercrime wave, by Bernhard Warner, computerworld.com, November 17, 2003
• East European gangs in online protection racket, by John Leyden, The Register, November 12, 2003
• High-Tech Gangsters Who Shoot on Site, by Chris Nuttall, Financial Times, November 12, 2003
• Crime gangs extort money with hacking threat, by Chris Nuttall, Financial Times of London, November 11 2003
• 'DDoS' Attacks Still Pose Threat to Internet, by David McGuire, washingtonpost.com, November 4, 2003
• Virtual girlfriend 'inspired Internet attack', by Munir Kotadia, Special to CNETAsia, October 13 2003
• 11,000 IP addresses found on accused hacker's PC, by Munir Kotadia, ZDNet UK, October 8, 2003
• 'Revenge' hack downed US port systems, by Andy McCue, silicon.com, October 7, 2003
• Cloaking Device Made for Spammers, by Brian McWilliams, October 9, 2003 [reports one group controlling 450,000 bots]
• Sobig linked to DDoS attacks on anti-spam sites, by John Leyden, September 25, 2003
• Teenager arrested in 'Blaster' Internet attack, by Jeordan Legon, CNN, August 29, 2003
• Hackers cut off SCO Web site, by Martin LaMonica, CNET News.com, August 25, 2003
• Porn Purveyors Getting Squeezed, by Noah Shachtman, Wired News, July 10, 2003
• DDoS attack hits clickbank and spamcop.net, by Mirko Zorz, June 25, 2003
• Rise of the Spam Zombies, by Kevin Poulson, Security Focus, April 27, 2003
• The Palestinian-Israel: cyberwar, by Patrick D. Allen and Chris C. Demchak, Military Review, March-April, 2003,
• Thwarting the Zombies, by Dennis Fisher, eWeek, March 31, 2003 [quotes CERT/CC as saying they have tracked a botnet of 140,000 hosts]
• Al-Jazeera hobbled by DDOS attack: News site targeted for second day, by, Paul Roberts, Infoworld, March 26, 2003
• DDoS attack cripples Uecomm's AU links, by Patrick Gray, ZDNet Australia, March 20, 2003
• Thousands 'trojaned' through net shares: CERT, by Patrick Gray, ZDNet Australia, March 12, 2003
• Worm could be clearing path for DDoS attack, by Patrick Gray, ZDNet Australia, March 10, 2003
• US and UK arrests in computer worm probe, by John Leyden, March 6, 2003
• Could Attack on DALnet Spell End for IRC?, by Thor Olavsrud, internetnews.com, January 24, 2003
• Attacks Fell on Online Community, by Justin Jaffe, Wired News, January 27, 2003
• DDOS attack 'really, really tested' UltraDNS, by ComputerWire, The Register, November 26, 2002
• Future Hacking: How Vulnerable is the Net?, by James Maguire, NewsFactor Network, November 4, 2002
• Attack On Internet Called Largest Ever, by David McGuire and Brian Krebs, washingtonpost.com, October 22, 2002
• channel takeover", Valinor IRC glossary
• Hacking IRC - The Definitive Guide
• rEfnet Old News (look for "TakeOver" and "split")
• Why EFnet Sucks, by Mixter
• Bots Are Hot!, by Andrew Leonard, Wired magazine, April 1996
• Romanian Cracker Takes Down the Undernet, by Kristi Coale, Wired News, January 14, 1997
• Out of Band Bug Kicks Users Off Networks, by Mark Joseph Edwards, Wired News, May 12, 1997
• Smurfing Cripples ISPs, by James Glave, Wired News, January 7, 1998
• CIAC-2318: "IRC On Your Dime? What You Really Need to Know About Internet Relay Chat (PDF), (PostScript), CIAC, Dept. of Energy, June 1998
• Denial of Service Attack Information, by Craig A. Huegen (1998)

Sociological aspects of DoS and DDoS

• Anti-Social Behavior Online Poses Challenge, GameMarketWatch.com, August 9, 2003
• The Bad Boys of Cyberspace: Deviant Behavior in Online Multimedia Communities and Strategies for Managing it, Suler, J.R. and Phillips, W., 1998

Humor

• Cartoon Explanation of SYN/ACK DoS, imgur
• Hacker Attacks! by all of the top editorial cartoonists

---

Dave Dittrich <dittrich @ u dot washington dot edu>

via staff.washington.edu