2000 in review: the year of distributed attacks
Looking back at 2000. The year is harder to summarise than 1999 was. Distributed attacks dominated; structural shifts continued; the threat landscape moved faster than I had expected.
Showing posts tagged ddos — 13 results.
Last week my home connection went offline for six hours. The cause turned out to be a small DDoS aimed at my own honeypot's IP range. A walk through what happened and what I learned about response.
After the Mafiaboy attacks, the conversation about ISP responsibility is finally serious. Here is the operational checklist of what every ISP could do, ranked by impact, written for the operations team that has now been told to do something.
A week on from the Yahoo/eBay/Amazon/CNN attacks. The investigative picture is forming and the technical details are clearer. The structural lessons are large enough to deserve their own post.
Yesterday afternoon Yahoo went offline for about three hours under what is being described as a distributed denial of service attack. This morning eBay is reporting similar trouble. The category change I have been writing about is now the front page.
On the 30th of December, a tool called Stacheldraht was reported on Bugtraq. It is the third major DDoS toolkit of the year and visibly the most sophisticated. The architecture combines features of Trinoo and TFN with proper encryption and authentication. The trajectory continues.
Tribe Flood Network has been quietly improving since it appeared earlier this year. The latest reports describe a more capable tool with better operational discipline. The pattern of refinement is itself worth attention.
I cannot stop a distributed flood at my edge. What I can do — and have done over the past fortnight — is reduce the cost of being targeted, and make sure my hosts are not part of the problem. A walk through the small-scale interventions.
I set up a small lab to generate a UDP flood against my own honeypot, and watched it with tcpdump. The signature is distinctive once you have seen it. A walk through the patterns.
Last week, a single computer at the University of Minnesota was knocked off the network for two days by a coordinated attack from over 200 compromised hosts. This is the first widely-publicised distributed denial of service attack. The defensive implications are profound and mostly unanswered.
If every operator on the internet did one cheap thing — filter outgoing packets to ensure source addresses are correct — most distributed attack tools would not work. We do not do this. The reasons are interesting and mostly not technical.
A new DDoS tool called Trinoo has been seen in the wild. It is the first widely-discussed example of a coordinated multi-host denial of service attack. The defensive response is fundamentally unsolved.
An opening note for the year. The five trends in defensive computing I expect to spend my evenings on, with notes on why each one is interesting beyond its current obvious form.