 
DDoS attack tool timeline
-  May/June, 1998   First primitive DDoS
       tools developed in the underground  -- small networks, only
       mildly worse than coordinated point-to-point DoS attacks
  
-  July 22, 1999   CERT releases Incident Note 99-04
       mentioning widespread intrusions on Solaris RPC services.
  
-  August 5, 1999    First evidence seen at the UW
       of programs being installed on Solaris systems in what appeared
       to be "mass" intrusions.
  
-  August 17, 1999    Attack on the University
       of Minnesota reported to UW network operations and security teams.
  
-  September 2, 1999    Contents of a stolen account used
       to cache files were recovered.
  
-  September 27, 1999    CERT provided with first draft
       of trinoo analysis
  
-  Early October 1999    CERT goes through the painful
       process of reviewing hundreds of Solaris intrusion reports
       and finds many match the trinoo analysis.  They arrange the
       Distributed System Intruder Tools Workshop (the first time
       they have done this.)
  
-  October 15, 1999    CERT mails out invitations to the
       DSIT workshop.
  
-  October 23, 1999    Final draft of trinoo analysis
       and TFN analysis finished in preparation for the DSIT workshop.
  
-  November 2-4, 1999    DSIT workshop held in Pittsburgh.
       It is agreed by attendees that it is important to not
       panic people, but instead provide meaningful steps to deal with
       this new threat.  All attendees are asked to keep information
       about DDoS programs private until we all finish a report on how
       to respond.
  
-  November 18, 1999    CERT releases Incident Note 99-07
       mentioning DDoS tools.  Work is still continuing
       on DSIT Workshop report.
  
-  November 29, 1999    SANS NewsBytes Vol. 1 Num. 35
       mentions trinoo/TFN in the context of widespread Solaris
       intrusion reports they were getting that were consistent with
       CERT IN-99-07 and involving ICMP_ECHOREPLY packets.
  
-  December 7, 1999    ISS releases an advisory on trinoo/TFN
       after first non-technical mention of DDoS tools in a
       USA Today article.  CERT rushes out the final
       report of the DSIT workshop.  I publish my analyses of
       trinoo and TFN to the BUGTRAQ email list.
  
-  (According to USA Today article)
       December 8, 1999    NIPC
       sends a note briefing FBI Director Louis Freeh for the first
       time.
  
-  (According to USA Today article)
       December 17, 1999   
       NIPC director Michael Vatis briefs Attorney General Janet Reno
       as part of an overview of preparations being made for Y2K.
  
-  December 27, 1999   During final work on the
       analysis of "stacheldraht", a scan of the UW network was made
       with "gag" (included in the stacheldraht analysis), which found
       three active agents which were traced to a handler in the
       southern US.  The ISP and their upstream provider were able to
       identify over 100 agents in this network.
  
-  December 28, 1999   CERT releases Advisory 99-17
       on Denial-of-Service Tools (covers TFN2K and
       MacOS 9 DoS exploit).
  
-  December 30, 1999    I publish my analysis of
       stacheldraht to the BUGTRAQ email list.  NIPC issues a press
       release on DDoS programs and releases Distributed Denial
       of Service Attack Information (TRINOO/Tribal Flood Net)
       (including a tool for scanning local file systems/memory for
       DDoS programs.)
  
-  January 3, 2000   CERT and FedCIRC
       jointly publish Advisory 2000-01
       on Denial-of-Service Developments.  Discusses stacheldraht
       and NIPC scanning tool.
  
-  January 4, 2000   SANS asks its
       membership to use published DDoS detection tools to determine
       how widely these tools are being used.  Reports of successful
       searches start coming in within hours.
  
-  January 5, 2000   Sun releases bulletin
       #00193, "Distributed Denial-of-Service Tools"
  
-  January 14, 2000   Attack on OZ.net in
       Seattle affects Semaphore and UUNET customers (affecting as
       much as 70% of Puget Sound Internet users, and possibly other
       sites in the US -- no national press attention until January 18.)
  
-  January 17, 2000   ICSA.net organizes Birds
       of a Feather (BOF) session on Distributed Denial of Service attacks
       at RSA 2000 conference in San Jose.
  
-  February 7, 2000   Talk by Steve Bellovin
       on Denial of Service attacks, and another ICSA.net DDoS BOF at
       NANOG meeting in San Jose.  First attacks on eCommerce sites begin.
  
-  February 8 - 12, 2000   Attacks on
       eCommerce sites continue.  Media feeding frenzy begins...

Important (in my opinion) points about the timeline
-  Technical details of the developing DDoS tools were not
       available to federal agencies until late September and
       early October.
  
-  It took CERT time to review a large set of intrusions and
       determine the best way to respond (without causing a panic
       reaction by the general public.)
  
-  CERT announced the DDoS tools in mid November 1999, and
       shortly after published an Incident Note and Advisory.
       Any sites paying attention to CERT Incident Notes and
       Advisories learned of trinoo, TFN, and TFN2K in November
       and December.
  
-  Anyone reading BUGTRAQ learned of trinoo and TFN on
       December 7, 1999 and stacheldraht on December 30, 1999.
  
-  NIPC's advisory and tool came out just after the technical
       analyses were published, but because all
       three commonly used DDoS tools were discussed publicly by
       late December it seems to me to
       be overly critical to say the government "failed" to warn
       eCommerce sites before February 7, 2000.  They could have
       learned about them from CERT's Incident Note, DSIT Workshop
       Report, and postings to BUGTRAQ in November and December.
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Sat Jul 22 02:44:06 PDT 2000