DDoS attack tool timeline
- May/June, 1998 First primitive DDoS
tools developed in the underground -- small networks, only
mildly worse than coordinated point-to-point DoS attacks
- July 22, 1999 CERT releases
Note 99-04 mentioning widespread intrusions on Solaris RPC services
- August 5, 1999 First evidence seen at the UW
of programs being installed on Solaris systems in what appeared
to be "mass" intrusions.
- August 17, 1999 Attack on the University of Minnesota
reported to UW network operations and security teams.
- September 2, 1999 Contents of a stolen account used
to cache files was recovered
- September 27, 1999 CERT provided with first draft
of trinoo analysis
- Early October 1999 CERT goes through the painful
process of reviewing hundreds of Solaris intrusion reports
and finds many match the trinoo analysis. They arrange the
Distributed System Intruder Tools Workshop (the first time
they have done this.)
- October 15, 1999 CERT mails out invitations to the
- October 23, 1999 Final draft of trinoo analysis
and TFN analysis finished in preparation for the DSIT workshop.
- November 2-4, 1999 DSIT workshop held in Pittsburgh.
It is agreed by attendees that it is important to not
panic people, but instead provide meaningful steps to deal with
this new threat. All attendees are asked to keep information
about DDoS programs private until we all finish a report on how
- November 18, 1999 CERT releases
Note 99-07 mentioning DDoS tools. Work is still continuing
on DSIT Workshop report.
- November 29, 1999 SANS NewsBytes Vol. 1 Num. 35
mentions trinoo/TFN in the context of widespread Solaris
intrusion reports they were getting that were consistent with
CERT IN-99-07 and involving ICMP_ECHOREPLY packets.
- December 7, 1999 ISS releases an advisory on trinoo/TFN
after first non-technical mention of DDoS tools in a
Today article. CERT rushes out the
report of the DSIT workshop. I publish my analyses of
trinoo and TFN to the BUGTRAQ email list.
- (According to
December 8, 1999 NIPC
sends a note briefing FBI Director Louis Freeh for the first
- (According to
December 17, 1999
NIPC director Michael Vatis briefs Attorney General Janet Reno
as part of an overview of preparations being made for Y2K
- December 27, 1999 As final work on
analysis of "stacheldraht", a scan of the UW network was made
with "gag" (included in the stacheldraht analysis), which found
three active agents which were traced to a handler in the
southern US. The ISP and their upstream provider were able to
identify over 100 agents in this network.
- December 28, 1999 CERT releases
99-17 on Denial-of-Service Tools (covers TFN2K and
MacOS 9 DoS exploit).
- December 30, 1999 I publish my
stacheldraht to the BUGTRAQ email list. NIPC issues a press
release on DDoS programs and releases
of Service Attack Information (TRINOO/Tribal Flood Net)
(including a tool for scanning local file systems/memory for
- January 3, 2000 CERT and FedCIRC
2000-01 on Denial-of-Service Developments. Discusses stacheldraht
and NIPC scanning tool.
- January 4, 2000 SANS asks its
membership to use published DDoS detection tools to determine
how widely these tools are being used. Reports of successful
searches start coming in within hours.
- January 5, 2000 Sun releases bulletin
#00193, "Distributed Denial-of-Service Tools"
- January 14, 2000 Attack on OZ.net in
Seattle affects Semaphore and UUNET customers (affecting as
much as 70% of Puget Sound Internet users, and possibly other
sites in the US -- no national press attention until January 18.)
- January 17, 2000 ICSA.net organizes Birds
of a Feather (BOF) session on Distributed Denial of Service attacks
at RSA 2000 conference in San Jose.
- February 7, 2000 Talk by Steve Bellovin
on Denial of Service attacks, and another ICSA.net DDoS BOF at
NANOG meeting in San Jose. First attacks on eCommerce sites begin.
- February 8 - 12, 2000 Attacks on
eCommerce sites continue. Media feeding frenzy begins...
Important (in my opinion) points about the timeline
- Technical details of the developing DDoS tools was not
available to federal agencies until late September and
- It took CERT time to review a large set of intrusions and
determine the best way to respond (without causing a panic
reaction by the general public.)
- CERT announced the DDoS tools in mid November 1999, and
shortly after published an Incident Note and Advisory.
Any sites paying attention to CERT Incident Notes and
Advisories learned of trinoo, TFN, and TFN2K in November
- Anyone reading BUGTRAQ learned of trinoo and TFN on
December 7, 1999 and stacheldraht on December 30, 1999.
- NIPC's advisory and tool came out just after the technical
analyses were published, but because all
three commonly used DDoS tools were discussed publically by
late December it seems to me to
be overly critical to say the government "failed" to warn
eCommerce sites before February 7, 2000. They could have
learned about them from CERT's Incident Note, DSIT Workshop
Report, and postings to BUGTRAQ in November and December.
Dave Dittrich <email@example.com>
Last modified: Fri Mar 10 18:23:25 2000