In late 1999, more and more weaknesses were being found in computer networks, mostly in Microsoft Windows systems. As more people continued to leap onto the Internet, the number of targets swelled immensely, and some hackers began to realize that there might be more to life than rummaging through random people’s computers for interesting information — though that certainly still happened. Instead, an idea began to grow in the underground that by leaving vulnerable targets relatively intact and unmolested, you could build something that the world had never seen: the biggest hammer anyone had ever held, as long and as wide as the Internet itself.
They called it a Distributed Denial of Service attack — or DDoS. If the Internet, for having been designed to stay online through nuclear holocaust, was the closest thing we had to an immovable object, then a DDoS wasn’t far from its irresistible force. A DDoS couldn’t take down the entire Internet, though it could press hard against some important parts of it and make them cry.
How did someone make a great big hammer out of a bunch of Windows machines? Well, hackers had already begun taking it upon themselves to scan large swaths of the Internet looking for machines that seemed to be vulnerable in one way or other. The scanning tool would attempt to exploit a vulnerability, and if it was successful then it would install a tiny little app in the background of the computer, set to come back up with every system restart. The application was intended to be lightweight, low impact to its environment — it’d be best if the host never became aware that it had been taken over. The invading code came preconfigured with the addresses of some other machines that had already been taken over in a similar way, and which had been chosen to serve as central control points for the growing army. That way, the hackers could hide behind the central command-and-control machines, delivering them instructions which they would then pass along to the other bots.
A few months after the tools first became available, some people suddenly found themselves in control of a huge number of hosts. As hackers traded lists with one another, several lists of hundreds of compromised hosts became one list of more than a thousand, then lists of thousands became a single list of tens of thousands, and pretty soon someone held the reins of the first bot army big enough to do some pretty serious site smashing, raining down hammer strikes, essentially identical to valid Web requests, from all across the world.
There were plenty of places besides Packet Storm where you could find copies of DDoS attack tools, though we were one of the most prominent. It was a particularly bad decision by Brad, the Packet Storm project owner, that brought the authorities to our door. In December of 1999, he ran a little contest, offering $10,000 for the best analysis of how to handle a large-scale DDoS attack — which, as far as nearly everyone knew at the time, was a purely hypothetical question. Internally, a few of us took bets as to how many submissions we would get. I guessed six. Brad, the Packet Storm project owner, thought we’d only get one. We ended up getting two, but both of them from the same person, a young German hacker called Mixter who’d written one of the most popular bot control tools, TFN, Tribal Flood Network. Shortly afterwards, an even more advanced tool appeared on the scene, called Stacheldraht, which means “barbed wire” in German. It seemed to have been based on TFN, and even though Mixter never publicly took credit for it the math looks pretty simple.
So yes, we gave ten grand to a 24-year-old German DDoS hacker not long before the newest generation of his code was fingered as being responsible for the first large-scale public DDoS attacks, in which an oppressive number of remotely orchestrated computers took down Yahoo, Amazon, eBay, eTrade, and others, for as long as ninety minutes at a time during crucial business hours, causing an estimated $1.7 billion in damage in just three days.
Jim McCoy was not the only one who didn’t find it particularly clever that we might have aided these attacks, however distantly. Someone at the FBI wasn’t impressed, either.