DDoS attacks (short for distributed denial-of-service) are among the most common and easiest-to-execute cyberattacks. They flood servers, network links, DNS infrastructure and other endpoints with more traffic than they can handle, so that the targets stop functioning as intended.
Attackers typically generate this traffic with botnets: networks of compromised Internet-connected devices. Often poorly secured, these devices are turned into bots that target a system simultaneously, degrading its performance or taking it down entirely and making it difficult for legitimate users to reach your services.
Almost anyone who wants to launch an attack can do so with relative ease, which is why fortifying your infrastructure matters. A robust protection service is crucial to mitigating these attacks. Examples of DDoS attacks span decades and vary widely in scale and severity.
In this post, we’ll examine some of the most significant DDoS attacks on record to gain insight into the devastation they can cause.
Amazon AWS Attack (2020)
In February 2020, Amazon Web Services (AWS) mitigated one of the largest DDoS attacks ever recorded. The attack peaked at 2.3 Tbps (terabits per second) and was aimed at an AWS customer, with the goal of overwhelming the target's servers and disrupting its services. AWS reported around three days of elevated threat.
The attackers relied on amplification: sending a small request with a spoofed source address to a third-party server, which then sends a much larger response to the spoofed address. The primary method was CLDAP reflection, which abuses Internet-exposed Connection-less Lightweight Directory Access Protocol servers (UDP port 389, a directory service that should never be reachable from the Internet) as reflectors. These servers are misconfigured rather than compromised, so the attacker needs no foothold on them; each small query produces a response many times its size, and every response is delivered to the victim's IP address.
AWS reported the event as 44% larger than any network volumetric event it had previously detected, making it the largest publicly disclosed volumetric DDoS attack at the time. Larger attacks have been reported since, including a 3.47 Tbps attack that Microsoft mitigated in November 2021.
Thankfully, AWS’s mitigation efforts were swift and effective. Downtime and disruption were minimal, and the overall impact was far lower than it could have been under different circumstances. Although the outcome was positive, this case shows first-hand how devastating DDoS attacks can be, even to industry-leading services like Amazon’s AWS.
GitHub DDoS Attack (2018)
GitHub, an online code-hosting service used by millions of developers worldwide, endured a 1.35 Tbps DDoS attack on 28 February 2018. Like the AWS attack, it did not rely on a conventional botnet; it was a memcached reflection attack.
Memcached is an in-memory caching system that speeds up websites and applications by temporarily storing data objects in RAM. It was never designed to face the Internet, yet many deployments listened on UDP port 11211 with no authentication. Attackers sent small spoofed requests to these servers and had them return their responses to GitHub's addresses, amplifying the traffic by a factor of roughly 50,000.
Despite the scale of the attack, GitHub avoided the worst of it. Its monitoring raised the alarm within minutes, and within ten minutes traffic had been rerouted through a DDoS scrubbing provider that filtered out the malicious packets. By volume this is one of the largest attacks in recent history, but it lasted only around 20 minutes and caused only brief, intermittent unavailability.
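Both the AWS (CLDAP) and GitHub (memcached) incidents share one signature: large UDP responses arriving from service ports at a host that never sent the matching requests, from many distinct reflectors at once. The following Python script, added here as an illustration and not code from AWS, GitHub or Stream Networks, runs that check over a handful of constructed flow records (RFC 5737 documentation addresses; the record format, the protected host 198.51.100.5 and the thresholds are assumptions). A genuine DNS reply is left alone because the protected host sent the request; the unsolicited CLDAP and memcached traffic is flagged.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port the
# reflected traffic arrives FROM. memcached is the extreme case (roughly
# 50,000x bandwidth amplification); CLDAP, DNS and NTP are tens of times.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    11211: "memcached",
}

# Constructed flow records for this example (not real captures).
# Fields: ts src_ip src_port dst_ip dst_port proto bytes packets
# 198.51.100.5 is the assumed protected host; 203.0.113.x are assumed reflectors.
SAMPLE_FLOWS = """\
1700000000.0 198.51.100.5 52311 203.0.113.9 53 UDP 74 1
1700000000.1 203.0.113.9 53 198.51.100.5 52311 UDP 512 1
1700000001.0 203.0.113.10 389 198.51.100.5 41242 UDP 3000 2
1700000001.1 203.0.113.11 389 198.51.100.5 41242 UDP 2900 2
1700000001.2 203.0.113.12 389 198.51.100.5 41242 UDP 3100 2
1700000001.3 203.0.113.13 389 198.51.100.5 41242 UDP 2950 2
1700000001.4 203.0.113.14 389 198.51.100.5 41242 UDP 3050 2
1700000002.0 203.0.113.20 11211 198.51.100.5 80 UDP 1400000 1000
1700000002.2 203.0.113.21 11211 198.51.100.5 80 UDP 1400000 1000
1700000002.4 203.0.113.22 11211 198.51.100.5 80 UDP 1400000 1000
1700000003.0 192.0.2.7 443 198.51.100.5 55012 TCP 9000 12
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sip, sp, dip, dp, proto, nbytes, pkts = line.split()
        flows.append({
            "ts": float(ts), "src_ip": sip, "src_port": int(sp),
            "dst_ip": dip, "dst_port": int(dp), "proto": proto,
            "bytes": int(nbytes), "packets": int(pkts),
        })
    return flows


def find_reflection(flows, protected_hosts, min_reflectors=3, min_bytes=10_000):
    """Flag unsolicited UDP traffic arriving from reflector service ports.

    Returns {(victim_ip, service): summary} for every (victim, service) pair
    that received traffic from at least `min_reflectors` distinct sources
    totalling at least `min_bytes` without a matching outbound request.
    """
    # Requests the protected hosts genuinely sent. A reply is legitimate only
    # if it matches one of these 4-tuples with the directions swapped.
    solicited = set()
    for f in flows:
        if f["proto"] == "UDP" and f["src_ip"] in protected_hosts:
            solicited.add((f["src_ip"], f["dst_ip"], f["dst_port"], f["src_port"]))

    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set(),
                               "first": None, "last": None})
    for f in flows:
        if f["proto"] != "UDP" or f["dst_ip"] not in protected_hosts:
            continue
        service = REFLECTOR_PORTS.get(f["src_port"])
        if service is None:
            continue
        if (f["dst_ip"], f["src_ip"], f["src_port"], f["dst_port"]) in solicited:
            continue  # a real reply to a request we actually sent
        a = agg[(f["dst_ip"], service)]
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]
        a["reflectors"].add(f["src_ip"])
        a["first"] = f["ts"] if a["first"] is None else min(a["first"], f["ts"])
        a["last"] = f["ts"] if a["last"] is None else max(a["last"], f["ts"])

    reports = {}
    for key, a in agg.items():
        if len(a["reflectors"]) < min_reflectors or a["bytes"] < min_bytes:
            continue
        reports[key] = {
            "bytes": a["bytes"],
            "packets": a["packets"],
            "reflectors": len(a["reflectors"]),
            "avg_packet_bytes": a["bytes"] // a["packets"],
            "window_s": round(a["last"] - a["first"], 3),
        }
    return reports


if __name__ == "__main__":
    hits = find_reflection(parse_flows(SAMPLE_FLOWS), {"198.51.100.5"})
    for (victim, service), r in hits.items():
        print(f"{victim}: {service} reflection from {r['reflectors']} sources, "
              f"{r['bytes']} bytes / {r['packets']} pkts in {r['window_s']}s")
```

The "unsolicited" test is what separates reflection from ordinary traffic: a scrubbing filter that simply drops everything from UDP source port 53 would break the host's own DNS lookups, whereas dropping replies that match no outbound request does not. On the reflector side, the fix for memcached is to stop listening on UDP at all (memcached's `-U 0` option) or bind it to localhost, and for CLDAP to keep UDP/389 off the public Internet.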
Occupy Central – Hong Kong (2014)
2014 was a turbulent year for Hong Kong. Waves of pro-democracy protests, organised and carried out as part of the Occupy Central movement, resulted in various silencing and communication disruption efforts.
PopVote, a website used to host an unofficial referendum, was hit hard by a barrage of distributed denial-of-service attacks. Other pro-democracy platforms, such as HKGolden and Next Media, were also targeted extensively.
The targeted websites saw a peak of 250 million DNS requests per second. PopVote in particular was hit so hard that its organisers extended the voting deadlines and drew up contingency plans to pre-empt a total collapse. DDoS mitigation provider Cloudflare, which was defending PopVote's site at the time, reported an aggregate of 500 Gbps while the botnets were at their busiest. These volumetric attacks flooded networks with enough traffic to saturate their bandwidth, which also made it harder to separate legitimate traffic from malicious activity.
American cybersecurity firm FireEye identified a link between the attack and advanced persistent threat (APT) actors based in China. The malware and tools used shared similarities with previous state-sponsored espionage activity, suggesting the involvement of the Chinese government itself. The actors used botnets to send HTTP requests and DNS floods in massive volumes, exhausting available resources and overwhelming firewalls and other defensive measures.
While there have been larger-scale attacks since 2014, this example was the most extensive of its time. Because of its context, it’s one of the most significant cyberattacks of all time; not only was it potentially state-mandated, but it was also a direct attack on democracy and free speech efforts in Hong Kong.
Internet Archive Attack (2024)
The Internet Archive is a nonprofit Internet service that provides free access to digitised materials such as websites, applications, and music. It aims to record and preserve digital history and has compiled over 48 petabytes of content since 1996.
In May 2024, the Internet Archive experienced a DDoS attack claimed by SN_BLACKMETA, a hacker group associated with Anonymous Sudan. The group never clarified the motive behind its decision, but the attack traffic was enough to temporarily take the website offline.
In October, the site was DDoSed again several times. In a separate intrusion, attackers also accessed a database of 31 million user records (email addresses, usernames and bcrypt-hashed passwords) and around 800,000 support tickets. The support-ticket access was possible because the Internet Archive had not rotated API tokens exposed during the earlier breach; the attackers used those still-valid tokens as their way in.
For years, the Internet Archive has been acclaimed for its extensive preservation efforts and resilience against large corporations that want to scrub compromising records from the Internet. Because of this perception, the attack has been met by the public with extreme disdain, with some likening it to ‘shooting a medic on a battlefield’.
As of October 2024, this attack is still ongoing. The continuous DDoS attacks are part of a broader operation involving other volumetric attacks.
Mirai Dyn Attack (2016)
On the morning of October 21st, 2016, many of the world’s most popular online services went silent. People trying to check Twitter, stream Netflix, or browse Reddit found themselves unable to access these platforms.
Dyn, a DNS provider that resolved names for many of the Internet's most prominent platforms, had been hit with a large DDoS attack that came in waves throughout the day. The attackers used an extensive fleet of compromised Linux-based IoT devices, and Dyn estimated the traffic at up to 1.2 Tbps, making it one of the largest DDoS events recorded at the time.
The Mirai botnet, whose source code had been published on a hacking forum weeks earlier, conscripted IoT devices not by exploiting software vulnerabilities but by scanning for exposed telnet services and logging in with a short list of factory-default usernames and passwords. Several other notable DDoS attacks were carried out with Mirai, and the public release of its source made attribution difficult. Hacktivist group Anonymous claimed responsibility for the Dyn attack, but this was never confirmed.
The attack caused major disruptions not just for Dyn but for the customers that relied on it for DNS. Many household names, including Amazon, Reddit, Netflix, the BBC and Spotify, experienced noticeable disruptions and, in some cases, complete downtime.
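Mirai's recruitment method leaves a recognisable trace: a burst of telnet logins from one source, cycling through the same short list of default credential pairs. The Python below is an added example (not Mirai's code, Dyn's tooling or Stream Networks' product) that detects that pattern in a constructed honeypot-style log. The log format is assumed, because ordinary telnet daemons do not record passwords while honeypots do; the credential list is a subset of the pairs hard-coded in the leaked Mirai scanner.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the username/password pairs hard-coded in the leaked Mirai
# scanner (the full list is around 60 pairs). Each is a factory default
# shipped on some IoT product.
MIRAI_DEFAULTS = frozenset({
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "dreambox"), ("root", "realtek"),
    ("admin", "1234"), ("admin", "12345"), ("admin", "123456"),
    ("service", "service"), ("supervisor", "supervisor"), ("guest", "guest"),
    ("tech", "tech"),
})

# Constructed telnet honeypot log lines for this example (assumed format).
# 198.51.100.20 behaves like a Mirai scanner; 192.0.2.33 is a human user.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z honeypot 198.51.100.20 login attempt [root/xc3511] failed
2016-10-21T11:02:14Z honeypot 198.51.100.20 login attempt [root/vizxv] failed
2016-10-21T11:02:14Z honeypot 198.51.100.20 login attempt [admin/admin] failed
2016-10-21T11:02:15Z honeypot 198.51.100.20 login attempt [root/888888] failed
2016-10-21T11:02:15Z honeypot 198.51.100.20 login attempt [root/xmhdipc] succeeded
2016-10-21T11:30:00Z honeypot 192.0.2.33 login attempt [alice/Tr0ub4dor&3] failed
2016-10-21T11:30:20Z honeypot 192.0.2.33 login attempt [alice/correcthorse] succeeded
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<src>\d+\.\d+\.\d+\.\d+) login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse_log(text):
    """Turn log lines into events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "cred": (m["user"], m["pw"]),
            "ok": m["result"] == "succeeded",
        })
    return events


def detect_mirai_bruteforce(events, window_s=60, min_attempts=4, min_default_ratio=0.5):
    """Per source IP, flag Mirai-style default-credential dictionary attacks.

    A source is flagged when it makes at least `min_attempts` login attempts
    inside some `window_s`-second window AND at least `min_default_ratio` of
    its attempts use a pair from the Mirai list.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over timestamps: does any window hold min_attempts?
        burst = False
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_attempts:
                burst = True
                break
        default_hits = [e for e in evs if e["cred"] in MIRAI_DEFAULTS]
        ratio = len(default_hits) / len(evs)
        if burst and ratio >= min_default_ratio:
            findings[src] = {
                "attempts": len(evs),
                "default_hits": len(default_hits),
                # A successful login with a default pair means the device is
                # as good as conscripted: that credential is the one to change.
                "compromised_with": sorted({e["cred"] for e in default_hits if e["ok"]}),
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_mirai_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The ratio test is what keeps a forgetful human from being flagged: a legitimate user who mistypes a strong password twice in twenty seconds produces neither the burst nor the dictionary hits. On real devices the durable fix is the one Mirai relied on nobody applying: change the factory password and do not expose telnet to the Internet.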
DDoSing in the Current Threat Landscape
The examples above show that DDoS attacks remain rife in today's threat landscape. The traffic record is broken every few years, underlining the growing severity of the risk. Even a minor attack can inflict financial and reputational damage on any business, so it pays not to leave your organisation exposed.
At Stream Networks, one of our core cybersecurity offerings is DDoS scrubbing, which keeps your Internet-facing services reachable during an attack. We monitor your traffic in real time, track request rates and remove malicious traffic, all while ensuring your customers retain constant access to your online services.
With 1 Tbps of protection against DDoS threats, live statistics and layer 7 filtering, 24/7/365 support, and no DDoS blackhole, you can trust us to keep you online and protected in the wake of any cyber threat.