For businesses that rely on their websites for revenue or as their customers’ main gateway to information, there’s nothing more frightening than the threat of a distributed denial of service (DDoS) attack. Revenue lost, service interrupted, brand identity marginalized, trade secrets or customer data stolen; it really does sound like the worst-case scenario. Some companies hope that they are too small to be noticed by hackers, others that their size alone implies they must have ample security to survive a DDoS attack. Both ways of thinking are horribly misguided, as has been proven time and again.

Compiling a list of the biggest DDoS attacks in history is about as gruesome as documenting the worst single-day drops in the history or the stock market or the most damage done by hurricanes. But the analysis of why the attacks happened and how they have helped the digital security world stronger as a result makes such record-keeping worth it.

As with history itself, if we can’t learn from these security mistakes, we are surely destined to repeat them.

Here’s a deeper dive into the five biggest DDoS attacks of all time and what hosting companies have learned from them.

This is part of a series of articles about DDOS protection.

Spamhaus, 2013

What Happened: Believe it or not, there are actual “good guys” on the Internet, and Spamhaus is one of them. Founded in 1998, the Spamhaus Project is a non-profit organization dedicated to weeding out spam emails and organizations. In March of 2013, Spamhaus was hit by a massive DDoS allegedly perpetrated by CyberBunker in retaliation for Spamhaus adding it to its blacklist. Using IP address spoofing, the spam requests directed at Spamhaus as part of the attack peaked at a previously-unheard of 300 gigabits/second and affected Spamhaus for more than a week. Spamhaus had allies to help it shoulder the load and hired Cloudflare to mitigate the nastiest parts of the attack, and it still took them more than seven days to get everything rolling again. At the center of this DDoS was a strategy known as a Domain Name System (DNS) reflection. This technique involves sending a request for a large DNS zone file using the source IP of the intended victim for the reply. The request is sent to a large number of DNS resolvers, all of which automatically reply with the large DNS zone file, thus flooding the victim’s IP address with requests.

What We Learned: It turns out the exploit was taking advantage of misconfigured DNS resolver software, specifically made by a company called BIND, which was set up to respond to a query from any IP address on the planet.  The Spamhaus attack happened because thousands of companies around the world had open DNS resolvers that had been used in the hack. Identifying them and shutting them down made the Internet a safer place for everyone.

Hong Kong, 2014

What Happened: Two years before parts of the US government accused Russian hackers of influencing the presidential election, Hong Kong independent media sites were attacked during rallies by pro-democracy advocates. The two news sites, Apple Daily and Pop Vote, had Cloudflare looking out for them, which said the two websites were getting hit with 500GB/second of junk traffic. Pop Vote was targeted first, with attacks on Apple Daily coming later that summer. The hackers were able to disguise huge packets of junk as legitimate traffic, bringing both sites grinding to a halt. The hackers also used the attack to break into both sites’ databases and sent phishing messages to PopVote staff members.

What We Learned: Hackers’ technology is going to keep advancing, so defenses have to keep advancing too. A year before Hong Kong, the Spamhaus attacks blew everyone’s mind by reaching 300GB/second of attacks. A year later, the Hong Kong attacks nearly doubled that statistic. Hackers aren’t going to use old technology, they’ll keep pushing for more powerful ways to attack. Defense and security must evolve to keep up.

Github, 2015

What Happened: For the uninformed, Github is one of the coolest spots on the Internet. It’s a development platform where you can host, share, build and manage your own codes and projects. While most people tend to see this type of website as reflective of the true “one world community” that represents the Internet at its best, others (such as certain countries who block such controversial websites like Wikipedia and Yahoo) clearly don’t care for the concept of sharing information freely, and decided to do something about it. Yes, Chinese hackers were behind the attack, their role confirmed by Rob Graham, the CEO of Errata Security. GitHub shut down for most of five days as two GitHub pages were loaded and reloaded again and again by thousands of computers. The “Great Firewall of China”, which is used by the Chinese government to censor its own citizens from viewing content from outside of its own borders, had now been turned into an offensive weapon, linking those private computers together to attack Github.

What We Learned: When a hacker or syndicate attacks your website, you can track them and bring up criminal charges. What do you do when the offender is an entire country – one that is so secretive that it censors the most basic of American websites from its citizens? More than a lesson learned, this attack was a eye-opener into the world of cyber espionage and how big it can get.

BBC, 2015

What Happened: On the last day of 2015, a group calling itself ‘New World Hacking’ brought down the BBC news website along with its on-demand iPlayer service. Quite proud of themselves, the New World Hacking group claimed they had used their own invention, the BangStresser, to launch a DDoS attack. The group claimed that the attack was to “test its power” as it prepares to take down the terrorist syndicate ISIS. Even more fascinating is that the attack appeared to use two Amazon Web Services (AWS) servers to harness ‘unlimited’ bandwidth.

What We Learned: Everything is vulnerable. Is that a little pessimistic? Maybe, but when a group can use AWS to take down the BBC, that’s a real punch in the gut to the presumed security of two trusted names. For the average person, the big news is that the BBC got knocked offline. For the more IT-savvy crowd, the fact that AWS products were used is the bigger deal. On the scene since 2006, AWS is a bit of a paragon of strength in the market. Hackers using AWS as a weapon to attack a trusted news service is a bit unnerving.

Dyn, 2016

What Happened: Remember Y2K and the pervading notion that at midnight on January 1, 2000, we’d all wake up to chaos and anarchy? (Spoiler alert: nothing happened.) Well that was the feeling a lot of people experienced on October 21, 2016, when DNS provider Dyn was struck three times by DDoS attacks. Websites taken offline by the attack included Twitter, Tumblr, Paypal, Pinterest, the BBC, Etsy, Fox News, GitHub, GroupHub, HBO, HostGator, iHeartRadio, Mashable, the New York Times, Reddit, Shopify, Slack, Spotify, Starbucks and more. Dyn itself called the attacks “highly sophisticated” and reported that there were tens of millions of IP addresses involved.

What We Learned: The Internet of Things (IoT) is remarkably vulnerable. Who would have though lax security on things like baby monitors and residential gateways could turn into a national nightmare? The hackers responsible infected these IoT devices and millions more with the Mirai malware and turned them loose on Dyn. The malware had been released as open-source code a few weeks prior on the Internet. Sort of like dumping the ingredients to a homemade bomb in the middle of a crowded shopping mall and walking away. Cloud and dedicated hosting companies responded with increased edge protection to enhance their ability to keep their clients safe.

Read More About DDoS Protection