How I became the first person to describe the advent of a new class of computer network attack tools.

20 Years of DDoS: August 5, 1999

Something is happening, but what?

20 years ago today — August 5, 1999 — I rode my mountain bike across the University of Washington campus to work like every other workday. Early mornings in the summer in Seattle can be pretty nice. Sunny, a little cool with dew on the grass.

Before there were signs requiring that bike riders walk their bikes, I could cruise across campus, bunny-hopping the small 2–3 foot flights of stairs in the Quad, entering Red Square heading south, and — at just the right speed — take the two flights of ten steps each on the south-west corner Suzzallo Library in just over a second. My bike lock strapped on the handle-bars was the “only” sound: TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-BAP!!…TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-BAP!! (Adrenaline is a decent — low cost, despite the high risk — substitute for coffee!)

The steps off Red Square by Suzzallo Library (Left: rider’s view southbound down Rainier Vista with Mt. Rainier at sunset; Right: Looking north with Kane Hall on left, Suzzallo Library on right)

I had an office on the ground floor of Mary Gates Hall (which is just south of Suzzallo) along with the rest of the Computing and Communications (C&C) Client Services group, the people who answer help@ email questions from faculty, staff, and students (coincidentally using a 4000+ line Perl email tracking system named QnA that I wrote as my first task at C&C in the early 1990s, but I digress.)

Take a number, please

August 5th was the first day that there was a noticeable uptick in reports of compromised Solaris 2.x systems on campus.

It wasn’t just one or two hosts, here and there. It was a dozen or more at a time, sometimes a full lab’s worth of computers, and spread across campus. I didn’t realize it at the time, but over a couple of weeks of investigations, the facts just kept building that there was a campaign (in the MITRE STIX sense, as we know it today) in progress.

I had created a rudimentary filesystem-based method of organizing information about security incidents that I used to keep track of things, as there was a steady stream of account abuse reports. We regularly received lots of reports from outside the UW about scanning…