How I became the first person to describe the advent of a new class of computer network attack tools.

20 Years of DDoS: August 5, 1999

Something is happening, but what?

Dave Dittrich
13 min readAug 6, 2019


20 years ago today — August 5, 1999 — I rode my mountain bike across the University of Washington campus to work like every other workday. Early mornings in the summer in Seattle can be pretty nice. Sunny, a little cool with dew on the grass.

Before there were signs requiring that bike riders walk their bikes, I could cruise across campus, bunny-hopping the small 2–3 foot flights of stairs in the Quad, entering Red Square heading south, and — at just the right speed — take the two flights of ten steps each on the south-west corner Suzzallo Library in just over a second. My bike lock strapped on the handle-bars was the “only” sound: TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-BAP!!…TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-BAP!! (Adrenaline is a decent — low cost, despite the high risk — substitute for coffee!)

The steps off Red Square by Suzzallo Library (Left: rider’s view southbound down Rainier Vista with Mt. Rainier at sunset; Right: Looking north with Kane Hall on left, Suzzallo Library on right)

I had an office on the ground floor of Mary Gates Hall (which is just south of Suzzallo) along with the rest of the Computing and Communications (C&C) Client Services group, the people who answer help@ email questions from faculty, staff, and students (coincidentally using a 4000+ line Perl email tracking system named QnA that I wrote as my first task at C&C in the early 1990s, but I digress.)

Take a number, please

August 5th was the first day that there was a noticeable uptick in reports of compromised Solaris 2.x systems on campus.

It wasn’t just one or two hosts, here and there. It was a dozen or more at a time, sometimes a full lab’s worth of computers, and spread across campus. I didn’t realize it at the time, but over a couple of weeks of investigations, the facts just kept building that there was a campaign (in the MITRE STIX sense, as we know it today) in progress.

I had created a rudimentary filesystem-based method of organizing information about security incidents that I used to keep track of things, as there was a steady stream of account abuse reports. We regularly received lots of reports from outside the UW about scanning…



Dave Dittrich

Information Security Researcher, Consultant, Writer. Support my writing by joining Medium (affiliate link — I get a portion of your fee)