Home / Blogs

So Long, Farewell: The Worst DDoS Attacks of 2016

The year 2016 will go down in infamy for a number of reasons. It was the year an armed militia occupied an Oregon wildlife refuge, Britain voted to Brexit, an overarching event that will simply be referred to as The Election occurred, and Justin Bieber made reluctant beliebers out of all of us.

2016 was also the worst year on record for distributed denial of service (DDoS) attacks by a margin that can only be considered massive. This year’s DDoS attacks—cyberattacks launched from botnets or large clusters of connected devices—ushered in a new breed of botnet: ones comprised of devices from the Internet of Things.

The abominable snowstorm(s)

What happened: Following the release of the Legion expansion to the mega-popular World of Warcraft game in August, Blizzard Entertainment was slammed with three distributed denial of service attacks in August and another one in September.

The DDoS details: While the company has not released specifics on the attacks, the modus operandi was standard for taking aim at a gaming company: wait until the servers are overloaded with users excited about a new game or expansion, then push those servers over the brink with malicious traffic. DDoS for hire service PoodleCorp has claimed responsibility.

The damage done: These attacks affected not only World of Warcraft players, but people trying to use the Blizzard platform for other games, including Diablo III and Overwatch. Gamers are known for their emotional reactions to outages, which is one of the reasons gaming platforms are frequently targeted, and PoodleCorp succeeded in causing widespread anger over Blizzard’s failure to protect their platform from DDoS attacks once again.

The lesson that needs to be learned: website or platform users don’t get used to DDoS-related outages, they get increasingly angry over them. Gaming platforms are at a disadvantage due to their overworked servers, the single point of failure nature of their systems, and the emotional reactions of their users.

The jewelry store hold-up

What happened: In June a brick and mortar jewelry store had their website taken offline for days by a distributed denial of service attack. They got their website restored, only to have it knocked offline again.

The DDoS details: As small as the jewelry store may have been, this is big news since the attack came from a botnet fully made up of CCTV cameras, 25,000 of them, sending 50,000 requests per second.

The damage done: This wasn’t a large-scale attack affecting hundreds of thousands of people like the others in this list, but what makes it stand out was that it was one of the first known uses of an IoT botnet that used only CCTV devices.

The lesson that needs to be learned: As the world becomes increasingly connected, DDoS attackers are amassing more and more weapons. There are two lessons here: secure your IoT devices by changing the default passwords, and get professional DDoS mitigation if your website does not have it. There are simply too many opportunities for attackers now.

The Mirai deluge

What happened: This is actually a set of three separate attacks, all coming courtesy of the Mirai botnet. First computer security blogger Brian Krebs had his site rendered useless by a 620 Gbps attack in September. Days later French hosting provider OVH was hit with a 1 Tbps attack. The biggest one came in October: the Dyn DNS provider was slammed by a 1.2 Tbps attack that knocked major websites and platforms offline, including Netflix, Twitter and PayPal.

The DDoS details: It’s hard to get a handle on just how big the Mirai botnet is, but security experts agree it’s an IoT botnet consisting of well over 100,000 devices capable of throwing attack traffic from tens of millions of IP addresses. Due to the sheer number of devices in this botnet, its attackers tend to use it for distributed denial of service flooding attacks.

The damage done: Each of these three DDoS attacks held the title of biggest ever, at least until the next one came along. The Dyn attack reigns supreme, for now. The Dyn attack was one of the first DDoS attacks to grab the attention of the public due to the high-profile nature of the websites and platforms affected. It became such a major news story that the White House had to give multiple briefings and updates on it.

The lesson that needs to be learned: IoT botnets are currently grabbing headlines for these staggering attacks, but the average website owner needs to know that the biggest use of these botnets is assuredly going to be as DDoS for hire services. That means the extraordinary power of these botnets can be rented for a nominal fee, and everyone is a potential target.

Make no mistake about it. We haven’t even begun to scratch the surface of what went on in DDoS attacks this year. As ugly as this round-up is, next year’s is likely only going to be worse. May a new Justin Bieber album soothe us all!

By Patrick Vernon, Writer

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign


Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix