But to those who specialise in the field it was inevitable and so they say are further

Posted by admin

But to those who specialise in the field, it was inevitable; and so, they say, are further attacks if the industry and users do not react faster and more effectively to warnings. "It was just a matter of time, as these tools matured, that they got turned on some big players," says Robert Moskowitz, a senior technical director at the International Computer Security Association. "We were expecting it," says Steve Bellovin, network security research fellow for AT&T Labs and author, with William Cheswick, of the classic book Firewalls and Internet Security: Repelling the Wily Hacker.

Industry professionals had been aware of the risk for months. "Word started circulating in the security community last fall," Bellovin says. "There was a small workshop at CERT (Computer Emergency Response Team) in November. Public advisories were issued by CERT in December." CERT warned: "We have received reports of intruders installing distributed denial-of-service tools. Tools we have encountered utilise distributed technology to create large networks of hosts capable of launching large co-ordinated packet flooding denial-of-service attacks."

The technology was relatively well understood, too.

Distributed denial-of-service tools such as Trinoo and Tribe Flood Network (TFN), the latter developed by the German hacker Mixter, were already in use. "In late June and early July of 1999, one or more groups were installing and testing Trinoo networks and waging medium- to large-scale denial-of-service attacks employing networks of over 2,000 compromised systems," wrote Dave Dittrich, a specialist at the University of Washington. "These attacks involved, and were aimed at, systems around the globe. In late August/early September of 1999, focus began to shift from Trinoo to TFN, presumed to be the original code by Mixter." Mixter had also developed a more sophisticated version, TFN2K.

A new tool was also emerging: Stacheldraht, a more complex form, started showing up in September and October on systems in Europe and the United States. It added encryption of the communication between the attacker and the "masters", the intermediate hosts which in turn controlled the attacking "daemons". "Stacheldraht was a natural progression or maturing of the earlier programs," Moskowitz says.

In many respects the early-warning system worked as it should have. America's National Infrastructure Protection Center (NIPC), run by the Federal Bureau of Investigation (FBI), put out an alert at the end of the year.

"During the past few weeks the NIPC has seen multiple reports of intruders installing distributed denial-of-service tools on various computer systems, to create large networks of hosts capable of launching significant co-ordinated packet flooding denial-of-service attacks," it said. "Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial-of-service attacks."

CERT put out a new alert on 3 January which warned that something was imminent. "A distributed denial-of-service tool called 'Stacheldraht' has been discovered on multiple compromised hosts at several organisations," it said. "In addition, one organisation reported what appears to be more than 100 different connections to various Stacheldraht agents."

But the timing of the attack was uncertain: whoever was behind the attacks kept the element of surprise. "There was some concern that it was going to be launched at midnight, 1 Jan, to exploit the Y2K paranoia; I'm glad that that didn't happen," Bellovin says. "There was 'beer talk' that the hackers were probably waiting a reasonable period after 1 Jan so as not to get confused with Y2K bugs, but there was no firm data on this," Moskowitz adds.

By the beginning of the year, ICSA had put together groups to discuss the threat; scanning software had been developed, and all the current distributed denial-of-service tools had been analysed and details published. "The technical vulnerabilities used to install these denial-of-service tools are widespread, well-known and readily accessible on most networked systems," the FBI warned before the attacks. "The tools appear to be undergoing active development, testing and deployment on the Internet.
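The two-tier layout the article describes (an attacker talking to a few "masters", each of which commands many "daemons" that flood a single victim) leaves two distinct footprints in flow data: a handler fanning out small control exchanges to many peers, and a victim receiving high packet volume from many distinct sources. The following is an added illustration, not code from the article, from CERT or from Dittrich's tool analyses; it runs two such heuristics over a constructed set of flow summaries using documentation IP ranges, and the thresholds are assumptions rather than figures the advisories give.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow summary (constructed sample data, not a real capture)."""
    src: str
    dst: str
    proto: str
    packets: int


def find_handlers(flows, min_agents=100, max_control_packets=20):
    """Hosts that hold small, control-style flows to many distinct peers.

    A master/handler exchanges a few command packets with every agent it
    controls, so it appears as one source fanning out to many destinations
    with only a handful of packets per flow. This is a triage heuristic:
    a busy server can look similar, so hits need corroboration.
    """
    peers = defaultdict(set)
    for f in flows:
        if f.packets <= max_control_packets:
            peers[f.src].add(f.dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= min_agents}


def find_flood_targets(flows, min_sources=100, min_packets=1_000_000):
    """Destinations hit by many distinct sources with a large aggregate packet count."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for f in flows:
        sources[f.dst].add(f.src)
        packets[f.dst] += f.packets
    return {
        dst: (len(sources[dst]), packets[dst])
        for dst in sources
        if len(sources[dst]) >= min_sources and packets[dst] >= min_packets
    }


def build_sample_flows():
    """Constructed sample: one handler, 120 agents, one victim, plus ordinary web traffic.

    Addresses come from the RFC 5737 documentation ranges; the hosts and
    packet counts are hypothetical.
    """
    flows = []
    handler = "192.0.2.5"
    victim = "203.0.113.10"
    agents = [f"198.51.100.{i}" for i in range(1, 121)]
    for agent in agents:
        flows.append(Flow(handler, agent, "tcp", 8))        # command traffic to the agent
        flows.append(Flow(agent, handler, "tcp", 6))        # agent acknowledgements
        flows.append(Flow(agent, victim, "udp", 50_000))    # the packet flood itself
    web = "203.0.113.80"
    for i in range(1, 41):                                  # benign clients of a web server
        client = f"192.0.2.{100 + i}"
        flows.append(Flow(client, web, "tcp", 40))
        flows.append(Flow(web, client, "tcp", 60))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("handler candidates:", find_handlers(sample))
    print("flood targets:", find_flood_targets(sample))
```

On the constructed data the handler is reported with 120 controlled peers and the victim with 120 sources and six million packets, while the web server and its clients stay below both thresholds. The packet cap on control flows is what keeps the server's replies out of the fan-out count; lower it and ordinary servers start to appear, which is why a hit here is a lead for host inspection rather than a verdict.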
