European ISPs report mysterious wave of DDoS attacks

Over the past week, multiple ISPs in Belgium, France, and the Netherlands reported DDoS attacks that targeted their DNS infrastructure.
Written by Catalin Cimpanu, Contributor

More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.

The list of ISPs that suffered attacks over the past week includes Belgium's EDP, France's Bouygues Télécom, FDN, K-net, SFR, and the Netherlands' Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl.

Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active.

NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week's incidents.

"Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs," a spokesperson said. "Most of [the attacks] were DNS amplification and LDAP-type of attacks."

"Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume," NBIP said.

The DDoS attacks against European ISPs all began on August 28, a day after ZDNet exposed a criminal gang engaging in DDoS extortion against financial institutions across the world, with victims like MoneyGram, YesBank India, Worldpay, PayPal, Braintree, and Venmo.

While ZDNet does not yet have any evidence that the two series of incidents are connected, the DDoS attacks against financial services subsided right as the attacks against European ISPs got underway.

Furthermore, sources tracking the extortion group told ZDNet that the same gang had also targeted several ISPs in Southeast Asia just weeks before attacking financial services.

In addition, several security experts have also told ZDNet that the massive CenturyLink outage that took place over the weekend is believed to have been the result of an initial DDoS attack. In separate reports, both Cisco and CloudFlare said the outage was caused by a bad Flowspec rule, a tool typically deployed when mitigating DDoS attacks.

Update on September 4: The Dutch cyber-security agency (NCSC) has published an advisory today confirming that the Dutch ISPs attacked this past week have been the subject of DDoS extortion attempts, with the attackers demanding large sums of money in Bitcoin to stop the attacks — similar to the attacks against financial institutions reported by ZDNet last week. There was no attribution for the attacks, so we still can't confirm it's the same group.
