
Cyber Incident Victim: Delta

Date: Aug 2020

Location: Netherlands

Summary

A Dutch ISP, Delta, was among multiple European providers in Belgium, France, and the Netherlands targeted by short-lived but disruptive DDoS attacks focusing on DNS infrastructure. The attacks, which included DNS amplification and LDAP vectors peaking at 300 Gbit/s, caused temporary service outages and coincided with extortion demands for Bitcoin payments, though attribution remained unclear. A separate CenturyLink outage during these incidents was later linked to a misconfigured DDoS mitigation rule.


Description

In late August 2020, multiple European internet service providers experienced distributed denial-of-service (DDoS) attacks targeting their Domain Name System (DNS) infrastructure. Among the affected organizations was Delta, a Netherlands-based ISP, alongside providers in Belgium and France including EDP, Bouygues Télécom, K-net, and Caiway. The attacks occurred over approximately one week, with each incident lasting no longer than a single day before mitigation. Service disruptions were reported during active attack periods, though specific outage durations for individual providers were not detailed. Technical analysis by the Dutch ISP association NBIP identified the attacks as combining DNS amplification and Lightweight Directory Access Protocol (LDAP) attack vectors, with peak traffic volumes reaching 300 gigabits per second. Both vectors abuse misconfigured third-party servers to amplify the attacker's traffic toward the target, overwhelming the targeted systems. The timing coincided with separate reports of DDoS extortion campaigns against financial institutions, though investigators found no confirmed connection between these events at the time of initial reporting.

Mitigation efforts successfully contained each attack within a 24-hour window, restoring normal operations for affected ISPs including Delta. NBIP provided technical characterization of the attacks but did not disclose specific defensive measures employed by member organizations. On September 4, 2020, the Dutch National Cyber Security Centre (NCSC) confirmed that some DDoS incidents during this period involved extortion demands requesting Bitcoin payments, though they did not attribute these demands to any specific attack group or directly link them to Delta's incident. Separately, a misconfigured Flowspec rule intended to mitigate DDoS traffic caused an unrelated service outage at CenturyLink during the same timeframe, highlighting operational challenges during large-scale network attacks. No further technical specifics regarding Delta's infrastructure compromises, customer impact metrics, or financial consequences were disclosed in available reports.
