
Cyber Incident Victim: Online.nl

Date: Aug 2020

Location: Netherlands

Summary

A wave of DDoS attacks targeted multiple ISPs across Belgium, France, and the Netherlands, disrupting services through DNS amplification and LDAP-type attacks peaking at 300Gbit/s. The incidents, mitigated within a day, involved extortion demands in Bitcoin as confirmed by Dutch authorities, though attribution remains unconfirmed.


Description

In late August 2020, multiple European internet service providers experienced distributed denial-of-service (DDoS) attacks targeting their DNS infrastructure. The incidents affected ISPs across Belgium, France, and the Netherlands between approximately August 28 and early September, with Dutch providers including Delta (parent company of Online.nl) and Caiway confirming disruptions. Attacks typically lasted less than a full day but caused measurable service outages during active bombardment periods. The Netherlands' NBIP, representing Dutch ISPs, characterized the attacks as employing DNS amplification and LDAP attack vectors, with some traffic peaks reaching 300 gigabits per second. Mitigation measures were implemented by affected providers to restore services, though specific technical countermeasures weren't detailed in public reports. By September 3, ZDNet documented the attacks as part of a broader regional pattern, though no explicit connection was established between these ISP attacks and contemporaneous DDoS extortion campaigns targeting financial institutions. On September 4, the Dutch National Cyber Security Centre (NCSC) confirmed that Bitcoin extortion demands accompanied some attacks, though no attribution to specific threat actors was verified.


The wave of attacks disrupted operations for at least five confirmed ISPs: EDPnet in Belgium, Bouygues Télécom and K-net in France, and Caiway and Delta in the Netherlands. DNS infrastructure served as the primary attack surface, disrupting the domain resolution services essential for customer connectivity. While providers successfully mitigated all attacks within 24 hours, the incidents highlighted vulnerabilities in critical internet routing systems. Separately, a CenturyLink outage during this period was attributed to a misconfigured Flowspec rule intended to mitigate DDoS traffic, though this was reported as a distinct incident rather than a direct consequence of the European attacks. The NCSC's confirmation of cryptocurrency extortion demands represented the only publicly verified motive; the affected organizations disclosed no further detail on attacker identity, geopolitical context, or financial impact. Service restoration timelines varied by provider, with no reported persistent compromises beyond the immediate DDoS disruptions.
