
Cyber Incident Victim: Neustar UltraDNS

Date: Apr 2014

Location: United States of America

Summary

A DNS provider experienced a distributed denial-of-service (DDoS) attack that caused significant service disruption, including resolution latency and intermittent network saturation, primarily affecting customers in the Western U.S. The attack, reportedly around 100 Gbps, targeted a single customer; the provider black-holed traffic to that customer to mitigate the impact, which resulted in global resolver nodes resetting. Mitigation efforts were ongoing, with filtering refinements to address remaining latency, while affected users expressed frustration over communication gaps during the outage. The incident illustrated the broader trend of large-scale volumetric attacks built on DNS amplification, with attackers increasingly combining DDoS disruption with advanced persistent threats to cover data exfiltration while the network was in chaos.


Description

On April 30, 2014, DNS provider UltraDNS, a Neustar subsidiary, experienced a prolonged distributed denial-of-service (DDoS) attack that disrupted services for much of the day. The attack targeted one of UltraDNS’s customers, generating approximately 100 Gbps of malicious traffic, which caused network saturation in the Western United States. This saturation resulted in DNS resolution latency and intermittent outages for other UltraDNS customers relying on specific segments of the provider’s Name Server addresses. The SANS Internet Storm Center documented widespread reports of DNS resolution failures, attributing the disruptions to the volumetric attack. UltraDNS mitigated the incident by black-holing traffic to the targeted customer, a measure that restored service for most users but left residual latency issues for those still affected. Network infrastructure, particularly resolver nodes globally, experienced instability, requiring resets to maintain functionality. Customers expressed frustration over the lack of public communication from Neustar, with social media criticism highlighting the absence of real-time status updates or acknowledgments during the outage.


Neustar’s security team confirmed ongoing mitigation efforts, focusing on refining traffic filtering to address remaining latency for impacted customers in the Western U.S. segment. The company provided updates through its standard customer notification channels but did not issue a broad public statement until late in the day. The attack exemplified trends observed in 2014, when large-scale DDoS incidents exceeding 100 Gbps had become increasingly common; Arbor Networks reported over 70 such attacks that year. Amplification techniques, such as DNS reflection or Network Time Protocol (NTP) amplification, were frequently employed in these campaigns, leveraging millions of open DNS resolvers to magnify traffic volumes. Motivations ranged from ideological disruption to financial crime, including data exfiltration during diversionary DDoS events. Verizon’s Data Breach Investigations Report noted a rise in combining DDoS with advanced persistent threats (APTs), where attackers used the network chaos to mask intellectual property theft or fraud. The UltraDNS incident underscored the operational risk that volumetric attacks pose to critical DNS infrastructure and the cascading effect on every service that depends on it.
