
Cyber Incident Victim: NS1

Date:

May 2016

Location:

United States of America

Summary

A major DNS provider experienced a sustained, sophisticated DDoS attack involving dynamically shifting botnets across multiple regions, generating tailored DNS queries for non-existent domains at rates up to 60 million packets per second. This caused initial service disruptions and collateral impacts on partner services, despite attack volumes being moderate (30-50 Gbps) compared to historical amplification incidents. The provider mitigated the assault through upstream traffic filtering based on behavioral analysis but withheld technical specifics to prevent attacker adaptation. The incident exposed broader DNS ecosystem challenges, as proprietary infrastructure modifications by leading providers have hindered interoperability, complicating redundancy efforts for customers. Some organizations resorted to internal configuration translation tools or dedicated network solutions to maintain service continuity during the attack.

CIA Posture: Available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Beginning on or around May 18, 2016, NS1, a major DNS and traffic management provider, experienced a sustained distributed denial of service (DDoS) attack lasting over a week. The attackers employed an evolving botnet drawing on hosts in eastern Europe, Russia, China, and the United States, cycling through these regions to send tailored DNS lookup requests to NS1's name servers. The requests targeted nonexistent hostnames under NS1 customers' zones, peaking at 30–50 gigabits per second and 50–60 million packets per second. Because each random name is new, no recursive resolver can answer it from cache; every query reaches NS1's authoritative servers, which must process it before returning NXDOMAIN, so the attack consumed query-processing capacity rather than bandwidth. Unlike conventional DNS amplification attacks, which overwhelm a target with raw data volume, this traffic was shaped to resemble legitimate queries and aimed specifically at degrading NS1's ability to answer. Early in the attack NS1 suffered service interruptions, and the attackers widened their focus to NS1's partners, disrupting the company's website and ancillary services unrelated to its core DNS platform.

NS1 mitigated most of the attack traffic by applying upstream filtering with behavior-based rules designed to separate malicious requests from genuine DNS queries. CEO Kris Beevers declined to disclose the technical specifics of these countermeasures to avoid alerting the attackers to potential workarounds.
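NS1 never published its filtering rules, so the following is an added illustration, not NS1's code, of the kind of per-source behavioural scoring an upstream filter can use against a random-subdomain (NXDOMAIN) flood. It scores each querying address on three signals that separate a legitimate recursive resolver from a bot: the share of answers that were NXDOMAIN, how many of its leftmost labels were never seen before, and the character entropy of those labels. The log tuple format, the thresholds, and the IP addresses and zone are assumptions constructed for the example.

```python
"""Behaviour-based scoring of DNS query sources against a random-subdomain
(NXDOMAIN) flood.  Added example with constructed data; not NS1's undisclosed
rule set.  Log format, thresholds and addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib
import math


@dataclass
class SourceStats:
    """Per-source counters accumulated from the query log."""
    total: int = 0
    nxdomain: int = 0
    prefixes: set = field(default_factory=set)   # distinct leftmost labels seen
    entropy_sum: float = 0.0

    @property
    def nxdomain_ratio(self) -> float:
        return self.nxdomain / self.total if self.total else 0.0

    @property
    def uniqueness(self) -> float:
        return len(self.prefixes) / self.total if self.total else 0.0

    @property
    def mean_entropy(self) -> float:
        return self.entropy_sum / self.total if self.total else 0.0


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_label(qname: str) -> str:
    return qname.rstrip(".").split(".")[0]


def score_sources(queries):
    """queries: iterable of (src_ip, qname, rcode) tuples, as parsed from an
    authoritative query log.  Returns {src_ip: SourceStats}."""
    stats = defaultdict(SourceStats)
    for src, qname, rcode in queries:
        s = stats[src]
        s.total += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
        label = leftmost_label(qname)
        s.prefixes.add(label)
        s.entropy_sum += label_entropy(label)
    return dict(stats)


def is_flood_source(s: SourceStats, min_queries=10, nx_ratio=0.8,
                    uniq_ratio=0.8, min_entropy=2.5) -> bool:
    """A legitimate resolver repeats a small set of real names and mostly gets
    NOERROR; a random-subdomain bot sends many never-seen, high-entropy labels
    that all come back NXDOMAIN.  Requiring all three signals avoids dropping a
    resolver that merely forwards a burst of typos."""
    return (s.total >= min_queries and s.nxdomain_ratio >= nx_ratio
            and s.uniqueness >= uniq_ratio and s.mean_entropy >= min_entropy)


def build_drop_list(queries, **thresholds):
    """Sources an upstream filter would drop, sorted for stable output."""
    return sorted(ip for ip, s in score_sources(queries).items()
                  if is_flood_source(s, **thresholds))


# --- Constructed sample log (not real traffic) -----------------------------
ZONE = "example.com."


def legit_resolver(src):
    names = ["www", "mail", "api", "www", "www", "cdn", "api", "www",
             "mail", "www", "api", "mai1"]            # one typo -> NXDOMAIN
    return [(src, f"{n}.{ZONE}", "NXDOMAIN" if n == "mai1" else "NOERROR")
            for n in names]


def flood_bot(src, count=15):
    # Pseudo-random labels derived from a hash so the sample is deterministic.
    return [(src, hashlib.sha256(f"{src}-{i}".encode()).hexdigest()[:16]
             + "." + ZONE, "NXDOMAIN") for i in range(count)]


SAMPLE_QUERIES = (legit_resolver("198.51.100.7") + flood_bot("203.0.113.10")
                  + flood_bot("203.0.113.11") + legit_resolver("198.51.100.9"))

if __name__ == "__main__":
    for ip, s in score_sources(SAMPLE_QUERIES).items():
        verdict = "DROP" if is_flood_source(s) else "allow"
        print(f"{ip:15} n={s.total:3d} nx={s.nxdomain_ratio:.2f} "
              f"uniq={s.uniqueness:.2f} H={s.mean_entropy:.2f} {verdict}")
```

In production the counters would be kept per sliding time window and per target zone rather than over a whole log, and the drop decision pushed to the upstream filter as an address or prefix list; the page does not say which signals NS1 used, only that its rules were behavioural.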


The incident exposed critical gaps in DNS infrastructure redundancy caused by the proprietary modifications that NS1 and similar providers have built on top of standard DNS. Because managed providers have largely abandoned standard zone transfers (AXFR/IXFR) and primary/secondary ("master/slave") configurations in favour of proprietary features, a zone cannot simply be replicated from one provider to another, which complicated customers' efforts to bring up a backup DNS service during the outage. Some NS1 customers fell back on in-house tools that translate configurations between providers' formats; these proved partially effective during the attack. NS1's dedicated-network service, which lets a client host the company's DNS technology independently, provided additional resilience when the shared network was targeted.

Beevers characterized the attack as part of an escalating trend of sophisticated DDoS campaigns against DNS and CDN providers, pointing to a surge in February–March 2016 that brought weekly attacks of around 20 Gbps together with probing for network weaknesses. The attack's origin and motives remained unidentified. It underscored the operational risk created by fragmentation of the DNS ecosystem and heightened customer demand for multi-vendor failover solutions.
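The in-house translation tools mentioned above were not published. As an added example, not those tools and not any provider's code, the following parses two providers' zone exports (one BIND-style with `$ORIGIN`, `$TTL`, comments, a parenthesised SOA and relative names; the other with absolute names, explicit TTLs and no class field) into one normalised record set and diffs them. That diff is the check a customer needs before an outage: is the standby provider actually serving the same zone? The zone text, names and addresses are constructed for the example.

```python
"""Normalise two providers' DNS zone exports into one record set and diff
them.  Added example: the zone text is constructed and the parser covers the
common subset (directives, comments, parenthesised records, relative names)."""


def _join_parens(lines):
    """Strip ';' comments and join multi-line (parenthesised) records.
    Limitation: does not handle ';' inside quoted TXT strings."""
    buf, depth = [], 0
    for raw in lines:
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _fqdn(name, origin):
    """Make a zone-file name absolute and lower-case."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError(f"relative name {name!r} but no $ORIGIN known")
    return f"{name}.{origin}".lower()


def _norm_rdata(rtype, tokens, origin):
    """Expand relative names inside rdata for the types that carry one."""
    if rtype in ("CNAME", "NS", "PTR", "MX"):
        tokens[-1] = _fqdn(tokens[-1], origin)
    elif rtype == "SOA":
        tokens[0], tokens[1] = _fqdn(tokens[0], origin), _fqdn(tokens[1], origin)
    return " ".join(tokens)


def parse_zone(text, origin=None, default_ttl=3600):
    """Return a list of (owner, ttl, rtype, rdata) tuples with absolute names."""
    records, last_owner = [], None
    for line in _join_parens(text.splitlines()):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A line starting with whitespace inherits the previous owner name.
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        if tokens and tokens[0].isdigit():        # TTL may also follow the class
            ttl = int(tokens.pop(0))
        rtype = tokens.pop(0).upper()
        records.append((owner, ttl, rtype, _norm_rdata(rtype, tokens, origin)))
    return records


def diff_zones(primary, secondary):
    """Records the standby provider lacks, has in excess, or serves with a
    different TTL.  Keys ignore TTL so a TTL change is not reported as missing."""
    a = {(o, t, r): ttl for o, ttl, t, r in primary}
    b = {(o, t, r): ttl for o, ttl, t, r in secondary}
    return {
        "missing": sorted(k for k in a if k not in b),
        "extra": sorted(k for k in b if k not in a),
        "ttl_mismatch": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


# --- Constructed exports from two hypothetical providers --------------------
PROVIDER_A = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2016051801 ; serial
            7200 900 1209600 300 )
        IN NS  ns1.example.com.
        IN NS  ns2.example.com.
www     300 IN A     192.0.2.10
        300 IN A     192.0.2.11
api     IN CNAME www
@       IN MX 10 mail
mail    IN A     192.0.2.25
"""

PROVIDER_B = """\
example.com.      3600  SOA  ns1.example.com. hostmaster.example.com. 2016051801 7200 900 1209600 300
example.com.      3600  NS   ns1.example.com.
example.com.      3600  NS   ns2.example.com.
www.example.com.  300   A    192.0.2.10
www.example.com.  600   A    192.0.2.11
example.com.      3600  MX   10 mail.example.com.
mail.example.com. 3600  A    192.0.2.25
"""

if __name__ == "__main__":
    for kind, items in diff_zones(parse_zone(PROVIDER_A), parse_zone(PROVIDER_B)).items():
        print(kind, items)
```

Run against the constructed exports, the diff reports the `api` CNAME that the standby provider lacks and the TTL that differs on one `www` address, and nothing else; the same comparison against a live export is what tells a customer whether failover would change what clients see.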

Sources: 1 source (available to members)