Cyber Incident Victim: Linode
Date:
Dec 2015
Location:
United States of America
Summary
A virtual server hosting provider experienced a prolonged distributed denial-of-service attack targeting multiple data centers, initially disrupting services in Dallas before expanding to facilities in Atlanta, Newark, London, and Fremont. The sustained assault caused significant website and management portal outages, degraded performance across infrastructure, and rendered customers' virtual servers intermittently inaccessible over several days. While partial restoration occurred intermittently, operational instability persisted with primary impacts shifting back to Dallas. The incident generated substantial customer dissatisfaction, including public complaints and threats to migrate services to competing platforms, amid limited real-time communication from the company regarding mitigation efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The distributed denial-of-service (DoS) attacks against Linode began on December 25, 2015, initially targeting the company’s Dallas, Texas, data center and its web management interface. Linode first acknowledged the incident in the early hours of Christmas Day via a status update, noting degraded access to its Manager/Website and Dallas infrastructure. By 3:00 AM on December 26, the attack intensity against Dallas appeared to subside, but the assailants promptly redirected their efforts to Linode’s Atlanta, Georgia, and Newark, New Jersey, data centers, as well as its London hosting facility. This shift caused renewed disruptions, including server outages for customers hosted in those regions. Later on December 26, the attackers resumed targeting the Dallas facility, resulting in further downtime for virtual servers. Linode restored service to Atlanta, Newark, and London by December 27, but the attackers subsequently overwhelmed these three locations again, along with the Fremont, California, data center, which had not been previously mentioned as affected. By December 29, the fourth day of the incident, only the Dallas data center remained under active attack, though Linode reported ongoing "degraded performance" there. Throughout the event, the company provided intermittent status updates but did not disclose technical specifics of the attacks or mitigation measures.
Customer frustration escalated due to prolonged outages and limited communication from Linode. Users reported disruptions across multiple subreddits, including r/linuxadmin and r/webdev, with some threatening to migrate services to competitors like Vultr and DigitalOcean. The attacks caused intermittent unavailability of virtual servers and management tools across at least five data centers over four days, though London operations stabilized after the initial retaliation. Linode did not identify the attackers or their motives, and no spokesperson was available for comment during the incident. The company’s public response consisted solely of status page notifications acknowledging the DoS activity without detailing restoration timelines or root causes. Service instability persisted in Dallas as of December 29, with no further resolution confirmed in the available source material.