
Cyber Incident Victim: Telegram

Date:

Jul 2015

Location:

China

Summary

The Telegram messaging service experienced a large-scale distributed denial of service (DDoS) attack: a 200Gbps Tsunami TCP SYN flood, characterized by unusually large SYN packets that saturated bandwidth and defeated standard SYN-flood defenses. Originating from approximately 100,000 compromised servers across several major hosting and network providers, the attack initially disrupted service for about five percent of users in Asia, Australia, and Oceania before expanding globally. The company traced coordination of the incident to East Asia and kept up continuous mitigation efforts without disclosing specifics, to avoid aiding the attackers. The incident was the platform's first encounter with an attack of this magnitude, and Telegram noted that traffic volumes of that size had only recently become technically feasible.


Description

On July 14, 2015, Telegram disclosed that it had sustained a distributed denial-of-service (DDoS) attack peaking at 200 gigabits per second, which had begun the preceding Friday. The attack targeted Telegram’s Asia Pacific infrastructure with a Tsunami TCP SYN flood, an attack vector first described by Radware in October 2014. Unlike a conventional SYN flood, this variant sends much larger SYN packets: the page reports 100-byte packets against a typical 40–60-byte SYN. The practical consequence is that the attack is bounded by link capacity rather than by the target’s connection table: SYN-flood defenses such as SYN cookies or per-second packet thresholds are sized for small packets, so at the same packet rate the larger SYNs exhaust upstream bandwidth before those defenses have any effect. Initial impacts disrupted service for users in Asia, Australia, and Oceania, affecting approximately 5% of Telegram’s 60 million active users. The attack originated from an estimated 100,000 compromised servers distributed across the LeaseWeb B.V., Hetzner Online AG, PlusServer AG, NFOrce Entertainment BV, Amazon, and Comcast networks. No single host contributed more than 5% of the total attack volume, and coordination was traced to East Asia. Telegram characterized the attack’s scale as unprecedented, noting that such intensity had only recently become technically feasible.
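The following is an added example, not code from Telegram or from the original incident write-up. It scans constructed packet summaries for oversized bare SYN segments of the kind the description attributes to the Tsunami SYN flood, reports how attack bytes are spread across sources, and works through why a packets-per-second SYN limiter tuned for 40–60-byte SYNs admits proportionally more bandwidth once SYNs grow to the 100 bytes the page cites. All packet records, addresses and the 200 Gbps / 100,000-source arithmetic inputs are constructed or taken from the figures above; the thresholds are assumptions.

```python
"""Oversized-SYN detector and rate-limit blind-spot calculator (added example)."""
from collections import Counter

# Constructed packet summaries, one per line: src_ip dst_port tcp_flags ip_total_len.
# Not a real capture; sizes chosen to mix normal SYNs, oversized SYNs and non-SYN traffic.
SAMPLE_PACKETS = """\
203.0.113.10 443 S 60
203.0.113.10 443 S 60
203.0.113.10 443 A 52
198.51.100.7 443 S 100
198.51.100.7 443 S 100
198.51.100.7 443 S 100
198.51.100.8 443 S 100
198.51.100.8 443 S 100
192.0.2.5 443 S 44
192.0.2.5 443 PA 1500
"""

NORMAL_SYN_MAX = 60  # bytes; upper end of the 40-60-byte range the page calls typical


def parse_packets(text):
    """Parse the constructed summary format into dicts; skips blank/comment lines."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dport, flags, length = line.split()
        pkts.append({"src": src, "dport": int(dport), "flags": flags, "len": int(length)})
    return pkts


def is_bare_syn(pkt):
    """SYN set and ACK clear: a connection-open attempt, not a handshake reply."""
    return "S" in pkt["flags"] and "A" not in pkt["flags"]


def is_oversized_syn(pkt, normal_max=NORMAL_SYN_MAX):
    """A bare SYN larger than any legitimate SYN (options included) should be."""
    return is_bare_syn(pkt) and pkt["len"] > normal_max


def syn_profile(pkts, normal_max=NORMAL_SYN_MAX):
    """Aggregate SYN traffic: counts, bytes, offending sources and the largest source share."""
    syns = [p for p in pkts if is_bare_syn(p)]
    oversized = [p for p in syns if p["len"] > normal_max]
    per_src_bytes = Counter()
    for p in syns:
        per_src_bytes[p["src"]] += p["len"]
    total = sum(per_src_bytes.values())
    return {
        "syn_packets": len(syns),
        "syn_bytes": total,
        "oversized_packets": len(oversized),
        "oversized_sources": sorted({p["src"] for p in oversized}),
        # Per-source blocking only helps if some source dominates; the page says none exceeded 5%.
        "max_source_share": (max(per_src_bytes.values()) / total) if total else 0.0,
    }


def syn_flood_bandwidth_bps(pps, bytes_per_syn):
    """Line rate (bits/s) consumed by a SYN flood at a given packet rate and SYN size."""
    return pps * bytes_per_syn * 8


def rate_limit_blind_spot(pps_limit, normal_bytes=NORMAL_SYN_MAX, observed_bytes=100):
    """Factor by which a pps-based SYN limiter under-counts bandwidth when SYNs grow
    from normal_bytes to observed_bytes while staying under the same pps cap."""
    return syn_flood_bandwidth_bps(pps_limit, observed_bytes) / syn_flood_bandwidth_bps(
        pps_limit, normal_bytes
    )


def syn_rate_for_bandwidth(bps, bytes_per_syn):
    """SYN packets per second needed to fill a given bit rate at a given SYN size."""
    return bps / (bytes_per_syn * 8)


if __name__ == "__main__":
    profile = syn_profile(parse_packets(SAMPLE_PACKETS))
    print("SYN profile:", profile)
    # Page figures: 200 Gbps, 100-byte SYNs, ~100,000 sources (assumed evenly spread).
    total_pps = syn_rate_for_bandwidth(200e9, 100)
    print(f"SYN/s to sustain 200 Gbps at 100 B: {total_pps:,.0f}")
    print(f"per source across 100,000 hosts:   {total_pps / 100_000:,.0f} SYN/s")
    print(f"pps limiter admits {rate_limit_blind_spot(10_000):.2f}x the bandwidth it was sized for")
```

The per-source figure is the operationally interesting one: spread over 100,000 hosts, a 200 Gbps flood needs only a few thousand SYNs per second from each, which is why per-source rate limits and reputation blocking do little here and the defence has to be pushed upstream to where the aggregate volume can be absorbed or scrubbed.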


By the third day the DDoS had escalated to global proportions, affecting Telegram users worldwide. The company’s Twitter account confirmed that the attack against its Asia Pacific cluster was holding at the 200Gbps level, likening it to “3 Malaysian [internet] groups on a holiday.” Telegram’s system administrators worked continuously to mitigate the attack but withheld details of their countermeasures to avoid aiding the adversaries. The sustained SYN flood illustrates how volumetric attacks exploit a geographically dispersed pool of compromised hosts, each contributing a small share, so that no single source stands out for blocking. Telegram’s public communications emphasized the attack’s persistence while avoiding speculation about the attackers’ motives or identities. Service degradation persisted intermittently for the duration of the incident; the company did not disclose a full restoration timeline or user impact figures beyond the initial regional outage estimate.
