Cyber Incident Victim: NIC.tr

Date: Dec 2015

Location: Turkey

Summary

A massive Distributed Denial of Service (DDoS) attack targeted Turkey's official domain name servers, overwhelming the NIC.tr infrastructure responsible for managing all .tr domains. The attack, peaking at 40 Gigabits per second, incapacitated all five nameservers by midday, rendering most .tr domains unreachable due to concentrated targeting of critical IP addresses. Attackers adapted their methods to circumvent mitigation efforts by Europe’s RIPE Network Coordination Centre, which served as a secondary DNS provider. In response, Turkish authorities blocked all external inbound traffic to the affected systems to contain the disruption. The incident highlighted vulnerabilities in national internet infrastructure, though attribution remained elusive given the inherent challenges of tracing cyberattack origins.

Description

On May 27, 2021, Turkey's internet infrastructure experienced a significant disruption when NIC.tr, the administrative body responsible for managing all .tr country-code top-level domains, became the target of a sustained Distributed Denial of Service (DDoS) attack. The incident began on Monday morning, with attackers overwhelming NIC.tr's five nameservers through a high-volume traffic flood measuring 40 Gigabits per second. This bombardment caused complete service degradation by noon, rendering most .tr domains inaccessible due to the central role of NIC.tr's nameservers in resolving these addresses. Attackers demonstrated adaptability by modifying their assault methods to circumvent mitigation measures implemented by the RIPE Network Coordination Centre, Europe's regional internet registry that provided secondary DNS support for NIC.tr. The attack's effectiveness stemmed from its precise focus on NIC.tr's limited infrastructure—concentrating firepower on just five critical nameservers maximized disruption across Turkey's entire .tr domain ecosystem.

Turkish authorities responded through the National Response Center for Cyber Events, which implemented network containment measures by Monday evening. This involved blocking all incoming international traffic to NIC.tr's infrastructure, effectively isolating the systems from foreign connections while domestic access details remained unspecified in available reporting. The attack's origins proved difficult to attribute, with no threat actor claiming responsibility or being identified in initial analyses. Cybersecurity experts contextualized the 40 Gbps attack as substantial but noted that attacks reaching ten times that volume had become increasingly common globally. The incident highlighted structural vulnerabilities in Turkey's internet architecture, particularly the dependency on a single administrative entity for critical domain resolution services, though no secondary impacts—such as data breaches or system compromises beyond availability issues—were documented in the immediate aftermath.
