Cyber Incident Victim: Blender / blender.org
Date: Nov 2023
Location: Netherlands
Summary
Blender.org experienced a significant DDoS attack involving a botnet that generated over 1.5 billion malicious requests at peak rates of 100,000 requests per second, causing intermittent outages and eventual unavailability of its main website and associated services like developer forums, wikis, and documentation. The attack overwhelmed initial mitigation efforts, including IP blocking, leading to a multi-day disruption until services were migrated to a dedicated DDoS protection provider, restoring core functionality with temporary CAPTCHA challenges for visitors. While the main site and downloads were stabilized, some subdomains faced extended downtime before full restoration; no data compromise occurred, and the attackers' motives remain unknown.
Description
The Blender.org infrastructure experienced a significant distributed denial-of-service (DDoS) attack beginning on November 18, 2023, marking the largest cyberattack in the organization's history. Initial malicious traffic targeted the main website, prompting administrators to block offending IP addresses as a first response. By November 19, the attack intensified with botnet traffic from hundreds of IP addresses, peaking at 100,000 requests per second (rps) and intermittently disrupting website availability. The situation escalated on November 20 when ancillary services—including the developer forum, wiki, documentation portals, and download systems—became inaccessible due to traffic overload. Traditional IP blocking measures proved ineffective as attackers rapidly shifted to new IP ranges. During brief lulls in the attack, pent-up legitimate user requests further overwhelmed servers, creating cyclical infrastructure failures described as a "loop of self-destruction."

By November 21, the attack reached maximum intensity, forcing administrators to fully take blender.org offline. The response team—comprising Anna, Arnd, Danny, Oleg, Pablo, and Sergey—implemented a strategic shift to a dedicated DDoS mitigation service, restoring www.blender.org by day's end though non-www domains remained inaccessible. Attackers persisted through November 22, generating over 5 million requests per minute, requiring continued CAPTCHA challenges for visitor verification. Secondary services including code repositories, developer portals (devtalk), documentation, and wiki remained offline during restoration efforts. The primary attack concluded on November 22 at 10:30, though a secondary surge occurred that evening before final cessation on November 23. In total, mitigation systems processed over 2.1 billion malicious requests across the five-day incident. Core project data and user information remained uncompromised throughout, with the attack exclusively focused on service disruption rather than data exfiltration. Full restoration of all blender.org subdomains and services was confirmed by November 22 evening, with the organization declaring the incident resolved on November 23 after ensuring stable operations.
