
Cyber Incident Victim: Cool Ideas

Date: Sep 2019

Location: South Africa

Summary

A South African internet service provider suffered a multi-wave DDoS attack utilizing a carpet-bombing technique, overwhelming its network infrastructure and causing widespread service disruptions. Attackers employed DNS and CLDAP amplification to flood random customer IP addresses within the provider’s network, bypassing traditional mitigation systems by distributing traffic across thousands of endpoints rather than targeting a single point. This approach gradually saturated border routers, leading to intermittent connectivity loss and degraded international access for users. The attackers dynamically adjusted their strategy, launching subsequent waves immediately after partial service restoration attempts. The incident highlighted the effectiveness of carpet-bombing in evading flow-based detection and overwhelming ISP-scale defenses.


Description

The incident began on September 21-22, 2019, when Cool Ideas, a major South African ISP, suffered sustained distributed denial-of-service (DDoS) attacks that disrupted services for its customers. Attackers employed a "carpet bombing" technique using DNS and CLDAP protocol amplification attacks, targeting random IP addresses within the ISP's network rather than concentrating on specific servers. This approach flooded Cool Ideas' entire IP address pool with amplified junk traffic, causing each customer connection to receive a portion of the malicious data flow. While individual customer connections weren't overwhelmed, the cumulative effect exceeded the capacity of the ISP's border routers and edge infrastructure. The attacks occurred in multiple waves, with subsequent strikes launching minutes after Cool Ideas announced partial service restoration following initial mitigation efforts. A fourth attack occurred on September 24, shifting focus to the ISP's website rather than its core network infrastructure. This followed an earlier unrelated DDoS incident on September 11, marking the second major attack against the provider within two weeks.

The attacks caused intermittent connectivity loss and degraded performance for customers accessing international services, though the ISP maintained local network functionality. Cool Ideas' external peering connections with other networks collapsed under the traffic volume, as verified through open-source network monitoring tools. The carpet bombing technique effectively bypassed conventional DDoS mitigation systems by distributing attack traffic across thousands of IP addresses, preventing detection of concentrated malicious patterns. Paul Butschi, company co-founder, confirmed attackers actively monitored mitigation efforts and adapted their tactics in real-time. Network security analysts noted this attack methodology specifically targets ISP infrastructure, frustrating black-hole routing defenses and evading flow-based detection mechanisms. The incident mirrored previous carpet bombing attacks against ISPs in Liberia and Cambodia, demonstrating a pattern of disruption aimed at causing maximum customer dissatisfaction and operational damage during peak usage periods. No attribution or motive for the attacks was disclosed in available reporting.
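The detection gap described above, where no single destination looks abnormal while the aggregate saturates the edge, can be shown by scoring the same flow records per destination and per customer prefix. This is an added example, not taken from the incident reporting or from Cool Ideas; the thresholds, the /22 aggregation size, the 10.20.0.0/22 range and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; none come from the incident report.
AMP_SRC_PORTS = {53: "DNS", 389: "CLDAP"}   # UDP source ports of the reflectors
HOST_BPS_LIMIT = 50_000_000                 # per-destination alert threshold
PREFIX_BPS_LIMIT = 2_000_000_000            # per-prefix alert threshold
PREFIX_LEN = 22                             # aggregation size for customer pools


def make_flows():
    """Constructed 1-second flow sample: every host in a /22 gets 4 Mbit/s."""
    flows = []
    for i, dst in enumerate(ipaddress.ip_network("10.20.0.0/22")):
        port = 53 if i % 2 == 0 else 389
        flows.append({"proto": "udp", "src_port": port, "dst": str(dst), "bytes": 500_000})
    # Ordinary traffic that must not be counted as reflection.
    flows.append({"proto": "tcp", "src_port": 443, "dst": "10.20.1.7", "bytes": 3_000_000})
    return flows


def analyse(flows, window_s=1):
    """Return (hosts over the per-host limit, prefixes over the per-prefix limit)."""
    per_host = defaultdict(int)
    per_prefix = defaultdict(lambda: {"bytes": 0, "hosts": set(), "protos": set()})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in AMP_SRC_PORTS:
            continue
        per_host[f["dst"]] += f["bytes"]
        net = ipaddress.ip_network(f"{f['dst']}/{PREFIX_LEN}", strict=False)
        agg = per_prefix[str(net)]
        agg["bytes"] += f["bytes"]
        agg["hosts"].add(f["dst"])
        agg["protos"].add(AMP_SRC_PORTS[f["src_port"]])
    host_alerts = [h for h, b in per_host.items() if b * 8 / window_s > HOST_BPS_LIMIT]
    prefix_alerts = {
        p: {"bps": a["bytes"] * 8 // window_s, "hosts": len(a["hosts"]),
            "protos": sorted(a["protos"])}
        for p, a in per_prefix.items() if a["bytes"] * 8 / window_s > PREFIX_BPS_LIMIT
    }
    return host_alerts, prefix_alerts


if __name__ == "__main__":
    hosts, prefixes = analyse(make_flows())
    print("per-host alerts:", hosts)        # no single destination crosses its limit
    print("per-prefix alerts:", prefixes)   # the /22 as a whole does
```

The count of distinct destination hosts inside an alerting prefix is what separates this pattern from one heavily used customer: a high aggregate spread evenly over nearly every address in the pool.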
