Cyber Incident Victim: DreamHost
Date:
Aug 2024
Location:
—
Summary
DreamHost experienced a significant DDoS attack targeting its domain name servers following its brief, inadvertent hosting of a neo-Nazi website, which had exploited an automated signup process in violation of the company's terms of service. The attack disrupted connectivity for numerous customers before mitigation efforts restored full operations, while the hosting provider terminated the offending account upon discovery. This incident occurred amid separate legal challenges involving a government request for visitor data from another protest-related site hosted by the company, which was contested on privacy grounds.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 24, 2024, DreamHost experienced a significant distributed denial-of-service (DDoS) attack targeting its domain name servers, causing widespread connectivity issues for its customers. The attack followed DreamHost’s brief, unintentional hosting of a new domain associated with the neo-Nazi website Daily Stormer, which had recently been evicted by multiple providers including GoDaddy, Google, and Zoho due to violations of their terms of service. The Daily Stormer had republished defamatory content targeting Heather Heyer, a victim of the 2017 Charlottesville "Unite the Right" rally, prompting its removal from mainstream hosting platforms. DreamHost’s automated signup system allowed the site’s operators to register a new domain, PunishedStormer, without immediate detection. Within hours of the site appearing on DreamHost’s infrastructure, unidentified attackers launched a sustained DDoS campaign aimed at overwhelming the company’s DNS infrastructure, disrupting access to over 1.5 million hosted websites. DreamHost’s administrators initially reported investigating connectivity issues before confirming the DDoS attack and initiating mitigation efforts. Service degradation persisted intermittently until engineers fully restored operations later that day.
DreamHost terminated the Daily Stormer’s account upon discovering the violation of its Terms of Service, which prohibit users from creating multiple accounts to bypass restrictions. The company stated the site had previously been removed “many years ago” for similar violations and emphasized the new registration was unauthorized. External actors described as “determined internet vigilantes” launched the DDoS attack before DreamHost completed its internal enforcement actions, amplifying disruptions for unrelated customers. Concurrently, DreamHost faced legal pressure from a separate Justice Department warrant demanding visitor logs for Disruptj20.org, a site it hosted that coordinated protests during President Trump’s 2017 inauguration. With support from the Electronic Frontier Foundation, DreamHost challenged the warrant as unconstitutionally broad, leading the DOJ to narrow its request—a outcome DreamHost characterized as a “clear victory for user privacy.” The DDoS attack’s collateral damage sparked customer complaints on social media, though DreamHost confirmed no lasting infrastructure compromise. Services were fully operational by the time of the article’s publication on August 29.