Monday, March 2, 2026
[Incident Report #027][DNS] Name Server Attack
What Happened?
From around 0000 to 0400EST last night, our name servers were
hit with a large amount of traffic originating from a data center
in the Netherlands. The traffic was spread across multiple IPv6
subnets and volume was high enough the it saturated the virtual
bridges that our name servers are operating behind. This is the
third attack of this kind that our network seen in the past two weeks.
What damages Resulted?
During the attack, we saw the following issues:
- Accounting service lost contact with both NS1 and NS2
- Shell access was slow or non-responsive
- Legitimate name lookups were being dropped or timed out
- The NMS lost SNMP contact entirely with NS1
- High CPU load on Nardoragon router
What are we doing to deal with this?
Going forward, the following steps will be taken to try and maintain
the usability of our name servers during similar attacks:
- Deploy a separate virtual bridge and network interface for management
- Tightening per subnet rate limits and mask sizing
- Banning AS numbers that partake in attacks like this
- Increasing virtual bridge bandwidth to allow for more throughput
- Redirecting recurring problematic subnets and AS ranges to null