A sophisticated distributed denial-of-service (DDoS) blocked Dutch government and privately run commercial sites from the public for more than 10 hours Tuesday.
The ministry of General Affairs, the National Cyber Security Center (NCSC), website hosting company Prolocation and services provider Centric are working to determine the specific methods used in the attack and who was behind it.
The attack, which started at 9:45 a.m. local time, was difficult to deflect because the attack patterns changed regularly, said Prolocation’s director, Raymond Dijkxhoorn. The attack was different from the usual DDoS attempts that happen on an almost daily basis and are easier to defend against, he said.
“It is the first time that we couldn’t deal with it,” Dijkxhoorn said.
The attack targeted the sites of the federal government directly, but also caused other sites that were hosted on the same network to go down, Dijkxhoorn said. Blog site Geenstijl.nl and telecom provider Telfort’s site were among those blocked in the attack.
A few of the sites on the network used DDoS-deflecting services from providers like Cloudflare, Dijkxhoorn noted. But unless all clients on a network are able to ward off a DDoS attack, there is a risk for other sites on that network, he said.
Geenstijl, for instance, uses Cloudflare, which will usually allow traffic to reach the site’s server when a DDoS attack targets the site. However, Geenstijl’s server can still become unreachable as a result of a DDoS attack aimed at other sites on the network that don’t have such protection, Dijkxhoorn said. The Dutch government did not use such external DDoS protection services, he said.
The DDoS attack consisted of mix of methods used alternately, according to Dijkxhoorn. Though Prolocation has experience with DDoS attacks, this was the first time they encountered this strategy, he said. He declined to provide more details about the attacks, since he has agreed with the NCSC not to do so until the investigation is finished.
The NCSC and Centric both declined to comment on details of the attack, pending the investigation.
Prolocation, however, has discussed the incident with engineers at Prolexic and Akamai, who say they have seen similar methods used in DDoS attacks in other places around the world.
Sites hosted on the same IP block can go down as collateral damage when one site is the focus of the attack, confirmed Akamai’s manager for Belgium, the Netherlands and Luxembourg, Hans Nipshagen. If the government sites had used external DDoS filtering services, the network might have stayed up, he said.
While it was difficult to tell from the outside the exact methods used against the government sites, the DDoS attack seems to have been large-scale, employing a vast amount of traffic, Nipshagen said. Some big DDoS attacks use multiple vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed, swarming target sites, according to an Akamai report. These incidents have been fueled by the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry, Akamai said.