Docomo has revealed a DDoS attack on Thursday took down key services
# Incident Report: NTT Docomo DDoS Attack
## Executive Summary
NTT Docomo, Japan’s largest mobile operator, reported a Distributed Denial of Service (DDoS) attack on January 2, 2025. The resulting network congestion disrupted several of its customer-facing online services for roughly 10 hours and 43 minutes (05:27 to 16:10 JST). Access was restored the same day, but some content updates on the affected services were delayed by the recovery work. The incident shows that an operator of Docomo's scale is still exposed to high-volume attacks against its public-facing infrastructure.
## Incident Details
- Discovery Date: January 2, 2025 (network congestion detected at the onset of the attack)
- Incident Date: January 2, 2025 (05:27 JST to 16:10 JST)
- Affected Organization: NTT Docomo
- Sector: Telecommunications/Mobile Operator
- Geography: Japan
## Timeline of Events
### Initial Access
- **Date/Time:** January 2, 2025, 05:27 JST
- **Vector:** Distributed Denial of Service (DDoS) attack.
- **Details:** Attackers flooded Docomo's public-facing network infrastructure with traffic, causing severe congestion. No system was accessed or compromised; the damage was loss of availability.
### Lateral Movement
- Not applicable, as the incident was a volumetric network attack (DDoS) rather than an intrusion requiring lateral movement.
### Data Exfiltration/Impact
- **Impact:** Disruption of customer access to several key services, including the "goo" web portal, Lemino video streaming service, dpay billing service, and the "Golf me" service.
### Detection & Response
- **How it was discovered:** Docomo detected the network congestion internally and subsequently acknowledged the attack in a notice on its website.
- **Response actions taken:** The traffic flood was mitigated and customer access was restored by 16:10 JST. The recovery work delayed some content updates on the affected services.
## Attack Methodology
- **Initial Access:** DDoS attack against network availability. The reported symptom (network congestion) points to a volumetric flood; the exact vector and traffic volumes were not disclosed.
- **Persistence:** Not applicable (attack was transient).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable in the usual sense; a volumetric flood does not hide, it succeeds by exceeding link capacity and the thresholds of the mitigation in place.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Degradation/denial of service for customer-facing applications and portals.
## Impact Assessment
- **Financial:** Not disclosed. Mitigation costs and lost revenue or customer goodwill are implied but unquantified.
- **Data Breach:** No indication of data exfiltration or breach occurred.
- **Operational:** Significant disruption to core customer services for approximately 10 hours and 43 minutes (05:27 to 16:10 JST).
- **Reputational:** Potential negative impact as Japan’s largest mobile provider experienced prolonged service disruption.
## Indicators of Compromise
- **Network indicators:** None published; the source gives no attack vector, source addresses or traffic volumes. For this class of attack the observable signs are link and device saturation, a spike in connection attempts, and a sharp rise in the number of distinct source addresses hitting the same destination.
- **File indicators:** Not applicable.
- **Behavioral indicators:** Sustained, high-volume traffic converging on network ingress points, far above the baseline for the time of day (the attack began at 05:27 JST, normally a quiet period), with no single source accounting for a meaningful share of the total.
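The behavioral indicators above can be turned into a concrete detection over flow records. The following is an added example for this report, not NTT Docomo's tooling: it buckets constructed NetFlow-like records (timestamp, source, destination, bytes; the layout is an assumption) per minute, compares each minute's total bytes and distinct-source count against the median of the preceding quiet minutes, and reports the share of the single heaviest source. The thresholds are illustrative assumptions, not values from the incident.

```python
"""Minute-bucketed flow analysis that flags a distributed volumetric flood.

Added illustration for this report, not NTT Docomo tooling. The flow records
are constructed, the record layout (timestamp, source, destination, bytes) is
an assumed NetFlow-like simplification, and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: str      # ISO-8601 timestamp of the flow start
    src: str     # source address
    dst: str     # destination address
    nbytes: int  # bytes carried by the flow


VIP = "198.51.100.5"   # documentation-range address standing in for a portal front end


def build_sample_flows() -> List[Flow]:
    """Constructed sample: seven quiet minutes, then a flood minute from 250 sources."""
    flows: List[Flow] = []
    legit = [f"203.0.113.{i}" for i in range(1, 6)]
    for minute in range(20, 28):
        ts = f"2025-01-02T05:{minute:02d}:00Z"
        for src in legit:                       # steady background: 3 flows x 1200 B each
            flows += [Flow(ts, src, VIP, 1200)] * 3
        if minute == 27:                        # flood: many sources, each sending little
            flows += [Flow(ts, f"192.0.2.{i}", VIP, 1000) for i in range(1, 251)]
    return flows


def bucket_by_minute(flows: List[Flow], dst: str = VIP) -> Dict[str, Dict[str, int]]:
    """Aggregate bytes per (minute, source) for flows towards `dst`."""
    buckets: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dst == dst:
            buckets[f.ts[:16]][f.src] += f.nbytes   # key looks like "2025-01-02T05:27"
    return buckets


def detect_floods(flows: List[Flow], byte_factor: float = 10.0,
                  src_factor: float = 5.0, min_history: int = 3) -> List[dict]:
    """Flag minutes whose total bytes AND distinct-source count both jump far
    above the median of the preceding quiet minutes. Requiring both separates a
    distributed flood from a single busy client; a flash crowd can still trip
    it, so treat the alert as a trigger for mitigation review, not proof of attack."""
    alerts: List[dict] = []
    hist_bytes: List[int] = []
    hist_srcs: List[int] = []
    for minute, per_src in sorted(bucket_by_minute(flows).items()):
        total = sum(per_src.values())
        nsrc = len(per_src)
        if len(hist_bytes) >= min_history:
            base_bytes, base_srcs = median(hist_bytes), median(hist_srcs)
            if total > byte_factor * base_bytes and nsrc > src_factor * base_srcs:
                alerts.append({
                    "minute": minute,
                    "bytes": total,
                    "sources": nsrc,
                    "byte_ratio": round(total / base_bytes, 1),
                    # share of the heaviest single source: tiny for a distributed
                    # flood, which is why per-IP blocking alone does not help
                    "max_source_share": round(max(per_src.values()) / total, 4),
                })
                continue   # keep the flood minute out of the baseline
        hist_bytes.append(total)
        hist_srcs.append(nsrc)
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_flows()):
        print(alert)
```

On the constructed sample only the 05:27 minute fires: total bytes are about 15 times the baseline and the source count jumps from 5 to 255, yet the heaviest single source carries little more than 1% of the traffic. That last figure is the practical point: a flood of this shape has to be handled by capacity, upstream filtering or scrubbing, not by blocking individual addresses.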
## Response Actions
- **Containment measures:** Not disclosed. The usual options for this class of attack are rate limiting, remotely triggered blackholing of the targeted prefixes or of identified sources, and diverting traffic to an upstream scrubbing provider; which of these Docomo used is not stated.
- **Eradication steps:** Not applicable as a separate phase; a flood ends when it stops or is filtered upstream of the congested links.
- **Recovery actions:** Customer access was restored by 16:10 JST, after which the content updates delayed during recovery were caught up on the affected platforms.
## Lessons Learned
- Scale alone is not a defense: even Japan's largest operator saw customer-facing services unavailable for more than ten hours.
- Recovery measures, while necessary to end the disruption, can introduce secondary delays (here, a backlog of content updates) that should be planned for.
## Recommendations
- Increase mitigation capacity for volumetric attacks (upstream scrubbing, anycast distribution, overprovisioned ingress) so that floods are absorbed before they congest the links serving customer-facing services.
- Review application-layer DDoS defenses (per-client rate limiting, priority-based load shedding) so that core portals and services such as payment degrade gracefully rather than failing outright during network congestion.
- Develop and rehearse response playbooks for high-volume infrastructure attacks, including the recovery phase, so that restoring access does not itself delay dependent functions such as content updates.
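To make the application-layer recommendation concrete, here is an added example of an admission controller for an HTTP front end. It is not NTT Docomo code; the route names, their priority classes, the capacity figure and the rate-limit parameters are assumptions chosen for illustration. Each client gets a token bucket, and above a per-priority share of the concurrency budget the lower-priority routes are refused first so that payment and login paths stay responsive while bulk content refreshes are shed.

```python
"""Priority-aware load shedding with per-client token buckets.

Added example for this report, not NTT Docomo code. Route names, priority
classes, capacity and rate-limit parameters are assumptions for illustration.
"""
from typing import Dict

# Route -> priority class (0 is shed last). Assumed classification.
ROUTE_PRIORITY = {
    "/pay/charge": 0,        # billing/payment: keep alive even under heavy load
    "/login": 0,
    "/portal/home": 1,
    "/video/play": 1,
    "/content/refresh": 2,   # bulk/background updates: first to be shed
}

# Fraction of the concurrency budget above which each class is refused.
SHED_AT = {0: 1.0, 1: 0.8, 2: 0.5}


class TokenBucket:
    """Per-client limiter: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.updated = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AdmissionController:
    """Decides per request: 'admitted', 'rate_limited' (429) or 'shed' (503)."""

    def __init__(self, capacity: int, client_rate: float = 5.0, client_burst: int = 5):
        self.capacity = capacity          # concurrent requests the backend can serve
        self.inflight = 0
        self.client_rate, self.client_burst = client_rate, client_burst
        self.buckets: Dict[str, TokenBucket] = {}

    def admit(self, client: str, route: str, now: float) -> str:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.client_rate, self.client_burst, now)
        if not bucket.allow(now):
            return "rate_limited"                  # cheap per-client check first
        priority = ROUTE_PRIORITY.get(route, 2)    # unknown routes: lowest priority
        if self.inflight >= self.capacity * SHED_AT[priority]:
            return "shed"                          # refuse before the backend saturates
        self.inflight += 1
        return "admitted"

    def release(self) -> None:
        """Call when a request completes so its slot returns to the budget."""
        self.inflight = max(0, self.inflight - 1)


if __name__ == "__main__":
    ctl = AdmissionController(capacity=100)
    ctl.inflight = 85                              # simulate a congested backend
    for route in ("/content/refresh", "/portal/home", "/pay/charge"):
        print(route, ctl.admit(f"client-{route}", route, now=0.0))
```

The ordering matters: the token bucket runs before the budget check so that a single abusive client is cut off cheaply, and the budget thresholds are strict (`>=`) so that the last slots are reserved for the highest-priority class. In production the controller would sit in the gateway or reverse proxy, and `release()` would be wired to request completion; the example keeps the clock explicit so the behaviour is deterministic.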