[Voice] Incident related to NL Voice

Incident Report for Sound of Data

Postmortem

Customer Communication (English Incident Summary)

Incident: Network Connectivity Disruption (External DDoS Event)
Date/Time: 28 November 2025, 09:37–10:30 (CET)
Impact Window: 53 minutes (gradual recovery thereafter)

On 28 November 2025 at 09:37 CET, a major carrier partner experienced significant service disruption affecting network connectivity and related services. Initial investigation confirmed the issue was not isolated to a single network; multiple internet service providers experienced outages at the same time, indicating a broader internet-scale disturbance.

Monitoring systems detected abnormal traffic patterns immediately, and responsible teams initiated incident response within minutes. Technical analysis confirmed a large-scale Distributed Denial of Service (DDoS) attack originating from a botnet, targeting IP ranges within core network infrastructure, resulting in saturation of key interconnections and router instability/outages, causing widespread connectivity issues.

At peak, the attack reached approximately 2.5 Tbps (up to ~1 billion packets per second), which triggered cascading failures across critical network components.

This type of attack is designed to overwhelm networks with traffic. There is no indication of any data breach or compromise of customer data as a result of this incident.

The attack was partially mitigated immediately by existing DDoS defense mechanisms. Additional measures were being prepared when attack traffic began to decrease around 10:30 CET, at which point it is believed the attackers ceased activity. Network and application performance then recovered progressively, and by 11:00 CET demand and performance had returned to normal operating levels.

Following the incident, the carrier implemented and is continuing to implement additional protective measures to further strengthen core infrastructure resilience against large-scale DDoS attacks.

We continue to monitor the situation closely and are coordinating with partners to exchange intelligence and enhance collective defenses.

Post-Mortem

1) What happened

A large-volume DDoS attack originating from a botnet targeted core IP ranges at one of our main carrier partners, saturating interconnect capacity and causing instability in routers and critical links. Because multiple providers were impacted simultaneously, the disruption manifested as a wider internet connectivity issue, not limited to a single network.

2) Customer impact

Symptoms: intermittent or complete loss of connectivity, degraded performance, and downstream application impact dependent on internet routing/interconnect paths.
Duration: primary disruption from 09:37 to 10:30 CET, with gradual stabilization thereafter.
Data security: no evidence of data loss, breach, or customer data compromise.

3) Detection & response

Detection: immediate detection via monitoring systems identifying abnormal traffic.
Initial response: incident teams engaged within minutes and confirmed DDoS characteristics rapidly.
Mitigation: existing DDoS controls reduced impact, and additional mitigation steps were being deployed as traffic began to decline.

4) Root cause (technical)

Cause: botnet-based DDoS targeting core network IP ranges at a major carrier partner.
Magnitude: peak traffic approximately 2.5 Tbps and ~1B packets/second.
Mechanism of failure: saturation of key interconnects led to overload conditions, resulting in router instability/outages and cascading connectivity issues.

5) Resolution

Attack traffic reduced at approximately 10:30 CET (believed attacker stop).
Services recovered progressively.
By 11:00 CET, network demand and performance were back to baseline.

6) Corrective & preventive actions

Following the incident, additional steps have been taken and are ongoing to increase resilience, including:

strengthening protections around core IP ranges,
enhancing traffic scrubbing and mitigation capacity,
improving interconnect resilience and failover behavior,
ongoing collaboration with external partners for threat intelligence sharing and coordinated response.

7) Communication

We will continue to share relevant updates with customers through established channels and remain available for incident-related questions.

Posted Dec 05, 2025 - 16:06 CET

Resolved

We have received confirmation that the issue is resolved.
The underlying cause was one particular carrier experiencing packet loss and routing problems on their core network which resulted in degraded audio quality or connectivity problems.

The issue has been resolved and our mitigating efforts are still in place.
We are putting things on high alert and our team is actively monitoring for additional quality assurance purposes.

If you still experience any issues, please reach out to our support team. We're glad to help you out!
We apologize for the inconvenience caused.

Posted Nov 28, 2025 - 12:00 CET

Monitoring

We were seeing 50% packet loss and latency on one of the major internet exchanges. This has been mitigated since about 2 minutes. The issue appears to be external to Sound of Data and we are working with our partners to find the root cause of the network issues.

As of now all services and should be okay. We are still conducting tests to verify.

Posted Nov 28, 2025 - 11:35 CET

Investigating

We are investigating an issue with NL voice traffic, both inbound and outbound. The issue is impacting audio quality for inbound and outbound calls. Some calls take longer than normal to establish.

We are rerouting and taking mitigating efforts.
We are investigating the the underlying cause.

Next update in 15 minutes.

Posted Nov 28, 2025 - 11:29 CET

This incident affected: ITSP | Services (Voice Services).