On the 14th of February 2026, attackers targeted the Inter.link network with a large-scale distributed denial-of-service attack.
This attack pushed traffic volumes into the multi-terabit range and temporarily impacted connectivity at several edge locations. It is the most significant attack Inter.link has experienced in recent times and therefore required analysis so that we can make operational improvements to more effectively manage any future attacks.
Inter.link sincerely regrets the disruption caused by this event and the impact experienced by affected customers. We recognize that reliable connectivity is critical infrastructure for many organizations, and we remain committed to continuously improving both our technical defenses and operational processes.
This article summarizes the validated technical details, lessons learned, and corrective actions taken since completion of the internal post-incident review.
Breaking Down the DDoS Attack
Further analysis confirmed that the attack traffic was highly
distributed across a large number of originating autonomous systems and countries, indicating the use of a broadly dispersed botnet
and amplification infrastructure. The attack primarily targeted UDP services, most notably
traffic directed at ports UDP/443 and UDP/8080, and consisted of multiple concurrent vectors.
Inter.link’s scrubbing infrastructure classified the attack traffic as a combination of:
- Invalid Packet attacks – Send malformed, mangled, or structurally incorrect network packets to a target system
- Session Attacks – Steals, fixes, or hijack a legitimate user’s active session identifier (like a cookie or token) to gain unauthorized access to a system
- UDP Flood traffic – Overwhelms a target server with a massive influx of User Datagram Protocol (UDP) packets, typically on random ports
- UDP Fragmentation attacks – Sends a high volume of large, fragmented UDP packets, typically exceeding 1500 bytes
The attack’s multi-vector nature and global distribution contributed to increased traffic volume and spread the load across many ingress points.
The overall size of the attack reached multi-terabit levels and resulted in congestion across multiple network ingress and egress interfaces. Due to the distributed arrival characteristics of the traffic, several edge locations experienced temporary saturation before mitigation measures fully converged across all routing paths.
Attacks of this magnitude remain rare across the global Internet and represent a serious operational challenge even for
large-scale DDoS protection providers, as they are specifically designed to stress shared interconnection capacity rather than individual mitigation
systems alone.
Mitigation and Infrastructure Response
Our post-incident review confirmed that the network’s scrubbing systems operated as designed and successfully mitigated a substantial portion of malicious traffic throughout the incident.
Internal escalation procedures and engineering collaboration functioned effectively under high operational pressure, and mitigation tooling allowed protective routing measures to be applied once escalation thresholds were reached. These elements contributed to restoring overall network stability despite the exceptional scale of the attack.
Improvements Being Made
Inter.link continuously expands backbone and interconnection capacity to maintain sufficient headroom against evolving attack sizes.
As part of an ongoing network-wide capacity expansion program, upgrades are currently being deployed across Internet Exchanges, private peerings (PNIs), and upstream transit connections alike.
This includes, among others, upgrades toward 800G interconnection capacity at major European exchange locations such as AMS-IX and DE-CIX, alongside broader increases in peering and transit port capacity across the backbone. These upgrades are being rolled out continuously over the coming weeks and months to further strengthen overall edge resilience.
Operational Lessons Learned
The incident identified several operational areas requiring improvement.
Monitoring thresholds used to detect imbalances between scrubbed and non-scrubbed traffic were found to be overly static and insufficiently sensitive to extremely short but high intensity traffic bursts. Detection sensitivity has since been increased to improve early visibility of similar attack patterns. In addition, scrubbing infrastructure currently relies on a separate internal orchestration system for automated routing actions such as RTBH deployment. Integration between these systems has been improved to reduce response latency and operational dependency between mitigation components.
The investigation further highlighted limitations in traffic analysis workflows. Flow analysis currently relies on internally operated tooling based on Akvorado, where deeper
investigation requires manual correlation and analysis. Inter.link has already begun migration toward an established third-party industry solution and is expected to be completed during Q1 2026 to accelerate analysis and reduce operational complexity during active incidents.
Operational review also identified that the on-call escalation model placed simultaneous demands on a single engineer during peak incident periods, including mitigation activities, internal coordination, and customer communication. The volume of incoming calls and alerts created competing priorities during active mitigation. Inter.link is therefore evaluating procedural and tooling improvements to better separate operational mitigation responsibilities from communication handling during large-scale incidents, including enhancements to alert routing and incident coordination workflows.
Summary
In summary, the incident demonstrated that core mitigation systems and network protections functioned as intended under extreme conditions, while also
providing valuable insight into detection sensitivity, automation integration, operational workload distribution, and capacity planning in the context of multi-terabit attack scenarios.
Inter.link is already actively implementing these corrective actions.
We sincerely regret the disruption caused by this event and appreciate the continued trust and cooperation of our customers and partners as we further strengthen the resilience of our network against increasingly large and sophisticated attacks.
