Big questions after attack on CO.ZA

Internet service providers, hosting companies, domain registrars, and other industry stakeholders are asking questions after the ZA Registry Consortium (ZARC) announced that a cyberattack caused an outage that impacted CO.ZA domains.

ZARC executive for registry operations Jerry Maleka told MyBroadband that South Africa’s country code top-level domain (ccTLD) — specifically secondary domains under their administration — were under a denial of service attack.

Maleka said the attack had started on 6 March 2025. While ZARC also manages net.za, org.za, and web.za, co.za domains appeared to be worst-hit.

However, industry stakeholders have questioned whether ZARC’s infrastructure provider, Domain Name Services (DNS Business), suffered an actual attack or whether the outage was an own goal.

ZARC is a joint venture with DNS Business — not to be confused with the DNS protocol. DNS Business handles the technical infrastructure of the .ZA zone.

In a notice sent to stakeholders on Thursday evening, ZARC stopped short of confirming that it suffered a distributed denial of service attack (DDoS).

Instead, it described the event as “extraordinary system load that effectively caused a denial-of-service”, which automatically triggered its DDoS protection mechanisms.

“Over the past few days, the .ZA namespace experienced extremely high traffic loads on its nameservers, impacting some of its users,” ZARC stated.

“This surge in traffic triggered our DDoS protection procedures, which, as part of the design, temporarily restricted some traffic to maintain overall system stability,” it added.

“Our investigation revealed that an extraordinary system load effectively caused a Denial of Service, impacting our DNS services. Our team has since implemented measures to mitigate this.”

As a result of the outage, several people in the industry queried .CO.ZA’s infrastructure, and found that it only had three nameservers, one of which was backed by anycast-based infrastructure.

Nameservers are part of the domain name system (DNS), a critical Internet protocol that translates Internet domains like mybroadband.co.za into the numbers that routers and servers can understand. DNS can be thought of as the phone book of the Internet.

Anycast is a network addressing and routing methodology in which a single IP address is shared by servers in multiple locations.

Internet routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms.

In addition to speeding up response times, anycast also helps mitigate denial-of-service attacks.

ZARC responds to questions

MyBroadband asked ZARC why it does not have more nameservers on anycast addresses and why it had not previously established an anycast-based system within South Africa.

“ZARC utilises the services of Netnod, which is a leading anycast provider in the world,” Maleka said.

“An anycast instance consists of multiple servers spread across the globe. Netnod has developed one of the largest, most advanced DNS anycast networks in the world.”

Maleka said that Netnod’s network is available in more than 80 locations globally.

“Packet Clearing House (PCH), also an excellent service provider, provides complimentary anycast services for the other .za zones,” he added.

Maleka said it was common practice amongst top-level domains to have one anycast and multiple unicast servers.

“A unicast nameserver is just a regular server or cluster of servers. An anycast is a set of servers at different locations all using the same IP but appearing to be a single server,” he explained.

“The anycast constellation’s job is to mitigate DOS attacks like this. Even if an attacker manages to take down one server it will only interrupt service in one location with the rest remaining up.”

Maleka said that ZARC was exploring the possibility of establishing an additional regional anycast solution in partnership with a specialist provider to reduce the costs of adding an extra full global anycast service.

Industry sources disputed ZARC’s contention that it was common practice to a single anycast instance and multiple unicast servers.

“The ZARC anycast instance is spread across the globe with a unicast instance based in the US,” Maleka said.

“The other nameservers are located in South Africa, as the majority of the DNS traffic and queries originate from South Africa and would benefit from lower latency.”

As an example, Maleka explained that a DNS query from the South African region would take around 20 milliseconds to complete versus around 200 milliseconds from an international nameserver such as in the US.

“Our primary method of providing a presence in multiple countries is via anycast,” he said.

“Currently, there are more than 80 Netnod DNSNODE locations across six continents, including North America, South America, Europe, Asia, Australia and Africa,” he said.

Maleka said they have already added another unicast server at Netnod’s data-centre in Sweden.

MyBroadband also asked why net.za continued working, while co.za experienced problems.

“It might be related to the simple size of the zones of these commercial second-level domain names,” Maleka told MyBroadband.

“Net.za is a much smaller zone with less than 3,000 domains, whilst co.za has more than 1.3 million domains with greater traffic volumes, thus resulting in the impact of a DDoS attack being more severe.”