
NSFocus: DeepSeek AI hit with 'well planned' DDoS attacks

Cybersecurity vendor NSFocus said AI startup DeepSeek endured multiple waves of DDoS attacks since its reasoning model was released Jan. 20.

DeepSeek is facing a series of DDoS attacks, according to research published Friday by cybersecurity vendor NSFocus.

AI startup DeepSeek has been met with fervor since the Jan. 20 introduction of its first-generation large language models, DeepSeek-R1-Zero and DeepSeek-R1. In addition to its models' capabilities, the vendor gained attention for the reportedly low cost to train them. DeepSeek remains ahead of ChatGPT on the Apple App Store's free apps chart a full week after initially picking up steam.

On Jan. 27, DeepSeek said it was responding to "large-scale malicious attacks" against its services and that it would limit new user registrations while it did so. The disruption lasted several days, and access has only recently been restored for some users.

DeepSeek did not specify the nature of the attacks or attackers and did not respond to requests for comment from Informa TechTarget.

On Friday, NSFocus reported that its Global Threat Hunting System detected "3 waves of DDoS attacks targeting IP address 1.94.179.165 at 15:33:31 on January 25, 2025, 13:12:44 on January 26, 2025, and 18:09:45 on January 27, 2025 respectively (GMT+8), which was the address resolved by DeepSeek's API interface (api.deepseek.com)." The cybersecurity vendor, which provides DDoS mitigation services, said the average attack duration was 35 minutes, and that adversaries primarily targeted DeepSeek via Network Time Protocol (NTP) reflection and memcached reflection attacks.

In addition to DeepSeek's API interface, NSFocus detected two waves of attacks against DeepSeek's chat system interface Jan. 20 -- the day DeepSeek-R1 was released -- and Jan. 25. Attack duration averaged one hour, and primary attack methods included NTP reflection and Simple Service Discovery Protocol reflection.

Moreover, the vendor found that when the resolving IP address of DeepSeek was switched on Jan. 28, the attacker "quickly adjusted" its strategy and launched a new round of DDoS attacks on the main domain name, the API interface and the chat system. This, researchers said, reflects "high tactical literacy."

"After DeepSeek completes the resolution address switching, the attacker quickly adjusts the attack policy and launches a new round of DDoS attacks on the core service system of DeepSeek," the research read. "From the selection of attack targets to the accurate grasping of timing, and then to the flexible control of attack intensity, the attacker shows extremely high professionalism in every attacking step. This highly coordinated and precise attack suggests that the incident was not accidental, but likely a well-planned and organized cyberattack executed by a professional team."

The top three sources of attack infrastructure were the U.S. (20%), the U.K. (17%) and Australia (9%).

Informa TechTarget contacted NSFocus, but the company had not responded as of press time.

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.
