Deutsche Bahn back on track after DDoS yanks the brakes
Summary
Germany's national rail company, Deutsche Bahn, suffered a DDoS cyberattack, disrupting its website and app for hours. Services were restored, and no customer data was compromised.
Hackers target German national rail systems
A distributed denial of service (DDoS) attack knocked Deutsche Bahn’s booking systems and mobile apps offline for several days. The national rail company confirmed that the attack disrupted services across its entire digital footprint, preventing travelers from purchasing tickets or checking train schedules.
The outage hit the company’s primary digital tools, including the DB Navigator app and the bahn.de website. These platforms serve hundreds of thousands of commuters daily. When the systems failed, passengers could not access digital tickets or view real-time updates on train delays.
The disruption began on February 17 at 15:45 UTC. Travelers attempting to use the company’s web services encountered error messages or total timeouts. Deutsche Bahn technicians worked through the weekend to mitigate the incoming traffic and restore access to the servers.
Digital services face multi-day disruption
Deutsche Bahn restored most of its services by Wednesday at 13:00 UTC. The recovery took longer than is typical for DDoS incidents because the attack occurred in multiple waves. Each wave forced the company to adjust its defensive posture and traffic filtering rules.
The company maintained temporary limitations on its systems even after the restoration. These limits helped manage the surge of legitimate users returning to the site. The Verge understands that these constraints were necessary to ensure the stability of the DB Navigator backend.
Deutsche Bahn stated that its countermeasures were effective in minimizing the impact on customers. Despite this claim, the multi-day window of instability suggests the attackers successfully overwhelmed the company’s initial defenses. The rail giant continues to monitor its network for signs of a follow-up assault.
How the DDoS attack worked
A DDoS attack floods a target server with junk traffic until it can no longer process legitimate requests. Unlike a standard hack, these attacks do not necessarily involve breaking into a database. Instead, they use sheer traffic volume to choke a service's bandwidth.
Deutsche Bahn described the scale of this specific attack as considerable. The hackers targeted the IT interfaces that connect the rail company to other travel platforms. This approach caused a ripple effect, breaking booking functionality on third-party sites that rely on Deutsche Bahn’s data.
Typical targets for these attacks include:
- Public-facing websites: The primary portal where users search for schedules and prices.
- Mobile APIs: The data streams that feed information to the DB Navigator app.
- Payment gateways: The systems that process credit card and PayPal transactions for ticket sales.
- Third-party aggregators: Travel agencies and partner apps that sell German rail tickets.
Critical infrastructure remains a target
The attack on Deutsche Bahn highlights the vulnerability of national transportation networks. While a DDoS attack is often temporary, it creates significant economic friction. Germany’s rail network is a central pillar of the European transport system, moving millions of tons of freight and millions of people.
Cybersecurity experts categorize these incidents as nuisance attacks rather than destructive ones. They differ from ransomware, where hackers encrypt files and demand a payment. In this case, the goal appeared to be the interruption of public service rather than financial gain through extortion.
Deutsche Bahn has been a frequent target for IT attacks in recent years. The company confirmed it remains in close contact with the Federal Office for Information Security (BSI). These authorities help the company analyze traffic patterns to identify the origin of the malicious requests.
The search for the perpetrators
Deutsche Bahn refused to comment on the identity of the attackers. The company also declined to say whether the perpetrators made contact or issued any demands. This silence is common for organizations managing active security incidents involving federal law enforcement.
Hacktivist groups often claim responsibility for such attacks to draw attention to political causes. These groups use botnets—networks of compromised computers—to launch traffic at their targets. Because the traffic can come from thousands of different IP addresses globally, identifying the specific person behind the keyboard is difficult.
The company emphasized that its top priority is the protection of customer data. No evidence currently suggests that hackers stole personal information or payment details during the outage. DDoS attacks rarely lead to data theft because they target the "availability" of a system rather than its "confidentiality" or "integrity."
Comparing DDoS to other threats
Security researchers distinguish between different types of digital threats based on the attacker's motive. State-backed groups typically avoid DDoS because it is loud and easily detectable. These advanced actors prefer malware that provides long-term, quiet access to sensitive systems.
Financial criminals usually prefer ransomware because it has a clear path to a payout. By contrast, DDoS is the tool of choice for digital protesters. These groups want to prove they can shut down a major institution, often for a few hours or days, to gain media attention.
Deutsche Bahn’s experience follows a trend of increased pressure on European infrastructure. Recent years have seen similar attacks on airports, utility companies, and government portals. The rail company’s ability to survive this "considerable" attack suggests its defense mechanisms are functioning, even if they cannot prevent every outage.

