ProtonMail suffers DDoS attack that takes its email service down for minutes

It’s been an unexpectedly slack day for digital comms services. It’s not just workplace IM tool Slack suffering outages but end-to-end encrypted email service ProtonMail too.

In the latter case, the company has blamed several hours’ worth of sporadic outages on a major DDoS attack.

In a statement on Reddit the company says the attack is “unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis” — which in turn meant its upstream DDoS protection service (Radware) needed more time than usual to mitigate the attack.

The longest outage has been “on the order of 10 minutes”, according to ProtonMail.

Back in 2015 the then fledgling startup suffered a major DDoS attack. And felt compelled to pay a ransom to fend off the hackers — a decision which earned it criticism from some segments of the security industry, and is perhaps coming back to haunt it now. Although the experience also led ProtonMail to spend on upgrading its defenses.

Since then it’s had a good record with uptime, despite dealing with DDoS attacks on a daily basis.

That said, while it’s claiming today’s attacks were orders of magnitude bigger than usual, its CTO Bart Butler also sounds less than pleased with how things went down today, tweeting in response to a user: “We will be evaluating this incident in the future, as it definitely should have been handled better.”

“Radware is making adjustments to their DDoS protection systems to better mitigate against this type of attack in the future,” the company also writes on Reddit. “While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record.”

“It is multi-vector, and they are dynamically changing the type of attack traffic they are sending at us, so it’s a higher level of sophistication than the usual ones,” founder Andy Yen told us, in the midst of firefighting the attack earlier today.

He also pointed out that the attackers’ Twitter feed included them having “called in a lot of fake bomb threats recently”, adding: “They are clearly bad actors and we will pass on any intelligence we gather to the appropriate authorities after we make our own investigation and research.”

A little later today, and a little more comfortable about having got the attack under control — despite confirming the attackers are “still hitting us” — Yen said: “Throughout the day, we have gotten a lot better at blocking this type of attack so now things are stable.

“I wouldn’t go so far as to say we have ‘won’ as these things can sometimes go on for multiple days, but its much harder for them to get through now.”

Asked why he thought ProtonMail is being targeted he declined to speculate. “The reason behind these attacks is always hard to know for sure. For instance, a lot of times, the stated reason is a cover for the actual reason.”

Meanwhile the Russian hackers claiming responsibility for ProtonMail’s attack — a group calling itself Apophis Squad — had been using Twitter (where they appear to have had an account since October 2016) to taunt ProtonMail users and trade insults with Butler.

Summing up Yen dubs it “a rough day for messaging”.

Though at the time of writing it’s still not clear what the root cause of Slack’s issues are.