Guide to DDoS protection - ProtonMail Blog

  • ProtonMail still under attack, discloses details and writes “lessons learned”

    About a month after the DDoS attacks started on their infrastructure[1], ProtonMail says they are still getting hit by 40 to 50 Gbps attacks.
    The initial attacks knocked them offline, but with the new equipment and mitigation service they purchased (#RadWare), they were able to withstand these attacks.

    In a recent blog post they disclosed details about the attacks. The next day they were hit with a 59 Gbps attack...

    In that blog post they also give some (basic) advice on how to protect against DDoS, such as:

    • baseline your legitimate traffic
    • take into account vulnerabilities outside your perimeter, such as your ISP or datacentre
    • take into account the reaction of your third parties, such as your ISP or datacentre; they may decide to take you offline so as not to disrupt the service of their other clients.
    • don’t compromise on security: be careful if you choose to provide your SSL keys to your DDoS mitigation service, because that also means they can scan ALL your traffic, all the time.

    When facing a truly large scale DDoS, the attackers will also go after your upstream providers. In ProtonMail’s case, all of our upstream ISPs were attacked, and in fact the entire data centre we [and other companies there] are located at was taken offline,

    What ProtonMail did:
    • implement a direct connection to Tier-1 #Level3 and become their own ISP
    • contract a cloud-based DDoS mitigation service, to help protect against volumetric attacks

    What it cost them:

    Networking equipment: $30’000
    BGP/GRE DDoS Mitigation (per year): $50’000 – $100’000
    Dedicated IP Transit (per year): $20’000
    Maintenance Overhead: $10’000+

    ProtonMail DDoS attack details can be found here:

    https://protonmail.com/blog/ddos-protection-guide

    #DDoS
    #ProtonMail

    _

    [1] See also http://seenthis.net/messages/425368