100 Gbps DDoS on ProtonMail
On November 3rd, 2015, ProtonMail suffered an interesting attack.
First it received a ransom demand, followed by a typical 15-minute DDoS flooding its IP addresses to prove the attackers meant business. As ProtonMail did not pay, two separate DDoS attacks effectively managed to shut down its datacenter (which subsequently affected other companies present in that datacenter).
ProtonMail then paid the 15 BTC (about 5,380 EUR) ransom, but the attacks didn't stop. Instead, the attack moved upstream and targeted the ISP's infrastructure.
Attacking the upstream ISP rather than the victim alone is a fairly new approach, and it may well have an outcome that is not to the attackers' advantage: taking down an ISP's routers and hundreds of uninvolved companies draws far more attention than extorting a single target.
On top of the 15 BTC ransom, ProtonMail also had to pay the ISP and the datacenter for the collateral damage incurred.
Because ProtonMail was unreachable, it had to set up a communication channel via WordPress:
Details about the attack can be found there:
This threat was followed by a DDOS attack which took us offline for approximately 15 minutes. We did not receive the next attack until approximately 11AM the next morning. At this point, our datacenter and their upstream provider began to take steps to mitigate the attack. However, within the span of a few hours, the attacks began to take on an unprecedented level of sophistication.
At around 2PM, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just #ProtonMail.
The attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated.
It is believed that the ProtonMail attack is likely to have been carried out by two separate groups. The first calls itself the Armada Collective; the second exhibited capabilities more commonly possessed by state-sponsored actors, ProtonMail said.