ProtonMail: what we learned from being the victim of Europe's biggest DDoS attack

After going public about the DDoS attack that took it down, encrypted email provider is hit by another massive surge in traffic

Last month encrypted email provider ProtonMail was knocked offline by "an extremely powerful DDoS attack". The Swiss company, which believes there were at least two distinct perpetrators behind the attack, says it is still ongoing, with traffic hitting its infrastructure at a rate of 40-50 Gbps (gigabits per second), making it one of the longest and most powerful DDoS attacks ever recorded. It believes a state actor may be behind the attack because it provides secure email communications for journalists and activists.

By installing new equipment, the company has managed to stay online in spite of this, and it has now decided to share what it has learned in a blog post entitled "Guide to DDoS protection".

"We decided to share this information because DDoS attacks are a growing problem that threatens the entire security community," CEO Andy Yen told Computing.

He continued: "Unfortunately, these sorts of attacks are being increasingly exploited by criminal and state-sponsored actors, and attackers have become much more sophisticated in the past couple of years. An attack with the size and scope of the one we faced is an anomaly today, but this could become the norm in a few years.

"Because of this, it is critically important that this information be made available to the larger security community. That is why we're willing to run the risk of further attacks to ensure this happens. Unfortunately this has already happened as we have been under intense bombardment since we went public with the details."

Indeed, after publishing the blog post yesterday, the firm reports it was hit by another surge in traffic measuring 59 Gbps, which was fortunately mitigated by the measures taken.

ProtonMail advises organisations of all types to profile their legitimate traffic, be that web traffic over ports 80 and 443 or emails over port 25. "A sophisticated attacker will in fact attack all aspects of your infrastructure," it says.
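The profiling step described above, as an added example that is not from ProtonMail's guide or this article: it builds a per-port baseline of bytes per second from a quiet period and then flags ports whose observed rate climbs far above that baseline, or that receive volume despite never appearing in the legitimate profile at all. The flow records, the port numbers, the rates and the six-sigma threshold are all constructed for illustration.

```python
"""Profile legitimate traffic per destination port and flag deviations.

Added example, not ProtonMail's code. Assumes flow records already summarised
into one-second buckets as (second, dst_port, bytes); all data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: steady web traffic on 80/443 and SMTP on 25.
BASELINE_FLOWS = [
    # (second, dst_port, bytes)
    (0, 443, 12_000_000), (0, 80, 3_000_000), (0, 25, 500_000),
    (1, 443, 12_500_000), (1, 80, 2_900_000), (1, 25, 520_000),
    (2, 443, 11_800_000), (2, 80, 3_100_000), (2, 25, 480_000),
    (3, 443, 12_200_000), (3, 80, 3_000_000), (3, 25, 510_000),
    (4, 443, 12_100_000), (4, 80, 2_950_000), (4, 25, 495_000),
]

# Constructed observation window: 443 and 25 flooded, 80 unchanged, and a
# volumetric flood aimed at a port (53) the service never legitimately serves.
OBSERVED_FLOWS = [
    (100, 443, 6_000_000_000), (100, 80, 3_000_000),
    (100, 25, 400_000_000), (100, 53, 5_000_000_000),
    (101, 443, 6_200_000_000), (101, 80, 3_050_000),
    (101, 25, 420_000_000), (101, 53, 5_100_000_000),
]


def bytes_per_second(flows):
    """Return {port: [bytes seen in each second]} from (second, port, bytes) records."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for second, port, nbytes in flows:
        per_sec[port][second] += nbytes
    return {port: list(buckets.values()) for port, buckets in per_sec.items()}


def build_profile(baseline_flows):
    """Per-port (mean, population stddev) of bytes/sec during normal operation."""
    return {
        port: (mean(samples), pstdev(samples))
        for port, samples in bytes_per_second(baseline_flows).items()
    }


def detect_anomalies(profile, observed_flows, sigma=6.0):
    """Flag ports whose peak bytes/sec exceeds mean + sigma*stddev, and ports
    that carry traffic but are absent from the legitimate profile.

    Returns {port: (peak_gbps, reason)}; sigma is an assumed tuning value.
    """
    findings = {}
    for port, samples in bytes_per_second(observed_flows).items():
        peak_gbps = round(max(samples) * 8 / 1e9, 2)
        if port not in profile:
            findings[port] = (peak_gbps, "unprofiled port")
            continue
        mu, sd = profile[port]
        if max(samples) > mu + sigma * sd:
            findings[port] = (peak_gbps, "rate above baseline")
    return findings


if __name__ == "__main__":
    for port, (gbps, reason) in sorted(
        detect_anomalies(build_profile(BASELINE_FLOWS), OBSERVED_FLOWS).items()
    ):
        print(f"port {port}: {gbps} Gbps peak ({reason})")
```

Port 80 stays within its baseline and is not reported, while the floods on 443 and 25 and the unprofiled traffic on 53 are. In practice the baseline would be rebuilt from rolling windows of real flow exports rather than a fixed list, but the check itself is the same.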

Next it advises working out points of vulnerability that fall outside of the company's remit - such as the ISPs it uses.

"When facing a truly large scale DDoS, the attackers will also go after your upstream providers. In ProtonMail's case, all of our upstream ISPs were attacked, and in fact the entire data centre we are located at was taken offline," it says, adding that mitigating such an attack is extremely difficult and can only be done by isolating infrastructure as far as possible from other services.

Because other companies using those same ISPs were also taken offline when ProtonMail was attacked, the pressure on those service providers to take the victim offline became intense, the firm says.

"... given the choice between keeping you online (and risking hundreds of other companies), versus taking you offline, most service providers will opt to take your site offline. In fact, at the height of the attack against us, even if we wanted to relocate to a different data centre, it was very unlikely that we would have found one willing to take us in given the risk of massive collateral damage following us."

What ProtonMail did

In order to isolate its infrastructure from its data centre and ISPs ProtonMail created a direct connection to the Tier-1 carrier Level 3 Communications.

"We effectively became our own ISP," the blog explains. "Now that we had made ProtonMail our own ISP, attacks against the data centre or upstream ISPs could no longer impact us. However, a large DDoS can still manage to saturate our link or overload our load balancer. We needed a way to block DDoS attack traffic before it even hits our network. To do this, we went with a cloud-based DDoS mitigator."

This sort of mitigation does not come cheap. ProtonMail estimates that new networking equipment would typically cost around $30,000, that a cloud-based DDoS mitigation service will cost $50,000 - $100,000 annually, and that dedicated IP networking comes in at $20,000 per year. The firm launched a fund-raising campaign after the attack which has raised more than $62,000 to date.

The company says it has come under a wide range of attacks, listing the various attack vectors on the blog and providing a partial data dump. Interested readers are advised to visit the ProtonMail website which covers the issue in more detail.

Recent Computing research found that 40 per cent of IT professionals now use encrypted email.

Rocco Labellarte, IT head at the Royal Borough of Windsor and Maidenhead, also shared his experiences of a DDoS attack recently.