18 comments

[ 4.3 ms ] story [ 53.5 ms ] thread
> There was a DDoS attack directed against the Proton network. We have mitigated the attack and recovered all services.

This was issued at about 11:15am eastern time.

What are the steps to mitigate a large-scale DDoS?

Say you're running a website fronted by Cloudflare, for example.

GitHub fought the largest ever recorded ddos using Akamai Prolexic. At least according to Wired. https://www.wired.com/story/github-ddos-memcached

I think protonmail is experiencing the same type of attack (memcached amplified)

Akamai's Prolexic platform was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached.

Interesting. The impressive part is that their platform correctly identified the attack and automatically applied the solution within 20 minutes. I wonder how?

Possibly a team of smart sysadmins on standby? It's easy to detect when you're being attacked, but hard to mitigate. So whenever you get attacked, set up your site to automatically forward over to this service, and their clever humans take it from there.

Some of the most impactful tech projects are just mechanical turks, so it wouldn't be surprising. But I wonder what the truth is.

you monitor netflow for anomalies - when they occurred you change the routing via BPG to prolexic (e.g. the attacked /24) - they have huge amount of available bandwidth and hardware to filter out unwanted traffic - if you get a known attack like in this case, it's completely automated in case you want it... - your traffic is forwarded to the original destination via GRE
After the Github attack, there was a larger, 1.7Tbps DDoS against an unnamed client of Arbor Networks using the same memcached tactic. I hope someone is working on getting all those open memcached servers secured..
That's going to be hard. More than likely the solution will come from ISPs blocking port 11211 on public networks.
I was wondering why I did but have access earlier today :-) just assumed it was a 'normal' outage
Thanksfully it's only mail. So any outage is not critical. It really needs to be bombarded 4 days for 100% to cause real lossage.
They have VPN service as well. It could be critical for VPN.
So then would DDoSage be to lossage as DDoS is to loss?
Why would someone want to take down protonmail..?
If you want someone to not get email for a few hours.
Maybe it's a way to test the attacker's infrastructure against a semi-hardened target?

I say "semi" because it still seems like a small-ish player, and while I do trust PM to have some very capable people handling their infrastructure, I doubt they have tens of millions in their security budget (vs e.g. Cloudflare or Google or perhaps certain banks).

(comment deleted)
Protonmail provides my only non-work email address for everything. Is it a good idea to have multiple email accounts with multiple service providers? Seems inconvenient. But then, perhaps I am taking a risk with my current set up.
SMTP is pretty resilient. Unless you have some critical process where email can’t be delayed a few hours, I wouldn’t worry about it. You could, if needed, get your own domain, and swap MX records to a different provider if something like this arises. Yandex might be a good backup. They have a pretty good, and free, service that allows you to bring your own domain.