ProtonMail 'mitigates' DDoS attacks, says security not breached

ProtonMail has announced that it has successfully mitigated the DDoS attacks which had hobbled it since last week, while also confirming security systems had not been breached. The encrypted email service was still being hit as of yesterday, after paying a Bitcoin ransom to one of the two DDoS attackers (the smaller, seemingly …

  1. Stuart 22 Silver badge

    More than two bad guys

    Of course one shouldn't pay ransoms. Thankfully few of us have faced the dilemma. What should be unlawful is other people putting pressure on the victim to pay. The excuse that they were suffering collateral damage is not enough. DDoS are an established problem to all hosters. Just like a server or network failure they should have contingencies in place. A server elsewhere.

    Failure to do this and pressuring the victim to give sustenance to criminals because of these other hosters' lack of preparedness is unforgivable.

    I have some sympathy for ProtonMail whose options are more limited. If they shift to a backup server the DDoS will just follow. They have to see it out or pay. I'd like to think I would be getting support to see them off and not this.

  2. Anonymous Coward

    There's always a silver lining to this kind of story.

    Withstanding a determined attack of this nature, and being able to declare that nothing was stolen, and returning able to claim that service is back up despite the ongoing onslaught has got to have a positive effect on their credibility.

    1. Danny 2 Silver badge

      Well, the fact they were DDoSed so heavily does suggest that was the only way to take them down, meaning their underlying security is good. I guess they really should have been more up to speed on the evolving nature of the DDoS threat, but at least they are now. Lots of users have been asking them to speed up their plans for a premium paid service which shows how appreciated they are.

      I hope this is such a high profile attack that experts will be able to identify the culprit.

    2. Vic

      Withstanding a determined attack of this nature, and being able to declare that nothing was stolen

      But ... but ... but ...

      DDoS is how stuff gets stolen. Dido Harding herself told me so.


  3. Danny 2 Silver badge

    I'm guessing the nature of their business made Proton Mail especially vulnerable to an encrypted flood attack, if that's what this is. Things have changed since my day, the things we used to do to protect ourselves now themselves are the vulnerability. Swords versus shields I guess but you young web security bods have all my sympathy.

    1. The humble print monkey

      ramping up capacity

      I do hope that once this storm has passed, pm will be in a position to expand their facilities, to take on many many more users. I have no valid requirement for encrypted email, other than a loathing of advertisers, and a wish to quietly add to noise.

      I'd happily pay an annual subscription for this for myself and for my family and would recommend pm to any who would listen. And I haven't even tried their services.

      I for one welcome my cuckoo nest winding, slurp denying, future email provider.

      1. Danny 2 Silver badge

        Re: ramping up capacity

        ProtonMail is good for non-techie users, you really should at least try it. Any PM 2 PM emails are uncrackable, as this DDoS indicates.

        My mother can use it to encrypt emails to strangers who don't know what encryption is just by hitting a tick-box. Not by reading the OpenPGP manual, just by ticking a box. No offence to my mother, but honestly she thought her wireless printer she just bought wouldn't need a power cord - and she now has the same level of encrypted email that most of us do.

        (Disclaimer: Other secure email providers are available. All the good ones are also being DDoSed just now)

  4. Sanctimonious Prick


    I can't help but be a little suspicious about there being two different attackers... and how the ransom was paid after the first attack finished... then the second wave started...

    I dunno... just sounds like a fantastic marketing ploy to me.

    Bring on the downvotes! :)

    1. Danny 2 Silver badge

      Re: Sceptical

      No down vote because scepticism and facts are in short supply, but from the time-line I read elsewhere I think the ransom was paid after the first attack, to the first attackers, because Proton Mail initially conflated the first attackers with the second attackers.

      They initially refused to pay the script-kiddies' small ransom, and then caved when they, and everyone close to them, got hit with the tsunami.

      My guess on this - feel free to be sceptical again - is that GCHQ (or a similar APT trying to make GCHQ look bad) had been monitoring the Armada Collective, and was ordered by Theresa May (or a similarly ugly APT) to coat-tail on the initial DDoSing.

      Forgive my paranoia and simplistic interpretation, personal experience informs me, but ProtonMail had just slagged the UK spy laws on Twitter hours before the attack.

      Alternative theory if you prefer: Some immensely powerful yet sad piss-stained hacker got annoyed that ProtonMail were featured in 'Mr Robot'.

      I hope the facts do come out because I am guessing and I'd like to know. I've just never been wrong before by blaming GCHQ, it's an increasingly good default setting lately. That bitch be mad.

      1. Sanctimonious Prick
        Black Helicopters

        Re: Sceptical

        Danny 2 "I hope the facts do come out because I am guessing and I'd like to know. I've just never been wrong before by blaming GCHQ, it's an increasingly good default setting lately. That bitch be mad."

        I too have been a bit like that with The 5 Eyes, especially with hacking of Sony, LavaBit, RSA, McAfee, Linux, accusations of Chinese State sponsored hacking, BitCoin (Mt.Gox), and maybe I exaggerated a bit? :)

        In regard to ProtonMail, I too have read the timeline of events - the first attack lasting only 15 minutes, waited a few hours, paid the ransom, then a few hours later the attack resumed with much more sophistication.

        The theory that it is two different attackers originated from a message left by the "original" criminal in a BTC transaction declaring 'it's not me' (or similar). Oo's gonna beleev dat: the words from a criminal?

        You know, even I got sucked in at first, by going to their website, reading their blogs and Twitter accounts, even signed up and reserved an e-mail address.

        Marketing ploy, I tells ya! :D

        1. This post has been deleted by its author

        2. Danny 2 Silver badge

          Re: Sceptical

          I will upvote you just because you are honest rather than because I agree with you.

          Sony - definitely a pissed off sacked Sony sys admin, I've seen that before;

          LavaBit - flawless, proof any individual can outsmart an APT, he gave us all hope;

          RSA - do you mean the NSA corruption attempt or Adi Shamir 'post encryto speech'? - if the latter then that does worry me, he's way smarter than me and if he is suggesting relying on exfiltration instead of encryption, then I'm doomed, we're all doomed - if the former then we are reliant on the Ladar Levisons of this world;

          McAfee - this packet of peanuts may contain nuts;

          Linux, accusations of Chinese State sponsored hacking, BitCoin - file under 'shit happens'. Take the punch and roll with it.

          "Marketing ploy, I tells ya!"

          You won't believe me then, or at best you'll believe me and not my beliefs. I'll say it anyway, if you doubt me then I have an unusual but traceable history. I trust them more than any other third-party provider. I have been fucked over repeatedly by my state, seen that repeatedly happen to others too. It sprang from CERN, and most brains there are pure science, and most ancillary engineers and support there are infected by that. They are bitchy to each other but they are not marketeers in the normal sense.

          Everything eventually comes down to trust in a world where people are paid to lie. I've been betrayed obviously by someone who is a state employee as our private communications couldn't have been hacked, he and the courts kind of admitted it, at least to my satisfaction. If you are doubtful of anyone, anything, then test it through black box testing.

          I have been wrong in the recent past. I assured someone a few years ago that they were being paranoid for things Snowden has since proven to be common-place. So don't take my word for it, test it. I am about to go in prison next week for a silly, non-security related reason. I'd have been in prison last year if PM was dodgy - trust me?! Nah, try it for yourself. Is OpenPGP marketing - is, well, whatever you do trust? Some things just work. Some people are just decent.

  5. Anonymous Coward

    This isn't just Proton Mail. Check out /r/DarkNetMarkets/comments/3s8c19/massive_ddoses_being_reported_everywhere_on_the/ on Reddit. TOR exit nodes are being massively DDOS'd.

    This has a whiff of a TLA.

    1. g e

      TOR nodes?

      Presumably by spaffing known (but seemingly random) packets at enough TOR nodes you can start to fathom relationships between ingress and egress points and correlate it with other data?

      Assuming you have enough nodes of your own to make the comparisons?

      Just wondering, probably don't understand enough about the mechanics of TOR, not being a user.

  6. leeroy9090

    Re: G E's post above:

    "I am the operator of several exit nodes and would like to stay anonymous due to the nature of the given attacks.

    Since Thursday (05.11.2015 1800 UTC) I have seen large DDoS attacks on each of my exit nodes from a common /16 source.

    The attacks originate from UK."


    "Technically speaking, if it is indeed a correlation attack, they are not trying to take down the relay with the attack - so it's effectively no DDoS. They're just trying to impact the relay and see how the effects of that attack impact the requests of the user that they are trying to correlate."

    Sounds like a correlation attack.


    Won't post the full link or the link to the pastebin in the original post, I'm sure you can add the prefix :)
