ProtonMail On Battling A Sustained DDoS Attack

Encrypted webmail provider, ProtonMail, has been fighting a wave of DDoS attacks since November 3 that, by last Friday, had taken its service offline for more than 24 hours. At the time of writing the attacks are still coming.

They have included what ProtonMail co-founder Andy Yen described as a “co-ordinated assault” on its ISP that exceeded 100Gbps and attacked not only the Swiss datacenter but routers in various locations where the ISP has nodes — taking multiple services offline, not just ProtonMail’s email.

“We’re under renewed attack again, given the scope of the attack, proper protection can’t be put in overnight so even though we have already started the process, it could take a few days to finish implementation. It’s complicated because it also involves our datacenter and ISP since they are being hit too,” said Yen in an email to TechCrunch on Friday.

The Swiss startup took in $2 million in seed funding earlier this year to scale its zero access email product, following a crowdfunding campaign that raised around $550,000 from some 10,000 backers. As of August it had invited 500,000 beta sign-ups. Its mission: “to guard against mass surveillance”, as Yen put it back in mid 2014, by making PGP encryption accessible to anybody and everybody.

But that goal puts ProtonMail at odds with powerful forces. End-to-end encryption has been under sustained rhetorical assault from government intelligence agencies in countries such as the U.S. and the U.K. ever since NSA whistleblower Edward Snowden disclosed the extent and scope of their mass surveillance programs — including efforts to compromise or circumvent encryption.

Whether such political heat has anything to do with the current DDoS attack on ProtonMail is unclear. But only last week the U.K. government introduced proposed new surveillance legislation that contains clauses which appear to suggest there will be a legal requirement for companies to be able to decrypt data when issued with a warrant by the security services.

Where that would leave services like ProtonMail, which offer end-to-end encryption — and therefore have no ability to hand over decrypted data — remains to be seen.

Yesterday Yen didn’t have time for a phone call to discuss the DDoS attack in detail, not least because it was still ongoing, but he responded to a few of TechCrunch’s questions via email…

You say the DDOS attack became “unprecedented in terms of sophistication”. Can you explain in more detail what exactly makes this attack so damaging?
Usually, a DDoS tries to just take a site offline. This one was different because it went after an entire datacenter and ISP, hitting nodes in multiple countries just to get to us. The attackers systematically probed the entire infrastructure of the ISP and then launched a coordinated assault on multiple sites.

Who do you believe is behind the attack, and what do you think are their motives for attacking Protonmail — you suggest “state-sponsored actors”. Which state do you suspect of being behind the attack and why?
We will need to analyze the data more carefully with experts before we know for sure. Top DDoS experts from around the world have gotten in touch and will help us with the investigation.

Are you able to know technically where the DDOS attack is originating from?
We don’t know conclusively at this time.

It sounds like you believe multiple groups could be behind the attack? Why do you think that, and do you believe Protonmail is intended as the sole target of the attacks by all these groups?
Two reasons. First, the methods of attacks are very different. Secondly, the first group in fact reached out to disclaim responsibility for the second attack. We are definitely the sole target for the second attack because when our ISP stops defending us, they stop getting attacked.

Do you think this is intended as an attack on Protonmail’s privacy mission, rather than an attempt to extract money from the company?
The second attack did not come with any monetary demands, and unlike the typical DDoS attacks, nobody has publicly taken credit for it. We know certain at-risk groups are using ProtonMail to communicate and there are actors out there who would benefit from disrupting their communications.

You’ve been criticized by people in the security industry for paying a ransom. How much did you pay? And why did you feel it was necessary to pay?
By 3:30PM Geneva time on the 4th of November, the attack had taken down both the ISP and the datacenter, impacting hundreds of companies and causing hundreds of thousands of dollars of damage. Even the ability of the ISP and datacenter to remain in business was being called into doubt. At this stage, all the impacted companies forced us to pay because the collateral damage was too high. I don’t agree with the decision, but I can’t really say I blame them for that.

You’re crowdfunding for a Defense fund. Are you confident Protonmail will be able to raise enough to protect the service from similar attacks in future? Will you be hiring additional security staff?
We will have to see how the donation campaign goes. So far, we have received incredible support from our users through this ordeal and anything is possible when people stand up for a cause like this.

You have raised VC capital for scaling the product earlier this year. Why was more not spent on bolstering security? An encrypted email service seems a pretty attractive target for hackers…
There are many levels of attacks, the one that hit us is 100Gbps and capable of taking down an ISP. This is the sort of extreme case scenario a seed funded startup can’t budget for. Furthermore, the solutions are complex and expensive because in addition to protecting us, the datacenter and upstream providers also need protection.

You mentioned you have started to implement a security solution. Is this an industry standard system that was just too expensive for Protonmail to have implemented prior to this attack?
There are solutions for this, but they can run up to $100k per year, especially to protect against attacks with this level of sophistication and size. We are implementing them now at great cost, but it will be a strain on our budget.

Are you confident you’ll be able to protect Protonmail from such attacks in future?
Once we get the new protection mechanisms in place, we should be able to withstand even larger attacks.

Is the attack over at this stage? 
It is still continuing unfortunately, and given the complexity and costs of the solution, we won’t be able to implement all the protection we need overnight.