I can’t help but feel that ProtonMail has let down every company on the internet.
The Geneva-based encrypted email service has suffered a distributed denial-of-service (DDoS) attack this week, preventing its users from accessing their inboxes.
Understandably, their users weren’t happy to find that their email was inaccessible.
At first, the reasons for the DDoS attack – described as “unprecedented in size and scope” – were unclear, but yesterday the company confirmed that blackmailers were demanding $6000 worth of Bitcoin for the internet attack to stop.
And ProtonMail decided to pay up.
The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.
At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. Attacks against infrastructure continued throughout the evening and in order to keep other customers online, our ISP was forced to stop announcing our IP range, effectively taking us offline. The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack.
I do feel sorry for ProtonMail. We must not forget that they were the innocent victims of a crime, and there were clearly other innocent victims caught up in events too (ProtonMail’s users, the ISP, other companies who used the targeted data centre). But that doesn’t mean I agree with how ProtonMail responded.
@BigDeesDad Over 100 companies were taken offline from the attack against us. Impacted companies asked us to pay, we couldn't refuse.
— ProtonMail (@ProtonMail) November 5, 2015
This was extortion, plain and simple, and something I expect we will see even more of in the years to come, whether in the form of attacks on website availability or of data theft coupled with the threat of publishing it.
But the only reason criminals attempt to blackmail money out of anyone is that they believe there is a reasonable chance the victim will pay.
Don’t pay internet blackmailers. All you have done is tell the extortionists that you will consider giving them money for their crimes, and there is no guarantee that they – or other criminals – won’t try it again and again and again.
Paying blackmailers only encourages more attacks, and makes the internet a less safe place for all of us.
Opinions are divided as to whether ProtonMail had options other than paying the blackmailers. My view is that there is always another way.
@martijn_grooten Shut down. Change service provider. Get DDoS protection. Paying blackmailing DDoSers doesn't work
— Graham Cluley (@gcluley) November 5, 2015
In case you’re curious, at the time of writing (Friday morning, 8:48 am UK time), the ProtonMail website is inaccessible. One has to assume that it is under a DDoS attack. Whether that is being orchestrated by the attackers who originally blackmailed them or others, I couldn’t say.
The company has set up a defence fund, asking supporters to raise $50,000 to help it improve its infrastructure and fend off future attacks. So far, after 14 hours or so, it has raised in excess of $10,000.
Our ISP came under renewed DDoS attack this morning so we are offline again. We need your help to fight this: https://t.co/RnC8L99U0U
— ProtonMail (@ProtonMail) November 6, 2015
Never pay a ransom, full stop. Paying the criminals will just create an economy for these types of attacks and encourage more and more of them to come back for more.
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: –
"We invaded you last night – we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: –
"Though we know we should defeat you,
we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: —
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
Paying the ransom was a red-herring because the attack proved to be more than a script-kiddie, it was as they say "a state-sponsored actor". So what do you recommend about standing up to bullying states, Graham?
As for which state, look at their twitter feed. Hours before the attack they criticised Theresa May's daft new law in an unusually strident and political tweet by their standards. This has GCHQ's fingerprints all over it. Why not blog about that?
Why didn't they have DDOS protection in the first place? (I can't say that they didn't as I don't know, but I'm assuming not or that it was disabled).
There are plenty of companies out there like CloudFlare, Incapsula, Akamai who offer solutions. Do you have any suggestions on how to reduce or mitigate DDOS attacks Graham?
I disagree with them paying the ransom because: it encourages future breaches, may be used to fund other illegal activities and sets an unwelcome precedent. However if they had their hand forced by large clients then it's a case of cough up or go out of business.
The reason ProtonMail did not use third-party services like CloudFlare is probably their main selling point: privacy. Once there is a middle man between a ProtonMail user and the ProtonMail servers, they cannot necessarily ensure that the traffic between them will not be captured, decrypted or saved for later.
Gabor, my understanding with CloudFlare is that it inspects traffic prior to it hitting the destination.
You could argue that this means a third-party has IP data but that information on its own couldn't identify the ProtonMail end-user. As far as I know CloudFlare (or others) don't perform a MITM so once the connection to ProtonMail has been successful there's no way the DDOS protection service can compromise privacy.
I know Protonmail (in their blog post) bemoaned the high cost of some of these services but surely there are cheaper alternatives?
There are two types of anti-DDoS protection. Generally, those two types are called DNS and BGP/GRE.
DNS protection involves handing control of your DNS over to the anti-DDoS provider. The provider then sets their own DNS name servers as your resolver and delivers IP addresses for your servers based on the location of the incoming query. The anti-DDoS provider has thousands of servers at major network peering locations around the world. So, a UK client would get the anti-DDoS provider's UK server and a client in Singapore would get the Singapore server etc. That's how DNS based anti-DDoS services work. The thousands of servers either filter the traffic or deliver cached content, preventing the actual secret servers from getting overloaded or having the network that connects them get overloaded. In order to do this type of filtering with TLS, you need to have the encryption keys. So, this is where the man in the middle happens. CloudFlare primarily offers the DNS type although they also have a BGP/GRE offering that is being built out. If ProtonMail used CloudFlare's DNS based filtering, CloudFlare would be able to decrypt and modify the traffic between customers and ProtonMail. If they just decrypted the traffic, they would see PGP encrypted e-mail that they couldn't read. But, the problem is that they could also insert, under secret US (or other) Government compulsion, Javascript that would record or modify the decryption key for the PGP encrypted e-mails. Since all connections to ProtonMail's webserver are TLS based (encrypted w/ https://) CloudFlare could have provided little benefit unless they were given decryption capabilities. This problem is not unique to CloudFlare, but includes all DNS based filtering options.
BGP/GRE involves using routing information to cause all traffic to a site like ProtonMail to first pass through filtering servers before reaching its destination. BGP/GRE does not require the disclosure of secret keys for encrypted TLS sessions. The traffic is analyzed for validity at the filtering point and then "clean" traffic is routed back to the customer, ProtonMail in this case. The main issue with these services is their cost. Their cost is bandwidth dependent and can be as much as a few hundred thousand euros a year. BGP/GRE also requires tens of thousands in equipment and a network engineer on staff that typically makes over 100K.
Neither DNS nor BGP/GRE is guaranteed. Rutgers recently spent millions on DDoS prevention and was still knocked offline after getting everything set up and in place.
Finally, regarding them paying the blackmailers, hundreds of other companies had already been hit and had paid, including some of the best known in the country. So, ProtonMail's actions under pressure from their providers hardly had a role in creating an economy that already existed and was robustly active.
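To make the "analyzed for validity at the filtering point" step in the comment above concrete, here is an added example (not code from the commenter, ProtonMail, CloudFlare or any scrubbing vendor) of the simplest header-only filter a scrubbing centre can run: a per-source token bucket in Python. It decides on source address and timing alone, which is exactly why a BGP/GRE-style scrubber needs no TLS keys to do its job. The addresses, the rates and the 10-second capture are constructed for the example, and real scrubbers combine many more signals (SYN cookies, protocol sanity checks, source reputation) than this one heuristic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float     # arrival time in seconds
    src: str      # source IP: the only header field this filter decides on
    dst: str
    proto: str    # "TCP", "UDP" or "ICMP"; carried along, not inspected
    length: int   # bytes on the wire


class PerSourceBucket:
    """Token bucket keyed by source address: each source may send `rate`
    packets/second sustained, with bursts of up to `burst` packets."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)   # every new source starts full
        self.last_seen = {}

    def allow(self, src: str, ts: float) -> bool:
        last = self.last_seen.get(src, ts)
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens[src] = min(self.burst, self.tokens[src] + (ts - last) * self.rate)
        self.last_seen[src] = ts
        if self.tokens[src] >= 1:
            self.tokens[src] -= 1
            return True
        return False


def scrub(packets, rate=50.0, burst=100.0):
    """Pass or drop each packet in time order.
    Returns (clean packets to forward to the origin, per-source counters)."""
    bucket = PerSourceBucket(rate, burst)
    clean = []
    counters = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for p in sorted(packets, key=lambda p: p.ts):
        if bucket.allow(p.src, p.ts):
            clean.append(p)
            counters[p.src]["passed"] += 1
        else:
            counters[p.src]["dropped"] += 1
    return clean, dict(counters)


def sample_traffic():
    """Constructed 10-second capture (documentation-range addresses):
    one legitimate client and one flood source. Timestamps are exact binary
    fractions so the token arithmetic is reproducible."""
    pkts = []
    for i in range(20):          # legitimate client: 2 packets/s of HTTPS
        pkts.append(Packet(i * 0.5, "203.0.113.10", "198.51.100.5", "TCP", 600))
    for i in range(1280):        # flood source: 128 packets/s of UDP junk
        pkts.append(Packet(i / 128, "192.0.2.77", "198.51.100.5", "UDP", 1400))
    return pkts


def run_sample():
    """Run the filter over the constructed capture; returns the counters."""
    _clean, counters = scrub(sample_traffic())
    return counters


if __name__ == "__main__":
    for src, c in run_sample().items():
        print(f"{src:15} passed={c['passed']:4}  dropped={c['dropped']:4}")
```

With a sustained rate of 50 packets/s and a burst of 100, the legitimate client at 2 packets/s is never touched, while the 128 packets/s flood source gets its initial burst through and is then throttled to roughly the sustained rate (599 of 1280 packets pass, 681 are dropped). Nothing here looked inside a payload, so the same logic works on encrypted traffic; the price is that a distributed flood spread across thousands of low-rate sources, like the botnet scenario discussed later in the comments, slips under a per-source limit and needs other signals.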
I'm going to say something crazy…
I fully believe that crime shouldn't pay – paying ransoms is mentally illogical (http://www.imdb.com/title/tt0117438/) – this is not the crazy part.
The actual "actors behind the curtain" probably don't have a 100Gb pipe, or have even invested in any more than a solid connection or connections & their time & effort in compromising unwitting accomplices' computer systems (now bots, I guess).
The accomplices in the DDoS are, in part, responsible for the network abuse, even if they're not thought of while we talk about these sort of Internet-based crimes, but if there were fewer bots, the bot-nets would be less effective and maybe the rest of us would be a little safer.
The ISPs of these compromised hosts must also be partially culpable. Not many users' usage profiles are going to consist of mainly ICMP traffic, or whatever UDP amplification vulnerability is currently flavour-of-the-month.
I wonder, if there were fines payable by ISPs and end-user/subscribers, for "number of spams sent", or "amount of bandwidth used in DDoS attack", caused by carelessness, apathy, incompetence or ignorance – would there be fewer compromised systems for the black-hatted actors to use to do their dirty work? I'd like to think so.
Also, what about having a register of white-hatted actors, who could be the knights of the Internet super-highway and evangelize about and actually be the ones we pay cash to, for their help, advice and expertise in making sure that we have basic security in place on our devices and perhaps teach those who want to actually be tech-savvy, what OpSec is.
Discuss :)
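As an added example for the "usage profile" point in the comment above (added here, not the commenter's code), this Python classifier shows what an access ISP could run over exported flow records to find subscriber lines that look like DDoS participants: lines whose outbound traffic is dominated by ICMP, lines answering from well-known amplifier ports (an open reflector such as an NTP or SSDP service), and lines emitting packets whose source address lies outside the prefix assigned to them (spoofed requests aimed at amplifiers, which BCP 38 ingress filtering would have dropped at the edge). The flow records, the line-to-prefix mapping, the port list and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors/amplifiers. An outbound flow whose
# *source* port is one of these means the subscriber host is answering queries,
# i.e. it is being used as a reflector. Illustrative list, not exhaustive.
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp",
                   1900: "ssdp", 11211: "memcached"}


@dataclass
class Flow:
    line: str      # subscriber line the flow entered the ISP network on
    src: str
    dst: str
    proto: str     # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    bytes: int


def classify(flows, line_prefix, share=0.8, min_bytes=1_000_000):
    """Return {line: verdict} for every line that moved at least min_bytes.
    Verdicts: 'spoofed_source', 'icmp_flood', 'reflector' or 'ok'."""
    nets = {line: ipaddress.ip_network(p) for line, p in line_prefix.items()}
    stats = defaultdict(lambda: {"total": 0, "icmp": 0, "amp": 0, "spoofed": 0})
    for f in flows:
        s = stats[f.line]
        s["total"] += f.bytes
        if ipaddress.ip_address(f.src) not in nets[f.line]:
            s["spoofed"] += f.bytes      # source not in the line's prefix: BCP 38 violation
        if f.proto == "ICMP":
            s["icmp"] += f.bytes
        elif f.proto == "UDP" and f.sport in AMPLIFIER_PORTS:
            s["amp"] += f.bytes
    verdicts = {}
    for line, s in stats.items():
        if s["total"] < min_bytes:
            continue                     # too little traffic to judge
        if s["spoofed"] > 0:
            verdicts[line] = "spoofed_source"
        elif s["icmp"] / s["total"] >= share:
            verdicts[line] = "icmp_flood"
        elif s["amp"] / s["total"] >= share:
            verdicts[line] = "reflector"
        else:
            verdicts[line] = "ok"
    return verdicts


# Constructed mapping of subscriber lines to their assigned /29 (documentation ranges).
SAMPLE_PREFIXES = {"line-home1": "203.0.113.0/29", "line-bot1": "203.0.113.8/29",
                   "line-bot2": "203.0.113.16/29", "line-bot3": "203.0.113.24/29"}


def sample_flows():
    """Constructed flow export: one normal household and three abused hosts."""
    victim = "198.51.100.5"
    flows = [
        # ordinary home use: HTTPS, a DNS lookup, a couple of pings
        Flow("line-home1", "203.0.113.2", "192.0.2.10", "TCP", 51000, 443, 3_000_000),
        Flow("line-home1", "203.0.113.2", "192.0.2.53", "UDP", 40000, 53, 20_000),
        Flow("line-home1", "203.0.113.2", "192.0.2.10", "ICMP", 0, 0, 5_000),
        # bot blasting ICMP at the victim
        Flow("line-bot1", "203.0.113.10", victim, "ICMP", 0, 0, 50_000_000),
        Flow("line-bot1", "203.0.113.10", "192.0.2.10", "TCP", 51001, 443, 100_000),
        # open NTP server being used as a reflector: answers pour out of port 123
        Flow("line-bot2", "203.0.113.18", victim, "UDP", 123, 40000, 80_000_000),
    ]
    # bot sending spoofed NTP requests (source = victim) to 50 different servers
    for i in range(1, 51):
        flows.append(Flow("line-bot3", victim, f"192.0.2.{i}", "UDP", 40000, 123, 40_000))
    return flows


if __name__ == "__main__":
    for line, verdict in sorted(classify(sample_flows(), SAMPLE_PREFIXES).items()):
        print(f"{line:12} {verdict}")
```

The spoofed-source check is the cheapest and most decisive of the three: a subscriber line has no legitimate reason to emit packets from addresses it was never assigned, so an ISP can drop them at the access router rather than merely report them. The share-based checks are heuristics and the thresholds would need tuning against real traffic; a household running a legitimate public NTP or DNS server would look like a "reflector" here, which is why a verdict like that should trigger a notification rather than an automatic disconnect.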
According to Akamai, the attacks by the script kiddies who extorted ProtonMail peaked at 772 Mbps.
https://blogs.akamai.com/2015/11/operation-profile-armada-collective.html
It sounds like those script kiddies are using 1 dedicated server with 1 Gbps port to make floods.
It's strong enough to DDoS home connections and small servers, but a 1000x stronger attack is needed to shut down 3 data centers + 3 or more email providers at the same time.