ProtonMail Statement about the DDOS Attack

As many of you know, ProtonMail came under sustained DDOS attack starting on November 3rd, 2015. At the current moment, we are not under attack and have been able to restore services, but we may come under attack again.

We are currently working with solution providers to find a way to mitigate this attack, however, it is quite unprecedented in size and scope so unfortunately finding a working solution is not easy. Because of the sophistication of this attack, we will also need to resort to quite expensive solutions which will burden our finances. It is for this reason that we are also collecting donations for a ProtonMail defense fund.

Donate to the ProtonMail Defense Fund

ProtonMail was originally created to provide privacy to activists, journalists, whistleblowers, and other at risk groups, and we have many of those people in the ProtonMail community. Unfortunately, there are groups out there determined to oppose this which has led to this incident. However, we are confident that with your support, we can overcome this attack and come back stronger than ever, and continue to provide a place where online privacy is protected.

As we will detail below, this attack has grown beyond just ProtonMail and is a full fledged cyberattack. We have been working with the Swiss Governmental Computer Emergency Response Team (GovCERT), the Cybercrime Coordination Unit Switzerland (CYCO), as part of an ongoing criminal investigation being conducted here in Switzerland and with the assistance of Europol. After much consultation, we have decided to release details about the full extent of the attack on us so the broader security and privacy community can stay informed.

Slightly before midnight on November 3rd, 2015, we received a blackmail email from a group of criminals who have been responsible for a string of DDOS attacks which have happened across Switzerland in the past few weeks.

This threat was followed by a DDOS attack which took us offline for approximately 15 minutes. We did not receive the next attack until approximately 11AM the next morning. At this point, our datacenter and their upstream provider began to take steps to mitigate the attack. However, within the span of a few hours, the attacks began to take on an unprecedented level of sophistication.

At around 2PM, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.

At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.

Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us.

At present, ProtonMail’s infrastructure is still vulnerable to attacks of this magnitude, but we have a comprehensive long term solution which is already being implemented. Protecting against a highly sophisticated attack like the second one which was launched against us requires sophisticated solutions as we also need to protect our datacenter and upstream providers. Cost estimates for these solutions are around $100,000 per year since there are few service providers able to fight off an attack of this size and sophistication. These solutions are expensive and take time to implement, but they will be necessary because it is clear that online privacy has powerful opponents. In order to cover these costs, we are collecting donations for a ProtonMail defense fund, which can be found here:

Donate to the ProtonMail Defense Fund

We are fighting not just for privacy, but for the future of the internet. We would especially like to thank the thousands of users who offered their support and encouragement on Twitter and Facebook, we will never stop fighting for you. Over the next several weeks, we will begin putting in place the sophisticated protections that are necessary to withstand large scale attacks like this to ensure that online privacy can’t be taken down.

DDOS Update

DDOS Update

We’re sorry that we were unable to prevent this from happening and we are determined to get everyone access to their email as soon as possible.

On Tuesday November 3, 2015 ProtonMail was taken offline by an extremely powerful DDOS attack.

For people who don’t know what a DDOS attack is, here is a metaphor that best illustrates it:

Imagine yourself as a car on the freeway. You want to access ProtonMail, so you are driving to visit our site that’s located in Switzerland. Because the internet is amazing, it takes less than a second to arrive. During a DDOS attack, millions of fake cars join you on the freeway and cause a massive traffic jam. The result is that ProtonMail is unharmed and perfectly fine, but no one can visit because of the grid-lock.

The attackers began by flooding our IP addresses. That quickly expanded to the datacenter in Switzerland where we have our servers. In the process of attacking us, several other tech companies and even some banks were knocked offline temporarily.

Despite our best efforts, we have been unable to stop the attack but we are working non-stop to get back online.

Even though access is limited, an important thing to note is that our core end-to-end encryption holds strong and is 100% untouched. All user data is fine and safe.

To solve this problem we are working with the top companies and people both onsite in our Swiss data center and from around the world. We are confident we will be back online – we just wish it was sooner rather than later.

For the latest updates, Twitter is the best place to look.

If you or someone you know has experience with mitigating enterprise level DDOS attacks, we welcome your expertise. You can contact us via the following addresses:

Direct Access:
contact [at] protonstatus [dot] com (Recommended)

Andy Yen:
andyyen4 [at] yahoo [dot] com

Jason Stockman:
hello [at] jasonstockman [dot] com