ProtonMail DDoS Attack – Sustained & Sophisticated

Keep on Guard!


So the ProtonMail DDoS Attack – if you’re not familiar ProtonMail is an secure, free, encrypted e-mail service that promises absolutely no compromises. It’s been getting hit hard since November 3rd, with a large scale rather sophisticated set of DDoS attacks rendering it unable to receive or send e-mail.

ProtonMail DDoS Attack - Sustained & Sophisticated

It seems to have mitigated the bulk of attack, but is still going up and down. In a way it’s a good thing tho, it’s improved the reputation of ProtonMail and shows that it’s fairly likely their system is very secure, if it wasn’t breached.

Sustained DDoS attacks are the domain of frustrated people who can’t get into a site/service any other way – so they make it inaccessible. Remember security is a triangle of confidentiality, integrity and availability. If you can’t breach the confidentiality or integrity, go after the availability.

ProtonMail has announced that it has successfully mitigated the DDoS attacks which had hobbled it since last week, while also confirming security systems had not been breached.

The encrypted email service was still being hit as of yesterday, after paying a Bitcoin ransom to one of the two DDoS attackers (the smaller, seemingly less powerful one), known as the Armada Collective, largely due to pressure from other affected companies.

The Swiss Government’s CERT (Computer Emergency Response Team) has today published a notice discouraging the payment of ransoms to DDoS attackers.

ProtonMail stated that it is “happy to announce … that after several days of intense work, we have largely mitigated the DDoS attacks against us.”

“These attacks took ProtonMail offline making it impossible to access emails, but did not breach our security,” according to a statement sent to The Register.

The attacks against the company have continued, but due to “the valiant efforts” of ProtonMail partners, IP-Max and Radware, they “are no longer capable of knocking ProtonMail offline for extended periods of time.”

“As our infrastructure recovers over the next several days, there may still be intermittent service interruptions, but we have now largely restored all services.”

The DDoS targeting ProtonMail was extremely sophisticated, according to the company, which prides itself on offering a means of secure communication to “activists, dissidents, and journalists”.


There’s been a a fair bit of confusion too, with ProtonMail claiming there’s two attackers, one of which they’ve paid a ransom to. Their is a lot of collateral damage from this attack, as with any fairly sustained, heavyweight DDoS attack – it attacks anyone remotely near the victim (in the context of network infrastructure).

Those companies in the same datacenter would be down too, as the DDoS moves up the network chain to the ISP, the upstream Tier 2 provider and beyond. Depending how big it is – it can even impact an entire country or in the worse case scenario, the whole Internet.

It was “the largest and most extensive cyberattack in Switzerland,” according to ProtonMail, “with hundreds of other companies also hit as collateral damage”. The attack also completely took down the the data centre housing ProtonMail’s servers and even affected “several upstream ISPs, causing serious damage”.

Referencing the 300Gbps DDoS attack against Spamhaus in 2013, Herberger stated “basically, we have the attackers trying all possibilities to get to a DDoS situation”.

Asked about attribution, Herberger suggested the resources necessary for such a sizeable, varied, and persistent attack could indicate a nation state.

“It’s interesting,” he told The Register. “The conjecture around here is that a ‘truly’ secure email service is more likely to receive these kind of attacks” as it is the only way of preventing these “dark” communications, he added.

ProtonMail has stated that the attack set back its development timeline, and announced that it would no longer be releasing ProtonMail 3.0 at the end of November.

The Register understands that the attack was exceptionally aggressive, with ProtonMail previously stating that there were two stages (and two attackers) that had provoked the company’s woes.

With this kind of fire-power, it could definitely be a nation state attack. Briefly before the attack started, ProtonMail publicly critiquing the UK policies regarding encryption.

That’s a pretty far fetched conspiracy theory, but there’s a lot of stuff going around, especially with other encrypted e-mail providers and TOR exit nodes suffering DDoS attacks.

ProtonMail managed to raise over $50,000USD from a crowd-sourced campaign to help them mitigate the DDoS attack, so they seem to be ok for the moment.

You can keep up with the latest ProtonMail updates here:

Blog: ProtonMail Blog
Announcements: ProtonMail WordPress
Twitter: @ProtonMail

Source: The Register

Posted in: Cryptography, Networking Hacking, Privacy

, ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Comments are closed.