ProtonMail DDoS Attack – Sustained & Sophisticated

Outsmart Malicious Hackers


So the ProtonMail DDoS Attack – if you’re not familiar ProtonMail is an secure, free, encrypted e-mail service that promises absolutely no compromises. It’s been getting hit hard since November 3rd, with a large scale rather sophisticated set of DDoS attacks rendering it unable to receive or send e-mail.

ProtonMail DDoS Attack - Sustained & Sophisticated

It seems to have mitigated the bulk of attack, but is still going up and down. In a way it’s a good thing tho, it’s improved the reputation of ProtonMail and shows that it’s fairly likely their system is very secure, if it wasn’t breached.

Sustained DDoS attacks are the domain of frustrated people who can’t get into a site/service any other way – so they make it inaccessible. Remember security is a triangle of confidentiality, integrity and availability. If you can’t breach the confidentiality or integrity, go after the availability.

ProtonMail has announced that it has successfully mitigated the DDoS attacks which had hobbled it since last week, while also confirming security systems had not been breached.

The encrypted email service was still being hit as of yesterday, after paying a Bitcoin ransom to one of the two DDoS attackers (the smaller, seemingly less powerful one), known as the Armada Collective, largely due to pressure from other affected companies.

The Swiss Government’s CERT (Computer Emergency Response Team) has today published a notice discouraging the payment of ransoms to DDoS attackers.

ProtonMail stated that it is “happy to announce … that after several days of intense work, we have largely mitigated the DDoS attacks against us.”

“These attacks took ProtonMail offline making it impossible to access emails, but did not breach our security,” according to a statement sent to The Register.

The attacks against the company have continued, but due to “the valiant efforts” of ProtonMail partners, IP-Max and Radware, they “are no longer capable of knocking ProtonMail offline for extended periods of time.”

“As our infrastructure recovers over the next several days, there may still be intermittent service interruptions, but we have now largely restored all services.”

The DDoS targeting ProtonMail was extremely sophisticated, according to the company, which prides itself on offering a means of secure communication to “activists, dissidents, and journalists”.


There’s been a a fair bit of confusion too, with ProtonMail claiming there’s two attackers, one of which they’ve paid a ransom to. Their is a lot of collateral damage from this attack, as with any fairly sustained, heavyweight DDoS attack – it attacks anyone remotely near the victim (in the context of network infrastructure).

Those companies in the same datacenter would be down too, as the DDoS moves up the network chain to the ISP, the upstream Tier 2 provider and beyond. Depending how big it is – it can even impact an entire country or in the worse case scenario, the whole Internet.

It was “the largest and most extensive cyberattack in Switzerland,” according to ProtonMail, “with hundreds of other companies also hit as collateral damage”. The attack also completely took down the the data centre housing ProtonMail’s servers and even affected “several upstream ISPs, causing serious damage”.

Referencing the 300Gbps DDoS attack against Spamhaus in 2013, Herberger stated “basically, we have the attackers trying all possibilities to get to a DDoS situation”.

Asked about attribution, Herberger suggested the resources necessary for such a sizeable, varied, and persistent attack could indicate a nation state.

“It’s interesting,” he told The Register. “The conjecture around here is that a ‘truly’ secure email service is more likely to receive these kind of attacks” as it is the only way of preventing these “dark” communications, he added.

ProtonMail has stated that the attack set back its development timeline, and announced that it would no longer be releasing ProtonMail 3.0 at the end of November.

The Register understands that the attack was exceptionally aggressive, with ProtonMail previously stating that there were two stages (and two attackers) that had provoked the company’s woes.

With this kind of fire-power, it could definitely be a nation state attack. Briefly before the attack started, ProtonMail publicly critiquing the UK policies regarding encryption.

That’s a pretty far fetched conspiracy theory, but there’s a lot of stuff going around, especially with other encrypted e-mail providers and TOR exit nodes suffering DDoS attacks.

ProtonMail managed to raise over $50,000USD from a crowd-sourced campaign to help them mitigate the DDoS attack, so they seem to be ok for the moment.

You can keep up with the latest ProtonMail updates here:

Blog: ProtonMail Blog
Announcements: ProtonMail WordPress
Twitter: @ProtonMail

Source: The Register

Learn about Cryptography



Posted in: Cryptography, Networking Hacking, Privacy

, ,

Latest Posts:


AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.
Time Warner Hacked - AWS Config Exposes 4M Subscribers Time Warner Hacked – AWS Config Exposes 4M Subscribers
What's the latest on the web, Time Warner Hacked is what it's about now as a bad AWS S3 config (once again) exposes the details of approximately 4M subs.


Comments are closed.