ProtonMail DDoS Attack – Sustained & Sophisticated

Use Netsparker


So the ProtonMail DDoS Attack – if you’re not familiar ProtonMail is an secure, free, encrypted e-mail service that promises absolutely no compromises. It’s been getting hit hard since November 3rd, with a large scale rather sophisticated set of DDoS attacks rendering it unable to receive or send e-mail.

ProtonMail DDoS Attack - Sustained & Sophisticated

It seems to have mitigated the bulk of attack, but is still going up and down. In a way it’s a good thing tho, it’s improved the reputation of ProtonMail and shows that it’s fairly likely their system is very secure, if it wasn’t breached.

Sustained DDoS attacks are the domain of frustrated people who can’t get into a site/service any other way – so they make it inaccessible. Remember security is a triangle of confidentiality, integrity and availability. If you can’t breach the confidentiality or integrity, go after the availability.

ProtonMail has announced that it has successfully mitigated the DDoS attacks which had hobbled it since last week, while also confirming security systems had not been breached.

The encrypted email service was still being hit as of yesterday, after paying a Bitcoin ransom to one of the two DDoS attackers (the smaller, seemingly less powerful one), known as the Armada Collective, largely due to pressure from other affected companies.

The Swiss Government’s CERT (Computer Emergency Response Team) has today published a notice discouraging the payment of ransoms to DDoS attackers.

ProtonMail stated that it is “happy to announce … that after several days of intense work, we have largely mitigated the DDoS attacks against us.”

“These attacks took ProtonMail offline making it impossible to access emails, but did not breach our security,” according to a statement sent to The Register.

The attacks against the company have continued, but due to “the valiant efforts” of ProtonMail partners, IP-Max and Radware, they “are no longer capable of knocking ProtonMail offline for extended periods of time.”

“As our infrastructure recovers over the next several days, there may still be intermittent service interruptions, but we have now largely restored all services.”

The DDoS targeting ProtonMail was extremely sophisticated, according to the company, which prides itself on offering a means of secure communication to “activists, dissidents, and journalists”.


There’s been a a fair bit of confusion too, with ProtonMail claiming there’s two attackers, one of which they’ve paid a ransom to. Their is a lot of collateral damage from this attack, as with any fairly sustained, heavyweight DDoS attack – it attacks anyone remotely near the victim (in the context of network infrastructure).

Those companies in the same datacenter would be down too, as the DDoS moves up the network chain to the ISP, the upstream Tier 2 provider and beyond. Depending how big it is – it can even impact an entire country or in the worse case scenario, the whole Internet.

It was “the largest and most extensive cyberattack in Switzerland,” according to ProtonMail, “with hundreds of other companies also hit as collateral damage”. The attack also completely took down the the data centre housing ProtonMail’s servers and even affected “several upstream ISPs, causing serious damage”.

Referencing the 300Gbps DDoS attack against Spamhaus in 2013, Herberger stated “basically, we have the attackers trying all possibilities to get to a DDoS situation”.

Asked about attribution, Herberger suggested the resources necessary for such a sizeable, varied, and persistent attack could indicate a nation state.

“It’s interesting,” he told The Register. “The conjecture around here is that a ‘truly’ secure email service is more likely to receive these kind of attacks” as it is the only way of preventing these “dark” communications, he added.

ProtonMail has stated that the attack set back its development timeline, and announced that it would no longer be releasing ProtonMail 3.0 at the end of November.

The Register understands that the attack was exceptionally aggressive, with ProtonMail previously stating that there were two stages (and two attackers) that had provoked the company’s woes.

With this kind of fire-power, it could definitely be a nation state attack. Briefly before the attack started, ProtonMail publicly critiquing the UK policies regarding encryption.

That’s a pretty far fetched conspiracy theory, but there’s a lot of stuff going around, especially with other encrypted e-mail providers and TOR exit nodes suffering DDoS attacks.

ProtonMail managed to raise over $50,000USD from a crowd-sourced campaign to help them mitigate the DDoS attack, so they seem to be ok for the moment.

You can keep up with the latest ProtonMail updates here:

Blog: ProtonMail Blog
Announcements: ProtonMail WordPress
Twitter: @ProtonMail

Source: The Register

Posted in: Cryptography, Networking Hacking, Privacy

, ,


Latest Posts:


CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.
MyEtherWallet DNS Hack Causes 17 Million USD User Loss MyEtherWallet DNS Hack Causes 17 Million USD User Loss
Big news in the crypto scene this week was that the MyEtherWallet DNS Hack that occured managed to collect about $17 Million USD worth of Ethereum in just a few hours.


Comments are closed.