Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Communications Cloud Crime Networking Privacy Security The Internet

Webmail Services Struggling Against DDoS Attacks (fastmail.com) 90

An anonymous reader writes: A few days ago, privacy-oriented webmail service ProtonMail was hit by a massive DDoS attack, which was accompanied by extortion. It turns out they're not the only ones. FastMail has warned that similar attacks could lead to service disruptions this week. They have refused extortion demands, and have been hit with a couple brief attacks already. This follows attacks over the last week on Runbox, Zoho, and Hushmail. Each service has been working with data centers and network providers to mitigate the attacks as well as possible, but they're still struggling with intermittent service disruptions.
This discussion has been archived. No new comments can be posted.

Webmail Services Struggling Against DDoS Attacks

Comments Filter:
  • by Anonymous Coward
    They should have used WWindowS instead.
  • by Anonymous Coward on Wednesday November 11, 2015 @12:25PM (#50908843)

    Sometimes I wonder if the owners of botnet clients should be held financially responsible. For example, if someone steals a company semi and runs over people, said company will have lawsuits aplenty against it. Wonder if it should be that way with people who by negligence let their machines be part of a botnet.

    • More like, the companies who wrote the OS should be responsible.

      • by ShanghaiBill ( 739463 ) on Wednesday November 11, 2015 @12:39PM (#50908947)

        More like, the companies who wrote the OS should be responsible.

        No. Botnets run mostly on deprecated and unpatched systems with known security holes. That is not the fault of the OS vendors. If software vendors are held liable for the stupidity of their users, then software will become far more expensive, and FOSS will disappear completely.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          The equivalent is not maintaining the brakes on a car. This happens, and a car goes out of control, it isn't VW that gets sued; it is the driver/operator.

          Same with Internet connected devices. It is the responsibility of the owner to determine if a device is fit to connect, and if not, to disconnect it.

          Right now, people don't care (they are just another snowflake in the avalanche), but if the responsibility shifts to the origin of the traffic (like it originally belonged to, way back when), PFSense with Sn

        • by Anonymous Coward

          That will turn the internet into "cable TV" with dumb terminals connected to a few big content providers in the blink of an eye.

    • As the other reply said, the OS is responsible. Go after them. The computer is still a black box, the user has no idea what goes on inside. All they know is that if they let any smoke leak out, the machine is cooked. Like all other crimes you need to find the perpetrator. Don't fuck with those caught in the crossfire.

      • by KGIII ( 973947 )

        Then maybe, just maybe, they shouldn't own a computer. I know, I know... It's a horrible thought that people would be better served by knowing how to properly use the tools they own.

      • But the user is responsible for it. Like a car owner is responsible for their car. Users don't *have* to understand either of those things to own and use one, but they're still responsible.
    • by ArmoredDragon ( 3450605 ) on Wednesday November 11, 2015 @12:42PM (#50908969)

      I myself advocate an approach that identified zombie systems simply have their internet service shut off. We've been able to pretty cleanly identify which IP addresses are the source of these attacks, why not have legislation requiring that they simply lose their internet access until they fix it? Kind of like the ham radio days where you're held accountable for your activities when transmitting to the public.

      Take it a step further and establish a treaty body that requires each signing nation set up the same laws for their ISPs, in addition to a trade organization that enforces these rules.

      That would put a stop to this real fast. Either way something has to be done because this is going to get out of control real fast as even more people get high speed broadband and have no idea what the fuck they're doing with their equipment.

      • You really don't understand this shit, do you?

        The goddam botnets are smart enough to change IP addresses at random, and often.

        It's Whack-a-Mole.

        • by myowntrueself ( 607117 ) on Wednesday November 11, 2015 @01:05PM (#50909127)

          You really don't understand this shit, do you?

          The goddam botnets are smart enough to change IP addresses at random, and often.

          It's Whack-a-Mole.

          Theres even another level of indirection; in reflection attacks you, the recipient of the attack, gets to see the IP addresses of the machines used as reflectors. You don't get to see the IP addresses of the machines used to trigger those reflections. Only the people hosting the reflector get to see the these.

          • Well first see my post here:

            http://slashdot.org/comments.p... [slashdot.org]

            And in addition to that, anybody who owns something that is being used as a reflector could be required to fix it (i.e. an open relay needs to add authentication) and in the case of passive services that can be used as reflectors (such as DNS) they can keep logs of what IP addresses are obviously using them as a DDoS reflector and report them to a proper authority.

        • by Anonymous Coward

          Oh, the botnet endpoints are smart enough to change the IP address assigned to the endpoint? Hrmm, how are they doing that on your typical user TWC or COX internet connection? Oh wait they aren't. You THINK they are because they just use different botnets for different attacks, or only utilize a % of the zombie PCs in their botnet.

          Having the ISP cut the user off is a valid solution, or at the least, drop it to 56k speeds. You stop the zombies from attacking, you stop the DDoS.

          • Centurylink - a company with plenty of reasons to hate it - will restrict internet access from machines deemed to be running malware until you talk to them and fix it.
          • by KGIII ( 973947 )

            I've been saying this for years. If you're exhibiting signs of malicious activity that indicates an infection then you get firewalled from the 'net in general but have access to the tools to repair it.

        • by ArmoredDragon ( 3450605 ) on Wednesday November 11, 2015 @01:14PM (#50909209)

          Actually with that statement, I think you fundamentally misunderstand how a botnet works. They have multiple compromised hosts under their control, each of which potentially has a unique IP address. So yeah, you'll likely see the IP address appear to change even though it's the same actor behind the action.

          In most cases, the botnet operator doesn't have the ability to change the IP address of each individual host, because they don't have the ability to change the WAN MAC address (which is required to get your ISP to issue you a new DHCP lease.) Even in the cases where they do (such as a compromised NAT router) there's still the matter of the WAN device itself doing sticky MAC configuration and only allowing one MAC address to access the WAN (which is almost universal among DOCSIS cable providers, DSL providers, and even fiber providers in order to conserve their limited IPv4 address pool.) In the case where they can change the WAN mac address, they don't typically have the ability to clear the old MAC first (which in the more permissive WAN bridges requires a power cycle, i.e. rebooting a cable modem. Motorola cable modems can via a web query to, but other than that most modems don't support this.)

          But let's say conditions are absolutely perfect, and they can change the MAC address at will and thus change their IP address, there's another problem: Virtually all ISPs keep logs of which account has a lease to which IP address at what time.

          Which means that even in the worst of cases, you can still identify what account has been participating in a DDoS, and that account could be suspended as per appropriate legislation, until they remove and/or correct any compromised systems.

        • You're talking past each other. To draw a car analogy, let's pretend that the streets around a particular business are getting clogged up by unlicensed teens borrowing their parent's cars to go joyriding. The previous poster is suggesting that we tell those parents that they're not allowed to drive on the road until they take steps to prevent their kids from using their cars illegally. I.e. We put the onus on the owners of the cars to properly secure their vehicle before we let them use a shared resource. Y

          • by ArmoredDragon ( 3450605 ) on Wednesday November 11, 2015 @01:36PM (#50909375)

            I wouldn't advocate a requirement to install antivirus software. Something like a 48 hour notice first, followed by 48 hour suspension. If after your service is restored and the problem isn't resolved, then you've got 24 hours to resolve, and if not resolved, the suspension time doubles to 96 hours. Something like keep doubling the suspension period until resolution. The long suspension wouldn't reset to 48 hours until about 6 months of no indication of botnet activity.

            As for countries that wouldn't sign on to the treaty, you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week, and there is no warning period. Some of the ISP's customers might get upset really fast if they find that half of the internet doesn't even work most of the time, and let them sort out among themselves how they fix it.

            • you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week

              Isn't that what the widely hated Stop Online Piracy Act (SOPA) and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property (PROTECTIP) bills threatened to do?

              • The difference would be that, in the case of SOPA, just any random person could upload so much as a picture, and whether it belonged to the MPAA or not they could demand the site be shut down without any kind of evidence.

                However with what I'm proposing, there would have to be a pattern of deliberate attack. That is, you don't have a robot crawling websites looking for words like "Happy Gilmore" and then immediately issuing a DMCA takedown. Rather it would have to be a pattern of abuse (and you can establish

          • by tepples ( 727027 )

            A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network

            Is this malware scan available for OS X and major GNU/Linux distributions? Or does it work correctly in Wine? Or are students required to buy a copy of Genuine Windows® for each Mac or Linux laptop, reboot into Windows in order to connect to the Internet, replace iPad and Android tablets with Surface tablets, and leave the phones on cellular data?

            • It was back in the early 2000s. At the time, their policy only required Windows machines to do the scan. Macs and Linux didn't have to.

              Again, I'm not suggesting it was or is a good policy, nor that it's something to model national policy after. I was merely pointing out that there is precedent for similar sorts of policies at a smaller scale.

          • A tighter car analogy would have considered a place where people can drive without license, car vendors increasingly hide technical details such as control lights and rev counters, and it is generally considered unfeasible for drivers to be their own security managers.

      • And how do they stop it if they don't have Internet access to download the latest patches? What if there are no patches?

        • Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch, and have your WAN edge configured as stateful and drop all unsolicited packets, which is easy to do with most SOHO gear. Don't know how to do that? Well then you should probably either learn how or hire somebody. Either way, that's better than a fine.

          • by tepples ( 727027 )

            Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch

            How would you download the image with which to "rebuild from scratch" and download patches released since the image was created without Internet access?

            • The image is already onsite, on removable media.

              If not. Oh well. What kind of crapware OS were you running, again?

              • and download patches released since the image was created

                The image is already onsite, on removable media.

                The copy on removable media is more than likely not yet patched up to today. Or do you make a new install image every month with all updates slipstreamed in?

                • The vast majority of the time somebody runs a compromised system these days, flaws in the host OS weren't the attack vector used. It's typically somebody downloading "free app that you must try now" or going to bad sites that have a flash or java exploit.

                  Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows, or any recent Linux distribution, you aren't going to get an infected system just for having it on the network.

                  • Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows

                    I seem to remember that Windows XP RTM was vulnerable because it connected to the network before its firewall was up. This meant a PC could get remotely compromised before it could finish downloading updates, even if it ran no applications other than Windows Update. The workaround was to purchase and install an external firewall appliance. Do more recent versions of Windows have an analogous vulnerability that would require someone to have to burn an install disc with a slipstreamed service pack in order to

                    • Vanilla Windows XP had a firewall, but IIRC it was off by default and was borderline useless. Microsoft didn't change that until SP2.

        • And how do they stop it if they don't have Internet access to download the latest patches?

          Devices not yet cleared for Internet access would have access to hosts other than the ones used for update services blocked. Better yet, the ISP could run a mirror of Apple Software Update, Windows Update, and Ubuntu trusty-security and wily-security.

          What if there are no patches?

          If patches do not exist because the operating system has reached its date of end of support, it is the subscriber's responsibility to purchase an upgrade to customer-provided equipment. If patches do not exist because the defect is still 0-day, I don't know. If

          • I wouldn't even concern with 0-day. Use a stateful firewall to block all unsolicited packets, use a modern web browser, disable all NPAPI plugins. Only do otherwise if you know what you're doing, because its your problem if you get blocked again.

            If something is still exploited even after that (like say a brand new copy of Insecure Explorer 2.1 has zero day in its jpeg rendering library) then the ISPs should allow a grace period until that gets patched.

          • I was actually thinking of limiting access to certain sites but the original proposal was to just cut off all access and I was trying to make a point. While an ISP may consider hosting a mirror of updates for Apple or Microsoft (assuming they would go for it) I don't know if they would be interested in doing it for Linux and similar OS's. I've been out of the Linux environment for a while now so I don't know how fragmented it is or has it narrowed down to one or two distributions?

            The other problem is what

  • by Sir_Eptishous ( 873977 ) on Wednesday November 11, 2015 @12:27PM (#50908863) Homepage
    Will this push the privacy oriented webmail providers further to the margins and create a landscape where only the big players such as Google and Microsoft can survive?
    • You forgot to mention Facebook, since that's email for more people than the aliases and multiple accounts served by Google and Microsoft. What we need is a truly decentralized communication system.
    • So, Google and Microsoft are behind this? Not that I would really be surprised, but I kinda doubt it, if only to avoid being tagged as a "theorist".

      • No, I didn't infer that. What I'm getting at is their infrastructure, and others, such as Facebook, can easily deflect and withstand attacks like these.
        Smaller webmail providers can't.
  • NSA (Score:3, Insightful)

    by Anonymous Coward on Wednesday November 11, 2015 @12:28PM (#50908869)

    Sounds like the NSA is hard at work trying to stomp out anyone who thinks they can evade surveillance.

  • You should always call any bluff of DDOS extortion. These botnets aren't free and cost money to get time on them. You might feel a little pain, but better than giving in to demands.

    Better yet, use Cloudflare or subscribe to Spamhaus to preemptively deny traffic.

    • by alex67500 ( 1609333 ) on Wednesday November 11, 2015 @12:39PM (#50908951)

      Denying traffic takes computing time too, if the attacks are as massive as the TFS suggests, any device used to filter the incoming requests would soon be overwhelmed and the service would be down anyway...

    • by Anonymous Coward

      If this is a government attack then most likely money is no object.

      The extortion demand isn't necessarily aimed at making a profit, it could be intended to further harm the targets' ability to continue doing business.

    • Botnets that aren't free and cost money to get time on are botnets that thus need to have a traceable revenue stream. Clearly more can be done to exterminate the people running the botnets, or at least make it hard to pay for the medical care they need after nearly exterminating them.

      It's organized crime, and there are government agencies tasked with dealing with organized crime.

    • by Bronster ( 13157 )

      Cloudflare only helps with web.

      Spamhaus - lovely, but the traffic is already coming down your uplink by then - we were already firewalling it all, doesn't help.

      (FastMail Ops btw)

      But we have a solution in place now, so we're in a lot nicer place than we were on Sunday when we were first hit.

  • Givernment attacks? (Score:5, Interesting)

    by wardrich86 ( 4092007 ) on Wednesday November 11, 2015 @12:30PM (#50908887)
    Judging by the systems being hit, I can't help but wonder if the attacks are being done by a government agency.
    • by Ralph Wiggam ( 22354 ) on Wednesday November 11, 2015 @01:13PM (#50909201) Homepage

      ProtonMail suspects a "state actor" but has zero evidence to support that. It makes no sense for a government to just DDOS a mail service. Governments would hack into the servers.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Governments would hack into the servers.

        Unless they couldn't. Then they would want to "discourage" people from using the service. Governments aren't all-powerful (yet).

        • by cdrudge ( 68377 )

          Then they raid/confiscate with a FISA warrant.

          • by Anonymous Coward

            It's a legal service in a foreign country. They can't. What they can do is leverage one of the bot-nets they may have taken over, to try and destroy the service. Everything about this reeks NSA and GHCQ.

        • In my eyes, this is great advertising for Protonmail. If someone that powerful couldn't hack or social-engineer their way into their server, it speaks volume about the quality of their security.
          • Maybe they instituted amazing security recently. But they got hacked last year.


  • by Anonymous Coward

    This service has always been a joke. First off, they've been hacked multiple times, executing JS inside emails. It's ran by incompetent people, and you cannot secure these types of services from a faked signed SSL cert and injected JS to send off your unencrypted email contents the second they're displayed. Protonmail is the ILLUSION of security, the world is better off without it.

  • That way, we'd see less spam...
    • by Anonymous Coward

      Relative infrastructure. The same DDoS that cripples ProtonMail would be a small percentage change in normal gmail traffic, even less noteworthy if it was not fired off during a peak usage time.

  • by Anonymous Coward

    Big centralized services are vulnerable to these kinds of attacks.

    Perhaps if the service were distributed over tens of thousands of nodes in thousands of data centers, it would be more difficult to perform the attack.

    Anybody can hire a botnet to flood one data center. Can they flood every data center on the entire Internet at the same time?

  • Is there anyway to solve DDOS attacks for good? Would a more robust DNS system work? Say one that dynamically assigns multiple IPs and rotates them with a frequency based on load?
    • Botnets must be addressed anything else is just spitting in the wind.
  • by Anonymous Coward

    on the part of the provider's ISP. It would be easy to learn which are the offending IP addresses and simply blackhole them at the router level. The the provider's ISP is too small to effect much of a change, the supplying ISP could easily do this. When I worked firewall and router security for the largest ISP in the US, we simply bllackholed the IP and, in some instances, entire class Cs and in a few instances, a class B coming out of Korea because the ISP wouldn't listen to reason. When enough of their cu

    • by jonwil ( 467024 )

      Except when its a distributed attack and its comming from infected machines belonging to clueless users all over the world its not possible to black hole all the traffic...

  • Has anyone done a recent analysis of where these machines are, and what version of Windows they are running? XP use is finally fading, and I have seen a surprising number of home PCs successfully upgraded from Windows 7 or 8 to Windows 10.
    I would not expect a malware infection to survive the update.
    So are the number of bots in the network declining?

%DCL-MEM-BAD, bad memory VMS-F-PDGERS, pudding between the ears