On Sunday, 8 Nov 2015, at around 01:08 UTC, FastMail was hit by a DDoS attack that briefly made some services unavailable before we enabled mitigation strategies to block it. A further attack followed on Monday, 9 Nov 2015 at around 00:34 UTC. These attacks were accompanied by an extortion demand that threatened further attacks this week if we did not pay the attacker 20 Bitcoin (approximately US$7500).
First of all, we would like to make one thing clear. We do not respond to extortion attempts, and we will not pay these criminals under any circumstances. We have dealt with DDoS attacks before, and have recently been strengthening our defences to deal with such issues. However, there is still a chance that the attacks will cause some disruption for our users, so we are publishing this as an advance warning and to give as much information as we can on what to expect.
A Distributed Denial of Service attack is where a criminal uses a large number of computers, “distributed" all over the world, to flood a particular site with requests. If they can send enough requests to use up the target’s resources, legitimate users are unable to get through and the site appears to be down.
Please note, even in the event of a successful attack, this does not lead to your data being compromised or any mail being lost. It is like being unable to get to your post box because a huge crowd has formed around the front door of the post office. The mail is still safe inside and any new mail will be delivered once the crowd has gone.
Over the last week, several email providers, including Runbox, Zoho, Hushmail and ProtonMail have been hit by large scale DDoS attacks, accompanied by an extortion demand from the attacker to stop. The goal of the attacker is clearly to extort money in the hope that the services will not be prepared to deal with the disruption. With one exception where ProtonMail paid the criminals and was still attacked, we do not believe the extortion attempts have been successful, and we fully intend to stand up to such criminal behaviour ourselves.
Primarily we are working with our data centres and upstream network providers to enable strong controls at every stage of the network to ensure attacks are blocked and legitimate traffic will continue to get through. We also have preparations in place for mitigating various other DDoS scenarios, and are ready to adapt to whatever form of attack might come through.
We have also notified CERT (Cyber Emergency Response Team), the Australian federal agency for dealing with cyber attacks, and we are working with relevant Australian and international law enforcement to provide them with details of the attack.
Primarily we appreciate your patience and understanding should we experience service disruptions this week. We respect that you pay us to deliver a rock solid service and we will do our utmost to do just that. In the event of any service disruption, we will be providing full details of our current status on our Twitter feed and status site.