Meetup, a popular social networking site for organizing group activities, said today that it spent the weekend fending off what it called a “massive attack” on its servers that caused the site to be unavailable to many users. The attackers attempted to extort the company by email to stop the attacks in exchange for a $300 payment.
Writing on the company’s blog, CEO Scott Heiferman described how the attack began on Thursday morning with an email saying that “a competitor asked me to perform a DDoS attack on your website.”
“Simultaneously, the attack began, our servers were overwhelmed with traffic, and our services went down,” Heiferman wrote.
The perpetrators launched what’s known as a distributed denial of service attack in which thousands of compromised computers are commanded to overwhelm a target a site by barraging it with so many requests for attention that the target is unable to respond to legitimate requests and thus becomes unavailable.
The initial attack left the site unavailable for about 24 hours, until engineers were able to install protection. A second attack that began Saturday knocked the site offline for another eight hours. A third attack launched on Sunday night has left the site offline, and as of 9 am PT today, it was still unavailable.
Meetup is an unusually high-profile target for this kind of DDoS extortion. And the amount demanded is weirdly low. Meetup is a large company that had raised about $19 million in venture capital funding since 2002, and which recently closed a venture round of an undisclosed amount. Obviously the issue wasn’t the 300 bucks, but the fact that giving in would likely lead to a larger demand. Heiferman explained:
We chose not to pay because:
1. We made a decision not to negotiate with criminals.
2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.
3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spread in the criminal world.
4. We were confident we can protect Meetup from this aggressive attack, even if it will take time.
These types of attacks are on the rise, both in the number of attacks carried out and in their severity. Prolexic, a division of the Internet infrastructure company Akamai that specializes in helping companies fight off DDoS attacks, said that the number of attacks overall rose by about one-third in 2013.
And the amount of traffic that attacks could direct at targeted sites reached as high as 179 gigabits per second. That peak is nearly four times the average traffic seen in DDoS attacks as recently as the first quarter of 2013. Basically the fire hoses of traffic that attackers are able to spray at their targets are getting ever more powerful.
Extortion attempts are on the rise, but you rarely hear about them. Last year, two Polish programmers were jailed after attempting to extort money from the owner of a U.K. casino and from a U.S. software company that has not been identified. The programmers demanded a 50 percent share of the profits from the casino company and threatened to knock it offline, which they did in an attack that lasted five hours. They were later arrested at London’s Heathrow airport after an executive of one of the targeted companies contacted police.
In another recent case, the creators of the game Wurm Online offered a 10,000-euro bounty for tips leading to the arrest of an attacker who launched a DDoS attack against it last month. The site was down for about two days and ultimately moved its servers to a new host.