This past Thursday at 10:26AM, Meetup CEO Heiferman got a strange email. "A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer." Before Heiferman could finish reading the email, the site came under attack, swamped by an 8.2 gigabit flood that took it down almost immediately. It took 24 hours to bring the site back online, and it didn't stay online for long. The site came up Friday morning, only to go down again Saturday afternoon. It came back Saturday at midnight, then went down again Sunday night. As of press time, they were still struggling to keep it live.
It's a strange setup, but not as strange as you might think. Experts say Meetup's horrible weekend is a textbook DDoS extortion attempt, from the absurdly low payoff demand to the half-hearted reference to third-party attackers. Since sites aren't usually eager to discuss the extortion attempts behind their occasional downtime, the tactic has remained a fairly secretive one, but this time, Meetup was willing to break the silence. "We don't know why they chose us," CTO Gary Burns said, "except that we're a large platform that people all over the world use every day, and that makes us a target."
But stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says such extortion attacks are most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection. And once the attack starts, it usually comes in force. "The attacks that are extortion-based tend to be the largest attacks that you see, almost bar none," Prince says.
This round of attacks may be particularly strong because of a recently adopted tactic that abuses the Network Time Protocol, the protocol computers use to keep their internal clocks in sync. By sending an NTP request — the equivalent of asking what time it is — an attacker can ask a short question and get a long answer, which is a useful way of amplifying traffic. And if the attacker spoofs the source IP address of the request, the long answer is delivered to the targeted server instead. Put together, this can amplify an attack to hundreds of times its initial scale. Operators are gradually patching NTP servers so they no longer answer these queries, but progress has been slow, and the result is a powerful weapon left in the hands of whoever wants to pick it up.
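The mechanics above suggest what the victim side of such an attack looks like on the wire: a large volume of NTP responses (UDP source port 123) arriving at one host that never sent a matching request, each response far larger than a normal time query. The following script is an added example, not code from the article or from Meetup or Cloudflare. It parses a handful of constructed flow records (the line format, the IP addresses and the byte counts are all made up for illustration), discards NTP responses that a local host actually asked for, and reports destinations that receive unsolicited NTP traffic along with a rough amplification estimate. The 90-byte figure for an ordinary request is an assumption used only for that estimate.

```python
"""Flag unsolicited, oversized NTP responses in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
# Assumed on-the-wire size of an ordinary NTP client request (IP and UDP
# headers plus a 48-byte NTP packet). Only used to estimate amplification.
TYPICAL_REQUEST_BYTES = 90


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: 'proto src:port > dst:port packets bytes'."""
    proto, src, _, dst, packets, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto, int(packets), int(nbytes))


# Constructed sample records: one legitimate query/response pair, two NTP
# servers flooding a host that never asked them anything, and unrelated TCP.
SAMPLE_FLOW_LINES = [
    "udp 10.0.0.5:51234 > 192.0.2.10:123 1 90",
    "udp 192.0.2.10:123 > 10.0.0.5:51234 1 90",
    "udp 198.51.100.7:123 > 203.0.113.9:80 2000 960000",
    "udp 198.51.100.8:123 > 203.0.113.9:80 1800 864000",
    "tcp 10.0.0.6:44000 > 203.0.113.9:443 50 30000",
]


def detect_unsolicited_ntp(flows, min_packets: int = 100):
    """Return destinations receiving NTP responses they never requested.

    A response is considered solicited when the same flow set contains a
    request from the response's destination to the response's source.
    """
    requests = {(f.src_ip, f.dst_ip) for f in flows
                if f.proto == "udp" and f.dst_port == NTP_PORT}
    per_victim = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for f in flows:
        if f.proto != "udp" or f.src_port != NTP_PORT:
            continue
        if (f.dst_ip, f.src_ip) in requests:
            continue  # the destination asked this server for the time: normal traffic
        victim = per_victim[f.dst_ip]
        victim["packets"] += f.packets
        victim["bytes"] += f.bytes
        victim["sources"].add(f.src_ip)

    findings = []
    for dst_ip, v in per_victim.items():
        if v["packets"] < min_packets:
            continue
        avg_response = v["bytes"] / v["packets"]
        findings.append({
            "dst_ip": dst_ip,
            "packets": v["packets"],
            "bytes": v["bytes"],
            "sources": len(v["sources"]),
            # how much larger each reply is than the request that triggered it
            "amplification": round(avg_response / TYPICAL_REQUEST_BYTES, 1),
        })
    findings.sort(key=lambda item: item["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in detect_unsolicited_ntp([parse_flow(l) for l in SAMPLE_FLOW_LINES]):
        print(finding)
```

Only the host at 203.0.113.9 is reported: it receives 3,800 unsolicited NTP packets from two servers, averaging 480 bytes each, for an estimated amplification of roughly 5x under the assumed request size. On real networks the response count and amplification are far higher, which is why these floods reach the gigabit scale described above; a detector like this is a complement to, not a substitute for, the server-side fix (NTP servers that stop answering the amplifying queries) and ingress filtering that rejects packets with spoofed source addresses.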
In the meantime, sites like Meetup are left with an awkward choice of whether to pay up or fight. $300 is a bargain compared with a weekend of downtime, and there's no telling how many sites pay up, staying off the radar entirely. But for Burns, there was no question. "Let's say you were to consider it," he says. "What happens next?" As with any extortion, there's always the worry that the first charge will just be a down payment — especially when it's so suspiciously low. In the end, a little downtime is a small price to pay. "You can't negotiate with terrorists," he says.