Basecamp, formerly known as 37signals, has managed to largely mitigate a DDoS attack that started today (March 24) at 8:46 central time and which made its services unavailable for users for a few hours.
“The goal is to make Basecamp, and the rest of our services, unavailable by flooding the network with bogus requests, so nothing legitimate can come through. This attack was launched together with a blackmail attempt that sought to have us pay to avoid this assault,” Basecamp’s David Heinemeier Hansson explained in a post on GitHub.
“Note that this attack targets the network link between our servers and the internet. All the data is safe and sound, but nobody is able to get to it as long as the attack is being successfully executed. This is like a bunch of people blocking the front door and not letting you into your house. The contents of your house are safe — you just can’t get in until they get out of the way.”
The company has refused to pay the attacker, and their investigation revealed that in the last few weeks, the same criminals have been mounting this type of attack against Fotolia, Meetup, GitHub, and many others.
“We’ve pooled our law enforcement efforts with the other victims now, and are working with the same agent on the case. While tracking down these criminals is notoriously hard, we’ll do our very best to bring them to justice,” he said, and added that in most cases, the blackmail note came from an address matching the pattern email@example.com.
The attack has currently slowed down considerably, and most of the company’s services can be accessed by users.
Still, that doesn’t mean that the attackers won’t resume it. “Other victims have told us about how the attacker would take a break, and then try again later with a different method,” he shared. The initial attack reached 20Gbps, but according to earlier victims, the attackers can do even better than that.
Hansson says that 95 percent of all the customers can now access the services, but that their servers “are straining a wee bit under the massive load of pent-up demand,” so they can expect some slowdown.
“Unless the attack resumes, we’ll post a complete postmortem within 48 hours,” he concluded.