Project management website Basecamp was hit by a 20 Gbps distributed denial-of-service (DDoS) attack and blackmail attempt yesterday.
In a statement, Basecamp said that the attack targeted the network link between its servers and the internet. “This is like a bunch of people blocking the front door and not letting you into your house. The contents of your house are safe – you just can’t get in until they get out of the way,” it said.
“We’re doing everything we can with the help of our network providers to mitigate this attack and halt the interruption of service. We’re also contacting law enforcement to track down the criminals responsible. But in the mean time, it might be a rough ride, and for that we’re deeply sorry.”
Basecamp said that the attack began at 8.46am central time (1.46pm GMT), and was over around an hour later. “There is unfortunately no single, quick fix to these attacks, so we regretfully ask for your patience in advance. As said, we’re doing everything we can, and will work as quickly as possible, but it’s impossible to give a clear timeline for ultimate resolution.”
The statement said that Basecamp would never negotiate with criminals and would not “succumb to blackmail”. Within ten minutes of the attack beginning, Basecamp said that the group behind the DDoS had hit other websites last week, and it encouraged other websites to get in contact so that it could compare notes on both technical defenses and the law enforcement effort to hunt them down.
Daniel Korel, security analyst at DOSarrest Internet Security, said that it is fairly easy for someone with relatively little knowledge and malicious intent to rent a botnet or exploit known vulnerabilities in public systems, generating large amounts of traffic at their target.
“With the anonymity of the internet to hide behind, it can be an attractive proposition for an attacker to attempt to extort high-traffic websites such as Meetup and Basecamp for money,” he said.
David Heinemeier Hansson, founder and CTO at Basecamp, said that the attackers tried to extort it for money, that it refused to give in, and that it worked with its network providers to mitigate the attack.
“We’ve been in contact with multiple other victims of the same group, and unfortunately the pattern in those cases was one of on/off attacks. So while things are currently back to normal for almost everyone (a few lingering network quarantine issues remain, but should be cleared up shortly), there’s no guarantee that the attack will not resume,” he said.
Russ Spitler, VP product strategy at AlienVault, said: “DDoS is a rather unsophisticated attack and unfortunately these days, the easy access to distributed botnets or amplification techniques makes large scale attacks feasible for rather insignificant attackers. I applaud the fact that Basecamp refused to negotiate with these attackers – just like kidnapping, we won’t see this type of exploitation disappear until we have a consistent ‘no-negotiation’ policy across the internet.
“The shame of this type of attack is small companies like Basecamp are stuck between paying for protection or paying the attackers. My guess is that our small unsophisticated attackers are picking on the businesses they know, which unfortunately will mean that tech oriented businesses will be on the frontline of this. From a technical perspective there is no real weakness that these organisations have above and beyond the typical small business.
“Looking to the future, you really hope that ISPs start playing a bigger role in mitigating these types of attacks. We currently pay them for bandwidth, but in the future I would hope that they do more to guarantee that it is good bandwidth.”