ProtonMail DDoS Case Study: DDoS Prevention Techniques


The email service provider is the victim of several DDoS attacks that last more than a week Swiss based encrypted email provider ProtonMail was the target of a highly publicized attack from a new hacker group, The Armada Collective. Hoping to stop the attacks, they paid the ransom, only to the target of additional, more sophisticated attacks combining application and network vectors.

Download a Copy Now

The email service provider is the victim of several DDoS attacks that last more than a week

Swiss-based encrypted email provider ProtonMail was the target of a highly publicized attack from a new hacker group, The Armada Collective. They experienced consecutive DDoS attacks initiated with a ransom request. Hoping to stop the DDoS attacks, they paid a ransom, only to see the DDoS attacks continue with volumetric and burst attacks combining application and network vectors.

ProtonMail was created to provide privacy to activists, journalists, whistleblowers and other at-risk groups. But the company's own privacy was threatened when it became the target of a ransom attack from a new hacktivist group, The Armada Collective.

The Swiss-based encrypted email provider experienced consecutive attacks from two different sources – one seeking financial gain and the other aiming to undercut their central mission. Initiated with a ransom request to be paid through Bitcoin, they would eventually pay the ransom, only to see the ProtonMail DDoS attacks continue with volumetric and burst attacks combining application and network vectors.

The ProtonMail DDoS attack underscores the new motivations driving today's cyber-attacks. Publicity and outright vandalism are no longer primary incentives. Attacks are now focused on financial gain, protecting ideological differences, or impacting an adversary. In its 2015 – 2016 Global Application and Network Security Report, Radware found that ransoms as the primary motivator for cyber-attacks increased from 16% in 2014 to 25% in 2015.

What follows is a summary by Radware's Emergency Response Team as experienced from the front lines, and the DDoS prevention techniques to stop the ProtonMail DDoS attacks.

ProtonMail DDoS Attacks Timeline

November 4, 2015

Slightly before midnight, they received a blackmail email from The Armada Collective. Like DD4BC, they blackmail companies for Bitcoin under the guise of a DDoS attack. In keeping with its standard modus operandi, the hacktivist group followed this threat with a DDOS attack that took ProtonMail offline for approximately 15 minutes.

By 11 a.m., the next round of ProtonMail DDoS attacks struck their datacenter and the company's upstream provider began taking steps to mitigate the attack. However, within a few hours, the attacks took on an unprecedented level of sophistication.

At 2 p.m., the attackers assaulted the infrastructure of their upstream providers and the datacenter itself. The DDoS attack on the company's ISP exceeded 100Gbps targeting not only the datacenter, but also routers in Zurich, Frankfurt and other locations where the ISP had nodes. The coordinated assault on key infrastructures successfully brought down both the datacenter and the ISP, affecting not only ProtonMail but also hundreds of other companies.

Under intense third-party pressure, they grudgingly paid the ransom via Bitcoin. As  they later noted on its company blog, "This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom."

November 5-7, 2015

Over the next three days, the ProtonMail DDoS attacks continued to suffer from high-volume, complex attacks from a second, unknown source.

November 8, 2015

ProtonMail began working with Radware's Emergency Response Team and implemented its DDoS mitigation solution. Service was restored shortly thereafter.


In order to mitigate the ProtonMail DDoS attack against us, we partnered with Radware, one of the world's premier DDoS protection companies. In Radware, we found a solution that was capable of protecting ProtonMail without compromising email privacy," noted Andy Yen, CEO of ProtonMail. "Given the magnitude of the attack we faced, we knew that we would have to work with the best, and Radware's BGP redirection solution fit our requirements. During our hour of need, there were many companies who attempted to charge us exorbitant amounts, but Radware offered their services at a reasonable rate in order to get us online as soon as possible. With Radware DefensePipe, we were finally able to mitigate the attack on ProtonMail."

November 9-15, 2015

The ProtonMail DDoS attacks continued at a high volume, reaching at much as 30Gbps to 50 Gbps at peaks, but were successfully mitigated by Radware.

At 2:34 p.m. on November 15, a short 2Gbps UDP spike occurred and was successfully blocked. Minutes later, the attack resumed on UDP. Traffic reached 7Gbps but was again mitigated. By 11:01, attack volumes increased to 17 Gbps, reaching upwards of 40 Gbps. Again, ProtonMail and Radware mitigated these assaults. The attack vector then changed, with approximately 10Gpbs hitting infrastructure policy on DP2. Some is matched by DOSS signature DNS reflection, along with ICMP flood; both are successfully mitigated.

At 3:20 a.m. on November 16, a short attack, with 150Mbps of traffic, was identified and thwarted by Radware.


We are happy to announce today that after several days of intense work, we have largely mitigated the DDoS attacks against us," the company reported on its blog on November 10. "These attacks took ProtonMail offline making it impossible to access emails, but did not breach our security. At present, attacks are continuing, but they are no longer capable of knocking ProtonMail offline for extended periods of time. As our infrastructure recovers over the next several days, there may still be intermittent service interruptions, but we have now largely restored all services. Our successful recovery was only possible due to the valiant efforts of IP-Max and Radware, and we would like to sincerely thank them."

Assessing the ProtonMail DDoS Attacks

Following the ProtonMail DDoS attacks, they worked with MELANI, a division of the Swiss federal government, to exchange information with other companies also attacked. It became clear that the ProtonMail DDoS attacks occurred in two stages and was arguably two separate campaigns. The first was the volumetric attack targeting the company's IP addresses. The second was a more complex attack targeting weak points in the infrastructure of their ISPs.

As noted on their blog, "This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."

Lessons Learned

While it is impossible to predict the next target of a ransom group, organizations need to proactively prepare networks and have an emergency plan in place for such an incident. If faced with a threat from a blackmail group, it is important to take the proper steps for DDoS mitigation. As ProtonMail's experiences underscore, organizations under attack should consider:

  • A security solution that can protect its infrastructure from multi-vector attacks including DDoS protection from network and application-based DDoS attacks as well as volumetric attacks that can saturate the Internet pipe.
  • A hybrid solution that includes on premise detection and mitigation with cloud-based protection for volumetric attacks. This provides quick detection, immediate mitigation and protects networks from volumetric attacks that aim to saturate the Internet pipe.
  • A cyber-security emergency response plan that includes an emergency response team and process. Identify areas where helped is needed from a third party.
  • Monitor security alerts and examine triggers carefully. Tune existing polices and protections to prevent false positives and allow identification of real threats when they occur.