MeetUp and Basecamp are the most recent targets of the productivity-blocking Distributed Denial of Service (DDoS) attacks, rendering users unable to use the services.
The good news? All data remained secure and some people ended up with an unexpected day off, due to lack of access. The bad news? Many businesses experienced a severe set back in productivity.
MeetUp, who battled through the clog last weekend, was able to successfully maneuver out of the line of fire, but the attackers shifted their aim to Basecamp.
As of press time, both Basecamp and MeetUp have thwarted the attacks and are back to business as usual. Basecamp stated that they are working with law enforcement to investigate the attacks.
Both attacks are blackmail-motivated, and both MeetUp and Basecamp have refused to engage.
“The only thing we’re certain of of is that, like MeetUp, we will never negotiate by criminals, and we will not succumb to blackmail. That would only set us up as an easy target for future attacks,” wrote Basecamp in their update to Github on March 24.
Basecamp issued constant updates regarding the attack on their status blog, Twitter, and on GitHub, stating their refusal to negotiate with terrorists and offering a succinct and colloquial explanation of just what, exactly, is going on:
Note that this attack targets the network link between our servers and the internet. All the data is safe and sound, but nobody is able to get to it as long as the attack is being successfully executed. This is like a bunch of people blocking the front door and not letting you into your house. The contents of your house are safe — you just can’t get in until they get out of the way.
Meetup also provided an explanation as to how they prepared for, dealt with, and will continue to secure their network against DDoS attacks.
Meetup issued a debriefing on their blog about why they chose not to exchange money for relief with their attackers:
We chose not to pay because:
1. We made a decision not to negotiate with criminals.
2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.
3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world.
4. We are confident we can protect Meetup from this aggressive attack, even if it will take time.
While it’s great that these services that so many people depend on aren’t giving in to the bullies, a lot of people are left wondering why, exactly, they were targeted for the attacks.
Both MeetUp and Basecamp offer services to businesses and startups to help manage workflow, meetings, and bring people together in a more cohesive manner. Not a lot of money or sensitive information (or, at least the blackmail-worthy kind) is being exchanged via these services.
Aside from creating a mass unavailability of these services for the users, the DDoS attacks appear to simply be a malicious event in which a person or group of persons tests the water for future and more destructive intrusions.
Since MeetUp and Basecamp both chose to not engage with the blackmailers, it will be interesting to see whether future attacks are both less likely to occur and less likely to be effective against the services’ constantly-improving securities.