Who in the world would launch a distributed denial of service (DDoS) attack against Meetup.com?
That’s beyond the pale, suggests one understandably aghast fan:
Who does a DDoS on @Meetup? Do they hate kittens, too?
— Sean McCann (@mccannst) February 27, 2014
But a DDoS is exactly what’s been plaguing the site, Scott Heiferman, Meetup.com co-founder and CEO, wrote on the company’s blog.
Heiferman says that for the first time in its 12 years, the network of local community groups is facing what he calls “a massive attack on its servers”.
Extortionist hackers are behind the attack, trying to elbow the site offline, demanding ransom that Meetup refuses to pay.
Two things happened on Thursday morning.
First, Meetup received this email, demanding $300 (£180):
Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning
A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.
Simultaneously, the attack began.
Meetup.com didn’t manage to crawl out from under the attack until Friday morning, and even then it took “many hours” for its defensive system changes to be distributed across the internet, it said.
Before some users had even managed to see Meetup.com lift its head up to gulp a breath of air, it was down again, as another wave of DDoS sent it back under on Saturday afternoon.
The site re-emerged, for the most part, by midnight on Saturday.
The third and most recent attack hit Meetup.com on Sunday evening, and the company’s since spent the past few days shoring up the site and its apps.
Meetup’s feeling pretty good about its efforts to ward off the attacks, but there’s no saying what the future holds, Heiferman said in his posting:
While we’re confident that we’re taking all the necessary steps to protect against the threat, it’s possible that we’ll face outages in the days ahead.
All this, over a measly $300?
It wouldn’t matter if the extortionists wanted $3,000,000 or $3 or three fingernail clippings: Meetup is saying stick it, we’re not paying.
The company’s rationale:
1. We made a decision not to negotiate with criminals.
2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.
3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world.
4. We are confident we can protect Meetup from this aggressive attack, even if it will take time.
This is an attack on everyone who believes that people are powerful together. We live in a world where criminals can make extortion threats against an organization like ours and temporarily frustrate millions of people.
But we also live in a world where organizers start new Meetup Groups, members show up, people start talking, and communities form. Our platform is built around a simple idea — that if Meetup helps people to find the others, we will all be more powerful and will create the kind of world we want to live in together.
It may sound like pro-Meetup marketing touchy-feely squishiness, but cynicism be damned: he’s right.
They might think they’re too clever to be tracked down, but they’d be wrong.
They can just go ask the two Polish online gaming programmers who were recently arrested and jailed for 5 years for the DDoSing and cyber-extortion of an online casino.
Good luck to Meetup.com’s beleaguered engineering crew. We hope you continue to succeed in fending these guys off, and that somebody in law manages to track them down.Follow @NakedSecurity