Last weekend, the event coordination site Meetup was down. If you’ve ever seen the part in The Social Network where fictionalized Mark Zuckerberg says, “We don’t crash ever! If the servers are down for even a day, our entire reputation is irreversibly destroyed,” you know how dramatic this stuff can be. It took Meetup from Feb. 27 to March 3 to completely restore service stability. So what happened?
Meetup was hit with a distributed denial-of-service attack (DDoS), in which an attacker uses a virus to take over a number of computers, then uses those comuters to send an extremely high volume of packets to a server until its switches are too overwhelmed to process actual user traffic. DDoS attacks are a classic and common hack but have gotten much more severe in recent months. Jag Bains, the chief technology officer at the security firm DOSarrest, told Reuters, “It’s really a game of cat and mouse. I’d like to say we are ahead, but I just don’t think it’s true.”
On Thursday, Feb. 27, Meetup began experiencing a DDoS attack, and Meetup’s CEO, Scott Heiferman, received an email attempting to extort $300 from the company to stop it. Meetup was reluctant to negotiate with criminals, but the amount the hacker was asking for was also so small as to be suspcious. The team was concerned that if the company paid the money, it would be further exploited and would also send the signal that such a ransom demand could work on other companies.
“When someone steals a credit card, the first thing they do is try a four- or five-dollar charge and see if that goes through,” says Brendan McGovern, Meetup’s CFO and co-founder. “Once they’re successful there, they know that they have an open pipe, and that’s when they hit you for a few thousand dollars. So we decided early on to not engage at all, to not respond, and not pay. And, in the long term, that served us. If everyone is not paying, and these types of attacks are just not successful, then perhaps they’ll stop.”
Meetup’s CTO Gary Burns says that the most important lesson was that companies should foster close connections with their Internet service provider because the attacks can’t really be controlled without the ISP’s help. On a day-to-day basis, Meetup has been able to deal with unusual traffic by doing things like blocking IP addresses that generate heavy traffic or setting up firewalls. But in this case the amount of traffic was too overwhelming.
“The traffic that was sent to us was large enough that it started to be a problem for the ISP, the level above us,” Burns says. “So there wasn’t a lot we could do to try and mitigate the attack because it wasn’t within our control. What’s really important is the relationship you have with your ISP and the flexibility you have there.” Meetup is also ensuring that all of its systems and partners’ systems are fully upgraded and patched to reduce network vulnerabilites. But Burns warns that patching weaknesses needs to be an Internet-wide effort to truly be effective.
McGovern says that Meetup’s losses will be in the hundreds of thousands of dollars, between extending all organizer subscriptions by seven days (subscriptions are about $15 per month), losing out on new subscription sales while the site was down, and spending money to mitigate the attacks.
“It’s significant but, and I’m actually authentically being serious about this, it paled in comparison to the amount of pain that was suffered by the Meetup members and organizers in the community. We’ll take a big hit financially, but to see all the people who had a really rough four or five days while they were relying on us is a much more painful number.” Humanity emerges in times of crisis.
