A brief update regarding ongoing DDoS incidents

A few weeks back, we sent a notice to the ProtonMail community regarding the DDoS attacks that we have been facing. Today we would like to provide a brief update on the situation.

  • Starting on June 27th, ProtonMail started to be hit by sustained DDoS attacks.
  • The attack campaign continues to this day, but there has been little to no user impact.
  • Thus far the attacks have included:
    • Rapidly morphing DDoS attacks with the combination of SYN floods, TCP handshake violations (first packets are not SYNs), IPv4 TCP SYN floods, TCP Zero Sequence, ACK Floods, NTP nonstandard port floods, and reflection attacks on SSDP, NTP, Chargen, LDAP and Memcache protocols.
    • Pulsed/Burst DDoS attacks, with multiple attack vectors and rapid changes within minutes.
    • Attacks up to 25Gbs in volume. This attack was largely challenging to handle because of its complexity, not the size/volume. No unknown attack vectors were used, but they were rapidly changing, and hence the complexity.
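To make the vectors in the list above concrete from the defender's side, here is an added example (not ProtonMail's or Radware's code) that labels packet records with a subset of those vectors and reports the dominant one per minute, which is how a rapidly morphing campaign shows up in telemetry. The record format, labels, threshold and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# UDP source ports of the reflection protocols named in the list above.
REFLECTORS = {1900: "SSDP", 123: "NTP", 19: "Chargen", 389: "LDAP", 11211: "Memcache"}

def classify(pkt, seen_flows):
    """Label one inbound packet record with a vector from the list, else None."""
    if pkt["proto"] == "udp":
        # Reflected replies arrive *from* the abused service's port.
        name = REFLECTORS.get(pkt["sport"])
        return f"{name} reflection" if name else None
    flow = (pkt["src"], pkt["sport"], pkt["dport"])
    first = flow not in seen_flows
    seen_flows.add(flow)
    if pkt["seq"] == 0:  # assumption: "zero sequence" = any segment with seq 0
        return "TCP zero sequence"
    if pkt["flags"] == "S":
        return "TCP SYN"  # only a flood once the per-minute count is high
    return "first packet not SYN" if first else None

def dominant_vector_per_minute(packets, threshold=3):
    """Map minute -> most frequent label, keeping minutes at/over threshold."""
    seen, buckets = set(), defaultdict(Counter)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        label = classify(pkt, seen)
        if label:
            buckets[pkt["ts"] // 60][label] += 1
    timeline = {}
    for minute, counts in sorted(buckets.items()):
        label, n = counts.most_common(1)[0]
        if n >= threshold:
            timeline[minute] = label
    return timeline

def _pkt(ts, proto, src, sport, dport, flags="", seq=1):
    return dict(ts=ts, proto=proto, src=src, sport=sport, dport=dport, flags=flags, seq=seq)

# Constructed records (documentation-range addresses), one vector per minute,
# plus one well-formed SYN/ACK pair that must not be flagged as a violation.
SAMPLE = (
    [_pkt(i, "tcp", f"198.51.100.{i}", 40000 + i, 443, "S", 1000 + i) for i in range(4)]
    + [_pkt(10, "tcp", "192.0.2.10", 50000, 443, "S", 77),
       _pkt(11, "tcp", "192.0.2.10", 50000, 443, "A", 78)]
    + [_pkt(60 + i, "udp", f"203.0.113.{i}", 11211, 33000 + i) for i in range(4)]
    + [_pkt(120 + i, "tcp", f"198.51.100.{50 + i}", 41000 + i, 443, "A", 5) for i in range(4)]
)

if __name__ == "__main__":
    for minute, vector in dominant_vector_per_minute(SAMPLE).items():
        print(f"minute {minute}: {vector}")
```

A mitigation rule tuned for one minute's dominant vector is already stale in the next, which is the complexity the list describes.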

Since November 2015, ProtonMail has been protected by Radware’s Cloud DDoS Protection Services, and in this instance, Radware was able to successfully mitigate nearly all of these attacks. However, because of the ferocity and ingenuity of the attacks, some of them were only partially mitigated and briefly resulted in some service outages at the outset of the campaign.

In order to improve mitigation performance, Radware immediately upgraded their scrubbing centers and processes to provide better protection against rapidly changing attacks. As a result, attack mitigation through the upgraded Radware scrubbing center has been successful in the past couple of weeks.

After the upgrade, we have found that Radware’s technology actually works well against rapidly evolving attacks, and the automatic mitigation capabilities are essential for reducing the response times when coming under attack frequently. We also deeply appreciate the support that we have received from the team at Radware, and the fact that they made defending ProtonMail a priority. Going forward, we plan to utilize a multi-layered DDoS defense strategy and will continue to partner with Radware on the first line of defense.

We appreciate your patience through these attacks and look forward to continuing to provide you with secure and private email services.

Best Regards,
The ProtonMail Team

About the Author

Proton Team


15 comments on “A brief update regarding ongoing DDoS incidents”

  • What I miss in this whole story is any information about who is behind these attacks and why?
    I really don’t know what to think of it. Is it because ProtonMail is becoming too successful and some countries (Russia, US, UK, China?) are getting worried? Is it all done on purpose to tighten the bonds between ProtonMail and Radware? Radware that is partnered with Cisco and we all know what deal Cisco had with the NSA since the Snowden leaks. And is therefore ProtonMail nothing more than a honeypot for the US/Israel? I really don’t know what to think of it. And now I will put on my Tinfoil hat again…

  • Attacks are likely from DDoS protection service providers like Cloudflare.
    (Half-serious, as this can’t be proven)

  • I can sympathize with being attacked like this and know how violating and stressful this is. However you guys run an increasingly important email service that more and more people rely on for business and other important matters. It’s absolutely critical that ProtonMail continues to work on stability and speed. I’m impacted almost every day in some way by these attacks. Almost every day emails/polling times out, is unavailable for a while, etc. I have missed several fairly important emails from business partners because of this. When you are expected to reply to an email and can’t do that because the email service you’ve put your trust in – and which you’ve been evangelizing to all your business partners – is down, that’s just not good.
    I run my own domains through ProtonMail as well, so my internal company email was affected, too. It wasn’t much, but enough to make me worry.
    Thank you

  • Admin,

    Please file this post under “Security.” Currently, it’s filed under “Uncategorized.”


  • Since this seems to be of quite a substantial capability, I just wonder if you have any idea/indication where the attack is coming from?

  • About the

    “we plan to utilize a multi-layered DDoS defense strategy and will continue to partner with Radware on the first line of defense”

    why, on the following link, does the ProtonMail Team indicate “F5 as the primary DDoS mitigator”?

    This particular attack is very challenging to deal with because it is a new type of DDoS from a previously unknown botnet. As a result, we have also brought in F5 Networks to assist with the mitigation.
    Services started to be restored about 20 minutes ago when we switched to F5 as the primary DDoS mitigator


  • Just driven nuts (again) by Google changing Chrome behind the scenes and this time not able to revert to an older bookmarks interface. My move away from Google and gMail specifically will not be instant but moving to Protonmail is a start.

    Thank you guys!

  • Thank you so much for your effort at improving privacy protection for our communications.

    You are meeting a global challenge and thereby improving overall infrastructure. It is a pity that some conservative forces are trying to hold you back and may be targeting your project as an act of offensive cyberwar. Nonetheless, I cherish what you are doing very much and try to “spread the work”.

    Thank you!