Meetup has been up and down a lot over the last few days. It was up when this report was started, but down before it was complete. It is fighting a prolonged DDoS attack, supposedly instigated by a competitor. The company was offered a 'protection' fee of $300, but refused to pay – and the modern day gangsters moved in with their baseball bats.
Throughout this attack Meetup has maintained a running commentary. It seems to have started last Thursday. "On Thursday morning, Meetup suffered a distributed denial of service (DDoS) attack, which resulted in a service outage for our website and our apps. Organizer and member data is secure, including credit card information. No data has been accessed or stolen."
This running commentary documents Meetup's attempts and temporary successes in restoring service to its customers, ending with the latest entry (yesterday), "We hate to say it, but Meetup is down again as of 8:09 pm EST." In a separate blog, co-founder and CEO Scott Heiferman, has described the events. He received an email on Thursday with the subject 'DDoS attack, warning.' "A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer."
"Simultaneously," writes Heiferman, "the attack began, our servers were overwhelmed with traffic, and our services went down."
Little is yet known about the attack or the attacker. The attacker said it was instigated by a competitor – and while such attacks certainly do happen, there is no proof that it is true in this instance. The blackmail fee of $300 seems remarkably low; but as Heiferman suggests, this could have been just the entree: "We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more."
Sean Sullivan, a researcher with F-Secure, believes that this doesn't really acknowledge the extent to which 'DDoS as a service' has been commoditized. "The $300 dollar extortion is probably equal to the fee the alleged competitor is currently paying to DDoS Meetup," he told Infosecurity. "It’s simply business for the attacker, probably not a vast conspiracy designed to see if they’ll pay more. Perhaps the guy was hoping that Meetup would pay, and offer to pay for the information on which competitor hired him."
Meetup is, in fact, following official law enforcement advice: never pay extortionists because they will simply keep coming back for more. But while Heifermen is keeping everyone in the loop about events, and is staying in touch with his users via Twitter and Facebook, he is giving nothing away about his attempts to mitigate the attacks. He says that "We spend millions of dollars every year keeping the Meetup website and apps secure, stable, and reliable."
With such a budget it would be reasonable to assume that the cost of a third party DDoS mitigation service could be included – but in that case it would also be reasonable to assume that the attack could have been mitigated before now. Of course, the longer the attack continues, the greater the likelihood for law enforcement to actually track and catch the attacker.