Business Lessons from the DDoS Attacks on Social Networking Site Meetup

Linda Musthaler
By | March 10, 2014

Posted in: Enterprise DDoS Protection

In early March, the social networking site Meetup was hit by a series of DDoS attacks. The attacks did some damage, not the least of which was knocking the site offline for hours at a time over a period of several days. However, I have to say that it appears that the Meetup management and technical team did a few things right to get through this nasty situation.

If you’ve never heard of Meetup, I’ll tell you that it’s a social networking site where people can create and join social groups and look for new members and then…meet up. There are almost 16 million members of more than 140,000 groups across 196 countries. So, a lot of people use this website everyday to enhance their social lives.

The attack started on February 27, shortly after Meetup CEO Scott Heiferman received an extortion email that read:

Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning

A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.

Then the attack began, the servers were overwhelmed with trash traffic, and the site went down. Oh, and Meetup refused to pay the ransom demand. Instead the company got busy mitigating the attack, but it took almost 24 hours to bring the service back up. Then they were hit again with another attack that took the website down for another 8 or so hours. The techies did their magic to get Meetup back online and within a day they were hit with yet another attack that took them down again. The company has since restored its service and has been OK since then.

The cost of the attacks

These attacks cost Meetup plenty. Aside from the downtime, the negative publicity of the attacks, and the loss of customer confidence, Meetup offered to give a week’s worth of payment credit to all meeting organizers. The company has not specified a dollar figure for this credit, but imagine your company losing a week’s worth of revenue. That would certainly sting.

Then there is the cost of the technical battle. Meetup had to divert management and technical resources to fighting the attacks and supporting users the best they could. The company had to pay for some sort of anti-DDoS solution or service in order to mitigate the attacks. I have not talked to them so I don’t know what solution(s) they deployed to get out from under the attacks, but a company blog post alludes to the use of different solutions over the course of a week.

You might wonder why they didn’t just pay the $300 ransom and avoid the whole bad experience. Heiferman explains:

We chose not to pay because:

1. We made a decision not to negotiate with criminals.
2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay.  We believe if we pay, the criminals would simply demand much more.
3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world.
4. We are confident we can protect Meetup from this aggressive attack, even if it will take time.

What Meetup did right

Despite the hardship of the attacks, I give Meetup management and technical professionals a tip of the hat for several things I think they did right.

First, they refused to pay the ransom for the reasons identified above. This demand was clearly a case of extortion, and it could have escalated and marked the company as an easy target for some quick money. Hoorah for Meetup for having the guts to fight the attack with technology rather than giving in to the demands of a cyber criminal.

Next, Meetup did everything they could to keep customers informed of what was happening. They Tweeted and blogged and posted information online to make sure people knew about the outage and when it might possibly end. The company acknowledged users’ frustrations, apologized for the service outage, and offered generous financial credits to compensate for the loss of service over the course of 5 days. As a result of the communications, users showed their support through online notes, retweets and likes.

And finally, the company has obviously put in place one or more technical solutions that knocked out the attacks. Of course it would have been better to have them in place before an attack could do the damage, but who knew this social networking site would be vulnerable to attack? As one supporter put it, “Who does a DDoS attack on @Meetup? Do they hate kittens, too?” (Side note: This attack shows that any business can be vulnerable. Extortion and denial-of-service are crimes that can happen to anyone.)

It’s good to see Meetup back online and serving its millions of members. Let this company’s experience serve as a lesson to every other business with a website.

You May Also Be Interested In: