Meetup was hit with a distributed denial-of-service attack (DDoS), in which an attacker uses a virus to take over a number of computers, then uses those comuters to send an extremely high volume of packets to a server until its switches are too overwhelmed to process actual user traffic. DDoS attacks are a classic and common hack but have gotten much more severe in recent months. Jag Bains, the chief technology officer at the security firm DOSarrest, told Reuters, "It's really a game of cat and mouse. I'd like to say we are ahead, but I just don't think it's true."
On Thursday, Feb. 27, Meetup began experiencing a DDoS attack, and Meetup's CEO, Scott Heiferman, received an email attempting to extort $300 from the company to stop it. Meetup was reluctant to negotiate with criminals, but the amount the hacker was asking for was also so small as to be suspicious. The team was concerned that if the company paid the money, it would be further exploited and would also send the signal that such a ransom demand could work on other companies.
"When someone steals a credit card, the first thing they do is try a four- or five-dollar charge and see if that goes through," says Brendan McGovern, Meetup's CFO and co-founder. "Once they're successful there, they know that they have an open pipe, and that's when they hit you for a few thousand dollars. So we decided early on to not engage at all, to not respond, and not pay. And, in the long term, that served us. If everyone is not paying, and these types of attacks are just not successful, then perhaps they'll stop."
Meetup's CTO Gary Burns says that the most important lesson was that companies should foster close connections with their Internet service provider because the attacks can't really be controlled without the ISP's help. On a day-to-day basis, Meetup has been able to deal with unusual traffic by doing things like blocking IP addresses that generate heavy traffic or setting up firewalls. But in this case the amount of traffic was too overwhelming.
McGovern says that Meetup's losses will be in the hundreds of thousands of dollars, between extending all organizer subscriptions by seven days (subscriptions are about $15 per month), losing out on new subscription sales while the site was down, and spending money to mitigate the attacks.
Newman is lead blogger for Future Tense, a partnership of Slate, New America and Arizona State University.
