Basecamp Online After DDoS Attack, Extortion Attempt

Basecamp is back online Tuesday after the service was taken down by a distributed denial-of-service attack Monday.

The project management console Basecamp is back online and its developers are in the process of restoring customers’ network access Tuesday after the service was taken down by a distributed denial-of-service (DDoS) attack Monday.

The attack started at 8:46 a.m. CST yesterday and flooded the site with 20 gigabits of data per second, and took it and all of its services offline for a few hours according to a David Heinemeier Hansson, a partner at Basecamp.

Hansson, the Danish programmer who also created the Ruby on Rails development framework, described the attack in a Github gist Monday.

“We’re doing everything we can with the help of our network providers to mitigate this attack and halt the interruption of service. We’re also contacting law enforcement to track down the criminals responsible. But in the meantime, it might be a rough ride, and for that we’re deeply sorry,” Hansson wrote at the time.

According to a subsequent note on Signal v. Noise, no data was compromised in the attack, but Hansson lamented that users weren’t able to get to their data when they needed, calling it unacceptable.

As with any DDoS attack, the attackers flooded their services with requests, the attack shares some similarities with an a DDoS that affected social networking site just over two weeks ago.

Like the Meetup incident, the attack against Basecamp was launched following a blackmail attempt wherein Basecamp could have paid to mitigate the attack. According to Hansson the blackmail came from someone who “hit others just last week” and came from an email matching the following address: “dari***”

It’s unclear if Hansson is referring to as the “others” hit last week, as the attack took place three weeks ago.

The attackers behind’s DDoS demanded $300 to keep the site online. In a blog post the site’s CEO and co-founder Scott Heiferman claimed the company refused to honor it as to avoid setting a nasty precedent, yet was still hit with a series of attacks that kept their site offline nearly the entire weekend.

Like Meetup, Basecamp acknowledged it would never give in to blackmail.

“The only thing we’re certain of is that, like Meetup, we will never negotiate by criminals, and we will not succumb to blackmail. That would only set us up as an easy target for future attacks,” Hansson said.

While the attack appears to have stopped for now Basecamp claims “there’s no guarantee” it won’t resume and that it’s “remaining on the highest alert for now.” At last update Basecamp developers were able to restore service for about 95 percent of its customers yesterday morning but were still dealing with a variety of extenuating network issues.

While the group is still investigating the attack with law enforcement, it does plan on posting a technical postmortem of the attack within 48 hours, barring it isn’t attacked again.

Largely headquartered in Chicago, Basecamp is a web-based project management infrastructure that lets developers outline to-do lists, share files and message colleagues back and forth.

Suggested articles