Summary and Impact to Customers
From Friday 9th June to Monday 12th June 2017, SYNAQ Cloud Mail experienced a DDoS attack which affected all Clients on the Cloud Mail platform.
The resultant impact of the event was the inability of Clients to authenticate via the Webmail User Interface and POP3.
Root cause and Solution
The root cause of this event was a DDoS attack, in which an overwhelming number of concurrent international servers attempted to brute force a very large number of user accounts on our Cloud Mail environment. As a result, the Cloud Mail authentication management system became degraded and could no longer accept authentication or mail processing requests.
In order to resolve this incident, SYNAQ Engineers initially blocked a large number of offending IPs on an individual basis throughout Friday, and continued to block newly identified offending IPs throughout the weekend. However, on Monday morning the attacks became more widespread and aggressive, so SYNAQ Engineers identified the primary geographic locations from which the DDoS originated and applied a geographic IP block on those countries, thus preventing any offending IP traffic from entering the environment.
Remediation Actions
A new authentication proxy layer is being engineered and implemented in order to dynamically detect and prevent brute force DDoS attacks in the future.
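As an added illustration (not SYNAQ's code, and not a description of the proxy being built), the kind of per-source detection an authentication proxy layer can apply: a sliding-window count of failed logins per source IP, flagging a source either for raw failure volume or for failing against many distinct users, which is the pattern described in the root cause above. The log format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real deployment tunes these against its own traffic.
WINDOW = timedelta(minutes=5)
MAX_FAILURES = 20   # failed logins from one source IP within WINDOW
MAX_USERS = 5       # distinct accounts one source IP has failed against within WINDOW


class BruteForceDetector:
    """Sliding-window failed-authentication counter keyed on source IP."""

    def __init__(self, window=WINDOW, max_failures=MAX_FAILURES, max_users=MAX_USERS):
        self.window, self.max_failures, self.max_users = window, max_failures, max_users
        self.failures = defaultdict(deque)   # ip -> deque of (timestamp, username)
        self.blocked = set()

    def record(self, ts, ip, user, success):
        """Feed one authentication event; return True if the source IP is (now) blocked."""
        if ip in self.blocked:
            return True
        if success:
            return False
        q = self.failures[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > self.window:   # drop failures older than the window
            q.popleft()
        distinct_users = {u for _, u in q}
        # Many failures from one source, or one source spraying many accounts: block it.
        if len(q) >= self.max_failures or len(distinct_users) >= self.max_users:
            self.blocked.add(ip)
            return True
        return False


def parse_line(line):
    """Parse the constructed format: '<iso-ts> <proto> auth <OK|FAIL> ip=<addr> user=<name>'."""
    ts, _proto, _, result, ip_kv, user_kv = line.split()
    return datetime.fromisoformat(ts), ip_kv[len("ip="):], user_kv[len("user="):], result == "OK"


def run(lines):
    """Replay log lines through the detector and return the set of blocked source IPs."""
    det = BruteForceDetector()
    for line in lines:
        det.record(*parse_line(line))
    return det.blocked


SAMPLE_LOG = [  # constructed sample events, not data from the incident
    "2017-06-09T08:00:01 POP3 auth FAIL ip=203.0.113.7 user=alice",
    "2017-06-09T08:00:02 POP3 auth FAIL ip=203.0.113.7 user=bob",
    "2017-06-09T08:00:03 POP3 auth FAIL ip=203.0.113.7 user=carol",
    "2017-06-09T08:00:04 POP3 auth FAIL ip=203.0.113.7 user=dave",
    "2017-06-09T08:00:05 POP3 auth FAIL ip=203.0.113.7 user=erin",
    "2017-06-09T08:00:06 WEBMAIL auth FAIL ip=198.51.100.5 user=frank",
    "2017-06-09T08:00:09 WEBMAIL auth OK ip=198.51.100.5 user=frank",
]
```

A single mistyped password from 198.51.100.5 stays unblocked, while 203.0.113.7 is blocked on its fifth distinct account within the window.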