If you have five minutes and you like stories of good guys prevailing over evil bastards, then keep reading. CodePen, whose co-founder Tim Sabat lives here in Bend, recently received an email that would unsettle any company, but especially one whose 1 million users depend on the company’s web app to, well, work. It was a threat of a DDoS attack, complete with a ransom request.

“It was supposedly sent by a party who has done things like this in the past,” Sabat said in CodePen’s new podcast on the issue. “It said that ‘we’re going to attack your site in 5 days unless you send us 10 bitcoins,’ which was about $4,100.”

The podcast dives more into what a DDoS attack is, but in the most basic description, the people making the threat direct so much traffic to your website that it goes down. They’re in control of the traffic and you’re at their mercy. The takeaway of the note CodePen received: If you want to stop this trouble, send the money.

The response from the co-founders: Not today. Not ever.

The trio of co-founders discussed on the podcast (btw, listening to this is a well-spent 28 minutes) how strongly they felt about not paying these criminals money. On a scale of 1 to 10 of giving a fruit, co-founder Chris Coyier said he was “10 of 10.” Sabat added that he’d pay exponentially more money to avoid paying the ransom. “If they’re asking for $4,100, then I’d pay $41,000 to fend off a DDoS attack,” he said.

So instead of capitulating — which, the founders noted, came with its own set of risks, including letting the note-senders know you have money and can access bitcoin — CodePen got to work. They used the five days to shore up their site, following instructions from AWS, which described the key components of solid DDoS defense.

CodePen co-founders: Chris, Alex and Tim.

Again, tech types, and probably anyone running a website that’s integral to their business, should listen to the podcast to hear the ins and outs of CodePen’s protective measures. The high points included minimizing the surface area of their site by reducing it to two ports, employing load balancers that could absorb the traffic from an attack, and housing assets behind a Content Delivery Network.

Sabat also outlined the importance of understanding the normal behavior and traffic patterns of your site, “so that you know what trouble looks like,” he told podcast listeners. Sabat and co-founder Alex Vazquez spent a solid week on this. And on Day 5, the attack never materialized.

While no one likes to do anything under duress, the team noted that the efforts were still worth it. Not only is CodePen’s site ready in the event of any other DDoS threats, but it’s also just running faster than before. “All is well in CodePen land for the moment,” Coyier said.

The trio acknowledged that they’re slightly apprehensive that broadcasting their story might make CodePen a renewed target. But the startup regularly shares the ins and outs of its business via its podcasts, and especially in this case, the lessons learned may help others. So for at least today, the good guys win.