Doxy.me under Denial Of Service Attack
Incident Report for Doxy.me LLC
Postmortem

Over the past two weeks, Doxy.me was under a sophisticated Denial of Service attack (DOS). This attack was partially successful at peak times in preventing our legitimate customers and their patients' access to the website. We have undergone some significant infrastructure improvements to better detect, respond, and defend against such attacks in the future. We have no evidence to suggest this attack was trying to steal data from Doxy.me customers or their patients and was most likely a plot to harm the Doxy.me reputation. Continue reading for a detailed breakdown of the events and enhancements.

Timeline

DOS attacks are the most common type of attack that online companies and services encounter. Doxy.me has seen similar instances in the past, but none have been successful until October 2nd, 2019. When this attack first started, it presented differently as it appeared to some extent as legitimate traffic and made the Doxy.me technical team believe it was an internal problem with the Doxy.me system, and not some actions from an external party.

As time went by, and the Doxy.me team began digging into system improvements, another attack occurred on October 8th, 2019. Again, the attack presented as legitimate traffic and led the technical side within Doxy.me to believe it was a problem with the Doxy.me system. The team took quick action to "repair" and make changes to our infrastructure to prevent a similar "problem" in the future.

On October 10th, 2019, when another attack started ramping up, it was clear that this was not a problem within the Doxy.me system but an attack from an outside actor. The technical team within Doxy.me was then able to identify the assault and its methods and put temporary but effective measures in place to stop the attack.

Improvements

Over the past few days, the Doxy.me team has made several substantial changes to our infrastructure and network to detect and prevent similar problems in the future. The improvements include improved web application firewalls to automatically detect and block application-layer vulnerabilities at the network level; rate limiting to protect crucial resources by providing fine-grained control to prevent or qualify visitors with suspicious request rates; enhanced servers and internal resources; as well as some policy and procedure changes.

While we believe these changes to be material, there is more work to be done. And we'll be keeping an eye on our traffic over the coming week to see how our changes can fend off this attack and others like it.

Disclosure/Breach notification

At this time, we have no evidence to suggest this person or group was trying to "hack" or steal data from the Doxy.me system. It appears to be a targeted and sophisticated attempt to harm our customers' businesses and the Doxy.me reputation. This DOS attack was most likely orchestrated by a competitor or someone who plans to announce a similar service soon and would like to try to entice customers away from our "unreliable" system and onto theirs. This tactic is an unfortunate reality of online services, as 12% of businesses are confident that their competition initiated a DoS attack.

We appreciate your continued support and patronage and look forward to bringing more security enhancements and innovations to the Doxy.me platform over the next few months.

Posted Oct 13, 2019 - 21:39 EDT

Resolved
We've implemented several large infrastructure changes and enhancements in order to better identify and block DDOS attacks now, and in the future. And full post mortem will be written up with further details of this event and previous events the past two weeks. We greatly appreciate your continued support and patience while we dealt with this issue. Thank you.
Posted Oct 12, 2019 - 12:29 EDT
Monitoring
A fix has been implemented and we are monitoring the results.
Posted Oct 11, 2019 - 12:28 EDT
Identified
We have identified the issue as a DDOS attack and are actively fighting it off.
Posted Oct 11, 2019 - 12:15 EDT
This incident affected: Doxy.me API.