DDoS Attacks Strike Feedly and Evernote

NEWS ANALYSIS: A pair of popular online services get knocked down due to DDoS attacks. What can and should be done?

data breach

Distributed denial-of-service (DDoS) attacks have been around since the dawn of the Internet era and are still a pestilence that infests the modern Web. This week, DDoS attacks were leveraged against online services Feedly and Evernote, once again demonstrating the vulnerability in Internet infrastructure.

In a typical DDoS attack, a large flood of data from multiple locations targets a server, which ends up disrupting and overwhelming the normal operations of the victimized site. On June 11, RSS feed reader service Feedly reported that it was under a DDoS attack.

As opposed to just a random act without purpose, the Feedly DDoS attackers had a financial incentive.

"The attacker is trying to extort us money to make it stop," Feedly stated in a blog post. "We refused to give in and are working with our network providers to mitigate the attack as best as we can."

At 3:07 p.m. PDT on June 11, Feedly reported that it had neutralized the DDoS attack, reassuring users of its 40 million RSS feeds that no data was compromised in the attack.

Unfortunately for Feedly, as of 7:26 a.m. PDT on June 12, a second DDoS attack was under way against the service.

The Evernote note-taking platform was also impacted by a DDoS attack that first began on June 10.

"We're actively working to neutralize a denial of service attack," Evernote stated in a Twitter update. "You may experience problems accessing your Evernote while we resolve this."

Within three hours of the initial tweet about the DDoS, Evernote stated that its service was up and running, though it warned of potential "hiccups."

It wasn't until 7:51 p.m. PDT on June 11 that Evernote was fully restored to all users on all of its supported platforms.

Details on how the Evernote and Feedly DDoS attacks were conducted have not yet been fully disclosed. Overall, the latest statistics on DDoS attacks indicate a trend toward increased bandwidth utilization. In a study published on June 5, VeriSign reported that for the first quarter of 2014, there was an 83 percent increase in the average DDoS attack size in comparison with the fourth quarter of 2013. There has also been a trend to leverage UDP-based protocols, including Network Time Protocol (NTP), in 2014 to amplify DDoS attack bandwidth volume.

DDoS attackers are now able to overwhelm victim sites with inbound floods of 100G bps or greater. Simply put, the vast majority of individual site owners don't have the infrastructure to possibly mitigate that type of attack volume.

There are a number of different ways that enterprises and Website owners can deal with DDoS. At the most basic level, standard network perimeter defenses including intrusion prevention system (IPS) and firewall technologies can be configured to drop packets and block inbound attacks. The challenge with NTP and other amplification attacks though is that it's not simple to block the vast number of addresses that could be involved in an attack.

The other solution is to leverage the power of a cloud-based technology platform from vendors such as VeriSign, Akamai, Incapsula and CloudFlare. All those services have the immense bandwidth required to thwart the volumetric attacks as well as the threat intelligence and expertise to take proactive measures.

The other piece of the DDoS puzzle is the network service providers. If a massive flood of data is coming across a network targeted at a single location, that should set off alarm bells in a service provider's network operations center. As a matter of network hygiene, service providers can and should be part of the solution against DDoS.

Then, of course, there are the vulnerable hosts and endpoints. DDoS attackers aren't using their own bandwidth that they have legitimately acquired. In most cases, DDoS attacks leverage vulnerable host systems through malware and botnets to take over and abuse bandwidth. In NTP amplification attacks in particular, DDoS attackers leverage a misconfiguration on NTP servers.

The challenge of dealing with modern DDoS attacks is multifaceted, but it is a challenge that can be solved.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.