Evernote struck down by DDoS attack for several hours

Summary: Popular note-taking app Evernote was unavailable for several hours after being flooded with attack traffic.

Evernote, the popular note-taking app, was unavailable for many of its 100 million users on Tuesday afternoon PST after coming under fire from a denial-of-service attack.

The company took to Twitter on Tuesday afternoon to explain why some of its users couldn't sync their notes.

At about 2:40pm PST the company reported, "Evernote service is currently unavailable. We are working to resolve the issue. Updates to follow. Thanks for your patience."

About an hour later, the company confirmed it was trying to fend off a distributed denial of service (DDoS) attack. "We're actively working to neutralise a denial of service attack. You may experience problems accessing your Evernote while we resolve this," it said on Twitter.

The potency of DDoS attacks has dramatically increased in recent years. The main purpose of a DDoS is to make a site unavailable by slamming it with traffic from a variety of sources, which is often the work of a botnet of infected machines.

According to DDoS protection firm Arbor Networks, 2013 saw an 800 percent increase in the number of attacks that were larger than 20Gbps, with the largest attacks recorded at 309Gbps.

Earlier this year, a French website was hit by an attack that nearly reached 400Gbps.

To show the number, scale and variety of DDoS attacks that go on daily, Google and Arbor Networks released the Digital Attack Map last year, providing a near real-time status of the flow of attacks each day.

The scale of attacks has increased in large part due to the use of what's called an NTP Reflection attack, which was used against the French website in February.

As Arbor Networks explains: "An amplification DDoS attack is when an attacker makes a relatively small request that generates a larger response/reply, which is true of most server responses. A reflection DDoS attack is when forged requests are sent to a very large number of Internet connected devices that reply to the requests that use IP address spoofing, where the 'source' address is set to the IP address of the actual target of the attack, where all replies are sent. A reflection/amplification DDoS attack combines both techniques for a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin."

According to the company, NTP was used in 14 percent of DDoS attacks overall, with just over half of those recorded at over 10Gbps and 84.7 percent of events over 100Gbps. Sites in the US, France and Australia were the most common targets.
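
The reflection pattern quoted above leaves a recognisable trace at the target's network edge: replies from many servers' UDP port 123 that no local host ever requested. The following is an added example, not code from the article or from Arbor Networks; the flow-record layout, the thresholds and the function name are assumptions, and the records are constructed using documentation address ranges.

```python
from collections import defaultdict

NTP_PORT = 123  # NTP runs over UDP port 123

# Constructed flow records as seen at the protected network's edge:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes). Documentation addresses only.
SAMPLE_FLOWS = [
    # Normal NTP: an internal host asks a server and gets a same-sized answer.
    ("198.51.100.10", 40000, "192.0.2.1", 123, "udp", 76),
    ("192.0.2.1", 123, "198.51.100.10", 40000, "udp", 76),
    # Reflection pattern: large NTP replies nobody here asked for.
    ("203.0.113.5", 123, "198.51.100.20", 80, "udp", 44000),
    ("203.0.113.6", 123, "198.51.100.20", 80, "udp", 44000),
    ("203.0.113.7", 123, "198.51.100.20", 80, "udp", 44000),
    # A single stray reply: unsolicited, but below both thresholds.
    ("203.0.113.8", 123, "198.51.100.30", 5000, "udp", 76),
]


def find_reflection_targets(flows, port=NTP_PORT, min_reflectors=3, min_bytes=10_000):
    """Return {target_ip: (distinct_reflectors, total_bytes)} for unsolicited replies."""
    # (client, server) pairs where the client really sent a request to the service.
    requested = {(src, dst) for src, _sp, dst, dport, proto, _n in flows
                 if proto == "udp" and dport == port}
    stats = defaultdict(lambda: [set(), 0])
    for src, sport, dst, _dp, proto, nbytes in flows:
        if proto != "udp" or sport != port:
            continue  # not a reply from the reflected service
        if (dst, src) in requested:
            continue  # answer to a request this host actually made
        stats[dst][0].add(src)
        stats[dst][1] += nbytes
    return {
        dst: (len(sources), total)
        for dst, (sources, total) in stats.items()
        if len(sources) >= min_reflectors and total >= min_bytes
    }


if __name__ == "__main__":
    for target, (count, total) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{target}: {count} reflectors, {total} unsolicited bytes")
```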

Evernote's outage is most likely the result of an attack on its own infrastructure, as opposed to a cloud service such as AWS. As the company noted in 2011, it opted to build its own server farm, which back then was handling peak traffic of 250Mbps.    

Evernote services resumed about four hours after disruption from the attack started; however, it has warned users may still experience issues over the next two days.

ZDNet has contacted Evernote for more details and will update the story if it receives a response.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Feedly too

    Seems Feedly refused to pay a ransom, so their site is being attacked.
    • Yup

      Yup, and Feedly sent emails about it. Here's the text of the email I received:

      ---- Start of email ----
      Denial of service attack
      by @feedly

      Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort money from us to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can.

      We want to apologize for the inconvenience. Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is mitigated.

      We are working in parallel with other victims of the same group and with law enforcement.

      We will update this blog post as soon as we have more information.

      Thank you.

      /Edwin and Seb

      ---- end of email ----

      Which I confirmed by heading over to Feedly's mobile app, then their website. Both are currently down.

      Which kinda sucks, because I use Feedly for news, even more so than Twitter.

      "The potency of DDoS attacks has dramatically increased in recent years."

      True - although I've noticed that attacks tend to be short-lived. Usually less than a day. Launching an attack is easy, but it seems as if keeping an attack alive for long periods of time is actually difficult.

      "The scale of attacks has increased in large part due to the use of what's called an NTP Reflection attack, which was used against the French website in February."

      The thing about NTP reflection is, as I recall, it could be mitigated fairly easily once you knew what was going on: It only attacked a single port. Block the port, and have your DDoS protection provider absorb the attack.

      It *could* possibly be NTP - although since everybody knows about it and has mitigation measures against it, I have my doubts. This might be a new technique.

      The nice thing about Evernote - and this is why I love hybrid models more than pure cloud models - is that the client keeps the notes. Even though it won't sync, you can still access existing notes from the client. The notes are not gone, and you can still use them. You just can't sync them until the attack is remedied.
  • Evernote is real

    I get several emails from this place - never been there. Yet now I know them. Someone wrote I had several pictures there - to click here. With the amount of spam they created with this email I can guess what caused the problem.