Evernote struck down by DDoS attack for several hours

Popular note-taking app Evernote was unavailable for several hours after being flooded with attack traffic.
Written by Liam Tung, Contributing Writer

Evernote, the popular note-taking app, was unavailable for many of its 100 million users on Tuesday afternoon PST after coming under fire from a denial-of-service attack.

The company took to Twitter on Tuesday afternoon to explain why some of its users couldn't sync their notes.

At about 2:40pm PST the company reported, "Evernote service is currently unavailable. We are working to resolve the issue. Updates to follow. Thanks for your patience."

About an hour later, the company confirmed it was trying to fend off a distributed denial of service (DDoS) attack. "We're actively working to neutralise a denial of service attack. You may experience problems accessing your Evernote while we resolve this," it said on Twitter.

The potency of DDoS attacks has dramatically increased in recent years. The main purpose of a DDoS is to make a site unavailable by slamming it with traffic from a variety of sources, which is often the work of a botnet of infected machines.

According to DDoS protection firm Arbor Networks, 2013 saw an 800 percent increase in the number of attacks that were larger than 20Gbps, with the largest attacks recorded at 309Gbps.

Earlier this year, a French website was hit by an attack that nearly reached 400Gbps.

To show the number, scale and variety of DDoS attacks that go on daily, Google and Arbor Networks released the Digital Attack Map last year, providing a near real-time status of the flow of attacks each day.

The scale of attacks has increased in large part due to the use of what's called an NTP Reflection attack, which was used against the French website in February.

As Arbor Networks explains: "An amplification DDoS attack is when an attacker makes a relatively small request that generates a larger response/reply, which is true of most server responses. A reflection DDoS attack is when forged requests are sent to a very large number of Internet connected devices that reply to the requests that use IP address spoofing, where the 'source' address is set to the IP address of the actual target of the attack, where all replies are sent. A reflection/amplification DDoS attack combines both techniques for a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin."

According to the company, NTP was used in 14 percent of DDoS attacks overall, with just over half of those recorded at over 10Gbps and 84.7 percent of events over 100Gbps. Sites in the US, France and Australia were the most common targets.
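From the receiving end, the reflection pattern Arbor describes shows up as NTP replies arriving from many servers that the targeted host never queried. The following Python sketch is an added example, not part of the original article or any Arbor Networks tooling, and it flags that pattern in flow records. The flow tuple layout, the thresholds, the function name and the sample data (documentation address ranges, with 203.0.113.0/24 standing in for the protected network) are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123  # UDP port used by NTP

# Constructed flow records, in time order:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # A legitimate time sync: our host asks, the server answers.
    ("203.0.113.10", 40000, "192.0.2.1", 123, "udp", 76),
    ("192.0.2.1", 123, "203.0.113.10", 40000, "udp", 76),
] + [
    # Replies to requests 203.0.113.80 never sent: reflected traffic.
    (f"198.51.100.{i}", 123, "203.0.113.80", 80, "udp", 4400)
    for i in range(1, 41)
]

def find_reflection_targets(flows, protected_net, min_reflectors=20, min_bytes=100_000):
    """Return {target_ip: (reflector_count, unsolicited_bytes)} for protected
    hosts receiving NTP replies they did not ask for from many sources."""
    net = ipaddress.ip_network(protected_net)
    asked = set()                  # (client, server) pairs with a real request
    reflectors = defaultdict(set)  # target -> distinct unsolicited senders
    volume = defaultdict(int)      # target -> unsolicited reply bytes
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == NTP_PORT and ipaddress.ip_address(src) in net:
            asked.add((src, dst))        # outbound NTP request from our side
        elif sport == NTP_PORT and ipaddress.ip_address(dst) in net:
            if (dst, src) not in asked:  # reply with no matching request
                reflectors[dst].add(src)
                volume[dst] += size
    return {
        ip: (len(reflectors[ip]), volume[ip])
        for ip in reflectors
        if len(reflectors[ip]) >= min_reflectors and volume[ip] >= min_bytes
    }

if __name__ == "__main__":
    hits = find_reflection_targets(SAMPLE_FLOWS, "203.0.113.0/24")
    for ip, (count, size) in hits.items():
        print(f"{ip}: {size} unsolicited NTP bytes from {count} sources")
```

The host that performed a normal time sync is not flagged, because its reply matches an earlier request; only the host receiving unrequested replies from many servers is reported.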

Evernote's outage is most likely the result of an attack on its own infrastructure, as opposed to a cloud service such as AWS. As the company noted in 2011, it opted to build its own server farm, which back then was handling peak traffic of 250Mbps.

Evernote services resumed about four hours after disruption from the attack started; however, it has warned users may still experience issues over the next two days.

ZDNet has contacted Evernote for more details and will update the story if it receives a response.
