Evernote hit by first major DDoS attack

News by Steve Gold

Companies that have been DDoS attacked in the past are more likely to be attacked in the future - Mark Teolis, DOSarrest

The Evernote cloud-based productivity service has been hit by a DDoS attack, causing problems when users try to synchronise their local data resources with those of Evernote's in the cloud.

In parallel with the Evernote attack, the Prolexic Security Engineering and Response Team (PLXSert) has released a threat advisory outlining new payloads from the Zeus toolkit that it has seen in the wild.

In addition to data theft and financial fraud, for which Zeus is well known, PLXSert has also discovered Zeus being used for DDoS attacks.

Back at Evernote, the cloud specialist last suffered a security breach in March last year, causing the firm to advise its free and paid-for (freemium) users to move to a two-factor authentication login process.

The BBC newswire says that the attack started around 10:25 UK time last night, and SCMagazineUK.com notes that the site appears to have returned to service, albeit sluggishly, as of 14:00 today.

The attack also comes in the wake of the service's annual developer conference last week, at which third-party developers were told that Evernote now has more than 100 million users.

Spokeswoman Ronda Scott told the BBC that Evernote is continuing to mitigate the effects of the attack, but has successfully returned Evernote to service. "As is the nature of DDoS attacks, there was no data loss, and no accounts were compromised," she explained.

Steve Armstrong, a director at security specialist Logically Secure, said that these types of security problems are classed as grieving attacks, as they are invariably carried out by someone with a grievance against the organisation concerned.

Because Evernote has so many users, the service will undoubtedly be split across multiple servers globally, meaning that it is relatively easy to stage a DDoS attack on one or more elements of the network, even if the overall available bandwidth is quite high.

"It's very difficult to solve these types of DDoS attacks, as cloud remediation costs real money; with so many free users you have to ask where the money is going to come from," he explained.

Armstrong, who is a SANS Institute instructor and an experienced pen tester, went on to say that cloud hosting companies also have a fair usage policy, meaning that under a DDoS attack they will likely start complaining to the victim of the attack.

"I know of one client who pays between £10,000 and £15,000 a month for DDoS remediation services, so yes, they are quite expensive," he said.

Mark Teolis, general manager of DOSarrest, said that companies that have been DDoS attacked in the past are more likely to be attacked in the future.

"Evernote should take this one day outage as a huge warning and make changes to its infrastructure to avoid a repeat event. Customers have come to expect virtually uninterrupted service. Given Evernote's service, if a customer was unable to access their files stored on their system, it could lead them to look at alternative options," he explained.

Lucas Zaichkowsky, enterprise defence architect with AccessData, meanwhile, said that - whilst the motives of the attacker are a mystery at this time - typically they include hacktivists making a statement, as well as criminals seeking to extort money in exchange for ceasing the attack.

Other drivers, he added, include hackers keeping security teams busy while they break in and steal sensitive information, as well as competitors trying to upset the users and to steal business away.

"I would speculate that the motive is most likely extortion or a cover-up for hacking activity since there aren't any hacktivists taking credit for the disruption from what I can see," he said.

Tony Kenyon, EMEA technical director with A10 Networks, said that the scale and duration of these attacks is simply beyond the scope of many online organisations to deal with locally.

"To date, DDoS detection and mitigation has been an area where IT spend has lagged; it's seen as a 'nice-to-have'. What we are now seeing is that DDoS attacks are becoming more regular and more pervasive; any organisation can be hit at any time. The main difference with these sustained volumetric attacks is that any organisation that is unprepared can be effectively 'switched off the Internet' - at will," he explained.

Kenyon concluded that these attacks are fundamentally about business continuity - being prepared means having appropriate bandwidth at the point of ingress, looking at both the upstream service provision and downstream services, and having a recovery plan that assumes an attack will happen.
