If anyone noticed Feedly was unavailable on Wednesday, that’s because the popular RSS service was being slammed by cyber attackers who demanded money to make the attack stop.
Following Tuesday's distributed denial of service attack on popular note-taking app Evernote, which left the service unreachable for several hours, Feedly came under a similar attack on Wednesday.
Feedly confirmed on Twitter at 11pm PST that it was under a denial of service attack. “We are working with our network provider to deflect it. Sorry for the inconvenience.”
Feedly was one of big winners after Google announced last year it would draw the curtains on Google Reader from July 1. By May, Feedly had picked up 12 million new users.
Edwin Khodabakchian, CEO of Feedly, on Wednesday posted a blog explaining that the attackers were demanding money in order to make it stop.
“Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can,” said Khodabakchian.
It’s not clear whether the attackers who blasted Evernote are the perpetrators behind Feedly’s attack, however Khodabakchian said it was “working other victims of the same group and with law enforcement”.
“We want to apologize for the inconvenience. Please know that you data is safe and you will be able to re-access your feedly as soon as the attack is neutralized,” he said.
The company says it will provide further details later.
At this stage it’s not known what type of DDoS attack Evernote and Feedly contended with, however the incidents come as cyber attackers have dramatically scaled up the traffic they’re able to fire at a target.
While there are several network protocols that can be abused to launch a DDoS attacks, an increasingly popular method to amplify the attacks is by “NTP reflection”, which exploit insecure Network Time Protocol servers.
DDoS protection service CloudFlare reported this February that its client — and ultimately CloudFlare itself — faced an NTP reflection attack that reached short of 400Gbps.
Last year, the more popular way to scale an attack was to use DNS-based reflection and amplification attacks, according to CloudFlare CEO Matthew Prince.
As Prince explained earlier this year, internet-connected PCs use the UDP-based NTP protocol to set their clocks accurately. Viewing the clock settings on a Mac, for example, displays an address time.euro.apple.com, which is actually the address of an NTP server run by Apple.
The NTP protocol is useful for an attacker because it replies to packets with a spoofed source IP address and, as Prince notes, one of its built-in commands will send a long reply to a short request.
“NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack,” explained Prince.