Feedly’s DDoS: are we all open to extortion?

Feedly was the most recent web service brought down by cybercriminals in an extortion-based DDoS.

Last week was a difficult week for those of us who rely on RSS to keep up with what’s going on on the web. In this post-Google Reader landscape, Feedly seems to have been the big success in building a successor to that late, lamented Google product.

And for much of the tail end of the week it was down.

Was it due to scaling problems? No.

A bug in the system? No.

It was under attack by online extortionists.

Extortion by Denial

Feedly was essentially brought down by a massive Distributed Denial of Service attack. If you imagine the service as having a front door, the attackers sent so much traffic to the service that the door ended up blocked, and regular customers couldn’t get in.

And then they asked Feedly for money to make this go away. This is the classic extortion attempt: “nice online business you have there – be a real shame if none of your customers could access it”.

Feedly went through three waves of these attacks before the extortionists moved on. In the past, multiple services have been attacked in the same way, including Basecamp, Typepad and Evernote.

All of these companies have said the same thing: that demands were made to pay up to stop the DDoS attack, and that multiple waves came in when they refused to pay.

The fact that these attacks have kept happening for months now suggests that some companies have quietly paid up to have the attacks go away, and thus never came to our notice. The more this happens, the more incentive the attackers have to carry on – and for copycats to follow their example. Multiple victims have said that they’re working with law enforcement to deal with the people at the heart of the attacks, but we’ve not seen any results of that yet.

Customer pain

You can begin to understand why this has happened (if it has) by looking at comments like this one on the Everything Typepad:

Knowing I paid good money to use you as my host over other sites with more choices… I could go on. I’m just exhausted and angry and disappointed at how you’re handling this.

Or this one on Building Feedly:

A hopeless situation made worse by the fact that I am one of ‘paying customers’. No updates for the last 8 hours! Some of us rely on your service to support their work. An update with a realistic and achievable timescale for resolution would be appreciated. If you can’t resolve the issue in a reasonable timeframe, then please say so, so that those of us who wish to can find an alternate service.

The horrible truth for web companies is that many – if not all – of their paying customers do not understand what is happening, do not understand that it is fundamentally not the service’s fault, and can only see that they are not getting what they pay for. If enough switch away to alternatives – not realising that their new service is potentially just as vulnerable – their business could take a very serious ongoing hit. Some might see the extortion fee as one worth paying to prevent that.

The folks at CloudFlare have been taking point in much of the technical battle against this situation – and are even offering free protection for smaller sites against politically-motivated DDoS – and have been involved in dealing with the attacks on some of the companies named above.

But, for pretty obvious reasons, we don’t know right now how well the attempts to build widespread defences against these sorts of botnet-based attacks are going, or how the criminal investigation is going. And until something changes, a lot of small web services will be living in fear of their service suddenly going down, and the demands arriving via e-mail…