Patrick Lambert looks at some of the ways you can protect your website from DDoS extortion threats.
It's a scene out of a movie script. You own a small business on a quiet street, and happily serve your customers day after day. But then one day, a couple of thugs walk in and stand in the doorway, arms crossed, while their boss approaches you at the counter. He demands to be paid protection money so that your business doesn't suffer an unwanted incident, and so you can keep serving your customers. This is a scary scenario for any business owner, and if you live in Russia it may be something you actually have to contend with. But no western business expects this scene to unfold in a quiet American town - certainly not without a quick call to the local police station. Unfortunately, the digital equivalent is all too real for businesses all over the world, and there's little that law enforcement can do to stop it once the trouble starts. Fortunately, there are things you can do to protect yourself and make sure your online shop isn't affected.
Most of us know what a Distributed Denial of Service (DDoS) attack is: a large flood of traffic coming from thousands of hijacked computers, all directed at your website or server in order to crash it, or to keep it so busy that normal users can't get through. What isn't as well known is how frequent these attacks are. In 2011, Trustwave released a report showing DDoS attacks were up 32% over the previous year, and 2012 will likely be worse. This is mostly because attack tools have become so cheap and so widely available. Any virtual thug can rent access to a botnet made up of hundreds of thousands of computers for pennies per hour. The damage they can do with that is impressive. More importantly, it's also big money for them. Where floods used to be the tool of kids wanting to vent their anger, they are now the main way extortion gets done online, and it happens a lot.
The way it works is fairly simple. The criminals, usually based in eastern countries, far removed from U.S. or even European law enforcement, will pick a juicy target. This could be a gambling site just before a big game, or a shopping site just before the holidays.
The point is to target sites that make money online and rely on customers being able to reach them. So one morning, the flood starts. After a few minutes, an email arrives with the demands. Usually it's not a small sum that's requested to make the attack stop. These attacks are run by criminal gangs, and the demands typically scale with the size of your business; protection rackets asking for several thousand dollars are common. Meanwhile, until you agree to pay up, all you see on your end is the enormous volume of traffic your site has to cope with.
The sad reality is that many businesses don't have a website that's protected from DDoS attacks. Worse, if you're hosting your website with a normal hosting provider, chances are they won't be happy to see you come under attack like that. There are a lot of examples of businesses that contacted their hosting provider for help, only to be dropped as a customer. That's because not all hosts can absorb large floods, and by being targeted you're impacting all of their other customers as well. So instead, many people end up paying to get out of the situation. They pay the criminals and the problem goes away. Usually they don't publicize it either, so it's hard to know how many companies have paid. But once you give in to extortion, you're placed on a list of easy targets, and you can expect to be asked for even more in the future. This is why DDoS protection starts the moment you decide to go online. Selecting your hosting provider is key to making sure you're ready to defend yourself. Modern DDoS attacks can reach 50Gbps or more. That is a lot of traffic, and the most straightforward way to protect yourself is to make sure your server sits behind large pipes, with a provider that will filter an attack rather than show you the door.
The damage from such an attack can happen on many levels. If the flood is simply a large amount of traffic, it may fill up your network pipes and prevent real users from reaching your site. Some hosts have options where you can get higher bandwidth for a short period should you need it. But the attack could also target the server's resources rather than its bandwidth. A SYN flood, for example, starts thousands of TCP connections and never completes the handshake, leaving half-open connections that fill up the server's connection table until it stops accepting new ones; the packets themselves are not malformed, which is why extra bandwidth alone doesn't help. The way to protect against that is to have network firewalls that recognize this pattern and drop it, along with kernel protections such as SYN cookies. But against a really large DDoS attack, all of these measures may not be enough. Even if you pay a lot of money to a large hosting provider, a single datacenter may not be able to protect you against a botnet of 100,000 computers or more. This is why large websites use content delivery networks, or CDNs. There are several popular CDNs out there, including Amazon CloudFront, RackSpace, and Akamai. The basic idea is that your site is no longer one server but dozens or even hundreds of cache servers spread all over the world. When someone connects to your URL, DNS or anycast routing sends them to a nearby datacenter. This speeds up your site, and also gives you a degree of DDoS protection, since the attack is absorbed across many locations instead of hitting a single pipe.
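To make the SYN flood symptom concrete, here is a small added example (not code from the original article) that reads a snapshot of TCP socket states in the shape `netstat -tn` or `ss -tan` prints, counts half-open (SYN_RECV) sockets, and flags a flood when they dominate. The sample lines are constructed for the demonstration and the two thresholds are arbitrary assumptions, not published numbers.

```python
"""Flag a SYN flood from a snapshot of TCP socket states.

Added example, not code from the original article. The input format
mimics `netstat -tn` / `ss -tan` style lines (proto, recv-q, send-q,
local address, remote address, state); the sample lines are constructed
and the thresholds below are arbitrary assumptions, not published values.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

HALF_OPEN_THRESHOLD = 20   # assumption: this many SYN_RECV sockets is worth a look
RATIO_THRESHOLD = 0.5      # assumption: share of half-open among half-open + established


def build_sample_snapshot() -> List[str]:
    """Constructed snapshot: a few real clients plus a flood of half-open sockets."""
    lines = [
        "tcp 0 0 10.0.0.5:80 198.51.100.20:51234 ESTABLISHED",
        "tcp 0 0 10.0.0.5:443 198.51.100.21:51235 ESTABLISHED",
        "tcp 0 0 10.0.0.5:80 198.51.100.22:51236 TIME_WAIT",
        "udp 0 0 10.0.0.5:53 0.0.0.0:*",
    ]
    # A flood usually spoofs its source addresses, so spread the SYN_RECV
    # entries over a range of (documentation-block) addresses.
    for i in range(40):
        lines.append(f"tcp 0 0 10.0.0.5:80 203.0.113.{i % 10 + 1}:{40000 + i} SYN_RECV")
    return lines


def parse_socket_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (remote_ip, state) for a TCP line, None for anything else."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "tcp":
        return None
    remote_ip = parts[4].rsplit(":", 1)[0]   # strip the port
    return remote_ip, parts[5]


def analyse_snapshot(lines: List[str]) -> Dict[str, object]:
    """Count connection states and decide whether the box is under a SYN flood."""
    states: Counter = Counter()
    half_open_sources: Counter = Counter()
    for line in lines:
        parsed = parse_socket_line(line)
        if parsed is None:
            continue
        remote_ip, state = parsed
        states[state] += 1
        if state == "SYN_RECV":
            half_open_sources[remote_ip] += 1

    half_open = states["SYN_RECV"]
    established = states["ESTABLISHED"]
    total = half_open + established
    ratio = half_open / total if total else 0.0
    # Both conditions together: a busy but healthy server has many
    # ESTABLISHED sockets, a flooded one has mostly SYN_RECV.
    suspicious = half_open >= HALF_OPEN_THRESHOLD and ratio >= RATIO_THRESHOLD
    return {
        "half_open": half_open,
        "established": established,
        "ratio": round(ratio, 3),
        "suspicious": suspicious,
        "top_sources": half_open_sources.most_common(3),
    }


if __name__ == "__main__":
    report = analyse_snapshot(build_sample_snapshot())
    print(report)
    if report["suspicious"]:
        # Kernel-side mitigation on Linux: SYN cookies let the stack answer
        # SYNs without reserving a connection-table entry per half-open socket.
        print("sysctl -w net.ipv4.tcp_syncookies=1")
```

Run it against the constructed snapshot and the report shows 40 half-open sockets against 2 established, which trips both thresholds; feed it a snapshot of only ESTABLISHED sockets and it stays quiet. The per-source counts are there because a flood from a handful of addresses can be blocked at the firewall, while evenly spoofed sources point you towards SYN cookies or upstream filtering instead.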
CDNs used to be reserved for large businesses, but in recent years they have become much cheaper. If you're already using AWS, for example, it doesn't cost much more to put CloudFront in front of your site. Another interesting service is CloudFlare. Even if your site is hosted on a single server, CloudFlare can cache the static resources of your site and serve them from its datacenters around the world, providing a protection layer in front of your actual server. Without having to pay anything, you can enable that cloud layer and gain quick, efficient DDoS protection. The company recently reported how it dealt with a 65Gbps attack. One caveat: that layer only helps if attackers can't reach your server directly, so once the CDN is in place, make sure the origin accepts traffic only from the CDN. The takeaway is that protecting yourself against this type of attack used to be very hard and costly, but now it's fairly easy, as long as you take the time to do it now, before you become a target, so you don't have to scramble when the day comes. Remember that these attacks can come against any site, and giving in to extortion is the last thing you should do.
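A practical check that goes with putting a CDN in front of a single origin: the origin should refuse anything that did not arrive through the CDN, and it should only believe the `X-Forwarded-For` header when the direct peer is the CDN, because anyone who discovers the origin's address can connect straight to it and forge that header. The example below is added here and is not CloudFlare's or any CDN's own code; the trusted proxy ranges are placeholders taken from the RFC 5737 documentation blocks, and in practice you would load the ranges your CDN publishes and keep them updated.

```python
"""Refuse requests that bypass the CDN and recover the real client address.

Added example, not CloudFlare's or any CDN's own code. The trusted proxy
ranges are placeholders from the RFC 5737 documentation blocks; in
practice use the ranges your CDN publishes and keep them updated.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Assumption: these stand in for the CDN's egress ranges (constructed placeholders).
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_trusted_proxy(ip: str) -> bool:
    """True if the address belongs to one of the CDN ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the real client address, or None if the request must be refused.

    X-Forwarded-For only means something when the direct peer is the CDN:
    a request that hits the origin directly can carry any header it likes.
    """
    if not is_trusted_proxy(peer_ip):
        return None
    xff = headers.get("X-Forwarded-For", "")
    chain = [p.strip() for p in xff.split(",") if p.strip()]
    # Each proxy appends the address it saw, so walk from the right and
    # skip our own proxies; the first address that is not one of them is
    # the client as seen by the CDN. Entries further left were supplied
    # by the client itself and cannot be trusted.
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None   # malformed header: refuse rather than guess
        if not any(addr in net for net in TRUSTED_PROXY_RANGES):
            return str(addr)
    return None   # the CDN always sets the header; its absence is a bypass attempt


def handle_request(peer_ip: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Minimal decision: 403 for anything not arriving through the CDN."""
    client = client_ip(peer_ip, headers)
    if client is None:
        return 403, "origin only accepts traffic via the CDN"
    return 200, f"hello {client}"


if __name__ == "__main__":
    # Constructed requests: one through the CDN, one straight at the origin.
    print(handle_request("203.0.113.10", {"X-Forwarded-For": "192.0.2.44"}))
    print(handle_request("192.0.2.44", {"X-Forwarded-For": "203.0.113.10"}))
```

In a real deployment the same allow-list belongs in the host firewall as well, so that a direct connection is dropped before it ever reaches the web server and consumes a connection slot; the application-level check is the safety net for the case where the firewall rule is missing or stale. If the origin address has already leaked (old DNS records, mail headers, certificates), changing it is part of the job, since the filter only helps against attackers who have not found it yet.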