The attack load was off the charts, said Protonmail co-founder Andy Yen. At its peak the attack swamped his company with a massive and sustained wave of junk data. The massive denial of service (DDoS) attack threatened to sink the tiny CERN-backed email encryption service.
"We were feeling incredibly down," said Yen. "Here we were, a 15 person startup whose only desire is to do good things in the world fighting a terrifying enemy that had managed to even cripple an ISP. And there in that room was the team that was supposed to somehow fight off the biggest cyberattack to ever hit Switzerland, with not a single networking expert among us."
"After an attack [clients] often feel angry and violated," said Matthew Prince, CEO and co-founder of Cloudflare about the damage a DDoS attack can cause. "A DDoS attack is not a sophisticated attack. It's the functional equivalent of a caveman with a club. But a caveman with a club can do a lot of damage."
Like Yen's company, most startups and small businesses have small teams and sparse resources to fend off a DDoS attack. As its name implies, a DDoS prevents users from accessing a site and services by throwing a massive amount of data against the company's hosting and web services. Some attacks can exceed 1 TB per second, said Prince. "That's 100,000 times a typical home bandwidth connection," he said, "directed at one target."
How common are denial of service attacks? Data from the ATLAS threat report, a collaborative project between Google Ideas and Arbor Networks, observed over 2,000 denial of service attacks per day. According to a study performed by Incapsula in 2014, denial of service attacks cost business between $5,000 and $40,000 per hour in lost revenue. The report states that nearly half of all attacks last between 6 and 24 hours, and can result in over a half million dollars in damage per incident.
Attackers can be extortionists, competitors, hactivists, or spurious vandalists. How should businesses and organizations that aren't staffed with professional network experts or a large cash reserve respond to threats of cyber-blackmail and massive denial of service attacks respond? Here are four things you can do.
1. Be prepared
All small and mid-size business should be prepared for a denial of service attack and have a disaster response plan ready, said Tod Beardsley, Security Research Manager at Rapid7. Best practices involve identifying key team members who are tasked with response. Establish team roles, tasks, and needs. Then, said Beardsley, "drill on it routinely before the emergency so everyone involved knows what to do when the inevitable happens."
Companies and organizations should work with their internal IT and PR teams, hosting providers, and ISP to identify vulnerable points of failure, technical holes and escape routes, and how you'll communicate damage and service loss to clients and the press.
2. Understand the attack
Is your network being hammered by a professional outfit or amateur bedroom hacker? Well-vetted services like Akamai, Imperva Incapsula, and Cloudflare all offer various types of DDoS prevention software. Most of these tools run sophisticated algorithms that identify different types of traffic. The DDoS tool attempts to sniff out, detect, and filter various types of malicious and benign bots, and permit legitimate and human traffic.
It is often difficult to tell from a single instance if the attack is "a professional, a script kiddie, or even just an angry student who rented DDoS services," said Tim Matthews, vice president of marketing at Imperva Incapsula. It is fair to assume, he noted, that network assaults exceeding 50 Gbps or more are most likely professional.
Often proliferated under the euphemistic banner of 'network security tools,' some of the most common attack utensils are known as booters and stressors. As the names imply, these tools amplify and focus the DDoS payload: a flood of web robots and inorganic network traffic.
"We do keep track of known botnets, so we would know the weapon used, if not the criminal mounting the attack," said Matthews. "Think of Botnet operators as arms dealers. They will sell to all comers with money or a shared world view. So they are criminals, but not the orchestrators of a given attack."
3. Respond and stick to your guns
As with all disaster response, don't panic. Keep calm, and carry on. Make sure your services are running, and your clients are briefed. If you've properly prepared, your team will be ready to respond, emphasized Beardsley.
Matthews said he advises clients to establish a mini war-room where team members can coordinate and optimize response tactics. Once your tech team has mitigated the attack, make sure that the communication team is prepared to provide specific details to the media, and the legal team is ready to handle potential regulatory and compliance issues.
If you're offered a ransom, don't pay the hijackers. "There is no guarantee that the criminal will honor the agreement," said Matthews. "Paying will only identify you or your organization as a mark, and they may come back and ask for more. And once identified as an organization that will pay, others may catch wind and come your way."
4. Learn and adapt
When the siege subsides, take time to catch your breath. It's important to learn from the attack, said Beardsley. "Create a robust post-mortem analysis of what went right and what went sideways."
Make sure your IT and legal teams gather needed forensic data, and log the germain details. Establish a communication protocol for dealing with internal team questions, the media, and your customers.
Learn from the attack, said Price, about how you were hit. "Find out where the network bottlenecks are and choose an infrastructure chain that is inherently resilient."
After a week sustained server-hammering, with the help of Swiss-based network management company IP-Max, Protonmail was able to fend off the attack. "At the end of the day, we weren't the ones who saved ProtonMail, it was IP-Max," said Andy Yen. "These guys were so good at networks they could make miracles happen."
Beardsley emphasised that analysis and communication will help with preparation for the next attack, and boost team morale.
"Emergency work is pretty standard in IT, but routine levels of emergency without reflection is a recipe for burnout," said Beardsley. "The last thing you want is to lose the people who have the organizational intelligence and historical perspective during and after a crisis."
- Interview with a DDoS troll: Meet 'the Gods of the Internet' (CNET)
- New DDoS attack uses smartphone browsers to flood site with 4.5bn requests (ZDNet)
- The anatomy of a DDoS extortion attempt (TechRepublic)
- Chinese government linked to largest DDoS attack in GitHub history (TechRepublic)
- 10 Swiss startups you need to watch (TechRepublic)