The Growing Strength and Frequency of Distributed Denial of Service (DDoS) Attacks – What to Know
Once again, in recent weeks, we were reminded of how susceptible websites are to attack by outside forces bent on wreaking havoc and destruction in cyberspace. These attacks happen more often than the general population knows. But when one hits a large brand or a large online service provider, it instantly makes the news. Typically it is a person or an entity with some agenda of revenge or publicity. These attacks are known as DDoS or "brute force" attacks.
Simply, a DDoS attack is an orchestrated technology event where there is an attempt to make a network or a website unavailable and/or unusable. This is done through an alignment of resources repeatedly hitting a website with communication requests. This can cause the receiving servers to overload and shut down. When an overload does not take place, the requests increase and keep valid requests from being able to complete their intended communication.
The Alarming Data
DDoS attacks occur at a growing rate. According to SecureList, a website run by Kaspersky Lab, the following stats show a snapshot of the growth in DDoS attacks starting in the second half of 2011:
2011 in figures
- In the second half of 2011, the maximum attack power repelled by Kaspersky DDoS Prevention went up 20% compared to the first half of the year, and amounted to 600 Mbit/sec, or 1,100,000 packets/sec (UDP flood with short packets of 64 bytes).
- The average attack prevented by Kaspersky DDoS Prevention in the second half of 2011 was 110 Mbit/sec – an increase of 57%.
- The longest DDoS attack in the second half of the year lasted for 80 days, 19 hours, 13 minutes and 5 seconds, and targeted a travel website.
- The average duration of a DDoS attack was 9 hours, 29 minutes.
- The largest number of DDoS attacks in the second half of 2011 – 384 in number – targeted a cybercriminal portal.
- DDoS attacks were launched from computers located in 201 countries around the world.
The Damage Done
In my dozen years in eCommerce, running websites large and small, I can say I have only had one major experience with a DDoS attack. It hit us fast and hard, but thankfully lasted only about two hours. Beyond that, I have spoken with colleagues about their experiences and have gone through case studies on how to identify and avoid (or deflect) the attacks. Not only is the attack a major inconvenience for the website visitor (most never knowing what is taking place), but it is a major time, resource and fiscal drain on the eCommerce business.
According to Kelly Jackson Higgins of the publication Dark Reading, "65% of IT pros say a DDoS costs their organizations ~$240,000 in lost revenue per day" or about $10,000 per hour. That is just lost revenue. Additional costs can also be involved, including moving resources from primary duties, the loss of customers who choose not to return, and infrastructure costs related to content serving.
I personally experienced the last point. Our site used a widely known content delivery network (CDN). Because it was not integrated into our co-located hosting, the attack was never noticed by the CDN – it kept serving images and content as though it was regular traffic. I could get into all kinds of discussions about how they should have better managed that, but instead will focus on the $223,000 bill we received. We ultimately negotiated it down, but were still responsible for the effects.
How to Sleep Better at Night
In the end, websites will never know if, or more likely when, they will get hit with a DDoS attack. Knowing that they are happening more often and that the costs of an attack are growing is enough for a head of eCommerce to take action now. Know who you are working with as vendors: platform providers, system integrators, hosting solutions, CDNs and monitoring. Know what they are doing to help you mitigate the risk of an attack and how they are providing contingencies. Discuss the terms of your agreements with knowledgeable counsel to make sure costs don't skyrocket if something happens. It is not all doom and gloom. Ultimately it highlights that when it comes to eCommerce sites, we all need to stay on our toes.