The holiday shopping season is underway—let the frenzy begin! This is the time of year when retailers make as much as one-third to one-half of their annual profits. If your company conducts sales over the Internet, it’s critically important to keep the website up and operating at maximum efficiency. If consumers coming to your site experience online frustrations, it’s too easy for them to jump to another e-retailer’s website and do business there instead.
After the well-publicized distributed denial-of-service (DDoS) attacks against the country’s largest banks this past fall, you must consider the possibility that your company, too, could be the victim of an attack. A denial-of-service attack that knocks your website offline for even a day could cause a serious loss of revenue. With that in mind, I’ve gathered some tips from anti-DDoS experts to help you plan for preventing or mitigating a DDoS attack if it should happen to you.
Don’t count on a firewall to prevent or stop a DDoS attack.
The first step is to recognize that your firewall is insufficient protection against many types of DDoS attacks that are increasingly common today. Even a next-generation firewall that claims to have DDoS protection built in cannot deal with all types of attacks. The fact is, firewalls just aren’t designed to handle volumetric attacks, low-and-slow application attacks, and other kinds of hybrid attacks. At best, your firewall may overload or freeze up and shut off all inbound traffic—including good customer traffic along with the bad attack traffic. At worst, your firewall will go into bypass mode and allow all traffic, good and bad, to flow. This puts the rest of your IT infrastructure, as well as your data, at risk.
The best protection against DDoS attacks is a purpose-built device or service that scrutinizes inbound traffic before it can hit your firewall or other components of the IT infrastructure. This type of solution has one mission: to prevent excessive or malicious traffic from making your web-based applications inaccessible to legitimate customers or users.
Bake DDoS into your business continuity and disaster recovery plan.
Although DDoS attacks have been happening for years, they are relatively new on the radar screen for IT security experts. It’s really only been two or three years since this type of cyber crime started grabbing headlines. For example, the hacktivist group Anonymous has made DDoS a favorite tactic to protest other people’s politics.
Most companies have a business continuity/disaster recovery (BC/DR) plan that outlines what to do in the event of some sort of business interruption or outage. Your company needs to include procedures for DDoS mitigation in the broader plan. This will help to minimize any delay in responding to an attack and help assure that your company executives will commit the necessary resources for prevention and mitigation.
Know the signs of an active attack.
During this holiday shopping season, you can expect your inbound traffic to go up. Hopefully you have a lot more (good) traffic visiting your website than is typical at other times of the year. However, you need to be able to distinguish what is considered normal peak traffic from attack traffic that overwhelms or disables your network resources.
Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the United States Computer Emergency Readiness Team (US-CERT) advises that the following symptoms could indicate a DDoS attack:
- Unusually slow network performance (opening files or accessing web sites)
- Unavailability of a particular website
- Inability to access any website
- A dramatic increase in the number of spam emails received
If you observe or your customers report any of these problems, contact your IT administrators right away to have them investigate the probable cause.
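As an added example (not code from the original article), here is the kind of check an IT administrator could run over web access logs to tell a busy but legitimate peak from flood traffic. It assumes common-log-format lines such as Apache or nginx write, and the sample log it analyzes is constructed inline, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Common-log-format fields shared by Apache/nginx access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def _log_line(ip, minute, second, path="/"):
    """One constructed access-log line, timestamped 26/Nov/2012 09:MM:SS UTC."""
    return (f'{ip} - - [26/Nov/2012:09:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120')

def build_sample_log():
    """Constructed sample (not real traffic): minute 00 is a busy but legitimate
    holiday peak (40 distinct shoppers, 2 requests each); minute 01 has the same
    shoppers plus three sources that each fire 100 requests at one URL."""
    lines = [_log_line(f"198.51.100.{i + 1}", m, (2 * i + r) % 60, "/cart")
             for m in (0, 1) for i in range(40) for r in range(2)]
    lines += [_log_line(f"203.0.113.{k + 1}", 1, r % 60, "/search?q=deal")
              for k in range(3) for r in range(100)]
    return lines

def summarize(lines):
    """Return {minute: (request_count, Counter(source_ip))} from raw log lines."""
    per_minute = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of crashing mid-incident
        per_minute[m.group("ts")[:17]][m.group("ip")] += 1  # key: "26/Nov/2012:09:00"
    return {k: (sum(c.values()), c) for k, c in per_minute.items()}

def flag_minutes(summary, baseline_rpm, rate_factor=3.0, top_share=0.5, top_n=3):
    """Flag minutes whose volume is far above baseline AND where a few sources
    dominate. A genuine shopping peak is high volume spread across many clients,
    so it passes the rate test but fails the concentration test."""
    flagged = {}
    for minute, (count, by_ip) in sorted(summary.items()):
        top = by_ip.most_common(top_n)
        share = sum(n for _, n in top) / count if count else 0.0
        if count > rate_factor * baseline_rpm and share > top_share:
            flagged[minute] = {"requests": count, "top_share": round(share, 2),
                               "top_sources": [ip for ip, _ in top]}
    return flagged

if __name__ == "__main__":
    for minute, info in flag_minutes(summarize(build_sample_log()), baseline_rpm=20).items():
        print(minute, info)
```

The baseline request rate and the thresholds are assumptions to be tuned from your own quiet-period logs; the point is that volume alone does not separate a good holiday peak from an attack, but volume plus source concentration usually does.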
Know your customers and lock out unexpected transactions.
Unless your company is a global retailer, you probably have a limited geography in which you do business—even if that geography is the entire country. The point is, you wouldn’t expect people from Eastern Europe or China to be placing orders via your website, so the presence of inbound traffic from those geolocations may indicate trouble. If your anti-DDoS solution has the feature, restrict transactions that originate in locations where you don’t typically do business.
Measure the financial impact of being offline for a period of time.
How much would it cost your company if no web transactions could take place for 4 hours? 8 hours? A full day? At this time of year, the loss of revenue could be considerable. Calculate what the financial impact would be so that you have leverage if you need to justify to executives the expense of DDoS mitigation services.
If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity.
Many people believe that the only damage from a DDoS attack is that web resources are unavailable during the attack. Security experts now believe that DDoS attacks may be smokescreens to hide other cyber crimes, including data breaches or financial fraud. Payloads in the attack traffic could be dropping malware on your servers. If your company does experience a DDoS attack, do a very thorough inspection of all system logs to determine whether other malicious activities took place during the attack period. Be especially mindful of your PCI/credit processing environment. Be sure to deploy defenses at the perimeter of your cardholder data environment as required by PCI-DSS.
Know who to call to stop an attack.
If you choose to roll the dice and not put an anti-DDoS solution in place before an attack can occur, then at least know who to contact immediately if you suspect your company is under attack. Forget about calling your ISP; that company can’t solve the problem without shutting out the good traffic with the bad. No, you need to explore the dedicated anti-DDoS solutions on the market and decide which vendor/solution provider to call if the need arises. It’s like choosing your doctor before you get sick so you don’t waste valuable time figuring out what to do in dire circumstances.