Avoiding Coal in the E-tailer Stocking: Defense.Net DDoS Mitigation Pioneer Shares Top Seven Tips for Protecting E-commerce Sites Against Attacks on Cyber Monday
“Online retailers and other companies that rely on their websites for conducting business need only look back to what happened to Burlington Coat Factory two years ago when a DDoS attack shut down their website for 45 hours,” said Barrett Lyon, founder and CTO of Defense.Net, whose pursuit of hackers operating as part of the Russian mob was chronicled in the best-selling book, Fatal System Error. “As 2013 has seen an unprecedented increase in DDoS attacks, there are some simple steps online retailers can take to avoid the devastating financial loss of a DDoS attack during the critical holiday shopping season or on Cyber Monday, the busiest online shopping day of the year.”
In DDoS attacks, perpetrators assemble an army of compromised computers (a botnet) to inundate a website with a volume of requests that overwhelms and crashes it. Recently, sophisticated attack tools have become so easy to obtain that a botnet that can do millions of dollars of damage within minutes can be rented for $7 per hour. This has put a weapon that was previously in the domain of sophisticated cybercriminals in the hands of a wide audience with varying motivations for attacking a website – from business competitors to disgruntled customers or former employees to extortionists to “hacktivists” who object to merchandise being sold. According to Forrester, the estimated impact can be around $2.1 million lost for every four hours a website is down and $27 million for a 24-hour outage, depending on the size of the business.
“Too many businesses today believe that a DDoS attack ‘could never happen to me,’ but when I recently presented at the ‘Retail Center of Innovation’ event in Silicon Valley and spoke with the top brands participating at the event, more than one-third said their brands had been DDoS attacked within the past week,” said Chris Risley, CEO of Defense.Net. “If a hacker wanted to attack an e-commerce site and achieve the largest impact, Cyber Monday would be an obvious target. It’s more important than ever that retail sites prepare in advance and stay ahead of potential attacks.”
Barrett Lyon's top seven tips for retail e-commerce sites to protect themselves from a DDoS attack are:
- Assess Your Risk and Avoid the “It Could Never Happen to Me” Syndrome. Are there disgruntled customers, partners, former employees, etc. that could feel strongly enough to launch an attack against you? Do you sell items that could be considered objectionable by anyone, such as fur coats, items manufactured in actual or perceived “sweat shops,” etc.? Keep in mind that even if you believe there is no one that holds a grudge against your business, at any minute you could receive a “ransom note” from an extortionist that demands payment to prevent an imminent DDoS attack on your website.
- Listen to the Chatter. Many hackers attack for recognition, especially in the case of DDoS attacks, which are frequently used punitively, unlike other cybercrime where the perpetrator seeks financial gain. Keep abreast of news reports, blogs and forums such as Pastebin that hackers use to brag about their exploits so you can best prepare before an attack is launched. Closely monitor your brand on social media, as you'll likely hear about an attack first on Twitter.
- Talk to Your Service Provider. Most service providers will offer DDoS mitigation services at nominal cost. However, it is important to investigate the bandwidth resources of your service provider. Note that a large DDoS attack on one of your service provider's other customers could take down that provider's capability to protect any additional customers, leaving your site vulnerable. Another consideration: as attack mitigation is expensive and ancillary to their core business, most service providers will cancel your protection if you are regularly attacked.
- Consider Additional Mitigation Resources. Research the options available for a more aggressive defense against DDoS attacks. Options range from building your own network to installing DDoS mitigation hardware to using the services of a cloud-based DDoS mitigation provider. These options vary in cost and complexity, but offer the best insurance policy against a catastrophic site outage. Note that if these systems are installed before an attack occurs, the mitigation will be significantly more effective and less expensive than bringing in mitigation once an attack has started.
- Understand the Warning Signs that Your Site is Under Attack. DDoS attacks are often misdiagnosed as higher-than-normal levels of legitimate traffic. Retailers are especially vulnerable to this during the holiday shopping season when increases in traffic are expected, but the amount of increase is unpredictable. By working with your service provider or developing the internal capability to review the IP addresses of the inbound traffic to your website, you can assess the legitimacy of the visitors to your site and deploy countermeasures before an attack overwhelms your defenses.
- As a Last Resort, Know Who to Call in an Emergency. Prepare a list of the top mitigation services you can call in to get your site back up if it has been taken down by a DDoS attack. As noted above, this will be more expensive and will leave some “collateral damage” akin to the fire department that breaks windows and walls, leaves water damage, but extinguishes the fire.
- During an Attack, Be Sure to Mind the Store. Recently, DDoS attacks have been launched as diversions for cybercriminals to steal credit card information or passwords, or to commit other cybercrime beyond taking down your website. In other cases, cybercriminals look for a site under DDoS attack and opportunistically attempt to steal data when the attention of the company is focused on the DDoS attack and restoring the website. Ensure that you are equally vigilant for pile-on attacks while mitigating a DDoS attack.
For more information on the current DDoS threat landscape, Defense.Net Founder and CTO Barrett Lyon developed a white paper which is available on the Defense.Net website.