Two consulting firms issued reports last month warning retailers and other web site operators of the growing threat from denial of service attacks that try to overwhelm web sites with traffic, making the sites unavailable to legitimate consumers.
“Gartner estimates that serious distributed denial of service (DDoS) attacks grew more than 30% in 2010 compared to 2009, and that this trend has continued into 2011,” write John Pescatore and Lawrence Orans of Gartner in a report entitled “Enterprise Strategies for Mitigating Denial-of-Service Attacks.”
The scale and frequency of denial of service attacks have increased in the last two years, writes Yankee Group analyst Brian Partridge in his report “The Business Case for Managed DDoS Protection,” which was sponsored by Neustar, a provider of technology to defend against denial of service attacks. Extortion is often the motive, Partridge says. “Historically, such attacks were primarily targeted at online gambling sites, but more recently retailers have become targets as well,” the report says. “In either case, the attacker launches a sample attack prior to a major sporting event or holiday, and then demands protection money to ensure it doesn’t happen again.”
Akamai Technologies Inc., a content delivery network that this year launched a service aimed at absorbing denial of service attacks, says five of its large online retailer clients were attacked around the Thanksgiving holiday last year, an example of attackers choosing crucial shopping periods to launch assaults. By all accounts, denial of service attacks are ongoing. In an attack last month the attacker demanded $3,500 per day to stop flooding the victim’s site, says Neal Quinn, vice president of operations at Prolexic Technologies, another provider of technology to mitigate DDoS attacks. The web site operator did not pay, Quinn says, adding that security experts advise web site operators not to engage in any dialogue with attackers.
Politically motivated denial of service attacks are the ones most often publicized, as the attackers are seeking publicity for their cause. A prime example is the series of denial of services attacks in late 2010 against web properties of Amazon.com Inc., the PayPal unit of eBay Inc. and payment networks Visa Inc. and MasterCard Worldwide, by supporters of WikiLeaks. Those organizations had stopped providing services to WikiLeaks after the site released confidential U.S. government documents.
But financially motivated attacks often go unreported, because neither attacker nor victim wants the incident made public. Among the attacks against online retailers that have been disclosed is an assault on the Internet address routing system of Neustar on Dec. 23, 2009, led to Amazon.com and some other e-commerce sites being unavailable to some California consumers for a short time; cosmetics retailer Sephora.com was forced offline for a couple of days from a DDoS attack about three years ago; and Burlington Coat Factory’s e-commerce site was shut down for nearly two days in May as a result of an attack. Amazon.com is No. 1 in the Internet Retailer Top 500 Guide and Sephora USA No. 116. Burlington Coat Factory is No. 539 in the Internet Retailer Second 500 Guide.
Another attack in October 2010 disrupted access to BatteriesPlus.com, the e-commerce site of retail chain Batteries Plus LLC that is No. 476 in the Top 500 Guide. A large volume of traffic to the site from computers in the Ukraine slowed down the site, says chief information officer Michael Lehman. The site cut off traffic from the Ukraine, and performance returned to normal. But the attack resumed a few hours later, this time with traffic from Thailand. Lehman says the retailer cut off traffic from Thailand, and the attacker moved to other geographic regions.
Once BatteriesPlus.com shut off traffic from all regions other than the United States, the attack continued from PCs the attacker controlled in the U.S. That’s not surprising, because the United States is the leading source of computers that criminals have taken control of and tied together into botnets that can launch denial of service attacks, according to online security provider Symantec, which says the U.S.in 2010 accounted for 14% of the world’s “bots”—infected computers controlled by botnets.
BatteriesPlus.com quickly contacted a provider of a traffic filter that could identify and block malicious traffic, and implementing that technology restored the site to normal performance within a couple of days, Lehman says. He says the DDoS attack continued until Wednesday, then stopped, exactly four days after it started.
The retailer made no estimate of lost sales, Lehman says, because customers that may have had trouble accessing the site could have come back later to buy. He estimates Batteries Plus spent $40,000 to block the attack, mostly on consulting fees, but also on employee overtime and for the initial implementation of the traffic-filtering system from a vendor he declines to name. He says the ongoing cost of that filtering service is a few thousand dollars per month. No customer data was compromised in the attack, Lehman says.
The retailer also contacted the FBI and provided FBI investigators with traffic logs that helped the agency identify a Russian man as the organizer of the attack. The FBI told Lehman to look for a ransom e-mail, but he never received one. A web site has posted a portion of what purports to be an FBI affidavit identifying the Russian individual. The document also says other retail sites were attacked at the same time as BatteriesPlus.com, including batteries4less.com, leading to speculation that the attack could have been initiated by a competitor. Batteries4less.com and the FBI declined to comment.
Lehman says he learned from last fall’s attack that it’s not just high-profile web sites that come under attack. “If you’re on the Internet,” he says, “you need to have protection.”