(Page 2 of 2)
Attackers know web site operators are most likely to pay to keep their sites operating at peak times. An attacker often will launch a sample assault against an online gambling site before a big sporting event or target a retailer ahead of a peak holiday period "and then demands protection money to ensure it doesn't happen again," says the Yankee Group report "The Business Case for Managed DDoS Protection" by analyst Brian Partridge.
How much do they ask for? "They start small, and then ask for more," says Rakesh Shah, director of product marketing and strategy at Arbor Networks. He has seen demands in the range of 50,000-100,000 euros (about US$68,000-136,000). Many criminal hackers based in Eastern Europe prefer the euro over the dollar. In August, one demand was for $3,500 a day for an unspecified period, says Neal Quinn, vice president of operations for Prolexic Technologies, which specializes in services that block DDoS attacks.
In another sign that denial of service has become a business, there are now Internet chat rooms where attackers can rent botnets—captive computers are called "bots" and the linked networks of bots "botnets." A Verisign study last year of 25 botnets for hire found the going rate for an attack was $67.20 per day, with some offering hourly service at an average price of $8.94. Arbor Networks tracks 4,500 active botnets globally and observes 400 attacks a day.
Adding to the prevalence of attacks has been the wide online circulation of a web site stress-testing application called Low Orbit Ion Cannon, which the hacking group Anonymous has used to recruit volunteers to participate in denial of service attacks. The software lets any web user enter a URL to add his computer to a DDoS attack. "My 70-year-old mother would have enough technical proficiency to join that attack," says Akamai's Cucchi.
While attacks are growing in frequency and power, "There is no such thing as an unstoppable denial of service attack," write Gartner analysts John Pescatore and Lawrence Orans in a recent report, "Enterprise Strategies for Mitigating Denial-of-Service Attacks." It's just a question of how much an organization is willing to spend.
For many web site operators, the Gartner analysts say, the most cost-effective option is to rely on the site's provider of Internet connectivity to block attacks. Those providers typically charge a 10-15% premium over their normal bandwidth charges to guarantee that a site will not be overwhelmed by traffic, the Gartner analysts say.
Another strategy is to engage a company that specializes in blocking denial of service attacks—the Gartner report mentions Prolexic and Verisign as examples. BatteriesPlus.com engaged such a service provider, though Lehman declines to say which one. SpaFinder Inc., whose web site sells vouchers and gift certificates for spas and fitness classes, engaged ProLexic in August when a denial of service attack took down SpaFinder.com for about a day.
Those vendors filter a retailer's traffic to screen out malicious traffic, and their technology can do more than identify the geographic source of an attack. That's important, because attacks are increasingly sophisticated, often making requests carefully crafted to eat up the processing power of web servers and databases.
For example, an attacker may launch thousands of requests for a product page offering a book, says Sean Leach, vice president of strategy for the Verisign Network Intelligence and Availability Group. "The page might show not only the book, but related books, products other people bought, current inventory status—lots of computation goes into that page," Leach says. Such pages are assembled on the fly, and 10,000 such page requests per second can overwhelm a web site, making it unavailable to legitimate consumers.
SpaFinder.com was attacked in two ways, targeting two of the seven layers of the Internet protocol that enables computers to connect with web sites. One part of the attack came through Layer 4, as attackers made repeated requests to connect, akin to dialing a phone number repeatedly but not connecting; the other, through the application layer, or Layer 7, asked repeatedly for the site's home page.
"I never would have thought we needed DDoS protection," says SpaFinder chairman and CEO Pete Ellis. "But we do 20% of our business online, with 50% of that revenue coming in the fourth quarter. If there were any interruption to business at that time it would cost us millions of dollars."
Filtering systems can spot illegitimate requests in several ways, such as by measuring the size of the attack query and blocking requests of that size. Or they can detect IP addresses firing off 50 queries a second, which no human could do, and block those addresses. "It's pretty easy, once you start looking at the data to identify what's extremely likely to be malicious, nonlegitimate traffic," says Lehman of Batteries Plus.
As for the cost of protection, Lehman says anti-DDoS services are available for "a few thousand dollars a month" to protect a site of the scale of BatteriesPlus.com, whose 2010 web sales were $13.65 million by Internet Retailer's estimate. Larger e-retailers can expect to spend more, as fees are often based on site traffic.
During the four-day attack it experienced in October 2010, BatteriesPlus.com spent about $40,000 on defensive measures, including consulting fees, employee overtime and the initial cost of filtering technology, Lehman says.
Lehman wishes in retrospect he had argued for DDoS protection before the attack, although he recognizes senior management may have balked. "It's a tough sell when you're a smaller entity; it's an insurance program," he says. "But if you're on the Internet, no matter how big or small, you're visible and you need protection."