An online arms race rages between attackers and defenders
Retailers find that defensive measures must keep pace.
Editor in Chief
For a big online retailer like Overstock.com Inc., now branded O.co, Internet security is a way of life.
“O.co, as with any major Internet site, is constantly being attacked,” says Sam Peterson, the e-retailer’s senior vice president of technology, web site and merchandising. “We’re constantly working to beef up our security. We’re focused on it every single day.”
Like many web site operators, Peterson prefers not to go into detail about the security methods O.co employs, lest he tip off criminals on ways to attack Overstock.com, which is No. 27 in the Internet Retailer Top 500 Guide. But he does say O.co has invested heavily in security technology that has kept the site running despite the continual probes and attacks.
Peterson adds that those attacks are becoming more sophisticated—and that security technology vendors are responding by offering better defense mechanisms.
It’s a challenge for any web retailer to keep up with the attack methods, because they are continually evolving. While many web site operators know about distributed denial of service attacks in which criminals take control of many consumers’ computers and flood web sites with traffic, it’s not only the volume of traffic that can take down web sites, says Michael Cucchi, director of product marketing at Akamai Technologies Inc., a content delivery network that earlier this year introduced Akamai DDoS Defender, a service designed to protect web sites from distributed denial of service assaults.
Attackers have learned how to maximize the strain on back-end servers and databases with each request. For example, they will hit a web site with a large number of search queries that require the site’s servers to assemble a page on the fly, such as showing a sweater in a particular color, while also looking up and displaying the inventory in a particular store.
“That search request consists of a small amount of traffic, but it has high processing requirements,” Cucchi says. “We had one DDoS attack that was people triggering changes in the language on the web page, switching the language from English to Spanish 50 times a second.” When thousands of machines make the same request, it can overwhelm web infrastructure and prevent legitimate traffic from accessing the web site.
One way Akamai repels attacks is by looking within each request coming to a web site in order to distinguish legitimate requests from those coming from botnets, the networks of computers, usually PCs of unsuspecting consumers, that criminals have seized with malicious software.
Identifying the location of the requesting machine is one way to filter requests, Cucchi says. If a site rarely sees traffic from Russia and suddenly, during a spike in volume, most of the traffic comes from there, Akamai can block requests from Russia. And there are more sophisticated filters, such as looking at which browser is being used to make the request and whether the browser supports Java—legitimate browsers usually do, but sometimes criminal attackers do not—to differentiate good requests from bad ones.
“We can get very intelligent about which ones you trust and which ones you don’t,” Cucchi says.
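The two filters described above, location against a normal baseline and the rate of processing-heavy requests per client, sketched as an added example that is not Akamai's or O.co's code. The traffic records, the `/set-language` path, and all thresholds are constructed assumptions, and both windows are assumed to cover the same length of time.

```python
from collections import Counter

# Constructed sample traffic, not real logs: (second, client_ip, country, path).
# IPs are documentation ranges; "/set-language" is a hypothetical costly endpoint.
BASELINE = ([(t % 10, f"198.51.100.{t % 40}", "US", "/product") for t in range(570)]
            + [(t % 10, "203.0.113.9", "RU", "/product") for t in range(30)])
ATTACK = ([(t % 10, f"198.51.100.{t % 40}", "US", "/product") for t in range(600)]
          + [(s, f"203.0.113.{b}", "RU", "/set-language")
             for s in range(2) for b in range(54) for _ in range(50)])


def country_share(requests):
    """Fraction of requests per country in one observation window."""
    counts = Counter(country for _, _, country, _ in requests)
    return {c: n / len(requests) for c, n in counts.items()}


def countries_to_block(baseline, window, volume_factor=3.0,
                       rare_share=0.10, majority_share=0.50):
    """During a volume spike, return countries that are rare in the baseline
    window but supply most of the current traffic. Thresholds are assumptions."""
    if not baseline or not window or len(window) < volume_factor * len(baseline):
        return []  # no spike: leave geography alone
    base, now = country_share(baseline), country_share(window)
    return sorted(c for c, share in now.items()
                  if share > majority_share and base.get(c, 0.0) < rare_share)


def costly_request_abusers(window, costly_paths, max_per_second=5):
    """Clients that hit a processing-heavy path more often per second than a
    person plausibly would (the 50-language-switches-a-second pattern)."""
    per_client_second = Counter((ip, sec) for sec, ip, _, path in window
                                if path in costly_paths)
    return sorted({ip for (ip, _), n in per_client_second.items()
                   if n > max_per_second})


if __name__ == "__main__":
    print(countries_to_block(BASELINE, ATTACK))
    print(len(costly_request_abusers(ATTACK, {"/set-language"})))
```

A spike that keeps the usual geographic mix, such as a holiday sale, returns no countries to block, which is why the check compares against the baseline share rather than raw volume.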
Another technique that can be employed during an attack is to require the requesting machine to respond in a way that only a human can, such as by typing in fuzzy characters, known as a “captcha,” a task a machine could not complete.
Cucchi advises retailers to make a plan for what to do in case they come under attack, which is particularly likely during the holidays when criminals know retailers are most likely to accede to extortion demands to keep their sites running smoothly. “Without a doubt, attacks on commerce sites spike in Q4,” Cucchi says. “Last year we saw more attacks in Q4 than in the rest of 2010.”
He advises retailers to decide in advance what steps they will take if a site comes under attack and who will be responsible for approving those steps. It’s also important to think about outside companies that may be delivering services to a web site, such as customer ratings and reviews or site search technology, and make them aware of their responsibilities if an attack occurs.
Finally, Cucchi says, it’s also important to realize that a denial of service attack may be a diversion intended to provide cover for an intrusion aimed at stealing customer data or other confidential information. “They know a DDoS attack causes confusion and panic,” Cucchi says of attackers, “and that’s when they’ll try a sneaky attempt to pull out data.”
Peterson of O.co says he sees both the attacks and the security technology changing rapidly. “This is an arms race,” he says. “You have the good guys continuing to improve their security and the bad guys constantly working to see where they can find vulnerabilities.” He says just as criminals collaborate in sharing attack methods, “We need to be doing more as retailers and Internet sites, even though we’re competitors, to keep the Internet safe.”