Chad Ghosn joins the online furniture retailer from Expedia.
E-retailers face denial of service attacks from criminals seeking protection payoffs.
Traffic to BatteriesPlus.com is pretty predictable. Thus, when activity spiked on Saturday morning, Oct. 23, 2010, slowing site performance significantly, the site's managers quickly recognized that a denial of service attack was underway.
Such attacks seek to overwhelm web sites with more requests than they can handle, blocking access by legitimate consumers. At BatteriesPlus.com, most of the traffic was coming from the Ukraine, so the retailer blocked Ukraine IP addresses. The site began responding normally for a few hours, until a new wave of requests from Thailand flooded the site.
"This went on for hours," says Michael Lehman, chief information officer of Batteries Plus LLC, the retail chain that operates the e-commerce site. "We would block a certain part of the world and site performance would return to normal. Then they'd move to PCs in a different geographic area. We'd see a slight spike and then the site would start to slow down and we'd block that geographic area. Eventually, we blocked everything except the United States."
But even that did not work, as the attackers quickly began firing requests at BatteriesPlus.com from PCs in the U.S. they had infected with malicious software, giving them control of the machines of thousands of unsuspecting consumers. "It was not a fun Saturday," Lehman recalls.
Lehman's not the first web retailer to have his day ruined by a denial of service attack, and he's not likely to be the last. Security experts say e-retailers are increasingly being targeted by denial of service attacks, especially around peak holiday shopping periods, times when they are most likely to pay to keep their web sites running.
While Lehman says he did not receive an extortion demand, which the FBI told him to expect, he says he spoke with another online retailer who was told that, if he paid up, the attack against his site would end but would continue against competitors' sites. "It was a double incentive to pay," Lehman says. The retailer in question instead implemented technology to block the attacks.
E-retailers do have a growing array of services available to them to block denial of service attacks, experts say. But retailers must recognize the problem and persuade top executives to pay for what amounts to insurance against a possible attack—sums CEOs may resist spending, thinking only high-profile targets come under attack.
A growing threat
That's not the case, say consulting firms Yankee Group Research Group Inc. and Gartner Inc., which both warned of the growing threat from denial of service attacks in recent reports.
Gartner estimates that denial of service attacks—often referred to as distributed denial of service, or DDoS attacks, because the traffic typically comes from thousands of infected computers linked together—increased by 30% worldwide in 2010 over 2009. Not only are attacks more frequent, they're also more powerful, with the highest-volume attack recorded in 2010 firing data at a rate of 100 gigabits per second, more than twice the rate of the biggest attack in 2009, according to a study by Arbor Networks Inc., which sells technology for mitigating DDoS attacks. Only the biggest e-retail sites are equipped to handle more than 1 gigabit, or 1 billion bits, of data per second, experts say.
"There is incontrovertible data that shows the volume of DDoS attacks is increasing, and the hackers are not just doing it for their own entertainment," says Jennifer Pigg, vice president and network infrastructure specialist at Yankee Group. "A certain percentage of attacks are political, and a certain percentage are based on a desire to flex their programming muscles, but a growing amount are focused on making money."
Political attacks make headlines. A prime example are the attacks last December against web properties of Amazon.com Inc., the PayPal unit of eBay Inc., and payment networks Visa Inc. and MasterCard Worldwide, after those organizations cut off services to WikiLeaks following that web site's release of confidential U.S. government documents. But attacks against e-commerce sites often go unreported, because the attacker's aim is profit, not publicity, and victims seek to avoid embarrassment.
Among the publicly disclosed attacks that hit online retailers is an assault on the Internet address routing system operated by Neustar Inc. two days before Christmas 2009 that led to Amazon.com and some other e-commerce sites being unavailable to some consumers for a short time, and an attack that took Burlington Coat Factory's e-commerce site offline for nearly two days in May.
But there are many more, security experts say. A March 2011 survey of 225 U.S. information technology executives from large and midsized companies found 63% had experienced a denial of service attack in the previous year, according to Verisign Inc., a security technology company that sponsored the survey. Among those who had been attacked, 46% said their site was down for at least five hours, and 23% said the outage lasted more than 12 hours.
Nor can e-retailers guarantee safety by blocking traffic from computers outside of the U.S., as BatteriesPlus.com did when attacked. 14% of the world's infected PCs are in the U.S., making the U.S. the world leader in that dubious statistic, according to Internet security firm Symantec Corp.
Attacks against e-retail sites pick up around the holidays, says Akamai Technologies Inc., a content delivery network that introduced its Akamai DDoS Defender service this year. Five of Akamai's e-retail clients came under attack in the week after Thanksgiving last year, in some cases receiving 10,000 times their normal traffic. "Attacks on e-commerce sites spike in the fourth quarter," says Michael Cucchi, Akamai's director of product marketing. "It's the most important time for them, which makes them most vulnerable. Last year we saw more attacks in Q4 than in the rest of 2010."