What is DDoS and what should we do?


Denial of Service attacks (DoS) or Distributed Denial of Service (DDoS) attacks can come in many forms. These attacks attempt to make a computer resource such as a web service or database unavailable to its intended users.

The most common method of attack uses many computers to target a single server with enough traffic and requests to effectively bring the server to its knees. Because the server is busy responding to useless requests, it is too slow to fulfill genuine ones, which makes it appear to be offline.

It is almost impossible to gauge the motivation behind an attack or why a particular web site is attacked. Often attacks are political but they could be as simple as a disgruntled employee, client or competitor.

According to a recently released report by VeriSign, 63% of organizations have had some sort of DDoS attack in the past 12 months, and DDoS attacks are larger, stealthier, more targeted, and more sophisticated than ever.

One of our clients recently came under a DDoS attack. Initially the attack took down several web sites. Once we identified that a certain domain name was being targeted, we were able to isolate the attack. The targeted domain remained out of service for almost a week.

For an ecommerce site turning over £1m a year, this translates to a cost of £2,700 a day or nearly £20k a week.

In a recent Forrester survey of 400 IT decision-makers in the United States and Europe, 74 percent of respondents reported experiencing one or more DDoS attacks in the past year. Thirty-one percent of these attacks resulted in service disruption. *

We learnt that the nature of DDoS attacks, and the ability of the attacking system to ensure its traffic carries no signature that identifies it, means that a typical IPS-based prevention system fails to stop the attack. The attacker knows how these systems work and is able to write code that makes the attacking botnet look like a legitimate user.

Typically, IT managers and network providers mitigate DDoS attacks by using IPS systems, black hole routing or over-provisioning bandwidth.

The often-used “blocking” of IP addresses fails to work, as the attack will inevitably come from varied and spoofed IP addresses. An attack in 2009 generated nearly 70GB of traffic per second, more than most networks can cope with in terms of bandwidth.
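The following is an added example, not code from the original article or from any vendor's appliance. It runs two checks over a constructed request log: a per-IP threshold, which blocks nothing when the load is spread across many sources, and an aggregate per-host check, which identifies the targeted domain as described in the client incident above. The thresholds, host names and addresses are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune against your own baseline.
PER_IP_LIMIT = 20    # requests per source per second before that IP is blocked
BASELINE_RPS = 80    # normal aggregate requests per second for one host
SURGE_FACTOR = 10    # flag a window exceeding baseline by this factor

def build_sample_log():
    """Constructed (second, source_ip, host) records, not real traffic."""
    records = []
    for sec in range(8):                      # regular clients, all 8 seconds
        for i in range(40):
            for host in ("shop.example", "blog.example"):
                records.append((sec, f"198.51.100.{i}", host))
    for sec in range(5, 8):                   # flood: 3000 sources, 1 request each
        for i in range(3000):
            records.append((sec, f"10.{i // 250}.{i % 250}.7", "shop.example"))
    return records

def per_ip_blocklist(records, limit=PER_IP_LIMIT):
    """Sources that exceed `limit` requests in any one-second window."""
    counts = Counter((sec, ip) for sec, ip, _ in records)
    return {ip for (_, ip), n in counts.items() if n > limit}

def surge_windows(records, baseline=BASELINE_RPS, factor=SURGE_FACTOR):
    """Map (second, host) -> (requests, distinct sources) for overloaded windows."""
    total, sources = Counter(), defaultdict(set)
    for sec, ip, host in records:
        total[(sec, host)] += 1
        sources[(sec, host)].add(ip)
    return {k: (n, len(sources[k])) for k, n in total.items()
            if n > baseline * factor}

def targeted_hosts(records):
    """Hosts with at least one surge window: candidates to isolate or filter."""
    return {host for (_, host) in surge_windows(records)}

if __name__ == "__main__":
    log = build_sample_log()
    print("blocked IPs:", per_ip_blocklist(log))
    for (sec, host), (n, srcs) in sorted(surge_windows(log).items()):
        print(f"t={sec}s {host}: {n} requests from {srcs} sources")
    print("targeted:", targeted_hosts(log))
```

In the constructed log every source stays far below the per-IP limit, so the blocklist is empty even while one host receives dozens of times its normal load.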

Don’t be fooled into thinking your internet service provider has any DDoS appliances or technology in place to help you unless they specifically state this in their SLA. We have fiber lines provided by BT and Virgin Media, and neither was able to provide any such facility at any cost.

Fortunately, application front-end hardware is available to protect against such attacks. These appliances have very intelligent software that can distinguish between regular legitimate traffic and dangerous traffic. Webnetism have invested heavily in this technology and are now able to provide a DDoS protection service that is affordable.

Our recent DDoS attack consumed 100% of the resources of a web server and a significant amount of bandwidth for a very long period of time. The DDoS appliance filters the polluted traffic and allows good traffic through, in this case reducing the load on the server from 100% to less than 3%.
 
For more information on our hosting services and DDoS protection please contact us.