If you’re self-hosting your ecommerce store using WooCommerce, OpenCart, Magento, ZenCart, or perhaps your own homegrown, custom solution, and do not have a dedicated managed hosting provider or sophisticated ISP that can detect and mitigate denial of service attacks, a hacker might be able to bring down your store (and keep it down) for hours or days on end. It is important that you educate yourself on denial of service (DoS) and distributed denial of service (DDoS) attacks in order to prevent them, and that you know what to do in the event that one occurs.
Note: as a hosted SaaS solution, Bigcommerce provides DoS and DDoS protection, both from our primary service provider (SoftLayer) and a supplementary service (BlackLotus). All online stores utilizing Bigcommerce are protected.
What is a DDoS Attack?
A denial-of-service (DoS) attack is a concentrated, automated attempt to overload a target network with a large volume of requests in order to render it unavailable for use. It is carried out by launching a rapid stream of data packets at a target computer system until it becomes too slow to be usable or is brought down entirely. The target system slows as its central processing unit (CPU) attempts to handle the requests and serve responses. As the CPU grinds to a halt, any servers running on it, such as the web server powering your ecommerce store, become very latent or stop responding altogether.
A DoS attack involves a single initiating source computer system. A distributed-denial-of-service (DDoS) attack is a much more serious version of DoS: it reflects and amplifies requests by enlisting hundreds or thousands of other source computers from across the globe to concentrate their efforts against the target.
There is only so much CPU processing power and network traffic (i.e. requests and responses) a single system can produce, but when a DoS is amplified into a DDoS, the effects can, and often do, result in significant website and network outages. If a DDoS attack were aimed at your ecommerce store, for example, it would make it extremely difficult for your customers to shop, if they could shop at all.
The objective from a hacker’s perspective is to frustrate the target, damage its brand equity and force the target organization to spin its wheels and burn resources trying to handle the issue. It can be done for political reasons, to achieve activist ends or as part of a corporate sabotage campaign by competitors. It can also be done by a single teenage hacker from the comfort of their parents’ basement, simply for the pure amusement of it.
DDoS Attacks: Some Recent Statistics
A denial-of-service attack may be part of a larger campaign aimed at a retailer for a variety of reasons and it has a horrible way of manifesting itself at the most inopportune time, such as during a Black Friday/Cyber Monday sale or on the morning of an important new product launch. It’s important to consider what the financial impact could be to your own ecommerce store should you be hit with such an attack.
In recent news, open source infrastructure giant GitHub underwent a serious DDoS attack that lasted roughly 120 hours (that’s about 15 working days!), which was ultimately blamed on China.
According to a Q3 2014 Verisign report, DDoS attack sizes and frequencies are growing at an alarming rate, gaining 38% in a single quarter of 2014 alone. Most of the attacks were targeted against media and entertainment companies, exploiting well-known vulnerabilities in NTP (Network Time Protocol) by way of UDP (User Datagram Protocol) reflection attacks.
Note: NTP and DNS are the principal types of reflection attacks but there are many others using both UDP and in rare cases TCP.
Prolexic (part of the Akamai group of global cloud hosting providers) estimated in 2014 that 32% of all websites may be hosted on an insecure network that could be susceptible to denial of service attacks.
Types of DDoS Attacks
There are three fundamental forms of denial-of-service and distributed-denial-of-service attacks:
- Volume (i.e. network) based: This form of attack involves large numbers of requests being sent to the target system, which may perceive them as valid requests (i.e. spoofed packets) or invalid requests (i.e. malformed packets). The goal of a volume based attack is to overwhelm your network capacity. The requests can arrive across a range of ports on your system. One method hackers use is the UDP amplification attack, whereby they send a request for data to a third party server while spoofing your server’s IP address as the return address. The third party server then sends a large volume of data to your server in response. In this way a hacker need only dispatch small requests himself, while your server ultimately gets flooded with the “amplified” data from the third party servers. There could be tens, hundreds or thousands of systems involved in this form of attack.
- Protocol based: Protocol based attacks are aimed at load balancers or servers and exploit the way that systems communicate with each other. The packets can be designed to make the server wait for a response that never arrives during the normal handshake, e.g. a SYN flood.
- Application based: Hackers use known vulnerabilities in the web server software or application software to try to cause the web server to crash or hang. One common type of application based attack is to send partial requests to a server in an attempt to tie up (i.e. make busy) the server’s entire database connection pool, which in turn blocks legitimate requests.
The first step in preparing for a potential attack is to set up a remote website monitoring service that will send out notifications when your online store becomes latent or goes down altogether. On the simple and cheap end, I use a service called BinaryCanary for many of our clients, but if you self-host with Amazon Web Services you can also set up hardware performance alarms via their CloudWatch service, which tracks various network I/O metrics and can signal performance degradation indicating that your store may be under a DoS or DDoS attack.
Consider setting up an external logging service as well. If your store comes under attack, its web server logs may still be accessible from another source.
Another good practice is to point your DNS nameservers to a DDoS mitigation service such as CloudFlare. This also makes it harder for hackers to determine the actual location (i.e. IP addresses) of your servers. The service acts as a proxy in front of your real systems and can be a valuable front line of defense against large scale attacks that frankly most SMBs are utterly ill equipped to combat.
How to Know You’re Under Attack
Even if you’re alerted to what might be a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of it, but there are some telltale signs for which to keep an eye out.
- The website becomes extremely slow or totally unresponsive for long periods of time, and may or may not show signs of intermittent relief throughout the day.
- You contact your IT department, technical provider or Internet Service Provider (ISP) to restart your webserver (or you attempt to do so yourself) and after doing so the problem persists.
- You additionally discover that your server logs are overrun with massive amounts of activity from one or many IP addresses, and you can sometimes identify sets of the same IP addresses appearing in the logs very frequently.
Note that what can be interpreted as denial-of-service can also just be a badly configured or corrupt web server, with overrun hard drive storage or database performance issues.
How to Mitigate the Attack
DDoS attacks are sophisticated and often involve vulnerabilities in low-level operating system or web server application software. WordPress (WP), for example, had a recent XML-RPC reflection vulnerability that made it easy for hackers attempting a DDoS against a WordPress site or WP backed store. They can be very hard to mitigate without specialized knowledge. If you self host your own on-premise web server, you’re going to have to call in a third party that specializes in DDoS to help. Incapsula is one such provider.
To mitigate an attack, you can attempt either to absorb the attack or to block it.
Absorbing the Attack
This may involve spinning up new servers, or provisioning new computers and a load balancer. This can quickly become very expensive, assuming your hosting environment is in the cloud to begin with. Provisioning an n-tier on-premise architecture, deploying more physical web servers, configuring and optimizing the application stack, adding a load balancer, etc. are all measures used to bring high traffic websites to scale. Attempting this to absorb a DDoS (organizations often attempt it, and I’ve attempted it myself) is not only extremely time consuming and technically involved, it’s also often a futile effort: as the DDoS amplifies, it vastly outscales your ability to defend against it.
Blocking the Attack
This is a better approach than absorbing the attack, but here’s where you’ll need that third party service to profile the traffic so that you can effectively create a mitigation plan. You may get lucky and find a small number of IP addresses that are causing the problem. That would be the best case scenario, in which you could create firewall rules to block those addresses and be on your way. For a more serious internal DDoS mitigation environment, if you’re self hosting your own store, consider purchasing caching software and servers, advanced hardware firewalls, a load balancer or other supporting network devices.
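One way to check for the “small number of IP addresses” case yourself, from the overrun server logs described in the previous section, as an added example that is not part of the original article: it parses common-format access log lines, flags client IPs whose per-minute request count is far above the median, and renders them as firewall rules for an operator to review. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Common/combined log format prefix: ip ident user [timestamp] "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")

def flag_noisy_ips(lines, factor=10, min_requests=20):
    """Map each suspicious IP to its peak requests per minute: flagged when some
    minute's count is >= `factor` times the median per-IP-per-minute count over
    the whole log and >= `min_requests` (one lone client gives no baseline)."""
    per_minute = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing mid-incident
        ip, ts, _ = parsed
        per_minute[ts.replace(second=0, microsecond=0)][ip] += 1
    all_counts = [n for c in per_minute.values() for n in c.values()]
    baseline = median(all_counts) if all_counts else 0
    flagged = {}
    for counter in per_minute.values():
        for ip, n in counter.items():
            if n >= min_requests and n >= factor * baseline:
                flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged

def block_rules(flagged):
    """Render flagged IPs as iptables DROP rules for an operator to review."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

def build_sample_log():
    """Constructed sample: three shoppers plus two sources hammering the store."""
    fmt = '{ip} - - [28/Nov/2015:09:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        lines += [fmt.format(ip=ip, s=i * 3 + j, path="/cart") for j in range(2)]
    for ip in ["198.51.100.7", "198.51.100.9"]:
        lines += [fmt.format(ip=ip, s=s, path="/?s=x") for s in range(30)]
    return lines
```

Run it against a real access log by passing `open(path)` to `flag_noisy_ips`; a flat result with many IPs at similar rates points to a distributed source that the firewall-rule shortcut will not fix.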
DNS level DDoS attacks can be mitigated by setting low TTLs (time-to-live) and employing multiple DNS providers to be able to fail over. Sometimes your DNS will be attacked not because of you specifically, but because of someone else on the same DNS provider.
What to do During an Attack
One of the most important things during a DDoS attack (or any other kind of public incident affecting your online store) is to communicate transparently with your customers and stakeholders. Ensure that you’re ready within short notice of coming under attack by doing the following:
- Employ an escalation profile (a list of people to contact in priority sequence to let them know what is happening),
- Have a backup static TEMPORARILY UNAVAILABLE website set up on an alternate reputable hosting provider that guarantees it will provide DDoS mitigation services.
- Redirect your store DNS to the temporary site and work with your staff, partners and stakeholders to determine how best to deal with the servers that are vulnerable. In this way at least your customers won’t find your website under duress and think it’s just badly designed and poor performing.
In all, the best defense is a pre-emptive defense. It’s much easier to deal with a DDoS attack if you’ve taken steps to prepare for it ahead of time. In a future article I’ll detail the contents of an effective overall Disaster Recovery Plan (DRP) of which an entire section is typically dedicated to DDoS event mitigation.
I disagree with your assessment. There is a way to stop all of the versions of DDoS. The problem is that threshold-only based solutions are not going to work. By using Real Time Intelligence of All 7 OSI layers and a couple of other processes, it can be done automatically. We have done it and have a patent on it.
It’s never that easy to deal with and does take time.
Actually looking at this article over three years later I have come to a different conclusion. I am a new man. Three years can do a lot to a man. RIP Loraine. But seriously, Josh you have a talent for writing such heartwarming articles. The part about the baby seal being saved by that tourist really tugged on my heartstrings. Thanks Josh.