It led us, and our service providers, to research and invest in new solutions to minimise the impact of these malicious events.
In 2015 service providers knew about Distributed Denial of Service (DDoS) attacks, but in general standard firewall rules and procedures could halt and contain them, and most providers were confident that their hardware and redundancy could absorb the excess load.
While that attack didn't successfully break any of our systems, our customers experienced long load times for their sites (in some cases the sites seemed completely inaccessible) for hours at a time over several days, and instead of a relaxing weekend our whole team had several sleepless nights working with our upstream providers to mitigate the attack.
Once the dust settled we, and our providers, had learned a lot along the way, and we were lucky that our customers were very patient and understanding.
Broadly, a DDoS attack is one where traffic is maliciously pushed into a network in excess of the volume that network is designed to handle, often with the aim of holding a business or website to ransom, or of doing irreparable damage to a business's reputation by taking it offline when its customers need it.
A good analogy for internet traffic is the flow of traffic on our highways and roads. Some roads are built to handle a higher volume of traffic than others, so there is a hierarchy of roads: interstate highways (e.g. the M1), highways (e.g. the M4 / Pacific Highway), main roads, suburban roads and so on.
In Sydney we have seen incidents that restrict traffic on the M1 (the main Brisbane to Sydney to Melbourne highway). Traffic that would normally flow fine with three lanes to use grinds to a standstill when it is funnelled into a smaller space or forced to share the road with unexpected additional traffic (e.g. during holiday periods). The problem is then compounded as more traffic keeps trying to enter the highway than can exit. The resulting jams can last hours or even days, as with this example in January 2017.
Each highway is built to handle a maximum volume of traffic and there is a cool interactive viewer available from the NSW Roads and Maritime Service.
The same is true of the internet, which uses a hierarchy of network links to carry traffic between service providers, from the servers hosting websites through to consumers sitting at a browser.
Highways on the web are measured in gigabits per second (Gbps) of bandwidth, and the cars are the packets of data, which add up to kilobytes or megabytes. A typical website sends a few kilobytes (KB) or maybe a megabyte (MB) of data from a server to a visitor's browser, so loading one page of a website uses only a tiny part of the overall capacity available, like one car on a national highway.
For example, the premium service advertised for the NBN boasts speeds of up to 100 Mbps. That is 12.5 megabytes per second, so in theory it could handle around a dozen 1 MB page views every second (though that is somewhat simplified and rarely the case in reality).
The networks that make up the internet are also built to handle specific volumes of traffic. If you flood a network with traffic you get the same result as on the highways: a reduction in service and potentially closure of the network. Within a network there are many devices, such as firewalls and routers, and each can handle a maximum traffic volume (like intersections in a road system); when the volume exceeds that maximum, traffic jams occur.
At the most basic level this is what occurs in a DDoS attack. These attacks are getting more frequent and more aggressive, as is discussed in this blog post by CloudFlare, one of the world's leading Content Delivery Network (CDN) providers. CloudFlare have seen attacks of up to 400 Gbps, which is 4,000 times the maximum speed in our NBN example earlier. Imagine the chaos if someone increased the traffic flow on to the M1 into Sydney by thousands of times the normal peak-hour volume!
Firstly, let's dispel one common myth: DDoS attacks are not generally instigated by a bored 14 year old in their bedroom.
The vast majority of the world's DDoS attacks are instigated by organised crime syndicates and criminals, commonly (and erroneously) referred to as "hackers". The purpose is to disrupt a business, and it may be associated with a ransom or a demand for money. An attack may also be used to probe for weaknesses in specific target systems, since weaknesses can appear when those systems are overloaded.
Large DDoS attacks are also not cheap to execute and can cost tens or even hundreds of thousands of dollars to stage.
As with many of the ransomware attacks that have recently been in the news (such as WannaCry and Petya), the criminals need computers on the internet infected with a "bot", a program that can be controlled remotely. These bots are often delivered in innocuous-looking emails to users who click on a link offering "a tax refund" or "nude pics". Often nothing seems to happen when the email is opened, so no action is taken, but the damage is already done.
A DDoS attack relies on thousands of these infected computers worldwide.
These computers, particularly in large corporations or institutions, are often left on all the time and run old versions of operating systems and anti-virus software. The attacker sends a signal that activates the bot on each infected computer, and they all start transmitting traffic to a network, an IP address (internet address) or a website. These attacks are generally well planned and evolve quickly, so blocking one address or website just means the attack moves to a nearby address and continues.
These virtual cars clogging up the internet highway look and feel just like the real thing, but of course they are not, which means security software and firewall rules generally can't differentiate between the attacking traffic and genuine visitors to the network.
Eventually most attacks stop on their own, either because the attackers run out of money or because the infected computers get blocked or shut down. However, attacks can go on for a long time, and because on the internet every second of downtime is costly, even a short attack can cost a business millions of dollars.
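To make the point about bots looking like genuine visitors concrete, here is an added example that is not code from the original post. It builds a constructed access log (Common Log Format shape, RFC 5737 documentation addresses, an assumed start time) containing five real visitors, one host flooding on its own, and 200 bots that each send one request per second, exactly like a visitor. A firewall-style per-source threshold catches the lone flooder but none of the bots; only the network's aggregate request rate shows that something is wrong, which is why mitigation has to happen at the network level rather than with per-visitor rules.

```python
"""Added example, not code from the original post: why a per-source
firewall rule can spot one flooding host but not a distributed flood
whose bots each behave like an ordinary visitor, and why the network's
aggregate request rate still gives the attack away.
Every log line here is constructed for illustration; the IP ranges are
documentation addresses (RFC 5737), not real visitors."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format shape:  ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
T0 = datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # assumed start time


def log_line(ip, t, path="/index.html"):
    """Render one constructed access-log line for source `ip` at time `t`."""
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 2048'


def build_sample_log():
    """Constructed 20 second window containing three kinds of traffic:
    - 5 genuine visitors (203.0.113.x), 1 request/sec each: baseline 5 rps
    - one single-source flooder (198.51.100.77): 300 requests in second 5
    - a distributed flood: 200 bots (192.0.2.x), 1 request/sec each during
      seconds 10-19, so each bot on its own looks exactly like a visitor"""
    lines = []
    for sec in range(20):
        t = T0 + timedelta(seconds=sec)
        lines += [log_line(f"203.0.113.{v}", t) for v in range(1, 6)]
        if sec == 5:
            lines += [log_line("198.51.100.77", t, f"/?q={i}") for i in range(300)]
        if sec >= 10:
            lines += [log_line(f"192.0.2.{b}", t) for b in range(1, 201)]
    return lines


def parse_line(line):
    """Parse one CLF-style line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT),
            "request": request, "status": int(status)}


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def per_ip_offenders(entries, window_s=10, threshold=50):
    """Firewall-style rule: flag a source that sends more than `threshold`
    requests inside any sliding window of `window_s` seconds."""
    times_by_ip = defaultdict(list)
    for e in entries:
        times_by_ip[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans < window_s seconds
            while (times[end] - times[start]).total_seconds() >= window_s:
                start += 1
            if end - start + 1 > threshold:
                offenders.add(ip)
                break
    return offenders


def requests_per_second(entries):
    """Total requests per one-second bucket, keyed by seconds since the
    first entry, regardless of which sources sent them."""
    first = min(e["ts"] for e in entries)
    return Counter(int((e["ts"] - first).total_seconds()) for e in entries)


def aggregate_alarm_seconds(entries, baseline_rps, factor=5):
    """Network-level rule: seconds whose total rate exceeds factor * baseline."""
    rps = requests_per_second(entries)
    return sorted(sec for sec, n in rps.items() if n > factor * baseline_rps)


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    print("per-IP rule blocks:", per_ip_offenders(entries))  # only the lone flooder
    print("seconds above 5x baseline:", aggregate_alarm_seconds(entries, baseline_rps=5))
    print("total rps during distributed flood:", requests_per_second(entries)[15])
```

The per-source rule is what a simple firewall can do on its own: it blocks 198.51.100.77 and leaves the 200 bots untouched, because each of them sends ten requests in ten seconds, the same as a real visitor. The aggregate view flags second 5 (the lone flooder) and seconds 10 to 19 (the distributed flood at 205 requests per second against a baseline of 5), but it cannot say which sources to drop, which is the hard part that upstream scrubbing services take on.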
Recently, services have started to be offered that can block or mitigate DDoS attacks. Many of these use a scrubbing technique that identifies a DDoS signature and then re-routes the malicious traffic to a dead end on the internet highway. How these services work is generally kept under wraps, and different services use different proprietary methods.
eCorner works with our upstream providers, Macquarie Telecom and Vocus, to enable a DDoS mitigation service. These services protect the network and our customers from the impact of DDoS attacks. They do not stop attackers from trying to maliciously interrupt businesses, but the attack does not achieve what was intended. At the same time, it enables the service providers to learn more about the types of attacks and so improve the service.
If you have a website that is available on the internet then you have a service provider hosting it. Website hosting is very often misunderstood by small to medium sized businesses, and sometimes even by enterprises, and so can be a point of failure for any website. Website hosting costs range from a few dollars a month to thousands of dollars. Typically the differentiators are (apart from bandwidth, computing speed and storage capacity):
eCorner provides hosting to our customers and generally it is just part of the package you have chosen with us. Every website we host shares the same logical security infrastructure, which includes PCI DSS compliance and always-on DDoS protection that monitors incoming traffic to your website.
Largely it comes down to common sense. Tell everyone you know to be careful with the emails they open and the websites they visit. Both have the potential to download malicious bots and viruses that can corrupt your systems or make it easier for attackers to get in.
There are a few simple rules:
For more information on being safe and sensible online, check out – www.staysmartonline.gov.au.