Practical Ecommerce

Denial-of-Service Attack: Steps to Prevent, Defend

If you own an ecommerce website, about the last place you want to find yourself is on the receiving end of a distributed denial of service — DDoS — attack.

A DDoS attack involves a malicious person(s) flooding a computer network or web server with so much traffic that it no longer functions. If your website comes under attack it will be bombarded with so many automated requests that the traffic will overwhelm your server and legitimate users will not be able to access the site. Until you have determined how to thwart the attack, you will effectively be out of business.

A typical attack can last from several hours to many days. Other attacks can last longer. There are many different types of denial of service attacks. Sometimes attackers employ multiple methods at once.

Likely DDoS Targets

Small ecommerce businesses are not typically the direct target of such attacks. That is the good news. Unfortunately, high-profile ecommerce providers or payment processing companies can be the focus of DDoS attacks and your business can be greatly impacted if you rely on one of these services and you suddenly find that its entire service or network has come under attack.

For a small business owner, having a strong preparation and response strategy in place can be more cost-effective and practical than paying for a more permanent preventative strategy. And the sad fact is you cannot fully prevent a DDoS attack. You can only amass the resources and techniques to battle the attackers as they come up with new and creative ways to launch their missiles.

Let’s look at how you can prepare yourself for a potential attack.

Understanding your Hosting Environment

If you pay a monthly ecommerce hosting fee, but don’t think much of the environment where your site lives, it would be worth your while to talk with your provider. Here are some of the key factors to understand:

  • Shared hosting. Are you on a shared server with many other sites?

  • Other hosting customers. What kind of sites does your provider host and are they the type of sites that are the typical targets for DDoS attacks, such as political, controversial, or high profile websites?

  • Systems to monitor traffic. Other than just waiting to get reports from your customers or noticing that your site is becoming unresponsive, does your provider have any automated monitoring systems in place to notify you when the server is having issues?

Establishing a DDoS Mitigation Plan

Talk to your provider and find out if it has a mitigation plan when its entire network or your server comes under DDoS attack. Or, if you manage your own server resources, do you have an adequate plan in place? Such a plan would include processes for monitoring and analyzing traffic and procedures to carry out once an attack is determined.

Does your provider work with third party DDoS mitigation services that specialize in filtering attack traffic? A larger attack might require the help of outside specialists who have expertise in protecting against such attacks.

Effective defenses against a weaker attack can be at the server level or the firewall level. Do you or your provider have security provisions in place to harden your server in case of an attack? This could include filters for traffic coming from certain geographic areas or server add-ons that analyze request headers and the type of requests to your website and only allow certain requests into your server.

Do you know if your site is protected by a hardware firewall? A firewall is a critical element to a secure network and you want to make sure that your provider has a firewall in place between your web server and the public.

If your provider’s answers to any of your questions sound vague and unsatisfactory, you might want to assess whether you can rely on this provider in the event of an attack.

Segregating Your Environment

If you are on a shared server, you might face added exposure from attacks to other websites on that server. At the very least, understand your provider’s procedures when specific sites come under attack. Will your provider shut off the site under attack to spare its other customers?

If you have built your business to the point that several hours of site downtime would really hurt you, it could be time to consider a dedicated server or a distributed approach for serving up your site. Your monthly costs will go up, but you can greatly minimize some of the risks you currently face with having your site in a shared environment.

Responding to an Attack: 9 Steps

Once you determine, or have been notified, that your site is under attack, take action. Because there are so many types of attacks — and sometimes it takes a bit of time to diagnose the nature of the attack — there are not necessarily hard-and-fast rules to follow.

If you don’t have the technical expertise to manage your own server, there are not a lot of direct actions you can take. Standing by while your website reveals nothing more than a blank screen can be a sickening feeling. But, above all, remain calm and respectful of the technicians who are working on the issue. You might need to direct the efforts of several individuals over hours or days. Be ready to go to battle.

Here are some more specific steps you can take.

  1. Determine the type of attack. Analyze log files to confirm that an attack is occurring and to determine its nature.

  2. Prepare to change domain-name servers. Go into the DNS settings for your domain and set the TTL (“time to live”) for your domain down to 300 seconds or less. This is a key preparatory step in the event you determine you need to move your site or re-route your traffic through a third party proxy server. A TTL of 300 seconds means that DNS servers around the world would refresh your domain’s records every 300 seconds, which is very fast, so a change of server address takes effect quickly.

  3. Solicit help. Get specialists from your server hosting company involved as quickly as possible to help analyze and protect against the attack.

  4. Determine if your site is the target. If you are in a shared server environment, hopefully your provider has a good communication system to keep you informed. If the attack is network-wide, there is not much you can do. Do what you can to understand the attack and assess your options for moving forward. Find out if the attack is targeted toward your site or some other network resource.

  5. Establish firewall settings. If the attack is in the thousands of connections per hour, you might be able to combat it at the server level or firewall level. Installing some server modules or adding some firewall rules could be enough to keep your site hobbling along throughout the attack.

  6. Use professionals for large attacks. If the attack is more at the level of hundreds of thousands or millions of connections per hour, you likely need to consider a third-party service. A Google search for “DDoS mitigation” will present you with several options. Most of these solutions take the form of a proxy server that filters all traffic before it reaches your server. One of these services can often be configured within an hour. DDoS mitigation services can run in the thousands of dollars per incident. But they are typically quite effective at thwarting high-volume attacks.

  7. Monitor closely. Once you have protection in place, monitor the traffic and the attack for changes. A protective layer in front of the website does not stop the attack from occurring; it just shields your site from the damaging traffic. In many cases the attack will subside in hours or days and you can eventually restore your server to its normal state of operation.

  8. Remember your customers. Consider how to best communicate with your customers. Following up immediately with an explanation of the outage and an “attack coupon” special — or some other creative offering — can be a good way to restore customer faith.

  9. Review afterwards. A DDoS attack can be traumatic. Once you have recovered technologically and emotionally, and while the attack is still fresh in your mind, review how the attack was carried out, how you and your support team responded, and what steps you would do differently in the event of another attack.
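As an added illustration of step 1 (and of the request-volume judgement in step 5), not part of the original article: a small Python script that parses web server access-log lines in the common “combined” format, flags any source address that exceeds a request threshold within a time window, and lists the most-requested paths and user agents, which is the kind of summary that tells you whether you are looking at a few noisy clients or a flood. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; the sample lines further down are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def peak_in_window(stamps, window_seconds):
    """Largest number of requests from one source inside any span of window_seconds."""
    stamps = sorted(stamps)
    start, peak = 0, 0
    for end, ts in enumerate(stamps):
        while (ts - stamps[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def analyze(lines, window_seconds=60, per_ip_threshold=100):
    """Flag sources exceeding per_ip_threshold requests in any window; summarise what is being hit."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    peaks = {ip: peak_in_window(ts, window_seconds) for ip, ts in by_ip.items()}
    return {"total": len(events),
            "suspects": {ip: n for ip, n in peaks.items() if n > per_ip_threshold},
            "top_paths": Counter(e["path"] for e in events).most_common(3),
            "top_agents": Counter(e["ua"] for e in events).most_common(3)}

def sample_log():
    """Constructed sample: one normal shopper plus one address hammering the homepage."""
    base = datetime(2011, 4, 6, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, req, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{req}" 200 512 "-" "{ua}"'
    # 150 requests for / within 30 seconds from a single address, then 10 normal product views
    return ([line("203.0.113.9", i // 5, "GET / HTTP/1.0", "Mozilla/4.0") for i in range(150)]
            + [line("198.51.100.4", i * 6, "GET /product/42 HTTP/1.1", "Mozilla/5.0") for i in range(10)])
```

Run it against a real access log by reading the file into `analyze()`; the threshold and window are starting points to tune against your own normal traffic, not fixed rules.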

Summary

Hopefully, you will never experience a DDoS attack. But with a little preparation, you can minimize the pain and loss that such an attack can produce.

Michael Stearns


Comments (2)

  1. LexiConn, April 6, 2011

    Great article Michael. Here are a few key points from my perspective as a web host:

    1. Who you host with matters – This is a big one. If you’re at a budget host that packs their servers full of any type of customer, you’re risking your site’s uptime and availability because of the Britney Spears fan site that resides on the same server. Make sure your host caters to ecommerce clients.

    2. We’ve had 3 small ecommerce clients come under DDOS attacks in the past 6 months. We managed to limit the attack by moving them to a dedicated server, and using firewall rules to filter the bad traffic. This can work even if the attack is up to 50,000 zombie computers. But your host has to have a plan and experience with this. Especially when these attacks can last a week or more.

    3. Trying to find the source of the attack and report it to the proper authorities is not the priority. In fact, many times it’s not even possible. Instead, focus on mitigating the attack, letting your customers know what’s happening, and getting back to normal.

    4. Many attacks involve compromised computers all hitting your homepage. A simple 10 byte index.html page combined with a meta redirect can often save the day in terms of bandwidth used and the ability for a server to stay up and running under such heavy traffic.

    Just a few things we’ve learned over the years in keeping our ecommerce clients online during these "small scale" DDOS attacks.

  2. Michael Stearns, April 6, 2011

    @Lexiconn,

    Those are four excellent points.

    There are avenues for reporting attacks, but the odds of catching the "bad guy" are low. If you are under attack, you do really want to focus on mitigation and damage control rather than figuring out how to get the bad guy. Once the attack subsides, you should look at reporting the attack. Also, some insurance companies could provide coverage for business loss related to attacks.

    Your idea #4 is a great one for certain types of attacks.

    Thanks!