Pagers start buzzing, Tweets start flooding the screen, phones start ringing and every other incoming information sensor starts blinking – that’s how Mark Jeftovic knows his Toronto-based domain name server service is being hit by another distributed denial of service attack (DDoS). And much to his chagrin, it’s a matter of course for EasyDNS Technologies Inc.
“Suddenly all hell breaks loose,” he says. “We’re probably always under some sort of low-level DDoS attack. It would probably knock down a low-level business. But you get so used to it that you have a certain level of battle readiness.”
Since the end of October, EasyDNS has been fighting back a sizeable DDoS attack against two of its nameservers. Some of its customers may have experience service loss as a result, and the company’s blog encouraged legacy customers to move to a new platform that offered better protection against such attacks.
That’s not to say it’s easy for Jeftovic to handle the attacks, which involve a coordinated effort to overload Web servers with a high volume of junk traffic. Often DDoS attacks are coordinated by hackers that control botnets – a network of PCs infected with malware that allows them to be controlled by a central command point. Every DDoS attack is different, Jeftovic says.
“Some send you the same garbage packet over and over again, so you just filter it out. But if they do so much of it, your mitigation might be working, but the volume is so high you need more action to defeat it,” he says. “It just clogs the pipes.”
EasyDNS provides the Web layer of service that turns a cryptic IP address into an understandable URL address (like www.ITBusiness.ca instead of 18.104.22.168) and sees these attacks because of the nature of its business. But Jeftovic says it’s actually more common for individual Web sites to be targeted by DDoS attacks. Although a Symantec Corp. survey conducted by Applied Research in September shows more than half of Canadian SMBs are aware of DDoS attacks, they don’t consider themselves a likely target.
Canadians are more aware of DDoS threats (59 per cent) compared to the global average (55 per cent), according to Symantec. Yet they were also the most complacent about the need to defend against such attacks. Sixty-one per cent of Canadian firms said they were somewhat or completely protected against computer threats, higher than the 58 per cent of global respondents.
There were 500 Canadian respondents to Symantec’s survey.
Many hacker groups, such as Anonymous, have used DDoS attacks to raise awareness about a cause, says Kevin Haley, director of Symantec’s security technology and response team. “The goal of the attackers was to get their names in the paper. Those have been highly successful.”
Small businesses could be knocked offline by such an attack, he adds, and hackers could try and hold ransom against a firm in exchange for not doing so. Though businesses should be prepared for such an incident, a DDoS attack isn’t the most likely cyber threat they’ll face.
Unless their business happens to be an online gambling site Ponzi scheme, Jeftovic says. Those are the EasyDNS customers that got targeted by DDoS attacks in the past. Discovering his company had such unsavoury customers not only made Jeftovic “feel like taking a shower”, but it made him implement more rigorous barriers to entry for use of his nameservers.
The customer targeted for the most recent attack on EasyDNS was a gambling site that was violating its terms of service. The site had filled out fake contact data for its contact information, and that made it easy for Jeftovic to cut them off from service.
“We’re not in business to protect the online gambling industry,” he said. “If you want to be in that business, you should be prepared to spend a large amount of money to defend against those attacks.”
Two years ago, EasyDNS spent about $30,000 to defend against a DDoS attack targeting a high-yield investment program. “Some guy got scammed out of $1,500 and he was pissed,” Jeftovic says. “They turned out to be on our systems.”
Now EasyDNS actively pre-screens all domains before allowing them to use its system. By analyzing key words that are being used to register new domains, or doing an analysis of an existing Web site requesting a transfer, it has been successful in filtering out the highly-targeted clients that attract DDoS attacks.
Most legitimate SMBs rarely suffer DDoS attacks, says David Senf, director of infrastructure solutions at IDC Canada. Businesses are more likely to be the targets of malware, cross-site scripting, or phishing attacks. But it’s possible to suffer similar effects due to a legitimate sudden spike in Web traffic.
“You’d need enough notoriety for a small business to be targeted in that manner,” he says. In most cases, businesses should focus less on what attacks they need to defend against, and be more proactive about putting in place strict security controls. He points to a list of 20 steps to follow from the SANS Institute.
For firms that do find themselves the target of a DDoS attack, Jeftovic has some more specific advice – “redundancy, redundancy, redundancy.” Have an ability to quickly move to another server location and ramp up more server capacity on demand. “You don’t just sit still, you flip your DNS and you’re suddenly on some other server, or you have a bunch of servers and you’re able to spread out and diffuse the attack.”
Third-party services like Prolexic and Black Lotus can also respond rapidly to a request for help, and will react 24/7 to put your server behind a secured perimeter until the attack ends. But if you are providing Web services to a customer that is being attacked, don’t hesitate to cut them off in order to protect the rest of your users.
“Segregate them and make them understand you’ll serve them on a best effort basis,” Jeftovic advises. “Then move them away from the rest of your customers.”
And if you were a customer of EasyDNS and you’re running an online gambling site, don’t count on moving back any time soon. It’s just not worth the stress, or the expense.