As you’ve probably read, the DDoS in “DDoS attack” stands for “distributed denial of service.” But what does that mean, really? What is a DDoS attack, and how can we prevent and protect against them? Check out this article by one of our Web Developers to get the answers to all of those questions and more.
Do you remember what you were up to on June 15, 2011? Maybe you were cheering on your favorite team, getting ready for a first date, out with your good friends or, if you’re a developer like me, telling your mom that you didn’t have time for those things because a Star Trek marathon was on. Regardless, whatever you were doing, it wasn’t visiting the public-facing website of the Central Intelligence Agency, because a group of “hacktivists” (hacker activists) known as LulzSec had shut it down.
That group used an attack called a “DDoS” (pronounced like “sea sauce”, with ‘d’s instead of ‘s’s) which is a term you may have heard before if you own a website. These attacks invariably seem drawn to all the websites you love and cherish, like so many digital reenactments of Titanic and her stealth iceberg. What I’d like to do for you in this post is de-mystify DDoS by helping you understand what they are, and why Volusion merchants are at a huge advantage when it comes to defending against them.
A digital game of “Are we there yet?”
What is a “DDoS” anyway? It stands for “distributed denial-of-service,” and is much less complicated than it sounds. Allow me to clarify with a colorful analogy:
A regular, run-of-the-mill denial-of-service attack is just like a child on a car ride to the ice cream store. Ten minutes into what’s supposed to be a nice, relaxing vacation, the kid in the backseat wants to know, “Are we there yet?” No, you tell him, it’s going to be a little longer. Five minutes after that, the kid asks again, “Are we there yet?” Again, the answer is no. After an hour, he’s asking every three seconds. He may not even be waiting to put the punctuation on one request before repeating it. At some point, you the driver/parent simply stop responding. You can’t keep up, and responding isn’t doing any good anyway.
A denial-of-service attack, as it relates to a computer system, is any action or series of actions that prevents the system from reacting in the expected manner. For a webpage, the result of a successful denial-of-service attack is that the page you want becomes totally inaccessible. And the way these attacks are usually carried out is brilliantly simple: The attacker asks a server for a particular webpage so many times that it can’t respond fast enough, gets overwhelmed, and locks up.
Strength in numbers
So what’s that “Distributed” part about at the beginning? That only means that instead of just having one point of attack, there are many. A hacker might get a bunch of his malicious friends together to coordinate a denial-of-service against someone. They might write malware (malicious software) to infect a large number of innocent, but unprotected computers which are then used to magnify the size of the attack against the ultimate victim of the DDoS. This would be like the kid in the backseat getting his siblings, strangers in passing cars, everyone in your address book and the family dog to all ask, “Are we there yet?” at the same time.
A Denial-of-Service attack is an attempt to make a computer, system or resource unavailable. A Distributed Denial-of-Service (DDoS) attack is when multiple sources and techniques are used to greatly amplify this effect.
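From the defender's side, the difference between the two shows up in the request log. The sketch below is an added example, not Volusion's code: it classifies one second of traffic as normal, a flood explained by a few heavy sources, or a distributed flood in which every source stays under the per-source limit. The thresholds and all addresses are constructed assumptions.

```python
from collections import Counter

PER_SOURCE_LIMIT = 20  # assumed: requests/second tolerated from one address
CAPACITY = 200         # assumed: requests/second the server can answer


def classify(requests):
    """Classify one second of traffic, given the source address of each request.

    Returns (label, heavy_sources). The label is 'normal', 'dos' (overload
    explained by a few heavy sources) or 'ddos' (overload from many sources
    that each stay under the per-source limit).
    """
    per_source = Counter(requests)
    heavy = sorted(ip for ip, n in per_source.items() if n > PER_SOURCE_LIMIT)
    total = len(requests)
    if total <= CAPACITY:
        return "normal", heavy
    # Overloaded: would blocking the heavy sources bring load under capacity?
    remaining = total - sum(per_source[ip] for ip in heavy)
    if heavy and remaining <= CAPACITY:
        return "dos", heavy
    return "ddos", heavy


# Constructed sample traffic: 50 ordinary visitors, two requests each.
SHOPPERS = [f"198.51.100.{i}" for i in range(50) for _ in range(2)]
NORMAL = SHOPPERS
# One address hammering the same server 500 times in the second.
DOS = SHOPPERS + ["203.0.113.9"] * 500
# 400 addresses, five requests each: nobody exceeds the per-source limit.
DDOS = SHOPPERS + [f"10.0.{i // 200}.{i % 200}"
                   for i in range(400) for _ in range(5)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("dos", DOS), ("ddos", DDOS)):
        print(name, classify(window))
```

In the distributed case the list of heavy sources comes back empty, which is why a per-address limit alone does not stop this kind of flood.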
For those who learn best with their eyeballs, here is a visualization of normal server activity:
And here’s one of a server under fire from a DDoS:
Enumerating the types and particulars of the various DDoS flavors could fill a separate, equally verbose article, which Wikipedia has kindly already written, so check that out if you’ve got an appetite for more.
Volusion vs. DDoS
Even contemplating how to defend against a DDoS attack can seem frustrating and daunting, because there doesn’t seem to be an obvious way to win. Fortunately, as a Volusion customer, you can rest assured that we’ve done all we can to protect your website from these attacks.
Volusion stores are enveloped in a state-of-the-art system of DDoS defense that has every kind of protection short of a crystal ball. When incoming web traffic approaches one of our merchants, it has to get the okay from our DDoS prevention devices and firewalls before being passed along to our stores’ sites. Employing both on- and off-premises defenses helps to ensure that there’s no lone piece of hardware to be overwhelmed. Massive spikes in traffic can be automatically rerouted onto the digital equivalent of 32-lane highways to ensure that the congestion doesn’t affect our merchants. We’ve even got a database of repeat offenders, and any traffic coming from those sources is automatically blocked.
We’re also firm believers that if one is good, two is great, so much of our DDoS gear is built redundantly. That is, if part of the system is compromised, backups are available instantly. And for the cherry on top, twice a year, Volusion hires a team of security experts and professional hackers to conduct penetration tests on all the active aspects of our system.
Equipment is hardly the only answer, though. With major hardware taking care of the major problems, the talented professionals of our Network Operations Center (NOC) are free to add the personal touch to issues that might otherwise have slipped through the cracks. In September of 2012, Volusion’s NOC went from being reactive to proactive. Instead of needing merchants to contact us to say something bad was happening, we can now contact them to say that an attack against their site was prevented just five minutes ago. This is thanks to the fact that our merchant networks are chaperoned by a human being 24 hours a day, seven days a week.
2011 was a different time—we might experience a service-interrupting DDoS attack as often as once a month. Today, Volusion just rounded out another quarter of 99.98% uptime. To put that in perspective, the average Volusion merchant experienced an interruption of service for less than 1.3 seconds a month. And there are a lot of seconds in a month.
The timeless tactic
Why do some sites get DDoS-ed, and some live unscathed? And why do I feel like I never used to hear about this DDoS stuff before?
While it’s impossible to know motivations for sure, there are a few common themes: A customer upset that a site won’t honor a coupon three years expired might try to express their dissatisfaction with a digital reprimand in the form of a DDoS. Unscrupulous businesses looking to steal traffic from their competitors could launch an attack against another store. Sometimes, a site just has the bad luck to be target practice for one or more hackers-in-training looking to cut their teeth. The good news is that Volusion guards against all of it.
Also, there’s no question that DDoSes are more prevalent today than five years ago. Web technology advances at a tremendous rate every year, and one of the unfortunate side-effects of making faster, more capable equipment is that you enable larger, more destructive attacks with the same infrastructure. Moreover, owing to the fact that a DDoS is relatively unsophisticated compared to other kinds of cyber-attacks, generic DDoS programs written by someone with salient savvy can be downloaded from the internet and used by almost anyone.
The basic principles, however, of a distributed denial-of-service attack are hardly novel. Human beings enact a living “DDoS” every time unions commit to a strike. At the end of the movie Spartacus, when everyone’s claiming to be the same rebellious Roman slave, that’s a DDoS. The Thomas Crown Affair features a DDoS of people in a crowded museum during the climax of the film. The main difference between online and offline DDoS attacks is that in the real world you can’t make ten thousand copies of a single protester at the press of a button.
Before you walk away under the impression that the C.I.A. can be completely brought to its knees by a group of miscreants with “Lulz” in their title, it’s worth pointing out that DDoS attacks are really only possible against public resources, like a webpage, not the secure, disconnected machines housing sensitive data.
That said, if your website is more than an online brochure, being the victim of a distributed denial-of-service can hurt brand recognition and leave your patrons frustrated. That’s why we’ve invested a lot of time and resources to help defend your store in as many ways as possible. Because at the end of the day, our mission is to empower you to turn around and tell the kid in the backseat: yes, we’re there yet.
-Michael Speed Elder, Volusion