It seems like a month doesn’t go by without a story popping up on some tech news blog regarding another major DDoS attack.Only this past few days has Moz been suffering from a DDoS attack on their site.
We are under a DDOS attack. Right now, no ETA on when we’ll be back up, but we’ll keep you posted here. — Moz (@Moz) May 17, 2014
The term “DDoS” stands for “Distributed Denial of Service” and it’s an attack that is commonly used by hackers to bring down a website temporarily. While this hack doesn’t really help anyone gain access to specific information on its own, it is a very useful tool for making a website unreachable by its intended audience. These attacks have been around for quite some time, but they were more recently popularized by those perpetrated by Anonymous against various large companies.
The Original Denial of Service
The way these attacks work is fairly simple. Websites servers are only able to provide access to a certain number of users at any given time due to bandwidth and other considerations. When too many people try to access the site on the server at once, the server cannot handle the load being placed on it and the site becomes unavailable. People use specialized software programs to access a website from many different IP addresses at once. When many people get together to target the same website at the same time, this can overload the host server and make the site impossible to reach. Some of these tools are made up of proprietary software, but some are open source to the public. For example, Anonymous has freely distributed the “Low Orbit Ion Cannon” software for free public use in DDoS attacks.
In the end, there’s a lot of argument over whether all DDoS attacks are pure vandalism or if some fall under the blanket of Hacktivism. After all, many of the most famous DDoS attacks did specifically target certain companies and organizations for very specific reasons. While that debate rages on, people will still continue to perform these attacks on websites.
The Impact to Your Website
DDoS attacks can hurt your revenues but there are of course other concerns too:
1. Brand and customer perception – inflicting potential brand damage at the same time as granting a competitive advantage to your rivals.
2. Email and contact centers – once network infrastructure and routers are targeted, DDoS attacks might bring down email and client contact centers, particularly if the call center is on a voice-over-IP (VoIP) network. During this incident, a DDoS attack can interrupt communication with customers, partners, vendors and even staff.
3. Stock price and market confidence – Some organisations hit by DDoS attacks have seen stock prices briefly fall and/or suffer volatile fluctuations because of market concerns for large brands this can be significantly expensive.
4. Search engine rankings – one negative consequence from DDoS attacks that usually gets overlooked is the potential affect it might have on rankings. We already know that if your web site isn’t accessible or crawlable, it could hurt your rankings. After all, Google needs to serve its users with quality results and websites that work. So, once your web site is down from a DDoS attack and Google sees that it’s “uncrawlable” it’s fair to assume that your rankings could take some form of impact.
It’s important to point out that the length of time your site is down plays a role in determining whether or not your rankings will be affected. According to everyone’s favourite Googler Matt Cutts, “If it [your site being down] was just for a day, you should be in pretty good shape. If your host is down for two weeks, then there’s a better indicator that the website is actually down and we don’t want to send users to a website that is actually down. So if it was only just a short period of downtime, I wouldn’t really worry about that [affecting your rankings].”
DDoS attacks are very often incorrectly associated with a service outage. In fact the biggest impact of DDoS/DoS attacks in 2013 was service degradation, which in most cases presents itself as a slow website.
A recent study by TRAC Research of 300 businesses, reported three very interesting things:
• Average revenue losses of $21k per hour of downtime.
• Average revenue losses of $4k per hour of performance slowdown.
• Website slow-downs occur up to ten times more frequently than website outages.
In other words, website slowdowns, can have a greater impact over time on your revenues as outages. While temporary outages cost more per minute, slowdowns take up significantly more time and can ultimately cost more.
And what about the impact on customer retention:
Or to put it another way: the permanent abandonment rate for a slow site is more than three times greater than the abandonment rate for a site that is temporarily down. Think about that for a minute.
Unfortunately, some black hat SEOs have already started using DDoS attacks against competitors as a tactic to damage their sales and rankings.
How to Identify a DDos Attack
Most cloud DDoS mitigation services are available on demand which means that customers will enable the service once they are the victim of a DDoS attack.
There are multiple monitoring tools you’ll be able to use to capture traffic changes, which might help confirm whether or not you’re under a DDoS attack.
#1. Internal server, network and infrastructure monitoring applications
Companies have plenty of monitoring package and applications to decide on from, however one of the morestandard pieces of software, referred to as Nagios, allows you to monitor internal infrastructure status and performance of applications, services, operational systems, network protocols, system metrics and network infrastructure.
For example, monitoring software packages will check your HTTP service to make sure that a web site or server is functioning properly, and if the service isn’t functioning, most software includes real-time notification. As a result most DDoS attacks target a web server or application server, monitoring software could show the HTTP service to be experiencing a problem with slowness, high CPU utilization or complete failure. While watching servers and infrastructure are useful, there’s no guarantee that DDoS is the issue. Abnormal spikes in traffic and usage do occur for legitimate reasons from time to time.
#2. External Performance watching Solutions within the Cloud
Companies that don’t host their own websites and use services like Amazon EC2 would get the most from third-party solutions. Network/infrastructure tools — that are sometimes put in within your network — external performance watching solutions are usually provided by a 3rd party and leverage various monitoring locations from round the world.
External watching tools will study many elements:
• Virtual browsers to check the basic web site over time and performance
• Real browsers to look for site / application performance, errors and repair degradation
• Network services like DNS, FTP and your email, among others
From a DDoS perspective, associated external third-party monitoring is the sensible answer. The aim of this kind of tool is to perpetually monitor an internet site, service or application and check for potential indicators of a DDoS attack.
That said, though a 3rd party external tool will work on capturing DDoS attacks, these solutions don’t seem to be foolproof. While external tools will point out that site performance is degrading or is failing, it cannot confirm the explanation.
Originally, the goal of third-party tools was to make sure that ISPs, hosting and servers were functioning as designed. Slow response times and outages may indicate a hosting provider or server being down.
How to Test your Sites Vulnerability
If you are a competent technical person and have a few friends you could try LOIC (Low Orbit Ion Cannon) or HOIC (High Orbit Ion Cannon) which were released to the public by Anonymous, but of course you could just spend $5 on Fiverr and get a report carried out for you to highlight the most common vulnerabilities. Regular DDOS attacks like those launched by LOIC work by overwhelming the server with complete requests. Slowloris works differently. It opens connections to the server but never actually completes them which ties up all the server’s sockets resulting in a DOS. The easiest way to mitigate this sort of attack is by denying many connections from a single client. But of course there’s a way to get around this using Tor and Pyloris a Python version of Slowloris.
hping is a command-line oriented TCP/IP packet assembler/analyzer. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks.
Of course SEO’s have made the ability to carry out a DDoS attack really easy for just about anyone. Russ Jones wrote an article that showed that free SEO tools that create XML sitemaps or crawl sites could be utilised all at the same time to cause a significant increase in bandwidth and CPU Usage.
You should do whatever you feasibly can to prevent DDoS attacks or at the very least mitigate against any attack that does hit your website. Make sure that you have systems in place to detect potential attacks and have a plan in place for responding to them as quickly and effectively as possible.