Black Friday is almost here, and ‘DDoS Season’ has arrived.
DDoS attacks occur year-round, of course. But for online retailers especially, this is the worst time of the year for these incidents.
We’re already seeing holiday-related DDoS events against Reblaze customers. And along with the usual volumetric assaults, we’re seeing some interesting variations in the tactics that attackers are using.
You might have found this article because you’re currently under attack. If so, we can help: before reading further, contact Reblaze first.
Otherwise, read on. In this article, we’ll discuss:
- Why this time of year has become so dangerous, especially for ecommerce sites and applications
- An interesting attack variation that we’re observing this year
- How to prepare and ensure that you have effective protection.
The end-of-year holiday season is by far the most important time for ecommerce. With so much potential revenue in a brief period of time, retailers are vulnerable to anything that could disrupt their web applications. Even brief outages in service can be very costly.
Cybercriminals know this, of course. That’s why DDoS is rampant this time of year. Attackers issue extortion demands that are simple and clear: ‘if you don’t pay us, we’ll take your site down’. Targets who do not pay will often become DDoS victims.
DDoS attacks have been around since the mid-1990s. Today, there is a mature industry surrounding them, including DDoS services for hire. But hackers continue to find new ways to wage them, and this holiday season is no exception. In fact, holiday-related DDoS incidents have already begun, and in some cases, there’s a new tactic being used.
A New Approach to DDoS Extortion
DDoS extortion usually begins with a message from the attacker, threatening an attack unless payment is made. However, from the attacker’s perspective, there are several drawbacks to this.
- The recipient doesn’t know if the attacker is serious, or merely sending empty threats with no intention of following through.
- The recipient doesn’t know if the attack, if it did occur, would be large enough to overwhelm their defenses.
- Pre-attack messages also include some administrative overhead. The hackers must use some version of CRM; they must keep track of messages sent, responses received, demands that were paid or refused, etc., while organizing and timing everything properly. Sometimes this process breaks down. (We recently saw an incident where the “warning” didn’t arrive until after the attack occurred.)
The attack we observed this year solved all three of these problems in a creative way: it built the message into the attack itself.
This incident was a respectable size, with a peak slightly above three million requests per minute. Over a twenty minute period, 42 million requests were received.
The Reblaze platform provides full traffic transparency, with the ability to drill down into individual requests. Doing so for this attack revealed something interesting.
[Screenshot: “Whitelist yourselves for Black Friday”; private customer info and the attacker’s bitcoin account are redacted]
The attacker was sending GET requests to a (non-existent) URL on the target’s site:
<target domain>/whitelist_yourselves_for_black_friday_1_bitcoin_<attacker’s bitcoin address>_revil_Rzt.
So, this attack was designed to:
- Knock the target’s site offline for a brief period in order to demonstrate the attacker’s abilities.
- Threaten a much more severe attack (a DDoS during Black Friday) during the victim’s postmortem analysis.
- And include the extortion demand and payment details in the attack itself. Supposedly, by paying the attackers one bitcoin, the target could “whitelist” their organization, i.e. become exempt from a Black Friday attack.
If the attack had succeeded, this approach would have been a tidy way for the attackers to solve the problems mentioned earlier. Unfortunately for them, despite their creative approach, their attack was a failure.
(Reblaze automatically blocked the attack traffic before it reached our customer’s servers. In fact, our customer didn’t even realize that the attack had occurred. Our SOC team noticed it in the logs, and mentioned it to them later.)
Sending messages to the target as part of the attack itself is one of the more imaginative tactics we’ve seen recently. However, it’s not the only new gambit that we’ve observed this season. We’ll discuss some more in upcoming articles.
How to Prepare for DDoS Season
As holiday shopping season approaches, it’s vital (for all organizations, but especially online retailers) to ensure that they have robust defenses against DDoS.
Presumably, your organization already has DDoS protection as part of your overall web security. The pre-holiday season is a great time to revisit your current solution and see if it still meets your needs.
In the current threat environment, here is what a solution should have.
Traffic filtering that occurs upstream from the ISP. Some organizations still use on-prem solutions, but these can only filter traffic after it has passed through your incoming Internet pipe. However, modern DDoS attacks can be large enough to overwhelm your ISP, forcing them to blackhole your site(s) and take your organization offline. This makes your DDoS solution irrelevant.
Sophisticated rate limiting. Many solutions have simplistic rate-limiting capabilities, based on a few characteristics such as IP addresses. However, many attackers have the ability to mount complicated assaults that rotate IPs and use other strategies to bypass detection. A robust solution will have the ability to track traffic sources despite these tactics.
Autoscaling of bandwidth and other resources. During the stress of an attack, your defenses should respond automatically, and they should be able to access sufficient resources to counter the attack. Again, on-prem solutions can fall short here.
Sophisticated bot detection abilities. DDoS traffic must, by its nature, be automated. An important part of DDoS mitigation is the identification and blocking of advanced bots which can evade traditional detection methods. If your solution still relies on obsolete techniques like reCAPTCHA or hCAPTCHA, you should seek an alternative. (For more information, see our article on finding a reCAPTCHA alternative.)
A single-tenant solution. Most web security solutions are multi-tenant, so they perform traffic filtering in external PoPs outside the customers’ environments. Along with the performance issues (such as added latency) that this introduces, this also means that their customers must share resources, and could potentially be affected by DDoS attacks aimed at others. For robust protection, your organization should have a dedicated web security solution, running inside your environment.
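The incident above (a burst of GETs to one non-existent URL with the demand embedded in the path) and the rate-limiting point (attackers rotate IPs to slip under per-address thresholds) both come down to the same detection idea: group traffic by the thing the attacker cannot vary, the target path, rather than by the source address. The script below is an added example written for this article, not Reblaze’s code or platform logic. It assumes Common Log Format access logs, constructs its own sample lines, uses illustrative thresholds (five requests from three or more distinct IPs within one minute), and substitutes the constructed token BTCADDRESSREDACTED for the attacker’s bitcoin address, which is not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format with a status code; the timestamp carries its UTC offset.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log: six GETs to one non-existent path spread across four
# client IPs (no single IP sends more than two), mixed with ordinary traffic.
# BTCADDRESSREDACTED is a constructed placeholder for the attacker's address.
ATTACK_PATH = "/whitelist_yourselves_for_black_friday_1_bitcoin_BTCADDRESSREDACTED_revil_Rzt"
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Nov/2021:10:15:01 +0000] "GET /products/42 HTTP/1.1" 200 5120',
    f'203.0.113.10 - - [22/Nov/2021:10:15:02 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 153',
    f'203.0.113.11 - - [22/Nov/2021:10:15:02 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 153',
    '198.51.100.8 - - [22/Nov/2021:10:15:03 +0000] "GET /cart HTTP/1.1" 200 2048',
    f'203.0.113.12 - - [22/Nov/2021:10:15:03 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 153',
    f'203.0.113.10 - - [22/Nov/2021:10:15:04 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 153',
    '198.51.100.9 - - [22/Nov/2021:10:15:05 +0000] "GET /login HTTP/1.1" 404 153',
    f'203.0.113.13 - - [22/Nov/2021:10:15:05 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 153',
    f'203.0.113.11 - - [22/Nov/2021:10:15:06 +0000] "GET {ATTACK_PATH} HTTP/1.1" 404 153',
    '198.51.100.9 - - [22/Nov/2021:10:15:07 +0000] "GET /login HTTP/1.1" 404 153',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_path_floods(lines, window=timedelta(minutes=1),
                       min_requests=5, min_distinct_ips=3):
    """Group requests by (path, time bucket) instead of by client IP, so a flood
    that rotates source addresses still surfaces as one hot path.

    Returns {path: {"requests", "distinct_ips", "max_per_ip", "not_found_share"}}
    for every path that crosses both thresholds in a single window. "max_per_ip"
    shows what a per-address rate limiter would have seen for the same burst.
    Thresholds here are illustrative, not tuned values.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the scan
        bucket = int(rec["ts"].timestamp() // window.total_seconds())
        buckets[(rec["path"], bucket)].append(rec)

    alerts = {}
    for (path, _), recs in buckets.items():
        per_ip = defaultdict(int)
        for r in recs:
            per_ip[r["ip"]] += 1
        if len(recs) < min_requests or len(per_ip) < min_distinct_ips:
            continue
        summary = {
            "requests": len(recs),
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
            "not_found_share": sum(r["status"] == 404 for r in recs) / len(recs),
        }
        # Keep the busiest window if the same path trips in several buckets.
        if path not in alerts or summary["requests"] > alerts[path]["requests"]:
            alerts[path] = summary
    return alerts


def embedded_message(path):
    """Render an underscore-separated path as text, which is how a demand
    written into the URL (as in the incident above) becomes readable."""
    return path.strip("/").replace("_", " ")


if __name__ == "__main__":
    for path, s in detect_path_floods(SAMPLE_LOG).items():
        print(f"{s['requests']} requests from {s['distinct_ips']} IPs "
              f"(max {s['max_per_ip']} per IP, {s['not_found_share']:.0%} 404): {path}")
        print("  embedded text:", embedded_message(path))
```

On the constructed sample, the attack path is the only one flagged, and `max_per_ip` is 2: a rate limiter keyed on IP address with any sensible threshold would not have fired, while the per-path view sees six 404s from four sources in one minute. In practice the thresholds would be set from a baseline of normal per-path request rates, and a high `not_found_share` on a path nobody has ever served is itself a strong signal.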
To learn more about effective DDoS protection in the contemporary threat environment, see our previous articles on the subject:
- Hardening Your Cloud Environment Against DDoS
- AWS Shield: How to Set Up and Use Amazon’s DDoS Protection Service
- DDoS: How to mitigate the most dramatic cyberattack
- Black Friday & Cyber Monday – A hacker’s heaven
- Five Questions You Should Be Asking Your Web Security Provider
Ecommerce organizations are also encouraged to read our recent article, “5 Tips to Ensure a Safe Holiday Shopping Season.”