This Wednesday, at around 22:30 GMT our website -- and a whole load of others -- was brought down by a DDOS attack on our server facilities in the US. In fact, at the time of writing, our datacentre is still under attack.
A DDOS attack is a distributed denial-of-service attack: essentially, a large network of computers floods a server with requests for pages, eventually crippling it so that it cannot respond to normal requests from readers such as you.
You might have experienced a similar thing when trying to buy tickets for an event where all of the tickets go on sale at the same time. So many eager spectators try to access the ticketing site all at the same time that the server simply cannot cope, and you end up with thousands of disgruntled customers taking to Twitter or the Daily Mail to express their dismay at bungling ticket merchants.
This attack was a highly sophisticated one that brought down our AT&T datacentre as well as nine others across the East Coast of the United States.
Attacks such as these are increasingly common, with some of the largest companies in the world having been impacted by them in the past 12 months -- including Microsoft, Amazon, eBay, and even the FBI.
For us, this is the first time that our network has been brought down for at least 13 years, and obviously for IFSEC Global.com, having only launched two weeks ago, this is certainly the first time.
Now, obviously, the irony of being a website that covers the global security and fire industries being brought down by a cyberattack is not lost on me.
In fact, in many ways it’s been a unique insight into the pain that businesses can feel as a result of being targeted (though in this case, I understand we weren’t specifically targeted, just unlucky collateral damage).
How would your business cope?
As a global media business, we have extremely capable IT experts, but they were only able to bring our websites back up almost 24 hours after they went down.
The question you should ask yourself is: If your website were brought down by a similar incident tomorrow, how would your business cope, and how much would it cost you? Every hour that your website is down could mean hundreds or even thousands of pounds in potential lost leads for you.
There are a number of steps that you need to have taken:
How long would it be until you even noticed that your website server was down? Have you set up automatic alerts for server downtime? If not, it could be hours or even days before you realise that your website is inaccessible.
Make a list of the key contacts at your host and ISP who will be able to tell you what is going on and when they think the attack might be over.
Now that you know your server is under attack, ask yourself if you’ve backed up your website recently. If you have a reasonably small website then you can get this set up with a new host relatively quickly. If you have a more complex website then you might want to follow the advice of DDOS specialist Mike Smith and create a smaller, simpler webpage that gives basic information about your business and services, and use another host to serve it.
Once the attack is over, analyse what happened and how well your response coped.
If you’re of a more technical mindset, you might want to take a look at this network DDOS incident response cheat sheet. The key steps are grouped under: preparation; analysis; mitigation; wrap-up.
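The first of the steps above, knowing that your site is down before your readers tell you, is the one most easily automated. What follows is an added example, not code from the article or from IFSEC Global's IT team: a small availability monitor that probes a URL on a fixed interval, declares an outage only after a run of consecutive failures (so one dropped packet does not page anyone), and raises a second alert on recovery. The probe and alert callables are injectable, so the same logic runs against a scripted sequence for demonstration; the URL, threshold and interval are placeholder assumptions.

```python
"""Website availability monitor with downtime alerting.

Added example; not code from the IFSEC Global article. It assumes a probe
callable (default: an HTTP GET via urllib with a timeout) and an alert
callable (default: print). The URL, threshold and interval are placeholders.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


def http_probe(url: str, timeout: float = 5.0) -> bool:
    """Return True if the URL answers with a 2xx/3xx status within the timeout.
    4xx/5xx responses raise HTTPError (a URLError subclass) and count as failures."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, OSError, ValueError):
        return False


@dataclass
class Monitor:
    url: str
    probe: Callable[[str], bool] = http_probe
    alert: Callable[[str], None] = print
    fail_threshold: int = 3        # consecutive failures before declaring DOWN
    interval_seconds: int = 60     # spacing between probes
    consecutive_failures: int = 0
    down: bool = False
    events: List[str] = field(default_factory=list)  # "down"/"recovered" history

    def check_once(self) -> str:
        """Probe once; return 'up', 'degraded' (failing, below threshold) or 'down'."""
        if self.probe(self.url):
            if self.down:
                self.down = False
                self.events.append("recovered")
                self.alert(f"RECOVERED {self.url}")
            self.consecutive_failures = 0
            return "up"
        self.consecutive_failures += 1
        if not self.down and self.consecutive_failures >= self.fail_threshold:
            self.down = True
            self.events.append("down")
            self.alert(f"DOWN {self.url}: {self.consecutive_failures} consecutive failed probes")
        return "down" if self.down else "degraded"

    def worst_case_detection_seconds(self) -> int:
        """Longest gap between the outage starting and the DOWN alert firing."""
        return self.fail_threshold * self.interval_seconds

    def run(self, checks: int) -> None:
        """Live loop: probe, then sleep for the configured interval."""
        for _ in range(checks):
            self.check_once()
            time.sleep(self.interval_seconds)


def replay(outcomes: List[bool], fail_threshold: int = 3) -> Tuple[List[str], List[str]]:
    """Drive a Monitor with a scripted probe sequence (constructed, for demo/testing).
    Returns the per-check states and the alert events that were raised."""
    script = iter(outcomes)
    mon = Monitor(url="https://example.invalid/",   # placeholder URL
                  probe=lambda _url: next(script),
                  alert=lambda _msg: None,
                  fail_threshold=fail_threshold)
    states = [mon.check_once() for _ in outcomes]
    return states, mon.events


if __name__ == "__main__":
    # Constructed outage: one good probe, three failures, recovery, two more failures.
    states, events = replay([True, False, False, False, True, False, False])
    print("states:", states)
    print("events:", events)
    print("worst-case detection:", Monitor(url="https://example.invalid/").worst_case_detection_seconds(), "s")
```

With a 60-second interval and a threshold of three failures, the worst case between the server going dark and someone being told is three minutes, which is the number to compare against the "hours or even days" the article warns about. For a live deployment, replace the `print` alert with something that reaches a person (e-mail, SMS, a chat webhook) and run the monitor from a host outside the datacentre being watched, otherwise the monitor goes down with the site.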
As these kinds of attacks become more and more common, I sincerely hope this is the last time I write an article such as this.
Re: Responding to attacks
Thanks for that Sarb. I think it's definitely important that we share any learnings we can to help others, and I'd echo your congratulations to the team that first spotted the attack and then 'stopped the bleed' as you put it.
If we ever managed to get to the bottom of who the real target was -- unlikely as burn0050 explained -- I'll be sure to let you know.
Responding to attacks
What burn0050 and LawrenceB say is absolutely right: it is not so easy to establish whether the attack was the start of something else, and the DDOS was just a way to divert your resources away from the real attack.
We have seen several security media sites attacked recently, as well as investigative journalist sites like the New York Times and the Wall Street Journal.
Although who or what the real target is, is difficult to identify quickly, whatever code is left behind (if anyone can find it) is often where the clues are going to be. So even in a DDOS attack it is important to not assume that nothing else took place.
As the phrase goes "Stop the bleeding; then work on lifestyle issues and fill out the paperwork", as this could and most likely will take a lot of time. Our experience shows that the smarter the attacker, the less code they will be leaving for you to find easily.
Lastly, well done for not only knowing that an attack was taking place and "stopping the bleeding", but also and very importantly sharing what you knew in an open way rather than pretending that nothing happened. This type of attitude of sharing can go a long way in helping others.
Re: DDOS and DOS attacks
Good questions that I've thought about. We'll never know who was the real target of these attacks. The attack was targeted at an unused IP address in our service provider's block of IPs (so they weren't owned, per se, by us). This was a good target for them, because there weren't any protections on an unused IP, but it was routed to the set of data centers. This was a large sustained attack, with multi-gigabyte floods coming from all of the internet pipes (like level3, at&t, etc), so all inroads were used, and there was a lot of bandwidth.
Since this took down 9 data centers, and the one where our servers resided housed many clients, we may have been the victim because we happened to have the first unused IP address they could attack to bring down the whole data center.
The data center doesn't reveal who else is in our particular data center, so unless someone claims responsibility, it will be difficult to discern who the real target was.
I also wonder if this was a trial run, someone testing their muscles for an attack on something bigger, using something that wouldn't get a lot of attention while they test their DDOS attack.
Re: DDOS and DOS attacks
Some great additional tips, thank you LawrenceB. In an industry such as security in particular, as you point out, there could be any number of potential 'enemies' responsible for the attack. The bigger the business, the bigger the threat.
DDOS and DOS attacks
I'd also look at content and recent activity on the site, as a lot of DDOS and DOS attacks are from groups that may have felt criticized or angry about content on your site. While I worked on Flight Global we were targeted by after publishing stories about the Israeli Air Force, which they felt was a punishable action.
Also, could the attack have been from a competitor toward your site/service? Awareness of this can help prevention strategies and also legal action.
Was the attack, like in this case, to another site on a shared service or to a service provider? Knowledge of where you stand and possible threats around your site is another area I'd take into consideration when looking at security.
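burn0050's description above, a sustained multi-gigabyte flood from many upstream pipes aimed at an unused address in the provider's block, is exactly the shape that shows up first in flow records, and the "unused address" detail is what tells an operator that a whole block is absorbing collateral damage rather than one service being hit. The following is an added example, not code from the page or from any of the commenters: it aggregates constructed flow records (timestamp, source, destination, bytes) per destination over a one-minute window, flags destinations whose inbound rate exceeds a baseline multiple, and annotates each finding with whether the destination hosts a known service. All addresses are from documentation ranges, and the baseline and multiplier are illustrative assumptions.

```python
"""Flow-record triage for a volumetric flood.

Added example; not code from the page or its commenters. It works on
constructed flow records shaped like (epoch_seconds, src_ip, dst_ip, bytes)
and a constructed set of addresses that host known services, so that a flood
aimed at an unused address in the provider's block stands out. All addresses
are from documentation ranges; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, int]  # (epoch_seconds, src_ip, dst_ip, bytes)

# Constructed: addresses in "our" provider block that actually host something.
KNOWN_SERVICES: Set[str] = {"203.0.113.10", "203.0.113.11"}


def make_sample_flows(window_start: int = 1_700_000_000) -> List[Flow]:
    """Build a constructed 60-second window: modest web traffic to a known
    service plus a flood from many sources at an address nothing is using."""
    flows: List[Flow] = []
    # Normal: 20 flows of 300 KB to the web server from 10 visitor addresses.
    for i in range(20):
        flows.append((window_start + i * 3, f"198.51.100.{i % 10 + 1}", "203.0.113.10", 300_000))
    # Flood: 200 flows of 15 MB (3 GB total) to an unused address from 100 sources.
    for i in range(200):
        flows.append((window_start + i % 60, f"192.0.2.{i % 100 + 1}", "203.0.113.77", 15_000_000))
    return flows


def aggregate_by_dst(flows: List[Flow], window_start: int, window_seconds: int) -> Dict[str, Dict]:
    """Sum bytes and count distinct sources per destination inside the window."""
    agg: Dict[str, Dict] = defaultdict(lambda: {"bytes": 0, "sources": set()})
    window_end = window_start + window_seconds
    for ts, src, dst, nbytes in flows:
        if window_start <= ts < window_end:
            agg[dst]["bytes"] += nbytes
            agg[dst]["sources"].add(src)
    return agg


def mbps(total_bytes: int, seconds: int) -> float:
    """Average rate in megabits per second over the window."""
    return round(total_bytes * 8 / seconds / 1_000_000, 3)


def flag_floods(flows: List[Flow], known: Set[str], window_start: int,
                window_seconds: int = 60, baseline_mbps: float = 5.0,
                factor: float = 10.0) -> List[Dict]:
    """Return destinations whose inbound rate exceeds baseline*factor, most severe
    first. known_service=False means the flooded address hosts nothing of ours."""
    findings = []
    for dst, info in aggregate_by_dst(flows, window_start, window_seconds).items():
        rate = mbps(info["bytes"], window_seconds)
        if rate > baseline_mbps * factor:
            findings.append({
                "dst": dst,
                "mbps": rate,
                "distinct_sources": len(info["sources"]),
                "known_service": dst in known,
            })
    return sorted(findings, key=lambda f: f["mbps"], reverse=True)


if __name__ == "__main__":
    start = 1_700_000_000
    for f in flag_floods(make_sample_flows(start), KNOWN_SERVICES, start):
        tag = "known service" if f["known_service"] else "UNUSED address: whole block at risk"
        print(f"{f['dst']}: {f['mbps']} Mbps from {f['distinct_sources']} sources -- {tag}")
```

On the constructed sample the only finding is 203.0.113.77 at 400 Mbps from 100 distinct sources, and the `known_service` flag is false. That combination (high rate, many sources, nothing of yours behind the address) is the signal to ask the provider about the rest of the block rather than to start hunting inside your own application, which is the distinction the thread draws between being the target and being collateral damage.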