This Year, DDoS Attacks Are Shorter, Hit Harder And Aim At Things Like Shopping Carts
Written by Frank Hayes
With the big holiday distributed denial-of-service season coming up quickly for retailers’ E-Commerce sites (“Merry SYN flood to all!”), here’s a little bit of cheery news: Brute-force DDoS attacks are getting shorter in duration than in years past—even though the actual blast during a brute-force DDoS can get as high as 65 Gbps. And although last year attackers were starting to target routers instead of Web servers, this year they’re aiming lower—and much more often going after things like the lowly shopping cart.
Unfortunately, with those so-called “low and slow” attacks—which require a lot less firepower from attackers but can still crash your site—brute-force DDoS defenses won’t work. Your E-Commerce and network security teams may need to take a lesson from associates and loss prevention in thinking about online defense.
There are still plenty of brute-force attacks. Security vendor Prolexic said in a quarterly report released on Wednesday (Oct. 17) that the total number of DDoS attacks hitting its customers was up 88 percent from a year ago, although the average attack length dropped to 19 hours, from 33 hours last year. Average attack bandwidth more than tripled, to 4.9 Gbps, but some attacks ran much hotter. And attacks that averaged 20 Gbps are no longer uncommon, Prolexic reported.
In other words, defending against those attacks requires stronger defenses against shorter attacks. That’s easy enough for most security teams to grasp. It’s just one more iteration of the firewall and security-appliance arms race.
But the new rise in low-and-slow attacks? That’s going to require rethinking your strategy.
Case in point: the “basket stuffer” attack, in which the attacker writes a script that puts as many items as possible into a shopping cart. Eventually, that’s likely to bring the shopping-cart system to its knees.
“Adversaries don’t even have to know why the attack works,” said Andy Ellis, chief security officer at Akamai. “They can guess that programmers will assume there will never be more than 20 or 30 items in the basket.” Stuffing in hundreds of items? That by itself may overrun the cart’s allotted space.
If that doesn’t do it, there’s also the processing that has to happen for each item—beginning with saving the state of the cart after each item is added. Then there are all the nice elements you’ve added to make your site more interactive. “Business rules can bite you,” Ellis adds. “Every one has to process every time.” Recommendation engines are triggered, loyalty information is collected, and all that chews up processing power. The faster items are added, the more CPU time is chewed up—and the more likely it is that processes will stumble over each other. “It’s all about causing you to use resources,” Ellis says.
One way or another, if an attacker successfully stuffs hundreds of items into a shopping cart fast enough, the shopping-cart system will fail.
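One defensive shape for a cart handler, as an added example that is not from the article or from Akamai: a hard cap on line items plus a sliding-window limit on add attempts per session, both checked before any per-item processing (state persistence, recommendations, loyalty rules) runs, replayed against constructed traffic for a normal shopper and two scripted basket stuffers. The limit values and the session names are assumptions.

```python
from collections import deque

# Assumed policy values, not figures from the article.
MAX_CART_ITEMS = 50        # hard cap on distinct line items per cart
MAX_ADDS_PER_WINDOW = 10   # cart mutations one session may attempt per window
WINDOW_MS = 10_000         # sliding-window length in milliseconds


class Cart:
    """Server-side cart that bounds the work a single session can force."""

    def __init__(self):
        self.items = {}            # sku -> quantity
        self.add_times = deque()   # timestamps (ms) of recent add attempts

    def add_item(self, sku, qty, now_ms):
        # Sliding-window rate limit: forget attempts older than the window.
        while self.add_times and now_ms - self.add_times[0] > WINDOW_MS:
            self.add_times.popleft()
        if len(self.add_times) >= MAX_ADDS_PER_WINDOW:
            return "rate_limited"
        self.add_times.append(now_ms)
        # Cheap checks run before anything expensive (persisting cart state,
        # recommendation engine, loyalty rules) is triggered for the item.
        if qty <= 0:
            return "invalid_quantity"
        if sku not in self.items and len(self.items) >= MAX_CART_ITEMS:
            return "cart_full"
        self.items[sku] = self.items.get(sku, 0) + qty
        return "ok"


def simulate(events):
    """Replay (session, sku, qty, timestamp_ms) events; return {session: {outcome: count}}."""
    # A spike of non-"ok" outcomes for one session is the signal to alert on.
    carts, outcomes = {}, {}
    for session, sku, qty, ts in events:
        result = carts.setdefault(session, Cart()).add_item(sku, qty, ts)
        per_session = outcomes.setdefault(session, {})
        per_session[result] = per_session.get(result, 0) + 1
    return outcomes


# Constructed sample traffic: a normal shopper, a scripted basket stuffer adding
# an item every 50 ms, and a slower script that still tries to exceed the cap.
SAMPLE_EVENTS = [("shopper", f"sku-{i}", 1, i * 30_000) for i in range(3)]
SAMPLE_EVENTS += [("stuffer", f"sku-{i}", 1, i * 50) for i in range(300)]
SAMPLE_EVENTS += [("slow", f"sku-{i}", 1, i * 5_000) for i in range(60)]

if __name__ == "__main__":
    for session, counts in simulate(SAMPLE_EVENTS).items():
        print(session, counts)
```

The fast stuffer is mostly rate-limited and the slow one is stopped by the item cap, so neither reaches the per-item processing the article describes as the real cost.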
Best of all, from the attacker’s point of view: The attack is invisible.