VRSN DDoS Case Study - September 2011
1. Case Study
Verisign DDoS Protection Services Helps E-Retailer Mitigate Sustained, Multi-Layer DDoS Attack

When a leading online retailer experienced a crippling distributed denial of service (DDoS) attack on its two main e-commerce websites, it drew on Verisign DDoS Protection Services to mitigate the attack and quickly restore full functionality.

At the time of the call to Verisign, the attack had persisted for more than one week and both websites were completely unavailable. With thousands of dollars in sales every day, the websites were a primary revenue source for the retailer and an essential conduit for transactions, interactions, and information about the company’s products. Although the company set up a redirect page advising e-commerce customers that they could phone in their orders, customers and wholesalers could not view online product descriptions and other information they needed to make their purchase decisions. Order volume dropped significantly, amounting to an estimated $100,000 in lost sales in one week. Facing stiff competition, the company was especially sensitive to further inconveniencing its customers and giving up market share.

Even though the company tried to fight off the attack on its own, it did not have the in-house expertise or technology to identify and then mitigate the type of DDoS attack that was hitting its system. Typical of many companies, it had relied on measures that were insufficient to ward off DDoS attacks of the scale and sophistication seen in the past few years.

For more information on best practices to protect against DDoS attacks, see the Verisign white paper, Best Practices for a Rapidly Changing Landscape.

In this case, a small firewall in front of the company’s Web servers quickly failed once the attack exceeded the firewall’s traffic threshold. Upon recommendation by a competitor who had recently experienced a similar attack, the company turned to Verisign. Verisign® DDoS Protection Services is a cloud-based DDoS detection, mitigation, and actor attribution solution that rapidly and selectively mitigates risk in order to maintain high throughput rates for legitimate traffic.

2. Immediate Traffic Redirection to Verisign’s Mitigation Center

Working with the company’s in-house team, Verisign’s first step was to point the websites’ Domain Name System (DNS) to Verisign’s Internet Protocol (IP) address so all website traffic would be diverted to Verisign’s in-the-cloud mitigation center instead of consuming the retailer’s bandwidth. At the mitigation center, Verisign then applied a series of filters to inspect and analyze data packets for malicious traffic.

Designed to handle massive DDoS attacks, Verisign’s proprietary monitoring and mitigation platform readily absorbed attack traffic, while quickly returning legitimate traffic to the websites so that the company could begin accepting orders again.

This on-demand, cloud-based solution was the most feasible for the retailer because it could be implemented immediately, did not require investment in DDoS monitoring and mitigation technology, and offered more scalability, reliability, and flexibility than an in-house, premise-based, or ISP-based solution. In addition, the solution was backed by Verisign’s extensive expertise and global intelligence network, which proved an advantage in anticipating the attackers’ next moves, distinguishing between normal and malicious traffic, and developing new filters in real time to counter those moves.

“In order to pay for their purchases, the company’s customers needed to add items to their shopping cart and then check out. At first the attackers flooded the company’s internet connections, so customers’ orders could not reach the website. Imagine a customer’s frustration at going through the process of researching and selecting items, and then not being able to complete his or her purchase.”
Verisign Operations Senior Engineer

3. Agile Response to Complex and Changing Attack Tactics

The attack came in multiple waves, which Verisign engineers and technology were ready for.

“We regularly mitigate massive, complex attacks on our .com and .net infrastructure, which has maintained 100 percent availability for 13 plus years,” explains the engineer. “This gives us an unmatched level of experience in identifying and mitigating DDoS attacks.”

The first series of attacks were transport-layer TCP SYN flood attacks in the 250 Mbps range. Once Verisign started mitigating the attack, the volume rose to 2.27 Gbps in less than 30 minutes. As Verisign applied countermeasures, the attackers changed tactics and started sending application-layer HTTP floods. HTTP flood attacks continuously attempt to pull up a Web page from a single IP address or a range of IP addresses. Once the flood of requests exceeded the traffic threshold for the Web page server, new clients that attempted to connect were unable to do so and multiple timeouts jammed the internet connections. In conjunction with the HTTP attack, the attackers were sending traffic that did not comply with internet RFC standards (e.g., overlapping fragments, non-compliant flags within the TCP and IP headers, and the destination IP address populating as the source IP address).

Verisign responded by limiting the rate of traffic being sent to the Web servers. Verisign also acted as a proxy for the websites, so the attack would flow to Verisign first and only complete connections would cross to the website.

These measures helped the retailer to recover, but as the Verisign team anticipated, the attackers changed tactics one or two hours later. They went from an HTTP flood attack, which Verisign had rendered ineffective, to an SSL flood attack, which targeted encrypted, secure traffic for credit card transactions.

“SSL attacks are more complicated to mitigate because you need to get the customer’s private key and look inside the payload of the SSL packet. We got the private key and when we started decrypting packets we saw that the attackers were making malformed requests inside the SSL payload. We quickly updated our mitigation filters to drop the requests.”
Senior Verisign DDoS Protection Services Engineer
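
The non-compliant traffic named in section 3 (overlapping fragments, non-compliant TCP and IP flags, the destination address reused as the source address) can be screened with header checks like the ones below. This is an added example, not Verisign's filter code; the names `check_packet` and `build` and the sample addresses are constructed for illustration.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits
CLIENT = bytes([198, 51, 100, 7])             # constructed sample addresses
SERVER = bytes([203, 0, 113, 10])             # (documentation ranges)

def check_packet(pkt, frags):
    """Return reasons to drop an IPv4 packet; an empty list means it passes.
    frags maps (src, dst, id, proto) -> byte ranges already seen."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["truncated or non-IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack("!HHH", pkt[2:8])
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["inconsistent IP length fields"]
    reasons = []
    if src == dst:
        reasons.append("source address equals destination address")
    if frag & 0x8000:                           # bit that must be zero
        reasons.append("reserved IP flag set")
    more, offset = bool(frag & 0x2000), (frag & 0x1FFF) * 8
    if more or offset:                          # packet is a fragment
        start, end = offset, offset + total_len - ihl
        seen = frags.setdefault((src, dst, ident, proto), [])
        if any(start < e and s < end for s, e in seen):
            reasons.append("overlapping fragment")
        seen.append((start, end))
    # The TCP header is only present in an unfragmented packet or first fragment.
    if proto == 6 and offset == 0 and total_len - ihl >= 14:
        flags = pkt[ihl + 13] & 0x3F
        if flags == 0:
            reasons.append("TCP segment with no flags")
        if flags & SYN and flags & (FIN | RST):
            reasons.append("SYN combined with FIN or RST")
    return reasons

def build(src, dst, tcp_flags=SYN, ident=1, frag=0, payload=b""):
    """Construct a sample IPv4/TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    body = tcp + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident, frag,
                     64, 6, 0, src, dst)
    return ip + body
```

The fragment table in `frags` grows with every fragmented datagram, so a deployed filter would also expire entries after a reassembly timeout.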