How to ward off distributed denial of service (DDoS) attacks, online retailing’s natural enemy

Ever since they emerged several years ago as trouble for e-commerce sites, distributed denial of service, or DDoS, attacks have continued to evolve as threats to online retailing. Having first appeared as efforts by computer geeks to prove what they could do to stall web site operations, they morphed into attacks by criminals out to extort monetary rewards, as well as activists out to force recognition of a political cause, says Jeff Lyon, president of Black Lotus, a security technology and services firm that specializes in mitigating the effects of DDoS attacks.

Regardless of the reasons behind the attacks, many have targeted e-commerce sites more than other types of web sites, Lyon says.

The reason?

“E-commerce sites are most susceptible to DDoS attacks because the attackers know that if they take down an e-commerce site, they can take an entire business offline,” Lyon says. “If an insurance site is taken down, it hurts, but it doesn’t ruin the business.”

There are two general types of DDoS attacks: bandwidth floods, which try to overwhelm one or more web servers with enough traffic to make them crash; and application layer attacks, which try to hit particular features on a web site. The application layer attacks, which focus on one internal part of a web site, can be the most difficult to detect, Lyon says. That’s partly because they’re not noticed at the level of Internet service providers, leaving it up to an individual site to fend for itself, he adds.

Once a DDoS application layer attack breaks through a site’s firewall, it directs a large number of traffic hits at a particular site feature (a shopping cart, for instance), where it may also cause the feature itself to make a huge number of data pulls from databases both inside and outside of the web site. As on many web sites, a single feature on a page (for instance, a shopping cart that shows images of several cross-sell products, shipping information, and product pricing) may be pulling all that information from multiple databases. The back-and-forth flow of a huge number of data requests and data uploads in an application layer DDoS attack can make that application crash, Lyon says.

Black Lotus is one of several vendors of security technology and services designed to identify and block DDoS attacks before they can do much damage. The company is growing, Lyon says, with DDoS monitoring and prevention technology that ranges in cost from about $1,000 to $4,500 or more per month. The technology includes software designed to recognize whether traffic hitting a web site—or a particular internal component of a site such as a product listing or shopping cart—is driven by legitimate activity or software bots initiating a DDoS attack. When site traffic follows a pattern highly uncommon to typical visitors—for instance, when it sends an extremely high volume of hits to a shopping cart without completing a cart transaction—Black Lotus software will block it. “Once web traffic shows such a predictable pattern, we take it off a site as an attacker,” Lyon says.
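The pattern described above, a very high volume of shopping cart hits with no completed cart transaction, can be expressed as a check over a web server access log. This is an added example, not code from the article or from Black Lotus; the URL paths, the 60-second window, the threshold and the sample log lines are all assumptions constructed for illustration, and the log is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CART_PREFIX = "/cart"                 # assumed cart URL prefix
CHECKOUT_DONE = "/checkout/complete"  # assumed "transaction completed" URL
WINDOW = timedelta(seconds=60)        # assumed sliding window
MAX_CART_HITS = 20                    # assumed per-client limit inside one window

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path, status), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_cart_floods(lines):
    """Clients over the cart-hit limit with no completed checkout: {ip: peak hits}."""
    hits, peak, buyers = defaultdict(deque), defaultdict(int), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if path == CHECKOUT_DONE and 200 <= status < 400:
            buyers.add(ip)
        elif path.startswith(CART_PREFIX):
            q = hits[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop hits older than the window
                q.popleft()
            peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > MAX_CART_HITS and ip not in buyers}

def sample_log():
    """Constructed sample access log using documentation-range IP addresses."""
    fmt = '{ip} - - [10/Oct/2012:13:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512'
    log = ["garbled line"] + [fmt.format(ip="203.0.113.7", m=0, s=s, req=f"GET /cart?add={s}") for s in range(30)]
    log += [fmt.format(ip="198.51.100.20", m=1, s=s, req="GET /cart") for s in range(3)]
    log.append(fmt.format(ip="198.51.100.20", m=2, s=0, req="POST /checkout/complete"))
    log += [fmt.format(ip="192.0.2.5", m=m, s=0, req="GET /cart") for m in range(25)]
    return log
```

On the constructed log only the client that sends 30 cart requests in half a minute is reported; the shopper who checks out and the client whose 25 cart hits are spread over 25 minutes are not.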

Black Lotus, which is privately held and doesn’t release revenue figures, is on pace to double its revenue this year over 2011, following steady 50% annual growth since 2007, Lyon says. The company expects long-term growth, he adds, operating in a market between larger web site protection systems from companies such as VeriSign Inc. and Akamai Technologies Inc., and companies such as CloudFlare that offer DDoS protection technology for as little as $200 per month per web site.