Case Study

Verisign DDoS Protection Services Helps E-Retailer Mitigate Sustained, Multi-Layer DDoS Attack

When a leading online retailer experienced a crippling distributed denial of service (DDoS) attack on its two main e-commerce websites, it drew on Verisign DDoS Protection Services to mitigate the attack and quickly restore full functionality.

At the time of the call to Verisign, the attack had persisted for more than one week and both websites were completely unavailable. With thousands of dollars in sales every day, the websites were a primary revenue source for the retailer and an essential conduit for transactions, interactions, and information about the company's products.

Although the company set up a redirect page advising e-commerce customers that they could phone in their orders, customers and wholesalers could not view online product descriptions and other information they needed to make their purchase decisions. Order volume dropped significantly, amounting to an estimated $100,000 in lost sales in one week. Facing stiff competition, the company was especially sensitive to further inconveniencing its customers and giving up market share.

Even though the company tried to fight off the attack on its own, it did not have the in-house expertise or technology to identify and then mitigate the type of DDoS attack that was hitting its system. Typical of many companies, it had relied on measures that were insufficient to ward off DDoS attacks of the scale and sophistication seen in the past few years.

For more information on best practices to protect against DDoS attacks, see the Verisign white paper, Best Practices for a Rapidly Changing Landscape.

In this case, a small firewall in front of the company's Web servers quickly failed once the attack exceeded the firewall's traffic threshold. Upon recommendation by a competitor who had recently experienced a similar attack, the company turned to Verisign. Verisign® DDoS Protection Services is a cloud-based DDoS detection, mitigation, and actor attribution solution that rapidly and selectively mitigates risk in order to maintain high throughput rates for legitimate traffic.

Immediate Traffic Redirection to Verisign's Mitigation Center

Working with the company's in-house team, Verisign's first step was to point the websites' Domain Name System (DNS) to Verisign's Internet Protocol (IP) address so all website traffic would be diverted to Verisign's in-the-cloud mitigation center instead of consuming the retailer's bandwidth. At the mitigation center, Verisign then applied a series of filters to inspect and analyze data packets for malicious traffic.

Designed to handle massive DDoS attacks, Verisign's proprietary monitoring and mitigation platform readily absorbed attack traffic, while quickly returning legitimate traffic to the websites so that the company could begin accepting orders again.

This on-demand, cloud-based solution was the most feasible for the retailer because it could be implemented immediately, did not require investment in DDoS monitoring and mitigation technology, and offered more scalability, reliability, and flexibility than an in-house, premise-based, or ISP-based solution. In addition, the solution was backed by Verisign's extensive expertise and global intelligence network, which proved an advantage in anticipating the attackers' next moves, distinguishing between normal and malicious traffic, and developing new filters in real time to counter those moves.

"In order to pay for their purchases, the company's customers needed to add items to their shopping cart and then check out. At first the attackers flooded the company's internet connections, so customers' orders could not reach the website. Imagine a customer's frustration at going through the process of researching and selecting items, and then not being able to complete his or her purchase."
Verisign Operations Senior Engineer

Agile Response to Complex and Changing Attack Tactics

The attack came in multiple waves, which Verisign engineers and technology were ready for.

"We regularly mitigate massive, complex attacks on our .com and .net infrastructure, which has maintained 100 percent availability for 13 plus years," explains the engineer. "This gives us an unmatched level of experience in identifying and mitigating DDoS attacks."

The first series of attacks were transport-layer TCP SYN flood attacks in the 250 Mbps range. Once Verisign started mitigating the attack, the volume rose to 2.27 Gbps in less than 30 minutes. As Verisign applied countermeasures, the attackers changed tactics and started sending application-layer HTTP floods. HTTP flood attacks continuously attempt to pull up a Web page from a single IP address or a range of IP addresses. Once the flood of requests exceeded the traffic threshold for the Web page server, new clients that attempted to connect were unable to do so and multiple timeouts jammed the internet connections. In conjunction with the HTTP attack, the attackers were sending traffic that did not comply with Internet RFC standards (e.g., overlapping fragments, non-compliant flags within the TCP and IP headers, and the destination IP address populating as the source IP address).

Verisign responded by limiting the rate of traffic being sent to the Web servers. Verisign also acted as a proxy for the websites, so the attack would flow to Verisign first and only complete connections would cross to the website.

These measures helped the retailer to recover, but as the Verisign team anticipated, the attackers changed tactics one or two hours later. They went from an HTTP flood attack, which Verisign had rendered ineffective, to an SSL flood attack, which targeted encrypted, secure traffic for credit card transactions.

"SSL attacks are more complicated to mitigate because you need to get the customer's private key and look inside the payload of the SSL packet. We got the private key and when we started decrypting packets we saw that the attackers were making malformed requests inside the SSL payload. We quickly updated our mitigation filters to drop the requests."
Senior Verisign DDoS Protection Services Engineer
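
The non-RFC-compliant traffic described above (overlapping fragments, non-compliant flags in the TCP and IP headers, and the destination IP address reused as the source) can be screened with header-level checks. The following is an added example, not Verisign's filter code; the names `build`, `RfcAnomalyFilter` and `demo`, and the sample packets (documentation-range addresses), are constructed for illustration.

```python
import struct
from collections import defaultdict

IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"

def build(src, dst, tcp_flags=0x02, ident=1, frag_off=0, mf=False, payload=b"\x00" * 4):
    """Build a constructed IPv4+TCP packet (checksums left zero; sample data only)."""
    tcp = struct.pack(TCP_FMT, 40000, 443, 0, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    body = (tcp if frag_off == 0 else b"") + payload   # TCP header only in first fragment
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(body), ident, flags_frag,
                     64, 6, 0, bytes(src), bytes(dst))
    return ip + body

class RfcAnomalyFilter:
    def __init__(self):
        self.seen = defaultdict(list)   # (src, dst, id) -> [(start, end)] byte ranges

    def check(self, pkt):
        """Return the reasons to drop pkt; an empty list means no anomaly was found."""
        vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
        ihl, reasons = (vihl & 0x0F) * 4, []
        if src == dst:                   # destination address used as the source
            reasons.append("src==dst")
        if ff & 0x8000:                  # reserved IP flag bit must be zero
            reasons.append("reserved-ip-flag")
        offset, mf = (ff & 0x1FFF) * 8, bool(ff & 0x2000)
        if mf or offset:                 # packet is a fragment: check for overlap
            start, end = offset, offset + total - ihl
            if any(start < e and s < end for s, e in self.seen[(src, dst, ident)]):
                reasons.append("overlapping-fragment")
            self.seen[(src, dst, ident)].append((start, end))
        if proto == 6 and offset == 0 and len(pkt) >= ihl + 14:
            flags = pkt[ihl + 13]
            syn, fin, rst = flags & 0x02, flags & 0x01, flags & 0x04
            if flags & 0x3F == 0 or (syn and fin) or (syn and rst):
                reasons.append("bad-tcp-flags")
        return reasons

def demo():
    """Run the filter over constructed packets and return the verdict for each."""
    client, site = (198, 51, 100, 7), (203, 0, 113, 10)
    f = RfcAnomalyFilter()
    return {
        "normal_syn": f.check(build(client, site)),
        "src_is_dst": f.check(build(site, site)),
        "syn_fin": f.check(build(client, site, tcp_flags=0x03)),
        "frag_first": f.check(build(client, site, ident=9, mf=True)),
        "frag_overlap": f.check(build(client, site, ident=9, frag_off=16, payload=b"\x00" * 16)),
    }
```

A production filter would also expire the per-flow fragment state, which this example keeps indefinitely.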