VRSN DDoS Case Study - September 2011


Published in: Technology, Business

  1. Case study

     Verisign DDoS Protection Services helps e-retailer mitigate sustained, multi-layer DDoS attack

     When a leading online retailer experienced a crippling distributed denial of service (DDoS) attack on its two main e-commerce websites, it drew on Verisign DDoS Protection Services to mitigate the attack and quickly restore full functionality.

     At the time of the call to Verisign, the attack had persisted for more than one week and both websites were completely unavailable. With thousands of dollars in sales every day, the websites were a primary revenue source for the retailer and an essential conduit for transactions, interactions, and information about the company’s products. Although the company set up a redirect page advising e-commerce customers that they could phone in their orders, customers and wholesalers could not view online product descriptions and other information they needed to make their purchase decisions. Order volume dropped significantly, amounting to an estimated $100,000 in lost sales in one week. Facing stiff competition, the company was especially sensitive to further inconveniencing its customers and giving up market share.

     Even though the company tried to fight off the attack on its own, it did not have the in-house expertise or technology to identify and then mitigate the type of DDoS attack that was hitting its system. Typical of many companies, it had relied on measures that were insufficient to ward off DDoS attacks of the scale and sophistication seen in the past few years.

     For more information on best practices to protect against DDoS attacks, see the Verisign white paper, Best Practices for a rapidly changing landscape.

     In this case, a small firewall in front of the company’s Web servers quickly failed once the attack exceeded the firewall’s traffic threshold. Upon recommendation by a competitor who had recently experienced a similar attack, the company turned to Verisign. Verisign® DDoS Protection Services is a cloud-based DDoS detection, mitigation, and actor attribution solution that rapidly and selectively mitigates risk in order to maintain high throughput rates for legitimate traffic.
  2. Immediate traffic redirection to Verisign’s mitigation center

     Working with the company’s in-house team, Verisign’s first step was to point the websites’ Domain Name System (DNS) to Verisign’s Internet Protocol (IP) address so all website traffic would be diverted to Verisign’s in-the-cloud mitigation center instead of consuming the retailer’s bandwidth. At the mitigation center, Verisign then applied a series of filters to inspect and analyze data packets for malicious traffic.

     Designed to handle massive DDoS attacks, Verisign’s proprietary monitoring and mitigation platform readily absorbed attack traffic, while quickly returning legitimate traffic to the websites so that the company could begin accepting orders again.

     This on-demand, cloud-based solution was the most feasible for the retailer because it could be implemented immediately, did not require investment in DDoS monitoring and mitigation technology, and offered more scalability, reliability, and flexibility than an in-house, premise-based, or ISP-based solution. In addition, the solution was backed by Verisign’s extensive expertise and global intelligence network, which proved an advantage in anticipating the attackers’ next moves, distinguishing between normal and malicious traffic, and developing new filters in real time to counter those moves.

     “In order to pay for their purchases, the company’s customers needed to add items to their shopping cart and then check out. At first the attackers flooded the company’s Internet connections, so customers’ orders could not reach the website. Imagine a customer’s frustration at going through the process of researching and selecting items, and then not being able to complete his or her purchase.”
     Verisign Operations Senior Engineer
  3. Agile response to complex and changing attack tactics

     The attack came in multiple waves, which Verisign engineers and technology were ready for.

     “We regularly mitigate massive, complex attacks on and .net infrastructure, which has maintained 100 percent availability for 13 plus years,” explains the engineer. “This gives us an unmatched level of experience in identifying and mitigating DDoS attacks.”

     The first series of attacks were transport-layer TCP SYN flood attacks in the 250 Mbps range. Once Verisign started mitigating the attack, the volume rose to 2.27 Gbps in less than 30 minutes. As Verisign applied countermeasures, the attackers changed tactics and started sending application-layer HTTP floods. HTTP flood attacks continuously attempt to pull up a Web page from a single IP address or a range of IP addresses. Once the flood of requests exceeded the traffic threshold for the Web page server, new clients that attempted to connect were unable to do so and multiple timeouts jammed the Internet connections. In conjunction with the HTTP attack, the attackers were sending traffic that did not comply with Internet RFC standards (e.g., overlapping fragments, non-compliant flags within the TCP and IP headers, and the destination IP address populating as the source IP address).

     Verisign responded by limiting the rate of traffic being sent to the Web servers. Verisign also acted as a proxy for the websites, so the attack would flow to Verisign first and only complete connections would cross to the website.

     These measures helped the retailer to recover, but as the Verisign team anticipated, the attackers changed tactics one or two hours later. They went from an HTTP flood attack, which Verisign had rendered ineffective, to an SSL flood attack, which targeted encrypted, secure traffic for credit card transactions.

     “SSL attacks are more complicated to mitigate because you need to get the customer’s private key and look inside the payload of the SSL packet. We got the private key and when we started decrypting packets we saw that the attackers were making malformed requests inside the SSL payload. We quickly updated our mitigation filters to drop the requests.”
     Senior Verisign DDoS Protection Services Engineer
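
     The RFC-violating traffic listed above (overlapping fragments, non-compliant TCP flags, destination address reused as source address) can be screened with stateless and lightly stateful per-packet checks. The sketch below is an added example, not Verisign's filter code; the `SanityFilter` class, the `build` helper, the chosen flag rules and the sample packets are assumptions constructed for illustration, and checksums are not validated.

```python
import struct
from collections import defaultdict

FIN, SYN, RST = 0x01, 0x02, 0x04  # TCP flag bits

class SanityFilter:
    """Returns drop reasons for raw IPv4 packets (hypothetical helper)."""

    def __init__(self):
        # (src, dst, ip_id, proto) -> byte ranges seen; a real filter would age these out
        self.frags = defaultdict(list)

    def check(self, pkt: bytes) -> list:
        if len(pkt) < 20 or (pkt[0] >> 4) != 4:
            return ["not_ipv4"]
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ip_id, frag = struct.unpack("!HHH", pkt[2:8])
        proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
        if ihl < 20 or total_len < ihl or total_len > len(pkt):
            return ["bad_ip_header"]
        reasons = []
        if src == dst:  # destination IP populated as source IP
            reasons.append("src_equals_dst")
        more_frags, offset = bool(frag & 0x2000), (frag & 0x1FFF) * 8
        if more_frags or offset:  # packet is a fragment: track its byte range
            start, end = offset, offset + total_len - ihl
            key = (src, dst, ip_id, proto)
            if any(start < e and s < end for s, e in self.frags[key]):
                reasons.append("overlapping_fragment")
            self.frags[key].append((start, end))
        if proto == 6 and offset == 0 and total_len - ihl >= 14:
            flags = pkt[ihl + 13]
            # no flags at all, or SYN combined with FIN/RST, never occurs in valid TCP
            if (flags & 0x3F) == 0 or (flags & SYN and flags & (FIN | RST)):
                reasons.append("bad_tcp_flags")
        return reasons

def build(src, dst, flags=SYN, ip_id=1, frag=0, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, flags, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, frag, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp
```

     Addresses passed to `build` are 4-tuples of octets; packets that return an empty list passed every check and would move on to rate limiting or the proxy stage.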
  4. “With a smaller, less-experienced solution provider, the company’s hard-earned leadership position could have dwindled away as customers became frustrated and concerned about the websites’ unavailability. Thanks to Verisign’s technology and our team’s ability to respond rapidly and appropriately to this complex attack, the company was able to get back to business without suffering long-term consequences.”
     Senior Verisign DDoS Protection Services Engineer

     Functionality—and online order levels—restored

     The first DDoS attack was analyzed and mitigated within 30 minutes of the company’s call to Verisign, and orders for merchandise quickly started flowing again through the company’s e-commerce websites. Even though the attack lasted another week, it no longer impacted the company’s websites because all traffic was being diverted to Verisign’s DDoS monitoring and mitigation platform. After that time, order levels returned to pre-attack levels.

     For more information

     For more information about Verisign DDoS Protection Services, please contact a Verisign representative at 1-866-200-1979 or 1-703-376-6905, or email

     About Verisign

     Verisign is the trusted provider of Internet infrastructure services for the digital world. Billions of times each day, companies and consumers rely on our Internet infrastructure to communicate and conduct commerce with

     © 2011 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.