We don’t often get to play the hero, but when one of our clients was the victim of a malicious attack on their site, 542 Digital picked up the ‘mayday’ call. Our clients know we take website and application security seriously.
Persons unknown directed a DDoS attack at the client’s website. DDoS stands for Distributed Denial of Service: the attacker used a large number of compromised computers, servers and other internet-connected devices under their control (a botnet) to flood the IP address of the client’s website with requests. The website and its server were overwhelmed and could no longer serve pages, taking the site offline.
You may have read about such attacks in the media, often run for political or activist reasons, as with Operation Payback. Technically this attack was the same; the motive was criminal rather than political.
What were the consequences?
For this particular client, their entire operation ran online and it was a critical time of year. What’s more, their hosting company took the decision to null-route the client’s IP address, sending its traffic into a black hole, to counter the attack. They were right to do so: it preserved their own network and the connectivity of their other customers. The hosting company contacted the client and required them to put some form of DDoS protection in place for the domain before they would route the site’s traffic again.
This left the client with no traffic to their website, as it could no longer be reached. They were also running paid media campaigns at the time, so they were burning advertising budget as well as losing potential income from customers.
How did you fix it?
First of all, the shaken client telephoned us for help. We had no maintenance or support contract in place with this client, having merely completed maintenance and upgrade work for them previously, and the client relied on their hosting company for monitoring and operating system maintenance. We were therefore unaware of the drama that had unfolded, but we understood their architecture and were well placed to help.
We enrolled the client with a suitable DDoS protection service, one that also provided a web application firewall and other security features. A service of this kind works as a reverse proxy: the site’s DNS points at the service, which absorbs the flood and forwards only legitimate requests to the real (origin) server. We requested a new IP address from the hosting company and provided it to the protection service, because the old address was known to the attacker and could still be hit directly, bypassing the protection. For the same reason the new origin address must not appear in public DNS records and should accept connections only from the protection service’s own ranges. The client was back online and fully functioning, with additional security in place.
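How the origin server should treat traffic once it sits behind such a service, as an added example (not 542 Digital's code or any provider's API): it assumes the protection service publishes the IP ranges its edge nodes connect from and passes the visitor's address in an X-Forwarded-For header. The ranges and requests below are constructed placeholders built from documentation prefixes, not any real provider's list.

```python
"""Origin-server request gate for a site behind a DDoS-protection / WAF reverse proxy.

Added example, not 542 Digital's code or any provider's API. Assumes the protection
service publishes the address ranges its edge nodes connect from and forwards the
visitor's address in X-Forwarded-For; ranges and requests are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed placeholder (documentation prefixes). In production, load the
# provider's published edge ranges and refresh them on the provider's schedule.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def from_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is one of the protection service's edge nodes.

    This is the same decision the origin's firewall should make at packet level:
    anything not from the proxy ranges never reaches the web server at all.
    """
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(ip in net for net in PROXY_RANGES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the visitor's real address, or None if the request must be refused.

    A request that reaches the origin without passing through the proxy is refused
    outright: a new origin IP only helps while the attacker cannot hit it directly.
    X-Forwarded-For is honoured only when the peer is a trusted proxy, because a
    direct client can write anything into that header. Walking the header from the
    right and skipping trusted hops yields the address the proxy actually saw,
    even when several edge nodes were chained.
    """
    if not from_trusted_proxy(peer_ip):
        return None
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: refuse rather than guess
        if not any(ip in net for net in PROXY_RANGES):
            return str(ip)
    return None  # header missing, or it contained only proxy addresses


# Constructed sample traffic: (TCP peer address, request headers).
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}),                        # via proxy
    ("198.51.100.7", {"X-Forwarded-For": "203.0.113.5"}),                      # direct hit, spoofed header
    ("192.0.2.10", {"X-Forwarded-For": "10.0.0.1, 203.0.113.9, 192.0.2.11"}),  # chained edge nodes
    ("192.0.2.10", {}),                                                        # proxy, but no header
]


def triage(requests: List[Tuple[str, Dict[str, str]]]) -> List[Optional[str]]:
    """Resolve each request to a visitor address, or None when it is refused."""
    return [client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, hdrs), result in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"peer={peer:<14} -> {'refused' if result is None else 'client ' + result}")
```

The same allow-list belongs in the origin's firewall so that non-proxy traffic is dropped before it reaches the web server; the header handling matters because rate limits, logs and any IP-based blocking would otherwise record the proxy's address, or whatever a direct client chose to write.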
After this we scanned the entire website application and filesystem for vulnerabilities and abnormalities. A DDoS does not by itself compromise the server, but an attacker who is targeting you may be trying other things too, so, following best practice, we reset the password of every account we knew this client had and advised the client to do the same for all their other online accounts.
How long did it take?
About an hour passed between picking up the call and the site being back online.
How can I apply the same level of security to my own website or application?
There’s no quick and easy answer to this.
You can never prevent a DDoS attack from being launched, in the same way that you can’t stop someone chucking a brick at your window. But you can put extra-strong glass in the window so the brick bounces off.
A quick Google search for ‘DDoS protection’ will give you a multitude of companies that offer the service. Many of them offer a whole suite of security and website performance features, and our advice to clients is to start using one straight away.
Which one depends entirely on your business needs, the features offered and, of course, cost. This is why we decline to name a specific service here.
On top of this, other things to consider are as follows:
- A physical network firewall
- Using HTTPS (TLS, still commonly called SSL) everywhere; this also benefits your SEO
- Not sharing server resources with other tenants
- A backup and maintenance plan for your infrastructure, whether physical or cloud based; hosting companies often provide this
- Backups stored in a separate, secure location and encrypted so that only you can decrypt them
- A tried, tested and documented disaster recovery process from your backups
- A maintenance plan for your application software (CMS, e-commerce system) that is actively followed and responds to security announcements about it. Application-specific hosting companies can provide this.
- Encrypting sensitive customer data inside your application
- A password management solution and regular password changes, plus knowing who has access to your passwords and ensuring they manage them correctly
- Implementing two factor authentication wherever you can, especially for mission critical systems
- Ensuring that any development team uses secure code repositories and secure code deployment methods
- Sensitive documentation kept off the public internet and encrypted
- Scanning your website/application for vulnerabilities regularly
- Commissioning penetration tests of your website/application
This list is long, the issues are complex, and over time it will get longer.
The upside is that, in the past, ticking off everything on this list was only really feasible for enterprise-level clients with big budgets. Online security products and services are getting cheaper and easier to use. Further, many difficult-to-implement aspects of online applications can now be outsourced to commercial services where security is the number one priority.
So… get in touch. We’d be happy to help.