‘Let me tell you the difference between Facebook and everyone else, we don’t crash EVER! If those servers are down for even a day, our entire reputation is irreversibly destroyed! Users are fickle, Friendster has proved that. Even a few people leaving would reverberate through the entire user base. The users are interconnected, that is the whole point. College kids are online because their friends are online and if one domino goes, the other dominos go, don’t you get that?’
In the critically acclaimed 2010 movie ‘The Social Network’, Zuckerberg’s character makes an extremely practical point about social networks. When you think about it, it applies equally to every digital business: either you stay online or your users find someplace else. It’s that simple.
Artur Bergman, Founder & CEO of Fastly, says ‘Most employees react to a DDoS attack as an operational problem. They try hard to prove that it’s not their fault and completely overlook the emotional aspects that a company and its customers face.’
He believes it is important to address the emotional dimension of such attacks in order to get through them, a lesson he learned after a recent attack.
Isn’t that thought-provoking? A company cannot hold anyone responsible for an application DDoS debacle. After all, it is fighting humans with malicious intent, and the attack does not exercise the application in any non-standard way: the requests look like ordinary user traffic, there are just far too many of them. It’s not as if a particular known vulnerability is being exploited that a developer could have patched.
In fact, most businesses in the digital age, with exponentially growing traffic and customer bases, don’t have the slightest idea how to deal with the situation. Of course, they can read about it, train their developers on secure coding best practices, issue advisories, or even prepare a plan for it. But what does it feel like to be under such an attack, what are the usual responses, and what should you not do?
There is rarely a DDoS attack that does not give warning signals beforehand. A small spike in traffic, requests originating from unfamiliar geographies, or probes from IP addresses with a questionable reputation: it is all there in the logs for anyone who looks. However, most companies aren’t equipped to recognize the red flags and consequently neglect them.
In one recent attack targeting a large financial institution, the Director of Information Security received an automatic notification that their application server was suddenly running at 30% of its maximum load. Nobody questioned that sudden load, which then climbed to 50% and finally ended in a total application blackout.
Looking at the server logs today, they see a problem that could have been avoided with proper monitoring and mitigation, if only someone who had handled such situations before had been watching.
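The red flags described above can be checked mechanically rather than waiting for a load alarm. As an added example (not code from the original post, Indusface or AppTrana), the Python script below reads Apache/nginx combined-format access log lines, learns a per-window request rate and set of origin countries from the first quiet minutes, and then flags any later window that shows a traffic spike, a handful of client IPs accounting for most requests, or traffic from a country not seen during the baseline. The log lines are constructed, the IP-prefix-to-country table stands in for a real GeoIP database, and every threshold is an assumption to tune against your own baseline.

```python
"""Flag the layer 7 DDoS warning signs (traffic spike, concentration on a few
sources, unfamiliar origins) in combined-format access logs.

Added example; not Indusface or AppTrana code.  Thresholds and the IP-to-country
table are assumptions to be tuned against a real baseline and a GeoIP database.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: a constructed prefix -> country table standing in for a GeoIP lookup.
IP_COUNTRY = {"203.0.113.": "US", "198.51.100.": "US", "192.0.2.": "ZZ"}


def country_of(ip):
    """Return the country code for an IP from the stand-in table ('??' if unknown)."""
    for prefix, cc in IP_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def bucket_by_window(entries, window_s):
    """Group parsed entries into fixed windows keyed by epoch seconds, oldest first."""
    buckets = defaultdict(list)
    for e in entries:
        key = int(e["ts"].timestamp()) // window_s * window_s
        buckets[key].append(e)
    return dict(sorted(buckets.items()))


def analyse(lines, window_s=60, baseline_windows=2, spike_factor=5.0,
            top_n=3, concentration=0.5, min_requests=20):
    """Learn a baseline from the first windows, then report windows showing red flags.

    A window is flagged when its request count exceeds spike_factor x the baseline
    rate, when its top_n client IPs account for at least `concentration` of its
    requests (checked only once it holds min_requests), or when it carries traffic
    from a country absent during the baseline.
    """
    entries = [e for e in map(parse_line, lines) if e]
    buckets = bucket_by_window(entries, window_s)
    keys = list(buckets)
    base_keys = keys[:baseline_windows]
    base_rate = sum(len(buckets[k]) for k in base_keys) / max(1, len(base_keys))
    known_cc = {country_of(e["ip"]) for k in base_keys for e in buckets[k]}

    alerts = []
    for k in keys[baseline_windows:]:
        reqs = buckets[k]
        reasons = []
        if len(reqs) > spike_factor * base_rate:
            reasons.append(f"{len(reqs)} requests vs baseline {base_rate:.1f} per window")
        ips = Counter(e["ip"] for e in reqs)
        top_share = sum(c for _, c in ips.most_common(top_n)) / len(reqs)
        if len(reqs) >= min_requests and top_share >= concentration:
            reasons.append(f"top {top_n} IPs send {top_share:.0%} of requests: "
                           + ", ".join(ip for ip, _ in ips.most_common(top_n)))
        new_cc = {country_of(e["ip"]) for e in reqs} - known_cc
        if new_cc:
            reasons.append(f"traffic from countries not seen in baseline: {sorted(new_cc)}")
        if reasons:
            alerts.append({"window_start": datetime.fromtimestamp(k, timezone.utc),
                           "requests": len(reqs), "reasons": reasons})
    return alerts


def make_sample_log():
    """Constructed log lines (not real traffic): two quiet minutes, then a surge."""
    start = datetime(2016, 9, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, path):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

    for minute in range(2):                     # a dozen ordinary shoppers per minute
        for i in range(12):
            add(f"203.0.113.{i + 1}", minute * 60 + i * 5, f"/product/{i}")
    for i in range(90):                         # three unfamiliar hosts hammer search
        add(f"192.0.2.{i % 3 + 1}", 120 + i * 0.6, f"/search?q={'a' * (i + 1)}")
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["window_start"].isoformat(), a["requests"], "requests")
        for r in a["reasons"]:
            print("  -", r)
```

On the constructed sample the two quiet minutes set a baseline of 12 requests per window, and the third minute is flagged on all three counts: 90 requests against a threshold of 60, three IPs sending 100% of the traffic, and a country that never appeared in the baseline. In production the same checks would run over a rolling baseline and feed an alert, not a print statement, but the point stands: the signals in this story were visible in the logs well before the server load reached 30%.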
As an application layer (layer 7) DDoS attack matures, services go down. It usually starts with the domain under attack, but the outage then spreads to every business process that depends on it.
Take the example of an e-commerce website that recently took a DDoS hit. Calls poured into their call center from customers complaining that they could not reach their shopping accounts or transaction history. Other than the IT staff, no one had the slightest clue what was going on, so the agents kept stalling callers with the usual scripted responses.
The situation in their Order Processing department was the mirror image: employees sat idle with no orders to act on. In just a few hours that day, the company lost hundreds of orders.
A large share of application layer DDoS attacks are launched by competitors or disgruntled employees who want nothing but damage. Increasingly, however, attackers follow the attack with a ransom note, offering to call it off and let services resume in exchange for payment.
According to the Information Security Media Group, banks lose up to $100,000 per hour under a DDoS attack. Though there is no comparable report for e-commerce and other digitally driven verticals, their DDoS costs are unlikely to be drastically lower.
That is why many companies agree to pay 10-20 Bitcoins, a ransom of roughly $7K to $14K, rather than lose direct revenue and brand reputation among their customers.
An application layer DDoS attack is everyone’s problem, from the boardroom down to the front line.
So which would you choose: going down, or paying a ransom and staying online for a while? Keep in mind that one or two payments won’t eliminate the threat; they merely postpone the next extortion attempt.
There is another way. You can have security experts identify botnet traffic before it affects your application’s performance or allows unauthorized access to sensitive data. But the cost of staffing a team of security experts can be untenable for many organizations. PayScale estimates that a CISO salary starts at $145k, a figure that is quite conservative given the dearth of talent in the market. Add a team of three or four web application security analysts under the CISO, and the human-capital investment supporting your security initiatives will exceed $600,000 per year. For most growing companies, that is a sizeable information security investment.
Indusface AppTrana provides you with an application security team with expertise in analyzing traffic, identifying DDoS attempts, creating custom rules to stop attacks instantly, and monitoring your applications 24×7.
But application security is not just layer 7 DDoS protection. AppTrana is a fully managed application security SaaS solution that provides detection, protection and monitoring of all your domains, offering automated web application scanning, on-demand penetration testing, remediation, a web application firewall, application DDoS mitigation and reporting within one web-based console.
Need help protecting your business from layer 7 DDoS attacks?
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to initial customers with a proven, validated business model poised for scale. He has proven experience (10+ years) in the security industry and held various management and leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.