It started in January 2004. Organised criminal gangs, believed to be based in Russia, launched the biggest ever distributed denial of service (DDoS) attack ever seen. Their target was the online gambling industry.
“During the initial couple of attacks, we didn’t stand a chance,” says Peter Pedersen, chief technology officer of UK online gambling site Blue Square. He had experienced DDoS attacks before, but nothing on that scale.
A normal day’s traffic for Blue Square weighs in at about five megabytes, he says, because much of Blue Square’s content is cached elsewhere. The web site mainly deals with the raw transactions.
But the attackers had an awesome network of computer resources at their disposal. They were able to throw more than four gigabytes of data at Blue Square and its ISP.
As a precaution, the company had used two different ISPs for redundancy. That proved useless. No sooner had Blue Square switched than the attackers likewise shifted their attack.
The anonymous gang wanted money. If Blue Square paid up, the gang promised not to attack again for at least a year. Blue Square, says Pedersen, does not even answer such extortion demands.
After bringing the site back up, Pedersen started to devise a strategy for coping with such attacks. His approach did not involve installing any one product or service. Rather, it is a multi-faceted initiative encompassing security policy and network architecture.
Combating a determined DDoS attack is not easy. The bottom line, Pedersen believes, is that any organisation that might be targeted by DDoS extortionists simply has to have the bandwidth necessary to cope. Security policy is an all-important second step. All staff must be aware that the company they work for is a red-hot target. IT staff, for example, have a habit of discussing their technical problems online and may give too much information away, he fears, which could be exploited by a malicious hacker.
Pedersen is equally ‘paranoid’ about outside IT services organisations. “It’s so easy to develop applications that work on the web and appear to work well,” he says. “But when you take them apart, you find so many problems or flaws: Code injections that can compromise your databases, inappropriate log out policies and so on.”
After all, Blue Square is not just the target of DDoS attacks, but every kind of hacking attempt. As a result, Blue Square conducts vulnerability assessment tests every week and uses a professional team of ‘white-hat’ hackers from computer services specialists IRM.
Pedersen is confident that he is doing all he can to combat the many threats faced by Blue Square: Implementing and enforcing a strict security policy; ensuring that all staff are well trained and understand the company’s unique security challenges; conducting regular vulnerability assessments; and making sure that the company has more than enough bandwidth to withstand virtually any DDoS attack.