Hardly a week passes without another major online brand suffering from cyber-attacks of one form or another, with distributed denial of service (DDoS) attacks becoming more and more common. Last Friday HSBC’s online banking services were targeted on what should have been a particularly busy day at the end of January. While they reported that they ‘successfully defended’ their systems, users of their online services were impacted for several hours.
This kind of attack is a particular risk for e-commerce businesses which depend on the internet for a large part of their revenue. It can also have a huge reputational impact (perhaps especially for financial institutions). There are of course various measures that can be taken to deter fake users such as the use of challenge-and-response mechanisms like CAPTCHAs. But these may also deter a high proportion of the real users on whom your business depends! Avoiding DDoS attacks altogether isn’t going to be easy. But what can you do to minimise their impact and ensure that you are ready to respond to them?
Don’t try to just scale your platform to cope
The first point is how not to respond – simply scaling up the hardware involved is neither cheap nor effective. Most bottlenecks have nothing to do with hardware – however far you scale, you will still hit an application limit.
Don’t provide an easy target
Smarter DDoS attacks are on the rise, where attackers target pages or actions which are slower and have a heavier impact on key components. Inefficiencies that may not matter when only hit by a small number of users suddenly become catastrophic when flooded with malicious traffic. Optimising your site through good performance engineering practices removes these hotspots that could be targeted. Building quality sites makes life much harder for the hackers – don’t make things easy for them! Capacitas’ Performance Engineering service is focused on ensuring performance and efficiency are built into your code throughout the development lifecycle.
Remove single points of failure
Having a good system design for resilient performance goes a long way towards reducing the risk posed by DDoS attacks. HSBC were able to keep operating other parts of their business as the attacks only impacted their online services. Where there is shared infrastructure (networks, SANs, etc.) deploy prioritisation mechanisms to limit the impact on other business systems. In addition, ensure that your system is designed to cope with poor performance and outages from third parties. If your payment provider or another third party is attacked and struggling, make sure your site is going to stay up!
Know your limits
As mentioned before, your bottlenecks are unlikely to be due to hardware resources. Integrated load testing of different scenarios is needed to identify where the bottlenecks are, what causes them and what can be done to mitigate them. Load testing in production can help you identify the very limits the attackers will try to exploit. Then put together a plan for how you’ll respond when those limits are hit. Are there things you can turn off, reroute, offload elsewhere?
Know what’s happening
Having effective people, processes and tooling in place to monitor your capacity and performance will ensure you can detect attacks quickly and respond immediately to threats. But this is also crucial to making sure that your system is ready to meet the threat. By detecting early warning signs of underlying problems you can eliminate existing risks which would only become manifest when under attack. We use our Operational Analytics service and proprietary analysis software to identify and help remove dormant system issues for our customers.
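As an added illustration of the two points above (attackers favouring slow, expensive pages, and monitoring that spots a surge early), the following script is not from Capacitas or the original post. It parses a small constructed access log (timestamp, path, status, latency in ms), compares each minute's request count against a baseline minute, and for any spike reports which path is absorbing most of the server time, which is the hotspot to look at first. The log format, field order and threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real traffic): "<timestamp> <path> <status> <latency_ms>".
# Minute 10:00 is normal mixed traffic; minute 10:01 is a burst aimed at the slow /search page.
SAMPLE_LOG = """\
2016-01-29T10:00:01 /home 200 45
2016-01-29T10:00:02 /search?q=shoes 200 820
2016-01-29T10:00:03 /home 200 50
2016-01-29T10:00:04 /product/12 200 60
2016-01-29T10:01:01 /search?q=a 200 910
2016-01-29T10:01:01 /search?q=b 200 905
2016-01-29T10:01:02 /search?q=c 200 930
2016-01-29T10:01:02 /search?q=d 200 915
2016-01-29T10:01:03 /search?q=e 200 920
2016-01-29T10:01:03 /home 200 48
2016-01-29T10:01:04 /search?q=f 200 940
2016-01-29T10:01:04 /search?q=g 200 925
"""

# Captures the minute, the path without its query string, the status and the latency.
LINE_RE = re.compile(r"^(\S+T\d\d:\d\d):\d\d (\S+?)(?:\?\S*)? (\d{3}) (\d+)$")

def parse_log(text):
    """Yield (minute, path, latency_ms) per line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(4))

def server_time_by_minute(text):
    """Per minute: total request count and server time (ms) consumed by each path."""
    stats = defaultdict(lambda: {"requests": 0, "time_by_path": defaultdict(int)})
    for minute, path, latency in parse_log(text):
        stats[minute]["requests"] += 1
        stats[minute]["time_by_path"][path] += latency
    return stats

def find_hotspots(text, baseline_minute, spike_factor=2.0):
    """Flag minutes whose request count is at least spike_factor x the baseline minute,
    returning (minute, requests, busiest_path, share_of_server_time) for each alert."""
    stats = server_time_by_minute(text)
    baseline = stats[baseline_minute]["requests"]
    alerts = []
    for minute, s in sorted(stats.items()):
        if minute == baseline_minute or s["requests"] < spike_factor * baseline:
            continue
        top_path, top_time = max(s["time_by_path"].items(), key=lambda kv: kv[1])
        total_time = sum(s["time_by_path"].values())
        alerts.append((minute, s["requests"], top_path, round(top_time / total_time, 2)))
    return alerts
```

On the constructed log the second minute is flagged with /search carrying about 99% of the server time, which is exactly the kind of inefficiency the text says should be engineered out before it can be targeted.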
DDoS attacks are a big threat to e-commerce businesses or to anyone with a significant online presence. However Capacitas’s services can support you in building and maintaining a site with resilient capacity and performance, reducing vulnerability to this type of attack. For more information on our services see here.
If you would like to learn more about our Modelling and Performance testing solutions, please click below to see our latest webinar.