No one likes being awakened in the middle of the night. It’s never good news. And it wasn’t good news shortly after midnight on July 21, 2011, when Yola president and chief operating officer Trevor Harries-Jones was yanked from sleep by the phone ringing in his San Francisco bedroom.
Yola is a global, do-it-yourself website-building-and-hosting service with more than 6 million mainly small business customers depending upon the company to keep their sites, Facebook pages, e-mail systems, and online stores up and running. The call that woke Harries-Jones came from his head of engineering, based in Cape Town, South Africa.
“She said we were down,” he recalls. “It was a massive distributed denial of service (DDoS) attack.”
The engineer told him she was doing all she could. Harries-Jones grabbed a few more hours of sleep and then went to the office, where he spent most of the day updating customers, trying to assure them that Yola was doing all it could to get their sites back up, and talking to Yola’s third-party hosting provider, which was trying — unsuccessfully — to get Yola back online.
This wasn’t the first time Yola had experienced a DDoS, but it was the worst. For eight hours, Yola-hosted customer sites were inoperable. Mission-critical operations were disrupted. E-commerce sites couldn’t do business. Revenue was lost. Professional sites were inaccessible. Potential clients went elsewhere. All of Yola’s customers across all time zones and geographies were affected. Yola itself was isolated, its customer-support forum down.
Why was Yola attacked?
“You look across the Internet,” Harries-Jones says, “and it’s happening all the time. Does it come from our competition? Is somebody unhappy with us because we haven’t allowed them on our platform? We manage the content of websites we host, and sometimes we have to take them down.”
Rarely does one ever find out why one is attacked. “We didn’t receive a ransom note,” says Harries-Jones.
“Attacks have become more and more sophisticated over time,” he explains. The majority of incidents Yola had experienced prior to last summer were simple denial of service (DoS) attacks, which means they came from a single point.
That, says Harries-Jones, made them “easier to isolate and cut out of the stream.” And they were something Yola, or its providers, could deal with internally. DDoS attacks, however, come from everywhere and use thousands of computers, all sending requests to Yola’s servers at the same time, making it impossible to distinguish legitimate from ill-intentioned traffic, and eventually overwhelming the network and crashing it.
“You’re seeing more and more of these [DDoS-type] attacks,” says Harries-Jones, “and they’re becoming more frequent.” (Just this week, Nasdaq suffered a DoS attack that, while not affecting trades, blocked access to the exchange’s corporate website.)
Yola couldn’t deal with last summer’s attack by itself. And, as Harries-Jones says, “This was a driver to get us professional help, to outsource.” He got the name of a security firm from one of his Internet Service Providers (ISPs). He made the call. “Our site is down,” he said. “Can you help us?”
Why Anyone Can Take You Down
According to data collected by Panda Security, 50% of all computers scanned around the globe last January were infected with malware — malicious software code designed to steal data, gain access to computer systems, or take control of machines without the computers’ owners knowing it, turning them into “zombies” or “bots.” Once a computer becomes a zombie, it can be used as a platform for launching DDoS attacks.
Anyone can do it.
“It’s easy to obtain tools, scripts, products for hacker or breach activity,” says Gary Loveland, a principal in PricewaterhouseCoopers’s security practice. Anyone can go on the Internet and rent a botnet, a network of infected computers that can be remotely controlled.
“You pay by the number of bots you want,” says Paul Sop, chief technology officer at Prolexic, a security company dedicated to combating DDoS attacks and the firm Yola’s Harries-Jones called for help last summer. “You can get 50 or you can get 50,000. Or more.” Prolexic, Sop says, has fought up to half a million computers at one time.
Once all those zombies are connected to a command-and-control server, you’re ready to launch your own DDoS attack. Must you worry about getting caught?
“And anyone can install the Onion Router (TOR) that will shield your identity,” Sop says, explaining how TOR will bounce a request — say to Google — from your computer to someplace in Africa and then to somewhere in Asia and then to a third, fourth, or fifth node before it gets to Google, thereby making it almost impossible to trace the IP address of your machine. “Whoever is launching the attack,” says Sop, “it’s the infected bots doing the attacking. They’re controlled by the command-and-control server. And behind that, there may be someone further hidden, the puppet master, talking to the command-and-control server.”
No one, Sop asserts, can handle a DDoS by himself. Loveland agrees. “DDoS requires cooperation,” he says. “That means the Internet service providers, the telecommunications providers, the federal government. DDoS requires a coordinated response.”
Answering a Call for Help
When Prolexic got the call from Yola, it was, in Prolexic’s terminology, “a hot call” for immediate assistance. And because Yola was not a client, there was an emergency fee. “First,” says Sop, “we get the paperwork right. We don’t do this for free. Our pricing, a monthly fee, is determined by your bandwidth and your risk. We have to know who we’re protecting, a giant global media company or a smaller business. Then we hit the ground running.
“We work with the customer’s team to change its network configurations, to route its traffic to us. All the traffic, good and bad, comes through us. Our job is to pass through the good, filter out the bad. It takes software and hardware and people who take care of the event. All the software in the world won’t help if you don’t have people with the right skills.”
DDoS, Sop hastens to emphasize, is not like spam. “There’s an adversary out there,” he says. “A human mind with a desire to punish. People often don’t understand that the attack is a campaign. The nature of attack vectors changes. People underestimate the variations of the attack. It starts with something that perhaps the ISP can handle. The next day, it’s entirely changed and then it changes again.”
The situation “is asymmetric warfare. The attacker has so much more capacity than the attackee. We level the field. It’s like playing chess. We play until we win or it’s a stalemate, meaning they give up.”
“Be sure your hosting provider has a DDoS mitigation strategy,” suggests Yola’s Harries-Jones, who says that although Yola has been the target of similar attacks since signing on with Prolexic, his company suffered no service interruptions. For Yola, uptime is the critical business risk that needs to be managed.
CFO Decision Points
PwC’s Loveland believes CFOs “need to understand the current state of their security, understand the problem. It’s a level of risk. What level of risk are you willing to accept? Once you determine that level, if you’re not there, you need to figure out how you’re going to get there.”
It won’t be easy. As Yishay Yovel, vice president of marketing at Internet security firm Trusteer, points out, the proliferation of devices, the increasingly mobile nature of the workforce, the cloud and software-as-a-service computing model, and the increasingly organized nature of cybercrime combine to create an environment that raises the risk of doing business.
Many organizations, Loveland says, believe that because they are Sarbanes-Oxley or HIPAA compliant, they’re secure. But compliance, he says, does not equal security. “Certain applications have to pass SOX testing, but hackers won’t use those. Locking the front and back doors is important, but it’s no good locking them and leaving the windows open. Compliance focuses on a few doors and IT focuses on what compliance requires.” CFOs, Loveland believes, must think beyond that.