LONDON – It wasn’t a great day when a major Australian domain name server went down to a DDoS attack recently, rendering up to half a million websites inaccessible for upwards of 90 minutes. Not only does this illustrate that DDoS attacks are a global issue, but it also shows that big targets like DNS providers are not adequately protected, and hundreds of thousands of websites are set to suffer the consequences.
The good news is there are a few important lessons to be learned from this attack.
Attack background
A DDoS or distributed denial of service attack is one that targets a website or online service with a tremendous amount of traffic or with a massive number of malicious requests. It does so with the considerable resources of a botnet, which is a grouping of internet-connected devices that have been infected and are being controlled remotely by an attacker. With botnets now weighing in with hundreds of thousands, even millions of devices thanks to the weakly secured Internet of Things, it’s no wonder the result of a successful attack is the website or service being taken offline or slowed down so much that it’s beyond the point of usability.
These attacks are bad enough when they target one website, negatively affecting that site or business by causing immense frustration and eroding trust and loyalty amongst users, but they’re infinitely worse when they hit a target like a domain name server and cause those negative effects for all the target’s clients.
The Melbourne IT travesty
The attack on Melbourne IT began around 10 in the morning on April 13th, disrupting its email platforms, customer administration panel and – worst of all – web hosting. All told, this distributed denial of service attack affected up to 500,000 websites for somewhere between 60 and 90 minutes. In response to the attack, the company stated that they implemented their DDoS mitigation services, calling it standard operating procedure, in addition to blocking all international traffic, as the attack originated from botnet devices located outside of Australia. Further details on the attack are scarce.
Lesson #1: you can’t run and you can’t hide. Given how much media coverage certain attacks tend to get, no one can be blamed for thinking DDoS is a disproportionately US problem, with British businesses on the receiving end of the attacks that don’t make it all the way to the States. This is flagrantly untrue.
Lesson #2: preparation. Without confirmation from the company, it isn’t possible to say whether Melbourne IT has its own in-house distributed denial of service protection, or if it has some form of professional protection, or if it has a combination of the two. What is possible to say is that whatever they’re using, it isn’t good enough. A service like a DNS provider needs massively scalable protection that keeps attack traffic from ever reaching its network and impacting clients. This includes keeping legitimate traffic from being slowed down, bottlenecked or blocked while mitigation efforts are ongoing.
This lesson isn’t limited to DNS providers, of course. Websites and online services require protection that keeps their users fully protected from the effects of a DDoS attempts.
Lesson #3: response. This doesn’t have anything to do with Melbourne IT’s DDoS response (although that obviously left a lot to be desired), rather this point centers on the company’s response to clients. Melbourne IT clients were only fully informed as to what had gone on six hours after the attack began, and four and a half hours after the incident was over, despite many clients reaching out to the company on social media looking for an explanation for the outage.
Things got worse when clients began to threaten to take their business elsewhere and Melbourne IT’s Chief Technology Officer Brett Fenton told the media that he was happy to take it on the chin for internal problems but that DDoS attacks are an external challenge, and that the 99.9 percent uptime guaranteed by Melbourne IT is “often misunderstood.”
This is a valuable example of what not to do, and then what not to keep doing. If an online service does not have adequate DDoS protection and finds themselves down due to an attack, it is imperative that the company reach out to clients immediately to explain the situation and keep them informed as to mitigation efforts and estimated timelines. Apologizing for the inconvenience and outlining the steps that will be taken to prevent such incidents in the future instead of calling an uptime guarantee misunderstood is also a good idea.
Damage control matters
It’s become imperative for nearly every website and online service on the internet to have adequate distributed denial of service protection, no matter where in the world a site or service is hosted. It’s especially essential for services responsible for keeping clients online. If such a service fails to guard against a DDoS attack – and make no mistake, this is a failure – the company needs to immediately own up and begin communicating with clients. If a company can’t reduce the effects of an attack, it can at least try to reduce the fallout. Half a million website owners may have been hugely inconvenienced by the attack on Melbourne IT, but at least we all learned these important lessons.
