How to fight denial of service – choose your battles, save your dollars

Denial-of-service (DoS) attacks are probably the scariest online attack a business faces. Not because of the amount of damage done (data breaches are typically much more costly), but because there is so little you can do about them. Earlier this year, I surveyed my collegues to find out what they considered the number one critical security topic.

DoS was the unanimous winner.

A very hard problem

The economics of DoS make defense a nightmare. After all, the attack simply depends on overwhelming the target site or network… and raw traffic is very, very cheap.

The costs of building, buying, or renting a botnet to carry out the attack are trivial* and applification attacks can turn almost anything into an attack accomplice.

Don’t solve hard problems

The standard approaches to fighting DoS attacks is to identify and filter out attackers. There are several companies that offer products and services to do this.

They are all pretty expensive.

A business security approach

Instead of fighting the attackers, why not look for ways to make the business resiliant in face of an attack?

After all, your job is to make sure a business can do what it needs to do… and what a business needs to do is serve its customers and find new ones.

Bingo.

“Denial of service” is a terrible term. It is confusing and flat out wrong from the perspective of most businesses. When a lot of security guys talk about DoS, they mean “denial of Web site.”

Not the same thing at all.

Old School Resilience with Email

As a “push” service, email is highly resistant to denial of service attacks. Your email service probably is pretty robust today without you doing a thing or spending a dime.

For existing customers, regular emails can reduce your dependence on your web site being available at all. I do some wood working and regularly get emails from Harbor Freight. So much so that I only rarely go to their site directly (embedding a coupon in your emails virtually guarantees this). I would never know if their web site was down and, if they were being hit by a denial of service attack, they could easily redirect me to a different site and I would never know it.

No perceived outage at all for many of your existing customers.

Social Networks – When it doubt, delegate

Facebook and LinkedIn communities, YouTube videos, Amazon, iTunes podcasts. These huge companies provide channels used by many businesses large and small. It would take a lot for them to go down and, even better for you, their business depends on being available. While there are downsides to depending on third party sites (Digital Sharecropping), they can be used to keep your business operating. Today, your web site is only one channel to reach and communicate with your customers.

Site swarm – divide and don’t be conquered

Servers are cheap. Hosted sites are even cheaper. Instead of having a single server or site, you could easily divide your online service into multiple sites, conceivably at multiple ISPs so that an outage would have reduced effect and you’d be more able to re-steer legitimate customers to other locations.

Short Links and Smart DNS – “There is no there, there”**

While hackers attack servers, you can move the target around easily and fairly cheaply using short link tools (like Bit.ly) or a smart DNS configuration. As these queries are done in real time, you can steer legitimate users where you wish.

Far from perfect, but good enough?

Some people really do need serious denial of service protection. But, if you look at the news, an awful lot of modest to mid-sized businesses, organizations, and governments get targeted by DoS attacks and flat out can’t afford these high-end solutions.

At the end of the day, your job is to keep your business running safely enough, not engage in wars with hackers.

Do you use any of these tools as part of your resilient online business strategy?

What other tactics do you use to keep your online business available to your customers?

 Share your experiences in your comments below or send me an email.

* You can rent access to a botnetfor between $50 and $200 a day, buy one for $700 or build your own for as little as $20.

** Gertrude Stein‘s quote about being unable to find the house where she was raised in Oakland, CA. It has been incorrectly turned into a rather unkind jab at the city.  For the less literary and more colorful: “You’ve managed to kill just about everyone else, but like a poor marksman, you keep missing the target!” (Kirk in the Wrath of Khan)