You can cost-effectively fight denial-of-service attacks by focusing on finding ways to serve your customers and prospects even if your site is down.

Denial-of-service (DoS) attacks are probably the scariest online attacks a business faces. Not because of the amount of damage done (data breaches are typically much more costly), but because there is so little you can do about them. Earlier this year, I surveyed my colleagues to find out what they considered the number one critical security topic. DoS was the unanimous winner.

A very hard problem

The economics of DoS make defense a nightmare. After all, the attack simply depends on overwhelming the target site or network… and raw traffic is very, very cheap. The costs of building, buying, or renting a botnet to carry out the attack are trivial* and amplification attacks can turn almost anything into an attack accomplice.

Don’t solve hard problems

The standard approach to fighting DoS attacks is to identify and filter out attackers. There are several companies that offer products and services to do this. They are all pretty expensive.

A business security approach

Instead of fighting the attackers, why not look for ways to make the business resilient in the face of an attack? After all, your job is to make sure a business can do what it needs to do… and what a business needs to do is serve its customers and find new ones.

Bingo.

“Denial of service” is a terrible term. It is confusing and flat out wrong from the perspective of most businesses. When a lot of security guys talk about DoS, they mean “denial of Web site.” Not the same thing at all.

Old School Resilience with Email

As a “push” service, email is highly resistant to denial of service attacks. Your email service probably is pretty robust today without you doing a thing or spending a dime. For existing customers, regular emails can reduce your dependence on your web site being available at all.

I do some woodworking and regularly get emails from Harbor Freight. So much so that I only rarely go to their site directly (embedding a coupon in your emails virtually guarantees this). I would never know if their web site was down and, if they were being hit by a denial of service attack, they could easily redirect me to a different site and I would never know it. No perceived outage at all for many of your existing customers.

Social Networks – When in doubt, delegate

Facebook and LinkedIn communities, YouTube videos, Amazon, iTunes podcasts. These huge companies provide channels used by many businesses large and small. It would take a lot for them to go down and, even better for you, their business depends on being available. While there are downsides to depending on third party sites (Digital Sharecropping), they can be used to keep your business operating. Today, your web site is only one channel to reach and communicate with your customers.

Site swarm – divide and don’t be conquered

Servers are cheap. Hosted sites are even cheaper. Instead of having a single server or site, you could easily divide your online service into multiple sites, conceivably at multiple ISPs, so that an outage would have reduced effect and you’d be more able to re-steer legitimate customers to other locations.

Short Links and Smart DNS – “There is no there, there”**

While hackers attack servers, you can move the target around easily and fairly cheaply using short link tools (like Bit.ly) or a smart DNS configuration. As these queries are done in real time, you can steer legitimate users where you wish.

Far from perfect, but good enough?

Some people really do need serious denial of service protection. But, if you look at the news, an awful lot of modest to mid-sized businesses, organizations, and governments get targeted by DoS attacks and flat out can’t afford these high-end solutions.

At the end of the day, your job is to keep your business running safely enough, not engage in wars with hackers.

Do you use any of these tools as part of your resilient online business strategy? What other tactics do you use to keep your online business available to your customers? Share your experiences in the comments below or send me an email.

* You can rent access to a botnet for between $50 and $200 a day, buy one for $700 or build your own for as little as $20.

** Gertrude Stein’s quote about being unable to find the house where she was raised in Oakland, CA. It has been incorrectly turned into a rather unkind jab at the city. For the less literary and more colorful: “You’ve managed to kill just about everyone else, but like a poor marksman, you keep missing the target!” (Kirk in the Wrath of Khan)