Attack of the zombies and other cyber-battles

Mike Vogel | 6/11/2012

SpaFinder CEO Pete Ellis

The first at SpaFinder to sense something amiss was CEO Pete Ellis. At 7 a.m., he happened to check his site and couldn’t get access. Within an hour, Ellis’ staff told him the SpaFinder website was besieged. Ellis told himself, “We’re not the kind of company someone would go after.” But he came to realize that “it doesn’t matter how big you are. It just matters that someone out there can get brownie points by showing they can take down a site.”

With his web-hosting service unable to provide a fix quickly enough, Ellis recalled another business that had been attacked a few weeks before. He called for advice and was directed to south Florida-based Prolexic, the world’s largest company solely dedicated to defending DDoS attacks, and one of a cluster of Florida companies carving a niche in cyber-security.
[“Guardians”]

Prolexic’s clients include 10 of the world’s largest banks along with other businesses and groups that hire the firm on an annual basis. The company, which doesn’t disclose its fees, also accepts emergency business; after the distress call from SpaFinder, Prolexic engineers went to work.

In a windowless room at the company’s special operations center in Hollywood, the engineers sit at rows of tables, scanning web traffic. Each scrutinizes five monitors, looking for anomalies in eyestrain-inducing lines of data and graphs. “To you and me, it looks like lines,” says Prolexic’s president, Stuart Scholly, but the engineers “know what the signatures look like, the different types of attacks, the order in which attacks are launched.”

The engineers, some of whom work four, 10-hour shifts per week, are a mixed bunch. Most are men with college degrees, though a few ended their formal education with a high school diploma and real-world computer skills. Many have worked for major telecom companies, software developers and other IT businesses. “You’ve got just brilliant people here,” says Prolexic CEO Scott Hammack. “They’re expensive people. But then our revenue per employee is very high as well.”

The first step in restoring SpaFinder’s website was figuratively to throw a switch and route all the traffic hitting SpaFinder’s site to Prolexic. DDoS attacks typically depend on volume; throw 60 gigabits per second of traffic at a company that’s set up to handle 1 gigabit and down goes its website. Rare, large-scale attacks can top 200 gigabits per second; Prolexic’s network can handle 500 gigabits per second.

The engineers blunted the SpaFinder blitz, essentially by absorbing it and spreading it across Prolexic data centers around the world and filtering malicious traffic.

As they sifted out the chaff, Prolexic engineers began letting legitimate traffic flow through to SpaFinder’s site. Some operations were back up the first day, and everything worked within 24 hours, Ellis says. “If it had come in the fourth quarter, I would have been killed,” says Ellis.

Florida Trend exclusive: Internet security in Florida On Tuesday, June 12 we had a live chat on internet security in Florida. Hosting was South Florida Editor Mike Vogel and AppRiver Senior Security Analyst Fred Touchette. Read the transcript of the chat here. Stay tuned to upcoming chats by checking back to FloridaTrend.com/chats

Prolexic executives say targets usually don’t reflect any discernible pattern. Wellness firms like SpaFinder got targeted in 2011, Scholly says. A couple years ago, cosmetics companies got hit. “Couple years before that, it was chocolates.”

Executives at several Florida security firms say businesses should worry less about DDoS attacks and more about other issues such as viruses and malware with their potential for data breach and theft. But DDoS is a growing problem, particularly for e-commerce companies. Gartner Research has seen DDoS attacks in the past two years become more targeted, powerful and frequent, says Gartner security analyst John Pescatore.

There’s certainly no shortage of hackers willing to try. On an ongoing basis, Prolexic tracks more than 4,000 botnet controllers — that is, the servers they use — and has more than 10 million bots in its database. At its “scrubbing” centers, Prolexic quickly cuts off traffic from those bots to its clients’ sites. If the controller of an attack changes the identifiable characteristics of his attacking bots, or changes the type of attack, Prolexic adjusts to the new tactics.

“It can be pretty slick. It becomes ‘us versus them.’ We’ve had to do things where we change the signatures 20, 30, 40 times in an hour,” says the company’s director of security operations, who prefers not to be named for security reasons. “It’s definitely exciting. You name it; we’ve been through it. And then we worry about stuff we might not have been through.”

These days, “us versus them” has become a 24-hour proposition, with the company handling as many as 80 attacks in a day. As one shift of engineers punches out, another takes their seats.

“It’s becoming each day a bigger and bigger problem out there,” Hammack says. “From a timing standpoint, we’re at the right place at the right time.”