by Mike Vogel
Updated 2 years ago
Last August, most likely in a forgettable dwelling in a nondescript burg in a former Soviet republic, a young man sat down to his computer in the late afternoon to wreak a little mayhem.
We can only guess, but he might have learned his computer skills at a university; he might be a self-taught teen. Collaborating with fellow hackers in Kazakhstan, Belarus, Peru and the United Arab Emirates, he began typing in code, marshalling an army of personal computers all over the globe that the hackers had infected with viruses. Unknown to the owners of those computers, their machines had become zombies serving in a hacker-controlled squadron called a botnet.
The viruses enable the hacker to command the entire botnet to send a torrent of data — multiple hits on a web page or e-mails, for example — in order to overload a targeted website and knock out its web server or e-mail network. Such attacks are called DDoS — distributed denial of service.
With his forces in place, the hacker entered a final command, and the assault began.
The bull’s-eye last August was SpaFinder, a $60-million revenue company based in New York that sells gift certificates to 20,000 spas around the world.
The SpaFinder attack was two-pronged: The first was a Layer 4 attack, which essentially attempted to overwhelm SpaFinder with more electronic knocks on the door than it could possibly answer. In brick-and-mortar terms, it’s like a mob descending on a store, making nonsensical requests that tie up the clerks while real customers are stuck outside. Once, it took some real tech savvy to mount such an attack. Now there are downloadable “DDoS in a box” kits online.
The second attack was a more sophisticated Layer 7, meant to go deep into SpaFinder’s website and ask for files or make requests that tie up lots of computing power and space.
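An added illustration, not code from the article or from Prolexic: a small Python classifier over constructed connection and request records that applies the distinction just drawn. A source is flagged as a Layer 4 flood when connection attempts arrive fast but rarely complete, and as a Layer 7 flood when completed requests concentrate on hypothetical expensive endpoints; the thresholds, paths and addresses are all assumptions.

```python
from collections import defaultdict

# Constructed records: (source_ip, event, path). "syn" is a connection
# attempt (the "knock on the door"); "req" is a completed HTTP request.
EXPENSIVE_PATHS = {"/search", "/report/export"}   # hypothetical costly endpoints

def classify_sources(records, window_s, syn_rate=100.0, completion_max=0.2,
                     req_rate=20.0, expensive_min=0.8):
    """Return {source_ip: verdict} for one observation window of window_s seconds."""
    stats = defaultdict(lambda: {"syn": 0, "req": 0, "expensive": 0})
    for src, event, path in records:
        s = stats[src]
        if event == "syn":
            s["syn"] += 1
        elif event == "req":
            s["req"] += 1
            if path in EXPENSIVE_PATHS:
                s["expensive"] += 1
    verdicts = {}
    for src, s in stats.items():
        syn_per_s = s["syn"] / window_s
        completion = s["req"] / s["syn"] if s["syn"] else 1.0
        req_per_s = s["req"] / window_s
        expensive_share = s["expensive"] / s["req"] if s["req"] else 0.0
        # Layer 4 pattern: many connection attempts, few of them ever completed.
        if syn_per_s >= syn_rate and completion <= completion_max:
            verdicts[src] = "layer4-flood"
        # Layer 7 pattern: connections complete, but requests hammer costly paths.
        elif req_per_s >= req_rate and expensive_share >= expensive_min:
            verdicts[src] = "layer7-flood"
        else:
            verdicts[src] = "legit"
    return verdicts

def sample_records():
    """Constructed 10-second window: one L4 source, one L7 source, one customer."""
    recs = [("198.51.100.7", "syn", None)] * 1200           # L4: 1200 SYNs ...
    recs += [("198.51.100.7", "req", "/")] * 20              # ... only 20 complete
    recs += [("203.0.113.9", "syn", None)] * 300             # L7: every SYN completes ...
    recs += [("203.0.113.9", "req", "/search")] * 300        # ... into an expensive request
    recs += [("192.0.2.44", "syn", None)] * 5                # a customer browsing normally
    recs += [("192.0.2.44", "req", p) for p in ("/", "/gift", "/search", "/spa/1", "/cart")]
    return recs

def demo():
    return classify_sources(sample_records(), window_s=10)

if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{src:15} {verdict}")
```

In practice the same counters would be fed from flow records or web server logs per window, with thresholds tuned to the site's normal baseline rather than the constants used here.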
The DDoS hacker’s motive is unknown — he may only have been seeking bragging rights for taking down a company’s site. Some DDoS hackers have a grudge. A few use the DDoS attack as a smokescreen to sneak deeper into the site to steal customer passwords, money or credit card data. Some DDoS attacks come with ransom demands to lift the attack, though payoffs are rare.
Famously, the self-styled activist group Anonymous uses DDoS — even inviting people to join and providing how-to help — for its agenda. In June 2011, Anonymous launched DDoS attacks on a privately owned Orlando visitors guide website, Mayor Buddy Dyer’s re-election campaign site and other Orlando organizations over a dispute about feeding the homeless in a park.
SpaFinder CEO Pete Ellis
With his web-hosting service unable to provide a fix quickly enough, Ellis recalled another business that had been attacked a few weeks before. He called for advice and was directed to south Florida-based Prolexic, the world’s largest company solely dedicated to defending against DDoS attacks, and one of a cluster of Florida companies carving a niche in cyber-security.
Prolexic’s clients include 10 of the world’s largest banks along with other businesses and groups that hire the firm on an annual basis. The company, which doesn’t disclose its fees, also accepts emergency business; after the distress call from SpaFinder, Prolexic engineers went to work.
In a windowless room at the company’s special operations center in Hollywood, the engineers sit at rows of tables, scanning web traffic. Each scrutinizes five monitors, looking for anomalies in eyestrain-inducing lines of data and graphs. “To you and me, it looks like lines,” says Prolexic’s president, Stuart Scholly, but the engineers “know what the signatures look like, the different types of attacks, the order in which attacks are launched.”
The engineers, some of whom work four 10-hour shifts per week, are a mixed bunch. Most are men with college degrees, though a few ended their formal education with a high school diploma and real-world computer skills. Many have worked for major telecom companies, software developers and other IT businesses. “You’ve got just brilliant people here,” says Prolexic CEO Scott Hammack. “They’re expensive people. But then our revenue per employee is very high as well.”
The first step in restoring SpaFinder’s website was figuratively to throw a switch and route all the traffic hitting SpaFinder’s site to Prolexic. DDoS attacks typically depend on volume; throw 60 gigabits per second of traffic at a company that’s set up to handle 1 gigabit and down goes its website. Rare, large-scale attacks can top 200 gigabits per second; Prolexic’s network can handle 500 gigabits per second.
The engineers blunted the SpaFinder blitz, essentially by absorbing it and spreading it across Prolexic data centers around the world and filtering malicious traffic.
As they sifted out the chaff, Prolexic engineers began letting legitimate traffic flow through to SpaFinder’s site. Some operations were back up the first day, and everything worked within 24 hours, Ellis says. “If it had come in the fourth quarter, I would have been killed,” says Ellis.
Florida Trend exclusive:
Executives at several Florida security firms say businesses should worry less about DDoS attacks and more about other issues such as viruses and malware with their potential for data breach and theft. But DDoS is a growing problem, particularly for e-commerce companies. Gartner Research has seen DDoS attacks in the past two years become more targeted, powerful and frequent, says Gartner security analyst John Pescatore.
There’s certainly no shortage of hackers willing to try. On an ongoing basis, Prolexic tracks more than 4,000 botnet controllers — that is, the servers they use — and has more than 10 million bots in its database. At its “scrubbing” centers, Prolexic quickly cuts off traffic from those bots to its clients’ sites. If the controller of an attack changes the identifiable characteristics of his attacking bots, or changes the type of attack, Prolexic adjusts to the new tactics.
“It can be pretty slick. It becomes ‘us versus them.’ We’ve had to do things where we change the signatures 20, 30, 40 times in an hour,” says the company’s director of security operations, who prefers not to be named for security reasons. “It’s definitely exciting. You name it; we’ve been through it. And then we worry about stuff we might not have been through.”
These days, “us versus them” has become a 24-hour proposition, with the company handling as many as 80 attacks in a day. As one shift of engineers punches out, another takes their seats.
“It’s becoming each day a bigger and bigger problem out there,” Hammack says. “From a timing standpoint, we’re at the right place at the right time.”
» Facebook: Spammers and distributors of malware love it. They provide false information about a free offer or inviting image — a girl in a bikini — to lure users to click on the link and get infected. Sometimes the malware posts the same image or information on the infected person’s “wall,” luring friends into making the same mistake.
Sources of attacks on Facebook
» New Facebook app — 19%
» Celebrity or current event — 18%
» Free stuff — 26%
Source: Commtouch.com, Internet Threats Trend report, January 2012
» Leading Origins of Spam
5. South Korea
Source: AppRiver Threat and Spamscape Report
» Dark Motives
• Spammers used the Japanese earthquake, Bin-Laden’s death and the fall of Gaddafi to attempt to distribute spam e-mails, malware or viruses with enticements for users to click on links to “exclusive video” or (faked) news stories.
— AppRiver Threat and Spamscape Report
“There’s a human capital crisis in cyber-security,” says Richard Ford, director of the Harris Institute for Assured Information at Florida Tech in Melbourne. “That means if you’re good at cyber-security, you can get a job anywhere and you can earn whatever you want.”
“Most of the people end up being hired almost immediately into federal jobs,” Ackerman says.