DDoS threats linger as peak holiday shopping begins

Dive Brief:

With the biggest online shopping weekend of the year ahead, retailers will keep a close eye on website uptime, scrutinizing whether traffic is clean or malicious. Slow or crashing websites can stem from failure to prepare, an unexpected bug or a denial-of-service attack, according to Patrick Donahue, director of product management at Cloudflare.
"Most e-commerce applications in use today were built to run on one or more servers, and had to be manually scaled. When you're expecting a lot of transactions, you have to provision more servers to keep up with it," he said. If e-commerce platforms operate in a serverless environment, preemptive scaling is not an issue.
"Before and around Black Friday and Cyber Monday," retailers will often refrain from updating website code so they don't inadvertently add bugs, Donahue said. Companies avoid touching JavaScript in particular, because it "validates input such as credit card numbers and other personal information." It could elicit security concerns, such as a Magecart-like attack.

Dive Insight:

There is no sleep for the wicked: Any time companies and security teams ready for vacation, threat actors make their moves. CISOs already live by an "always on" credo, and the all but guarantee of DDoS attacks will likely add to their responsibilities overseeing business continuity.

In 2016, Cloudflare observed and mitigated an 8.5-hour long DDoS attack the day before Thanksgiving, only for the activity to repeat on the holiday and through Cyber Monday. The U.S. was the primary target of the attack.

Successful DDoS attacks are ones that are effective in mimicking legitimate traffic, which for retailers means bots "might browse around the site and add items to a shopping cart but never checkout," Donahue said.

An estimated 86% of consumers will shop this holiday weekend, according to ICSC, and reported by Cybersecurity Dive's sister publication Retail Dive. Half of consumers will shop exclusively online.

Retailers will have individualized approaches to prepare for Black Friday and Cyber Monday internet traffic, but reserving capacity is one common strategy, Donahue said.

DDoS attack trends have been growing this year, before holiday internet traffic spikes. U.S. companies were the most targeted organizations in the world for DDoS attacks in Q2 and Q3 of 2021, according to a Cloudflare report of DDoS trends. Cloudflare calculates its DDoS trends by analyzing the percentage of attack traffic of total "clean" traffic. Cloudflare uses the metric for application- and network-layer DDoS attack trends, so biases do not creep into datasets.

Meris — a record-breaking HTTP DDoS attack of 17.2 million requests per second (rps) — dominated Q3. The botnet targeted the financial services industry, after threat actors exploited an unpatched vulnerability in the MikroTik RouterOS. The patch has been available since 2018.

In the last two years, attacks measured by bits per second have increased 138% year over year, and packets per second increased by 1,174% year over year, Cloudflare found. Cloudflare observed its largest attack earlier this month, which reached nearly 2 terabit-per-second (Tbps).

"At some point, you have a large enough network where you can absorb huge attacks, but a high rate of packets can be problematic for the operating system that has to process them," said Donahue. "And a high rate of requests can be problematic for the application that has to receive and respond to them."

Cloudflare differentiated DDoS attacks by the volume of traffic it delivers measured by bit rate or the number of packets it delivers. High bit rates overwhelm an internet link, whereas high packet rates target servers, routers or in-line hardware. The majority of attacks in Q3 measured at 50,000 packets per second and attacks are growing larger quarter over quarter.