Safeguarding Your Online Sales Channels from DDoS Extortion

After the unprecedented challenges retailers have navigated over the past 12 months, margins are tight and few can afford any kind of sales disruption. This is especially true for the small- and mid-size retailers that have shifted to ecommerce platforms to capture sales lost during the pandemic. Unfortunately, many of these new online channels have not implemented proper safeguards, and cybercriminals are changing their attack methods to capitalize.

Distributed Denial of Service (DDoS) extortion campaigns, also called DDoS ransom attacks or RDDoS attacks, are one of the tactics that cyber researchers have seen spike recently. Criminals threaten to use volume-based attacks to paralyze an organization’s digital assets, including websites and services, unless the victim pays a significant ransom. Given their vulnerability, online merchants are increasingly finding themselves the target of these schemes. The number and pace of attacks has been significant enough to prompt a flash warning from the FBI.

The right practices and security protocols can protect retailers from DDoS extortion. With sufficient preparation, losses can be avoided and volume-based attacks can be mitigated. Here’s what retailers should keep in mind.

DDoS Prevention is Easier Than a Cure

Organizations shouldn’t wait until they receive an RDDoS ransom note to put defenses in place. If there isn’t an explicit DDoS mitigation strategy, now is the time to develop one. Here are some steps to consider.

1. Identify online assets that are at risk in the event of a DDoS attack.
List out what you need to protect to ensure the organization can continue to provide services to customers.

2. Decide on solutions to defend critical assets.
There are multiple ways to protect online channels against a DDoS attack. The optimal approach depends on each organization’s needs. 

  • DDoS protection through an ISP or cloud service provider is typically simple to implement since there is already a business relationship with the provider. It’s appropriate if an organization’s assets are not extensive and don’t require a high level of protection, expertise and customizability.
  • A DDoS mitigation service is a better choice if your enterprise has a larger network — particularly if it spans multiple ISPs or cloud providers — or if you have a low tolerance for downtime. These are generally off-the-shelf solutions, however, so they can’t accommodate every network configuration.
  • A fully managed cloud DDoS platform is a better fit for more complex and extensive infrastructure or digital assets, limited in-house IT expertise and resources to monitor traffic and manage any required mitigations, or if the team is simply stretched a little thin.

3. Consider mitigation strategies and requirements.
What specific capabilities best match your network configuration and operational needs? Several questions need answers: BGP swing or DNS swing to divert traffic? Always-on or on-demand service? Each approach has strengths that may better fit an organization’s needs.

4. Monitor and communicate.
Know your ‘peacetime’ traffic and make sure to share that information with the DDoS protection provider. Be prepared to provide:

  • Total inbound traffic under normal circumstances.
  • Any predictable cyclic variations in traffic volume — daily, weekly, monthly.
  • Scope of your IP address space.
  • Ports, protocols, and applications running in each subnet.
  • A run book for each of your critical assets, detailing the required protection and allowable downtime, if any.

This information will help your DDoS partner do a better job in providing the protection you need — and making sure it’s there when you need it.
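As an added illustration (not code from the original article or from Neustar), the script below shows how the ‘peacetime’ profile described above can be built from hourly inbound traffic samples and then used to flag a reading that departs from it. The one-week sample data, the 3-sigma rule and the 3x-mean floor are constructed assumptions for the demo; real numbers would come from your edge routers’ flow or SNMP exports.

```python
from collections import defaultdict
from statistics import mean, pstdev


def constructed_peacetime_samples():
    """Constructed sample: one week of hourly inbound traffic in Gb/s.

    Shows the daily cycle (busier 08:00-22:00) and a weekly variation
    (heavier Saturday) that the article says a provider needs to know about.
    """
    samples = []
    for day in range(7):            # 0 = Monday ... 6 = Sunday
        for hour in range(24):
            gbps = 2.0 if 8 <= hour <= 22 else 0.5
            if day == 5:            # constructed Saturday bump
                gbps += 0.3
            samples.append((day, hour, gbps))
    return samples


def build_baseline(samples):
    """Per hour-of-day mean and standard deviation: the 'peacetime' profile.

    This is the kind of summary to hand to the DDoS protection provider.
    """
    by_hour = defaultdict(list)
    for _day, hour, gbps in samples:
        by_hour[hour].append(gbps)
    return {hour: (mean(vals), pstdev(vals)) for hour, vals in by_hour.items()}


def check_inbound(baseline, hour, observed_gbps, sigmas=3.0, floor_factor=3.0):
    """Return (is_anomalous, threshold) for one observed inbound reading.

    A reading is flagged only if it exceeds BOTH mean + sigmas*stdev and
    floor_factor x mean. The second guard (an assumed rule of thumb) keeps
    stable hours with near-zero stdev from alerting on tiny absolute changes.
    """
    mu, sigma = baseline[hour]
    threshold = max(mu + sigmas * sigma, floor_factor * mu)
    return observed_gbps > threshold, threshold


if __name__ == "__main__":
    profile = build_baseline(constructed_peacetime_samples())
    for hour, reading in [(10, 2.5), (10, 40.0), (3, 0.6), (3, 5.0)]:
        flagged, limit = check_inbound(profile, hour, reading)
        print(f"hour {hour:02d}: {reading:5.1f} Gb/s, limit {limit:.2f} -> "
              f"{'ANOMALOUS' if flagged else 'normal'}")
```

The same profile doubles as the traffic-volume and cyclic-variation figures the provider asks for, so keep it refreshed rather than computing it once.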

Responding to an RDDoS Attack Threat

If your organization receives an email threatening a DDoS attack unless a ransom is paid, don’t panic — and don’t pay! Attackers are often not who they claim to be. In many instances, no attack ever materializes. Many of these threats are coming from copycat actors without the capability to threaten your organization. Our experts have seen notes threatening attacks of up to 2 Tb/sec, only for the observed attacks to end up considerably smaller, ranging from 20 to 300 Gb/sec. It is also worth noting that paying the ransom is likely to land you on a list of companies that capitulate. This will only attract future threats.

That said, many threats result in actual DDoS attacks that utilize multiple vectors and significantly disrupt online retail operations. Here’s what you should do if you receive a threat.

1. Report the attack.
The FBI suggests contacting its nearest field office if your organization is threatened. The information can help law enforcement hold the attackers accountable and prevent future attacks.

2. Coordinate defenses.
Contact your organization’s DDoS mitigation provider and share the details of the received threat. Since they live and breathe DDoS attacks, they should be familiar with the threat you received and can help your organization weather the attack.

3. Stay vigilant before and after ‘Attack Day.’
Most DDoS extortion notes threaten an attack if an organization fails to respond by a particular day. It’s a good idea to place assets under pre-emptive mitigation before that date and open an active bridge with a DDoS provider day-of to streamline access and ensure effective communications. But even if the appointed day passes without an attack, it’s important to remain vigilant for a few days afterwards. Attackers are on their own schedule.

DDoS extortion campaigns represent a serious threat to unprepared online retailers. But with a mitigation strategy in place and a cooperative relationship with a top-tier DDoS partner, it doesn’t have to paralyze your assets or your organization.


Matt Wilson is Senior Director of Product Management for network and application security at Neustar.
