The credit card processing company puts its multipronged security defense to work as a flood of ransom demands and DDoS attacks prompts FBI involvement.
Corey Mandell knew things weren't good when he got the ransom letter. Mandell had experienced such things before, and he knew that Authorize.Net, a Bellevue, Wash., credit card processing company, would be in for a tough time. What he didn't realize until later is that it would be much worse than he had anticipated.
The DDoS (distributed denial of service) attacks began Sept. 15, and they continue to this day. "We received an extortion letter demanding a large sum of money," said Mandell, who is vice president of development and operations at Authorize.Net. "We were able to handle the attack" at first, he said, explaining that the company had tailored its response based on past attacks against it and others in the same business. But things got worse in a hurry.
"The second and third attacks were bigger than anything we'd ever seen," Mandell said. He said it was clear that the attackers were using a bot network because of the wide number of IP addresses that they used.
Most of the attack was a SYN flood, in which the attacker sends a large number of TCP connection requests (SYN packets), typically from spoofed source addresses, that never complete the three-way handshake. Each one leaves a half-open connection behind, and the backlog of half-open connections soon overwhelms the servers (or the routers and firewalls in front of them, depending on the design).
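The half-open-connection signature described above is what a detector looks for: many SYNs that are answered with SYN-ACKs but never followed by the client's ACK, coming from a wide spread of source addresses. The following is an added example, not code from the article or from Authorize.Net's own defenses. It builds a constructed, simplified flow log ("time src -> dst flags"), tracks handshake state per client, and flags a flood when the count of half-open connections and the number of distinct sources both exceed assumed thresholds; the server address, the thresholds and the log format are all assumptions.

```python
"""SYN-flood (half-open connection) detector over a constructed TCP flag log.

Added example. The record format, the server address and the thresholds
are assumptions; they are not taken from the article.
"""

# Assumed target (RFC 5737 documentation address, not a real host).
SERVER = "198.51.100.5:443"


def build_sample(flood_sources=40):
    """Return constructed records in the form 'time src -> dst flags'.

    Three legitimate clients complete the handshake (S, SA, A).
    Each flood source sends one SYN from a distinct spoofed address;
    the server answers with SYN-ACK, and no ACK ever comes back.
    """
    lines = []
    t = 0.0
    for i in range(3):
        client = f"203.0.113.{10 + i}:4000{i}"
        lines.append(f"{t:.3f} {client} -> {SERVER} S"); t += 0.001
        lines.append(f"{t:.3f} {SERVER} -> {client} SA"); t += 0.001
        lines.append(f"{t:.3f} {client} -> {SERVER} A"); t += 0.001
    for i in range(flood_sources):
        client = f"192.0.2.{i + 1}:1234"   # spoofed, never answers
        lines.append(f"{t:.3f} {client} -> {SERVER} S"); t += 0.001
        lines.append(f"{t:.3f} {SERVER} -> {client} SA"); t += 0.001
    return lines


def parse(line):
    """Split one record into (timestamp, src, dst, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    return float(ts), src, dst, flags


def analyze(lines, server=SERVER):
    """Walk the log and classify each client's handshake state.

    States: 'syn' (SYN seen), 'synack' (server replied), 'established'
    (client ACKed). Anything not 'established' is a half-open connection
    occupying a slot in the server's SYN backlog.
    """
    state = {}  # (client, server) -> handshake state
    for line in lines:
        _ts, src, dst, flags = parse(line)
        if dst == server and "S" in flags and "A" not in flags:
            state[(src, dst)] = "syn"
        elif src == server and flags == "SA":
            key = (dst, src)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif dst == server and flags == "A":
            key = (src, dst)
            if state.get(key) == "synack":
                state[key] = "established"

    half_open = [c for (c, _s), st in state.items() if st != "established"]
    established = [c for (c, _s), st in state.items() if st == "established"]
    return {
        "half_open": len(half_open),
        "established": len(established),
        # distinct IPs (port stripped) behind the half-open connections
        "half_open_sources": len({c.rsplit(":", 1)[0] for c in half_open}),
    }


def is_syn_flood(stats, max_half_open=20, min_sources=10):
    """Assumed heuristic: many half-open connections AND many sources.

    A single misbehaving client can leave a few half-open connections;
    a flood from a bot network or spoofed addresses leaves hundreds
    spread across many sources, which is the pattern flagged here.
    """
    return (stats["half_open"] >= max_half_open
            and stats["half_open_sources"] >= min_sources)


if __name__ == "__main__":
    stats = analyze(build_sample())
    print(stats, "flood" if is_syn_flood(stats) else "normal")
```

Real deployments do this in the kernel or on an in-line appliance rather than from a flow log, and the classic host-side mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux), which lets the server answer SYNs without keeping per-connection state until the client's ACK arrives; the detector above only shows what a SYN flood looks like in the connection table.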
Once the volume of bogus requests ramped up for the new rounds of attacks, Mandell knew that additional steps were required. He quickly contacted trusted consultants and vendors and put together a plan to ward off the attacks. But he already knew that no single solution would be enough in this case.
"We installed a variety of appliances," he said, noting that because the new appliances use a mix of deterministic and heuristic methods to separate attack traffic from legitimate traffic, the multipronged defense would work. It did. In short order, while the attacks continued, customers were reaching the company's servers without a problem.
Mandell said that when he chose the products to protect his enterprise, he didn't limit himself to just preventing SYN floods or even just DDoS attacks. He chose products that would protect against a wide variety of methods. While he declined to say what appliances and other products the company actually bought, he did say that the solution is capable of handling a much bigger business than his is now.
While the attacks no longer pose a significant threat to the operations of Authorize.Net, that doesn't mean the problem has gone away. Instead, the most important phase is now under way: tracking down and arresting the people who are attacking it.
Mandell said one of the first things the company did was call the FBI's Cyber-Crime division in Utah and get them on the case. The FBI is actively involved in hunting down the bad guys. While that agency will not discuss an active investigation, Mandell said he has some indication that they're making progress. "There's a pattern here," he said, and that is leading the FBI to dig even deeper.
Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.
He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.