Online shoppers aren't the only ones that may overwhelm e-commerce Websites and crash them this holiday season. Cyber-attackers may be waiting in the wings with a DDoS attack.
With the
holiday season ramping up, it's not just online shoppers that have to be
vigilant for cyber-threats. Enterprises and retailers have to be alert for
scammers, cyber-criminals and hackers.
High-profile
distributed-denial-of-service attacks made headlines in 2011, and security
vendors warned retailers could face similar attacks during the holiday shopping
season. Online sales last year exceeded $36 billion during the holiday shopping
season, according to numbers released by MasterCard. Retailers anticipate this
year's online sales to exceed last year's figures, with industry estimates of
$1.2 billion in sales on Cyber Monday alone.
Worries about
"denial-of-service outages are the name of the game for online retail
organizations during the heavy holiday shopping season," Adam Powers, CTO
of Lancope, told eWEEK.
Some can be
inadvertent, driven by high demand from shoppers. Powers described Target's
launch of the Missoni clothing line earlier this year as a "poster child
for a legitimate oversubscription DoS," noting that high demand for
Missoni merchandise "brought" Target "to its knees."
Organizations
should check their infrastructure to make sure they can handle increased
network traffic and capacity, according to Check Point Software Technologies.
They can implement flexible hosting sites or cloud sites to add capacity and
prevent the site from crashing. The existing security gateway will also need to
be able to handle the increased traffic volume and keep scanning and protecting
the network, Check Point said.
Others can be
malicious, especially to an online retailer with a strong brand, according to
Powers. Cyber-criminals can take advantage of events such as Black Friday to
launch an attack, and hacktivists may also take advantage of intense media
attention to make a point, he said.
E-commerce is
exceptionally vulnerable to distributed-denial-of-service attacks, as
unscrupulous players could also decide to sabotage competitor Websites to steal
customers, according to Corero Network Security. If the site is not available,
frustrated customers are more likely to just move to a competitor's site.
"The
bottom line is that retailers and other blue-chip corporations need to improve
their defensive posture against DDoS attacks, as criminals and hacktivists have
significantly increased the frequency and sophistication of DDoS attacks they
employ," said Mike Paquette, chief strategy officer of Corero Network
Security.
Cyber-attackers
use network flooding techniques and application-layer attacks such as
ApacheKiller to bring targeted Websites to a crawl or crash, rendering them
inaccessible to customers.
DDoS attacks
increased by 30 percent in 2010, and the number is expected to be higher in
2011, according to Gartner estimates. The attacks have also been escalating in
size and complexity in 2011, according to Paul Sop, chief technology officer at
Prolexic. Attackers generally are throwing more packets, using more bandwidth
and targeting the application layer, Sop said.
E-commerce businesses
aren't the only ones that have to worry about DDoS attacks during this holiday
season, as hospitality, gaming and shipping services should also be on high
alert for DDoS attacks, Sop said. A significant percentage of yearly revenue
is made in the fourth quarter from holiday shoppers, and a serious DDoS attack
can be financially devastating, according to Prolexic.
Retailers
don't just have to worry about making sure their sites are up and capable of
handling the "influx of shoppers," but also that the payment data being
collected remains secure, Mandeep Khera, CMO of LogLogic, told eWEEK. Merchants who collect credit card
information have to ensure that their databases are secure so that attackers
who try to break in don't waltz off with payment information. Ensuring they are
following all 12 PCI requirements would help retailers protect customer credit
card data, according to Khera.