The popular Ancestry.com genealogy Website was impacted by a distributed denial-of-service (DDoS) attack that started at 2:30 p.m. PT on June 16 and was resolved by 4:15 p.m. PT on June 17. While the motives behind the DDoS incident are not yet publicly known, the attack once again shines the spotlight on the increasing prevalence of DDoS in 2014.
In an email to eWEEK, an Ancestry.com spokesperson said that services are now largely up and running, though the company is still working to stabilize all of its sites and fully recover from the attack. Ancestry.com sells paid memberships, but it does not currently plan to reimburse users for the time the site was unavailable.
"We currently don't have any plans to offer rebates for lost time," the spokesperson stated.
The full details of the attack are also not yet known; the spokesperson said the company is not disclosing any information about the DDoS beyond a blog post first published on Tuesday.
"We take these situations very seriously and have put systems in place to help protect our Websites from attacks like this in the future," the spokesperson stated.
So what is a DDoS anyway, and why attack Ancestry.com?
Simply put, in a DDoS attack an attacker marshals many endpoints and servers, often compromised machines under the attacker's control, to flood a target Website with more traffic than it can absorb, hindering its ability to operate normally. In 2014 in particular there has been a dramatic uptick in DDoS attack volumes, with attackers using amplification techniques to multiply the bandwidth they can direct at a target. VeriSign's recent first-quarter DDoS trends report found that the largest attack it had seen so far this year peaked at 160 Gbps.
For context, the most common Internet connection speed for servers in an enterprise data center today is only 10 Gbps. A server, or an entire site, sitting behind a 10 Gbps inbound pipe cannot do anything useful about 100 Gbps or more of incoming traffic: the link itself saturates, and legitimate requests are dropped along with the attack traffic before any on-site defense ever sees them.
In the case of Ancestry.com, while the site is currently not providing much detail about the attack, publicly available resources that scan Internet service availability do provide some interesting insight.
Netcraft's site report for Ancestry.com indicates that since at least October 2010, the site has run on Microsoft Internet Information Services (IIS) fronted by F5 BIG-IP. F5 is a leading vendor in what is known as the Application Delivery Controller (ADC) market, a category sometimes referred to simply as load balancers. An ADC distributes incoming traffic across multiple back-end servers to keep the service responsive. In recent years F5 has given the platform a stronger security focus, including the ability to act as a network firewall.
F5 declined to comment to eWEEK on the security of any specific customer, so exactly how and where the F5 technology is deployed is not known. What can be said is that a BIG-IP is an on-premises appliance: it can only filter traffic that has already arrived over the organization's own Internet link. It can be a significant part of a DDoS defense, but other layers are still needed, especially when the attack volume exceeds the bandwidth of that link.
That is where the next piece of Netcraft data yields some very interesting insight. Netcraft reports that the reverse DNS for Ancestry.com's addresses now points to Prolexic. Prolexic is notable because it is a DDoS mitigation vendor that was recently acquired by Akamai, a content delivery network (CDN). A scrubbing service such as Prolexic absorbs attack traffic on its own network capacity and forwards only cleaned traffic to the customer, so combined with Akamai's CDN the two technologies can provide robust defense against large DDoS attacks.
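The Netcraft observation above (forward-resolve the site, reverse-resolve each address, and see whether the PTR names belong to the organization or to a scrubbing or CDN provider) is something a practitioner can reproduce directly. The script below is an added example, not code from eWEEK, Netcraft, Ancestry.com, F5 or Akamai. The provider suffix table, the hostname, the addresses (documentation ranges) and the PTR names are all constructed for illustration; in particular the PTR name formats are assumptions, not verified naming conventions of any vendor. The offline run compares a "before" and an "after" snapshot so that the interesting signal, a site's edge moving from its own addresses to a mitigation provider's, shows up as a diff.

```python
"""Recon helper: where does a site's public edge terminate, and did it move?

Added example. Resolves a host's A records, reverse-resolves each address
and classifies the PTR name against an assumed table of provider domains.
All sample DNS data below is constructed; nothing here is real vendor data.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Assumed PTR-name suffixes -> classification. These suffixes are
# illustrative assumptions, not verified vendor reverse-DNS conventions.
PROVIDER_SUFFIXES: Dict[str, str] = {
    "prolexic.com": "Prolexic/Akamai DDoS scrubbing",
    "akamaitechnologies.com": "Akamai CDN",
}

EdgeRecord = Tuple[str, str, str]  # (ip, ptr_name, classification)


def classify_ptr(ptr_name: str) -> str:
    """Map a PTR name to a provider label; names that match no known
    provider are treated as the organization's own (on-premises) edge."""
    if not ptr_name:
        return "no PTR record"
    name = ptr_name.rstrip(".").lower()
    for suffix, label in PROVIDER_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return label
    return "origin/on-premises edge"


def live_a_lookup(hostname: str) -> List[str]:
    """Forward resolution via the system resolver (not used offline)."""
    return sorted(set(socket.gethostbyname_ex(hostname)[2]))


def live_ptr_lookup(ip: str) -> str:
    """Reverse resolution via the system resolver; '' when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def inspect_edge(hostname: str,
                 a_lookup: Callable[[str], List[str]] = live_a_lookup,
                 ptr_lookup: Callable[[str], str] = live_ptr_lookup) -> List[EdgeRecord]:
    """Resolve the host, reverse-resolve every address and classify each one."""
    records: List[EdgeRecord] = []
    for ip in a_lookup(hostname):
        ptr = ptr_lookup(ip)
        records.append((ip, ptr, classify_ptr(ptr)))
    return records


def diff_edges(before: List[EdgeRecord], after: List[EdgeRecord]) -> Dict[str, List[str]]:
    """Which classifications appeared or disappeared between two snapshots,
    e.g. an origin edge replaced by a scrubbing provider after an attack."""
    b = {c for _, _, c in before}
    a = {c for _, _, c in after}
    return {"added": sorted(a - b), "removed": sorted(b - a)}


# Constructed DNS answers for a hypothetical site, before and after it was
# moved behind a scrubbing provider. Addresses are from documentation ranges
# and the PTR names are invented.
SAMPLE_A = {
    "before": {"www.example.net": ["192.0.2.10", "192.0.2.11"]},
    "after": {"www.example.net": ["198.51.100.20", "198.51.100.21"]},
}
SAMPLE_PTR = {
    "192.0.2.10": "edge1.example.net.",
    "192.0.2.11": "edge2.example.net.",
    "198.51.100.20": "198-51-100-20.scrub.prolexic.com.",
    "198.51.100.21": "",  # provider published no PTR for this address
}


def run_constructed_example() -> Dict[str, List[str]]:
    """Run both snapshots against the constructed data and return the diff."""
    snaps: Dict[str, List[EdgeRecord]] = {}
    for when in ("before", "after"):
        snaps[when] = inspect_edge(
            "www.example.net",
            a_lookup=lambda h, w=when: SAMPLE_A[w][h],
            ptr_lookup=lambda ip: SAMPLE_PTR.get(ip, ""),
        )
    for when, recs in snaps.items():
        for ip, ptr, label in recs:
            print(f"{when:6} {ip:15} {ptr or '-':36} {label}")
    return diff_edges(snaps["before"], snaps["after"])


if __name__ == "__main__":
    print(run_constructed_example())
```

Run against a live host, `inspect_edge("www.example.net")` uses the system resolver; the constructed run shows the origin classification disappearing and the scrubbing label appearing. A missing PTR is reported rather than ignored, since an address with no reverse record is exactly the case where a hosting lookup tells you nothing and you would turn to other sources such as BGP prefix ownership.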