The popular Ancestry.com genealogy Website was impacted by a distributed denial-of-service (DDoS) attack that started at 2:30 p.m. PT on June 16 and was resolved by 4:15 p.m. PT on June 17. While the motives behind the DDoS incident are not yet publicly known, the attack once again shines the spotlight on the increasing prevalence of DDoS in 2014.
In an email to eWEEK, an Ancestry.com spokesperson noted that services are now largely up and running, though the site is currently working to stabilize all of its sites and fully recover from the attack. Ancestry.com provides paid membership services to its users, though the site is not likely to reimburse users for the time the site was unavailable.
“We currently don’t have any plans to offer rebates for lost time,” the spokesperson stated.
The full details on the particulars of the attack are also not yet known, and the spokesperson stated that the company is not disclosing any additional information around the DDoS attack outside of a blog post first published on Tuesday.
“We take these situations very seriously and have put systems in place to help protect our Websites from attacks like this in the future,” the spokesperson stated.
So what is a DDoS anyway, and why attack Ancestry.com?
Simply put, in a DDoS attack, an attacker marshals many endpoints and servers together to flood a target Website with traffic that overwhelms the target, hindering its ability to operate normally. In 2014 in particular, there has been a dramatic uptick in DDoS attack volumes, with hackers leveraging new techniques to amplify bandwidth to take down sites. VeriSign’s recent first-quarter DDoS trends report found that the largest DDoS attacks it has seen so far this year had a peak of 160 Gbps of traffic.
Just to provide some context, in an enterprise data center today, the most common Internet connection speed for servers is only 10 Gbps. So for a single server that may only have a 10 Gbps inbound pipe to the Internet, to be impacted by 100 Gbps or more of traffic is a nontrivial issue.
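To make the bandwidth mismatch concrete, here is an added example (not code from the article or from any vendor it mentions) that aggregates constructed per-flow records toward a protected host, converts each second's inbound byte count to Gbps, and flags any second where demand exceeds an assumed 10 Gbps link. The IP addresses, byte counts and the `flag_saturation` helper are all constructed for illustration; the 10 and 160 Gbps figures mirror the article's numbers.

```python
"""Toy volumetric-flood detector over constructed flow records.

Added example, not part of the original article. It shows why a
distributed flood is an infrastructure problem: once aggregate inbound
demand exceeds the link, no amount of server-side tuning helps.
"""
from collections import defaultdict

# Assumed inbound pipe for the protected server (the article's 10 Gbps figure).
LINK_CAPACITY_GBPS = 10.0

# Constructed flow records: (second, src_ip, dst_ip, bytes). Addresses come
# from the RFC 5737 documentation ranges, so nothing here is a real host.
SAMPLE_FLOWS = [
    # second 0: ordinary traffic, three sources, 300 MB total (2.4 Gbps)
    (0, "198.51.100.1", "203.0.113.10", 100_000_000),
    (0, "198.51.100.2", "203.0.113.10", 100_000_000),
    (0, "198.51.100.3", "203.0.113.10", 100_000_000),
    # second 2: a large flow toward a *different* host, must be ignored
    (2, "198.51.100.1", "203.0.113.20", 5_000_000_000),
]
# second 1: twenty sources each pushing 1 GB in one second = 160 Gbps aggregate
SAMPLE_FLOWS += [
    (1, f"198.51.100.{i}", "203.0.113.10", 1_000_000_000) for i in range(1, 21)
]


def gbps(byte_count, seconds=1.0):
    """Convert a byte count observed over `seconds` into gigabits per second."""
    return byte_count * 8 / seconds / 1e9


def aggregate(flows, dst):
    """Sum inbound bytes per second toward `dst` and track distinct sources."""
    per_second = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for sec, src, d, nbytes in flows:
        if d != dst:
            continue
        per_second[sec]["bytes"] += nbytes
        per_second[sec]["sources"].add(src)
    return per_second


def flag_saturation(flows, dst, capacity_gbps=LINK_CAPACITY_GBPS, min_sources=1):
    """Return one alert per second in which demand exceeds the link capacity.

    `min_sources` lets an operator require the flood to be distributed
    (many endpoints) before alerting, which is the DDoS signature the
    article describes.
    """
    alerts = []
    for sec, rec in sorted(aggregate(flows, dst).items()):
        rate = gbps(rec["bytes"])
        if rate > capacity_gbps and len(rec["sources"]) >= min_sources:
            alerts.append({
                "second": sec,
                "gbps": round(rate, 2),
                "sources": len(rec["sources"]),
                # how many times over the pipe the demand is
                "overload_factor": round(rate / capacity_gbps, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_saturation(SAMPLE_FLOWS, "203.0.113.10"):
        print(f"second {alert['second']}: {alert['gbps']} Gbps from "
              f"{alert['sources']} sources, {alert['overload_factor']}x link capacity")
```

On the constructed input only second 1 is flagged: 160 Gbps from twenty sources, sixteen times the assumed link. The point for a defender is that this alert is raised upstream of the server, in flow telemetry from the router or the mitigation provider, because by the time the excess reaches the 10 Gbps pipe it has already been dropped.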
In the case of Ancestry.com, while the site is currently not providing much detail about the attack, publicly available resources that scan Internet service availability do provide some interesting insight.
The Netcraft site reports for Ancestry.com indicate that since at least October of 2010, the site has been running on Microsoft Internet Information Server (IIS) complemented by F5 BIG-IP technology. F5 is a leading vendor in what is known as the Application Delivery Controller (ADC) market, a category sometimes referred to as load balancer technology. With an ADC, traffic is balanced across multiple server resources to provide service to users. In recent years, F5 has been updating its technology to have a strong security focus, and it includes the ability to serve as a firewall.
F5 declined to comment specifically to eWEEK about the security of any of its customers. As such, it’s not known exactly how and where the F5 technology is in place. That said, the F5 technology is an on-premises based approach and, while it can be a significant part of an organization’s DDoS defenses, other parts are still needed, especially when it comes to bandwidth.
That’s where the next piece of the Netcraft data yields some very interesting insight. For reverse DNS, Netcraft reports that Ancestry.com is now using Prolexic. Prolexic is interesting because it is a DDoS technology vendor that was recently acquired by Akamai, which is a Content Delivery Network (CDN). The two technologies now can work together to provide robust security against large DDoS attacks.
Ancestry.com Is Latest Victim of DDoS Attack: Who’s Next?
Although I’m not 100 percent certain (and Akamai declined to comment to eWEEK on any specific customers it may have), I suspect that the Akamai/Prolexic technology is now in place as a key part of the technology protecting Ancestry.com against any ongoing DDoS attacks.
In modern DDoS attacks, the biggest challenge is bandwidth: the attack volume is typically more than any single Website can handle on its own. What a provider like Akamai delivers is massive bandwidth and the ability to absorb and mitigate the traffic floods.
Motivation
The other piece of the puzzle in the Ancestry.com attack is motivation. Why would anyone bother to attack the site in the first place?
On June 11, feed reading service Feedly was hit by a DDoS attack that was motivated by a specific purpose—money. In the Feedly incident, the hackers specifically were trying to extort money from the site in order to stop the DDoS. At this point in the Ancestry.com DDoS, there is no indication that any attempt to extort money is involved.
Another typical motivation for DDoS is to use the attack as a cover for a data breach attack that aims to gain access to financial and user information. In a blog post, Ancestry.com CTO Scott Sorensen specifically noted that user data was not compromised by the attack.
Then again, sometimes attackers execute DDoS just because they can.
For end users, there is little they can do when a DDoS attack impacts a site, other than wait while the site turns up the bandwidth and partners with a security vendor, as likely occurred in the case of Ancestry.com. The other thing end users should always be doing is staying vigilant with regard to their personal and financial information. Although there is no indication that any data was lost or compromised as a result of the Ancestry.com attack, there is no harm in resetting passwords as a good best practice.
Unfortunately, the scourge that is DDoS is not going away and likely will only intensify in 2014. Thankfully, though, there are technology solutions and vendors in the market that can help those under attack, and those at risk, respond to and repel attacks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.