Friday, March 16, 2012

Using DDOS Attacks to Boost Search Engine Rankings

 A few weeks ago we had a client attacked for the purpose of taking the site offline.  This was most likely done by a competitive company who wanted to usurp their search engine rankings.  The attack was done by computers in countries that have no laws prohibiting DDOS such as Ukraine, Vietnam, and China.   Speaking with the person who does DDOS mitigation for our ISP we learned this is actually fairly common.  Hopefully this was a one time attack, and they won't make a habit of it.


For anybody who is interested in how the whole episode unfolded - here are the details:

We had a client (beautystoredepot.com) attacked this weekend by a Distributed Denial of Service attack. The first DDOS was an asymmertric HTTP attack and went on for over 48 hours from Sunday at around 6am until Tuesday around 10am, we had it mitigated by around 11am PST on Sunday.   Then Tuesday at 2am we experienced a full blown DOS attack where they generated more than our 225mbps bandwidth cap and effectively prevented any traffic from reaching us, our upstream provider fixed this by inserting a null route for the IP address to beautystoredepot -- and they were down until the attack was over, or until we could figure out how to filter it. 

BeautyStoreDepot sells beauty supplies out of their warehouse in Texas. In this case there were no threats or ransom.  The site is not politically affiliated.  They had no irate customers. What they do have is excellent Search engine ranking -- and at this point we believe the purpose of the attack was to take them offline and hurt their search engine rankings. 

Google is very concerned with shopper experience, and it punishes sites which go offline or are slow, and takes them off the first page results. 

A bit of research (aka Google: SEO DDOS) shows that there was a 1000% increase in DDOS attacks since last year, and that according to a recent report 7% of all attacks are done by competitors.  A short conversation with our upstream provider DDOS response contact confirms that DDOS attacks against SMBs are becoming more and more common, especially during peak buying holidays. 

In this case 100% of the servers conducting the attack were out of the United States and in countries like China, Ukraine, Vietnam -- all places that have zero laws against making "excessive requests" to take down a server, especially one in the USA.  The local police in Texas had no idea and referred BeautyStoreDepot to the FBI, who merely will compile statistics and not take any action. 

In the first attack - Zoovy chose to keep our client online - by dedicating 10 servers, each capable of 250 requests per second, and employed sophisticated traffic modelling to identify the requests and return HTTP 403 (unauthorized) responses.  In the second attack (a flood of spoofed UDP packets that maxed out our pipe @ 225mbps) we took beautystoredepot.com offline and waited a few hours, then changed the DNS to point at CloudFlare.com and directed the attack at them.  At 12:25am on 2/15/12 the original asymmetric HTTP attack resumed, this time pointed at CloudFlare which replayed the attack to us. We went ahead and took the original block list we had compiled from the first attack and used CloudFlare's Threat Captcha response to filter out the likely candidates while we reconfigured our servers to work better with CloudFlare's (the site never went down), by 1:30am we had successfully mitigated the attack which continued until 8am, then stopped for 2 hours until 10am .. it's now 11am and I'm writing this blog post.

This identifies how different providers will handle this, and it's an interesting thing to re-consider in a hosting contract -- i.e.: is  traffic/bandwidth really unlimited?  Is the hosting infrastructure on a cloud that can handle that type of attack and can adapt to different kinds of attacks?  The Internet is littered with stories of this happening in the past year and they are probably going to be more and more common in the future.

This new trend is alarming because it shows that even if a company does everything right and gets #1 in the ranking -- it's much cheaper for a competitor to hire some bad guys to take a website offline than try and beat them fair and square.  The competitor may not even hire the bad guys directly, a hungry SEO company employed by a competitor needs to deliver results - by any means necessary.  It could also be a bad guy looking to move counterfeit goods, and to do that it's important to find new customers -- and the easiest way to "find" new customers is to take them from existing businesses. Criminal enterprises really sprung up on marketplaces like eBay where they could move counterfeit goods with relative anonymity.
But in the past few years Marketplaces like eBay (Paypal) and Amazon have gotten good at filtering out criminal enterprises leaving only the Google/SERPs as the only location for these criminals to peddle their wares.  The competition on the SERPs is as fierce as it's ever been, because consumers are leaving Google for the more "app" centric Internet on mobile and tablets.  ECommerce numbers are reported in aggregate - so it's hard because while the e-commerce pie itself is still growing rapidly, the portion of the pie originating from SEO and CPC is actually shrinking. These criminal enterprises need to maintain their revenue by any means necessary.

The interesting part is by poisoning the SERPs by taking legitimate businesses offline, this will only accelerate the adoption of marketplaces by consumers. Criminal enterprises still need to make payroll, their operators still have house and car payments just like everybody else. I won't say what BeautyStoreDepot.com does in sales, but lets say - that the business dynamics of stealing legitimate business --- especially if the bad guys don't actually plan to ship any product, or will ship counterfeit products in its place -- it's good, easy, cheap money. Another interesting impact of attacking well ranked SMBs is that they don't do enough in sales to warrant immediate action by law enforcement across the world. Now we've already seen counterfeit cisco router boards ending up in Cisco's own distribution channels - the idea that somebody in China could knock off Shampoo, Makeup and/or other beauty products is very real.


No comments: