As traffic to retail web sites peaked on the Friday after Thanksgiving and again on the following Monday, five retailers thwarted distributed denial of service attacks that could have cost them an estimated $15 million in aggregate, Akamai Technologies Inc. says. Distributed denial of service, or DDOS, attacks occur when perpetrators send a huge volume of traffic to web sites in an effort to overwhelm their infrastructure and prevent legitimate shoppers from accessing the sites.
Akamai, a provider of web content delivery network services, says the majority of the attack traffic against the five retailers came from IP addresses in Thailand, Mexico, the Philippines and Brazil. The traffic reached peaks of up to 14 gigabytes per second, or Gbps. Some web sites experienced up to 10,000 times their normal daily traffic, Akamai adds.
“These attacks were clearly deliberate and aimed to hit retailers when it hurts the most,” said Pedro Santos, Akamai’s chief strategist for commerce. “Additionally, it is one of the few times we have seen a coordinated attack across multiple independent retailers.”
Ted Julian, principal analyst at research and advisory firm Yankee Group, says such cyber attacks against merchants are becoming more common.
“Hackers are increasingly targeting merchants with sophisticated attacks that are often motivated by financial gain, competitive motivations, or political objectives,” he says. “The attacks are particularly detrimental for e-retailers, since every minute a site is down can mean thousands of dollars in lost revenue.”
Julian and other experts say it’s often impossible to identify the source of such attacks, which typically use botnet software that use networks of huge numbers of “zombie” computers to send traffic volume to targeted web sites. He adds, however, that the originators of such attacks can range from competitors seeking to shut down other businesses or activists seeking to stop particular practices, such as the sale of animal furs.
Akamai, which operates more than 77,000 web servers across 1,000 networks in 70 countries, says its Internet security infrastructure enabled the five attacked retailers to withstand the DDOS attacks without experiencing any site outages. Akamai declined to identify the retailers, but said they were all within the top 250 online retailers as ranked by the Internet Retailer Top 500 Guide, though outside of the top 10.
Julian notes that it can be virtually impossible for retailers to guard against DDOS attacks without help from an outside network technology partner, including major Internet service providers like AT&T and Comcast and content delivery networks, who can block malicious traffic or simply absorb it into a broad network. In Akamai’s case, he says, its global network of Internet servers enables it, in many cases, to absorb huge surges in traffic without overwhelming its clients’ sites.
Michael Cucchi, senior product marketing manager for Akamai, says the five retailers helped by Akamai experienced traffic volumes that were up to 9,000 times their normal traffic volume. But some attacks can be even much larger, he adds, in which case Akamai will use a set of network protection technology and procedures to prevent malicious traffic from reaching a client’s servers and applications.
Using data from the Akamai Net Usage Index for Retail, which is based on data compiled from more than 270 e-commerce sites, Akamai says that global retail web traffic peaked over the Thanksgiving weekend at 1.34 million page views per minute at close to noon Eastern time on Black Friday, the day after Thanksgiving, up about 74% from the Friday two weeks earlier.
On Thanksgiving Day, the index found that global page views per minute peaked at 1.16 million. And the following Monday, which is known as Cyber Monday, global per views per minute peaked at 1.33 million at about 1 p.m. Eastern time, including about 1.07 million originating from North America. Page views originating in North America sustained high levels on Cyber Monday throughout the afternoon, reaching 1.16 million by 9 p.m., Akamai says.