It’s 11am, you’ve just arrived at the annual Christmas family gathering, and suddenly you notice your pocket furiously vibrating. “What the?”, you think as you pull out your phone to see 5 simultaneously missed calls from all of your clients. “Why are they bothering me on Christmas??!” As you investigate deeper, you realize all of your clients’ sites are down. Ouch. Off to the data center you go. Christmas ruined. This might have been you, or maybe it was the owner of the small hosting company you hired to host dedicated servers for your startup, or maybe it was one of many owners of small hosting companies around the world. This is a scenario likely to occur more and more frequently as the unsavory element of the internet gets better and better at initiating chaos via DDOS attacks.
Bigger and Badder
One of the more famous DDOS attacks happened in March of 2013, when the spam-fighting Spamhaus was attacked at a record breaking (at the time) 300 Gb/s. This attack lasted for over a week, causing slowdowns for many internet users. The story of this attack is that it was caused by a dispute between Spamhaus and Cyberbunker. Spamhaus blacklisted Cyberbunker, a hosting company, as a home for spammers, and paid the price. Of course, there is no proof who actually initiated the DDOS attacks, but this sort of digital vengeance isn’t as uncommon as most of us would like it to be.
Every time we hear about a record breaking DDOS attack, it’s always bigger than the last record breaker. In January, a group that calls itself New World Hacking claimed to have initiated a 602Gb/s DDOS attack on the BBC and on Donald Trump’s campaign website. If true, this is the biggest DDOS to date, and probably won’t hold the record for long. The one-upmanship between attackers grows; meanwhile, hosting companies are left with a mess to clean up once the attacks are over. For example, take Linode’s case. Their Atlanta facility was attacked early this year and caused a storm of client dissatisfaction. You can read the Reddit thread here. The comments range from criticism of Linode’s handling of the situation, to rattling off stats about how much money they lost due to the attacks, all the way to what cloud provider they were migrating their servers to because they’d had enough. No one tolerates any amount of downtime anymore, and when it happens back to back in a 36 hour window, customers get emotional, and rightfully so. Many businesses are at risk during an outage. Money is lost. Potential customer acquisition is lost. It’s a mess. This was a learning experience for Linode…an expensive one.
Linode is by no means a small hosting company, but in the wake of the DDOS, even with their loyal following, customers reconsidering their hosting options affects Linode’s reputation and their bottom line. The sad part is, Linode is not alone in this. Many hosting companies are vulnerable to DDOS attacks, and those attacks are damaging. The destruction is amplified when they are aimed at smaller hosting companies. If a company as large as Linode faced client churn during a DDOS attack, imagine what would happen to a company with only a handful of clients. A company whose clientele are their livelihood. A large enough DDOS attack could wipe their business out in one fell swoop.
Fleeing to the Big Guys
When customers of hosting companies suffer outages that, in their minds, are unacceptable, they decide that even though they are saving money using this smaller hosting company, the fact that they aren’t protected from DDOS attack outages far outweighs anything they’ve saved. So what do they do? In an attack like Linode’s, these unhappy customers will likely move to one of the bigger clouds, but are they really safer and free of DDOS attacks? Well, yes and no. The biggest concern for a customer, with regards to DDOS attacks, is whether their services will still be up, even if another customer on the network is being attacked. If your services sit on a hosting company with only a 20Gb inbound connection, then a DDOS attack to the network big enough to saturate that full 20Gb pipe will take you out no matter which customer it’s aimed at. This problem exists to a much lesser degree on larger clouds, but it does exist. If a customer’s VM or cluster is being attacked, it’s usually taken offline, and traffic is filtered to make sure it doesn’t affect other customers’ VMs. Because larger clouds have big bandwidth pipes, they can absorb most DDOS attacks. Can they absorb a 602Gb/s attack? This remains to be seen, but I doubt it’s highly publicized if they can.
Keeping The Little Guy in The Game
Could DDOS attacks really shut down business for the smaller hosting companies? Absolutely. In fact, a new industry has been formed around the problem of mitigating DDOS attacks, to prevent just this. The most well known company to offer these services is Cloudflare. They were the company contacted to help Spamhaus deal with the infamous DDOS attack aimed at their service. They even wrote a blog post about it detailing the whole ordeal. This is usually how it goes. A company is attacked, they reach a point of desperation, and they hire an expert. These services are not cheap either. Thankfully though, Cloudflare is not the only one of these to exist. Many DDOS mitigation services have cropped up out of necessity. You have the big ones and you have the small ones. Some are so small that they service single data centers, and are not widely known unless your business lives in said data center.
How Can We Help?
We all know DDOS attacks aren’t going anywhere anytime soon, and the pattern suggests they will not only be more frequent, but also more powerful. Even though the option to protect the small hosting company exists, it’s quite expensive to employ one of these companies to protect a network. This, though, is a new cost of business that must be considered, or the risk of losing everything still lingers. We as consumers don’t want our small hosting companies to go away. So what can we do to help? We can start by making sure we (or our system and network administrators) are locking down services like DNS and NTP so they can’t be used in any amplification or reflection DDOS attacks (not easy, I know). This also goes for locking down web servers, or servers of any kind, to make sure malicious hackers can’t add them to their botnets. Attackers will always find new vulnerabilities in ubiquitous services, but implementing good security practices can help to make sure our own servers aren’t being used in a DDOS attack. Another thing we can do is help to distribute the cost of DDOS mitigation services by subscribing to a smaller subset of them for our own websites and applications. While most of these services are not readily available to the average consumer, companies like Cloudflare have made it affordable for you or me to mitigate our own DDOS traffic, should we ever attract it. This sort of effort can contribute to keeping the inbound pipes of our favorite smaller, alternative hosting services free of DDOS traffic.
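As an added example (not part of the original post), here is one way to check your own servers for the two settings that most often turn DNS and NTP hosts into reflectors. It assumes classic ntpd `ntp.conf` and BIND `named.conf` syntax; the sample configs and the finding codes are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not taken from any real host).
NTP_OPEN = "server 0.pool.ntp.org iburst\nrestrict 127.0.0.1\n"
NTP_HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor   # turns off the client list that 'monlist' returns
server 0.pool.ntp.org iburst
"""
NAMED_OPEN = 'options { recursion yes; allow-recursion { any; }; };'
NAMED_HARDENED = 'options { directory "/var/named"; recursion no; };  // authoritative only'

def strip_comments(text):
    """Drop '#' and '//' comments (block comments are not handled)."""
    return "\n".join(re.split(r"#|//", line)[0] for line in text.splitlines())

def audit_ntp(text):
    """Return finding codes for an ntp.conf that answers status/monlist queries."""
    lines = [l.split() for l in strip_comments(text).splitlines() if l.split()]
    defaults = [t for t in lines if t[0] == "restrict" and "default" in t[1:3]]
    findings = []
    if not defaults:
        findings.append("ntp-no-default-restrict")
    elif any(not {"noquery", "ignore"} & set(t) for t in defaults):
        findings.append("ntp-default-allows-query")
    if not any(t[0] == "disable" and "monitor" in t for t in lines):
        findings.append("ntp-monitor-enabled")
    return findings

def audit_named(text):
    """Return finding codes for a named.conf that recurses for arbitrary clients."""
    t = strip_comments(text)
    if re.search(r"\brecursion\s+no\s*;", t):
        return []
    acl = re.search(r"allow-recursion\s*\{([^}]*)\}", t)
    if acl is None:
        return ["dns-recursion-no-explicit-acl"]  # relies on the version's default ACL
    entries = {e.strip() for e in acl.group(1).split(";") if e.strip()}
    return ["dns-open-recursion"] if entries & {"any", "0.0.0.0/0"} else []

if __name__ == "__main__":
    for name, fn, cfg in [("ntp/open", audit_ntp, NTP_OPEN), ("ntp/hardened", audit_ntp, NTP_HARDENED),
                          ("dns/open", audit_named, NAMED_OPEN), ("dns/hardened", audit_named, NAMED_HARDENED)]:
        print(f"{name}: {fn(cfg) or 'ok'}")
```

An empty list means the file passed these two checks only; it says nothing about rate limiting, firewalling, or software version.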
Many of us may not care that the small hosting company can be pushed out of existence. In many minds, the hosting business is already dead. We like our big boy cloud providers. We set our services up and hardly notice a DDOS, should it happen. While this is certainly an ok attitude, I for one would still like to see the smaller companies survive. Competition and options are good for the industry, and I would hate to see it diminish at the whims of another DDOS attack.