Five tips from a CIO on dealing with massive DDoS attacks

LiveJournal is a social-media blogging site that attracts millions of users each month from across the globe, especially the U.S. and Russia. Owned by Moscow-based SUP Media, its website is hosted in a Montana data center, and according to Tim Turner, the firm's London-based CIO, LiveJournal regularly faces massive distributed denial-of-service (DDoS) attacks.

DDoS attacks "have grown in size and complexity in the last three years," says Turner, noting that every couple of months, an attacker exploiting DDoS botnets will try to blitz LiveJournal with gigabits of malicious traffic. Here are his tips about responding:

#1: It's critical to recognize early that an attack is occurring. The attack traffic starts to crowd out the legitimate traffic and you want to keep to a bare minimum any "collateral damage" that prevents the user population from reaching your website, says Turner.


LiveJournal uses monitoring of global Internet traffic that flags changes in traffic patterns. It's a good idea to have anti-DDoS equipment or an anti-DDoS provider to turn to when trouble hits, but the relationship with a DDoS provider must be based on the idea of a partnership, he says. "When something happens on the website, we'll make the decision" to engage the anti-DDoS provider, Turner says. He notes he hasn't managed to automate the entire anti-DDoS process, though perhaps others have.

#2: Make sure your anti-DDoS provider shares data with you. Sometimes it's frustrating when anti-DDoS providers are "secretive with the data they have," Turner says. Some will not share botnet source addresses for example, or other data that might profile the attacker. When an attack starts, there will have to be decisions made about blocking IP addresses. The prevalence of network-address translation technology means there could be 20,000 people behind a single IP address. "You've got to get users to your website," says Turner, even as the DDoS attack escalates. Turner currently uses the service from Defense.Net in part because there's good data-sharing, he says. LiveJournal will re-direct traffic through Defense.Net for protection when a DDoS attack begins.

#3: Understand the type of DDoS attack that's coming. DDoS attacks vary in scope: some can be 5Gbps or even 30Gbps, some are application-specific, and others make use of SYN floods, UDP floods and other techniques. The "blended ones" that combine attack techniques are among the hardest to combat, says Turner.
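The first three tips describe a detection workflow: notice the surge early, work out which attack vectors are in play, and decide per source whether blocking is safe when a NAT gateway may hide thousands of legitimate users. The script below is an added illustration of that workflow and is not code from the article or from LiveJournal. It assumes a simplified flow-record shape (the `Flow` class defined here), a fixed baseline packet rate, and constructed sample traffic in documentation address ranges; the thresholds (5x baseline, 25% share per vector, 20% legitimate-looking share to flag a possible NAT) are illustrative choices, not values from the article.

```python
"""Added example: surge detection, attack-mix classification and NAT-aware
source ranking over constructed flow records. Not from the original article."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str       # source address (constructed, documentation ranges)
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags, e.g. "S" for a bare SYN; "" for UDP
    dport: int
    size: int      # bytes
    layer7: str    # "http" when a complete request was observed, else ""


def surge_detected(flows, baseline_pps, window_s, factor=5.0):
    """Tip 1: flag the window when packets/s reaches factor x the baseline."""
    pps = len(flows) / window_s
    return pps >= factor * baseline_pps, pps


def classify(flows):
    """Tip 3: bucket flows by vector and label the mix; 'blended' when two or
    more vectors each carry at least 25% of the packets (illustrative cutoff)."""
    if not flows:
        return "none", {}
    buckets = Counter()
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            buckets["syn"] += 1
        elif f.proto == "udp":
            buckets["udp"] += 1
        elif f.layer7 == "http":
            buckets["http"] += 1
        else:
            buckets["other"] += 1
    shares = {k: v / len(flows) for k, v in buckets.items()}
    vectors = sorted(k for k, s in shares.items() if k != "other" and s >= 0.25)
    if len(vectors) >= 2:
        return "blended:" + "+".join(vectors), shares
    if vectors:
        return vectors[0] + "_flood", shares
    return "unclassified", shares


def rank_sources(flows, top=3, legit_share=0.2):
    """Tip 2: rank sources by volume. A heavy source whose flows include a
    meaningful share of real sessions (completed HTTP requests or ACK-bearing
    TCP) may be a NAT gateway with many users behind it, so the suggested
    action is rate-limiting rather than a blanket block."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    ranked = sorted(by_src.items(), key=lambda kv: -len(kv[1]))[:top]
    result = []
    for src, fl in ranked:
        legit = sum(1 for f in fl if f.layer7 == "http" or "A" in f.flags)
        share = legit / len(fl)
        action = "rate-limit (possible NAT)" if share >= legit_share else "block"
        result.append((src, len(fl), round(share, 2), action))
    return result


def build_sample():
    """Constructed flow records: one 10-second window of a blended attack."""
    t = 1_700_000_000
    flows = []
    # six bots sending bare SYNs to 443 (constructed, 203.0.113.0/24)
    for i in range(1, 7):
        flows += [Flow(t + k % 10, f"203.0.113.{i}", "tcp", "S", 443, 60, "") for k in range(600)]
    # four sources flooding UDP/53 with large payloads (constructed, 198.51.100.0/24)
    for i in range(1, 5):
        flows += [Flow(t + k % 10, f"198.51.100.{i}", "udp", "", 53, 1400, "") for k in range(500)]
    # one constructed NAT gateway: infected hosts behind it emit SYNs while
    # other users behind the same address complete ordinary HTTP requests
    nat = "192.0.2.10"
    flows += [Flow(t + k % 10, nat, "tcp", "S", 443, 60, "") for k in range(480)]
    flows += [Flow(t + k % 10, nat, "tcp", "PA", 443, 900, "http") for k in range(320)]
    # fifty ordinary users, one request each (constructed)
    flows += [Flow(t + k % 10, f"192.0.2.{100 + k}", "tcp", "PA", 443, 900, "http") for k in range(50)]
    return flows


if __name__ == "__main__":
    sample = build_sample()
    hit, pps = surge_detected(sample, baseline_pps=100, window_s=10)
    print(f"surge={hit} pps={pps:.0f}")
    label, shares = classify(sample)
    print("mix:", label, {k: f"{v:.0%}" for k, v in shares.items()})
    for row in rank_sources(sample):
        print("source:", row)
```

The NAT heuristic deliberately errs toward rate-limiting: in the sample the gateway is the single largest source, yet blocking it outright would cut off every user behind it, which is exactly the collateral damage the article warns about. In practice the baseline should come from the site's own historical traffic rather than a constant, and the share thresholds tuned against past incidents.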

#4: Be clear about pricing with your anti-DDoS provider. Some providers are charging their customers based on "clean pipes," while "other providers want to charge for dirty traffic," Turner says. He adds that cheaper may not be the better deal if the anti-DDoS provider can't really filter out the attack traffic.

#5: Motivations for DDoS attacks are many. They can include extortion by demanding money to turn off the DDoS attack stream; simple rage over someone's expressed opinion; and even oddball episodes where someone will DDoS you as part of begging for a job. DDoS attackers love to strike when there are holidays and they think there are fewer IT staff to protect websites. Since November, "we've been hit four or five times, such as Christmas and New Year's," says Turner. "They want to catch you unaware." He thinks it's rare that DDoS attackers are ever apprehended. More information sharing among online businesses about DDoS attacks is needed, Turner says. Some industries, such as online gaming, have set up their own community groups to discreetly share the experiences they have had in combating DDoS attacks.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
