LiveJournal is a social-media blogging site that attracts millions of users each month from across the globe, especially the U.S. and Russia. Owned by Moscow-based SUP Media, its website is hosted in a Montana data center, and according to Tim Turner, the firm's London-based CIO, LiveJournal regularly faces massive distributed denial-of-service (DDoS) attacks.
DDoS attacks "have grown in size and complexity in the last three years," says Turner, noting that every couple of months, an attacker exploiting DDoS botnets will try to blitz LiveJournal with gigabits of malicious traffic. Here are his tips about responding:
#1: It's critical to recognize early that an attack is occurring. The attack traffic starts to crowd out the legitimate traffic and you want to keep to a bare minimum any "collateral damage" that prevents the user population from reaching your website, says Turner.
LiveJournal makes use of monitoring of the global Internet that indicates changes in traffic. It's a good idea to have anti-DDoS equipment or an anti-DDoS provider to turn to when trouble hits. But the relationship with a DDoS provider must be based on the idea of a partnership, he says. "When something happens on the website, we'll make the decision" to engage the anti-DDoS provider, Turner says. He notes he hasn't managed to automate the entire anti-DDoS process, though perhaps others have.
#2: Make sure your anti-DDoS provider shares data with you. Sometimes it's frustrating when anti-DDoS providers are "secretive with the data they have," Turner says. Some will not share botnet source addresses for example, or other data that might profile the attacker. When an attack starts, there will have to be decisions made about blocking IP addresses. The prevalence of network-address translation technology means there could be 20,000 people behind a single IP address. "You've got to get users to your website," says Turner, even as the DDoS attack escalates. Turner currently uses the service from Defense.Net in part because there's good data-sharing, he says. LiveJournal will re-direct traffic through Defense.Net for protection when a DDoS attack begins.
#3: Understand the type of DDoS attack that's coming. DDoS attacks vary in scope, some can be 5Gbps or even 30Gbps, plus some are application-specific, or make use of SYN floods, UDP floods and other techniques. The "blended ones" that combine attack techniques are among the hardest to combat, says Turner.
#4: Be clear about pricing with your anti-DDoS provider. Some providers are charging their customers based on "clean pipes," while "other providers want to charge for dirty traffic," Turner says. He adds that cheaper may not be the better deal if the anti-DDoS provider can't really filter out the attack traffic.
Sign up for CIO Asia eNewsletters.