Information Regarding Recent UK Denial of Service Attacks
We want to provide you with an update on the recent increase in DDoS attacks that are targeting UK hosting providers and inform you of the solutions we are putting in place. There has been a spate of significant, organised attacks in the past few weeks, and we know that multiple clients have been affected by them.
What is a DDoS attack?
A DDoS (distributed denial of service) attack is a method of sending a very large number of packets towards a target server from a huge number of sources. The number of machines used to send these packets and the size of the packets themselves determine the scale of the attack.
An attack typically involves hundreds of thousands of different machines sending these packets, which would be impossible to block individually using traditional access control lists.
The origin of the attack is impossible to trace, so the attackers themselves remain anonymous unless they claim responsibility for the attacks.
How is it possible to generate a DDoS attack?
There are various methods available to attackers. Some control large botnets, built from insecure servers they have found on the internet, and use those to send packets towards a target server. Others spoof the target's IP address as the source of false requests sent to other servers, so that the responses are delivered to the target, and these responses are often amplified along the network chain.
Due to the increasing number of compromised servers on the internet, as well as these tools becoming more accessible to the public, it is becoming very easy for individuals to perform such an attack.
Why is Ecommerce Sussex LTD affected?
Our network provider owns their network from end to end, starting from our core routers in multiple London docklands locations that then send traffic to our UK datacentres over our privately owned fibre links.
The core routers receive transit from multiple global network providers, which we refer to as 'upstream providers'. We peer extensively with LINX for UK traffic and then use other global transit providers to receive traffic that comes from outside of the UK. All the traffic is received into our core and then sent out to its destination within our network over our own, private fibres.
When an attack occurs, our upstream providers can become saturated beyond their capacity, which prevents traffic from entering our network from those providers. Once traffic is in our network, it is sent to the datacentres over our fibres, which carry a mix of UK and non-UK traffic. As the volume of non-UK traffic spikes heavily, it causes interruption to UK traffic as well.
This congestion both entering the network and then being sent across the network can cause packet loss. Some packets are lost before they enter our network, and non-UK traffic is more affected as a result.
Currently, the only interruption occurs when the attacks are so significant that they manage to cause congestion on our network - hundreds of smaller attacks happen constantly but, due to the size of our network, have no effect on clients' services. Unfortunately these significant attacks are becoming more frequent, and we are aware of some smaller network providers being forced out of business as a result.
What is the solution?
There is both a short term and long term solution to minimise interruption to services for our clients from these large attacks.
The short term solution is to identify any spikes in traffic coming towards our network and null-route the traffic before it arrives at our core routers. This has been achieved by having our development team write a tool that recognises the kind of erroneous traffic a DDoS attack contains and identifies the target IP near-instantaneously. We then null-route within our network instantly, and are working more closely with upstream providers to request that they null-route traffic for the target IP before it reaches our cores.
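To illustrate the kind of detection the short term solution describes, here is an added example of a volumetric-flood target detector that ends in a null-route recommendation. This is illustrative code written for this page, not Ecommerce Sussex LTD's tool or its network provider's. It assumes per-flow records (destination IP, protocol, source port, bytes, packets, timestamp) of the sort an sFlow/NetFlow-style collector exports; the flow records, the per-IP baseline and the thresholds below are constructed, and the `Flow`, `find_targets` and `null_route_commands` names are the example's own. Two defender-side checks are built in: a destination is only flagged after the excess persists across consecutive windows (so one legitimate burst is not null-routed), and unsolicited UDP traffic from well-known amplifier ports is reported separately as a reflection flood.

```python
"""Toy DDoS target detector with null-route output (added example, not the provider's tool)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports commonly seen in reflection/amplification floods.
# Unsolicited, high-volume responses from these services are a strong signal.
AMPLIFIER_SRC_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
DEFAULT_BASELINE_BPS = 1_000_000  # hypothetical normal ingress per customer IP (1 Mbit/s)


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    dst: str         # destination IP inside our network
    proto: str       # "udp", "tcp" or "icmp"
    src_port: int    # 0 when not applicable
    byte_count: int
    packets: int


def bucket_by_dst(flows, window_s):
    """Aggregate flows into fixed windows: {window: {dst: [bytes, packets, amplifier_bytes]}}."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for f in flows:
        b = buckets[f.ts // window_s][f.dst]
        b[0] += f.byte_count
        b[1] += f.packets
        if f.proto == "udp" and f.src_port in AMPLIFIER_SRC_PORTS:
            b[2] += f.byte_count
    return buckets


def find_targets(flows, baseline_bps, window_s=10, mult=20, sustained_windows=2):
    """Return {dst: reason} for destinations whose ingress rate exceeds mult x baseline
    for `sustained_windows` consecutive windows. Requiring a sustained excess keeps a
    single legitimate burst (a backup run, a flash crowd) from being null-routed."""
    buckets = bucket_by_dst(flows, window_s)
    streak = defaultdict(int)
    targets = {}
    for w in sorted(buckets):
        hot = set()
        for dst, (byt, _pkts, amp) in buckets[w].items():
            bps = byt * 8 / window_s
            if bps <= mult * baseline_bps.get(dst, DEFAULT_BASELINE_BPS):
                continue
            hot.add(dst)
            streak[dst] += 1
            if streak[dst] >= sustained_windows and dst not in targets:
                if amp / byt > 0.5:
                    targets[dst] = f"udp amplification flood, {bps / 1e6:.0f} Mbit/s"
                else:
                    targets[dst] = f"volumetric flood, {bps / 1e6:.0f} Mbit/s"
        for dst in streak:          # reset the streak of anything that cooled down
            if dst not in hot:
                streak[dst] = 0
    return targets


def null_route_commands(targets):
    """Linux iproute2 blackhole routes for each flagged /32. At a core router the
    equivalent step would be an RTBH announcement towards the upstreams (not shown)."""
    return [f"ip route add blackhole {dst}/32" for dst in sorted(targets)]


# Constructed sample data: five 10-second windows of traffic to two customer IPs.
SAMPLE_FLOWS = [
    # normal HTTPS traffic to both IPs in every window
    *[Flow(t, "203.0.113.10", "tcp", 51234, 100_000, 120) for t in (90, 100, 110, 120, 130)],
    *[Flow(t, "203.0.113.20", "tcp", 40211, 80_000, 100) for t in (90, 100, 110, 120, 130)],
    # sustained NTP-reflection flood at .10 across three consecutive windows
    *[Flow(t, "203.0.113.10", "udp", 123, 50_000_000, 40_000) for t in (100, 110, 120)],
    # a single-window burst at .20 that must NOT be null-routed
    Flow(110, "203.0.113.20", "udp", 53, 30_000_000, 25_000),
]

if __name__ == "__main__":
    found = find_targets(SAMPLE_FLOWS, baseline_bps={})
    for dst, why in found.items():
        print(f"{dst}: {why}")
    print("\n".join(null_route_commands(found)))
```

Run as a script it flags only 203.0.113.10 (the three-window NTP flood) and emits one blackhole route; the one-window burst at 203.0.113.20 never reaches the sustained threshold. Note the trade-off the page itself implies: a null route completes the denial of service for the targeted IP in order to keep the rest of the network reachable, which is why the text treats it as the short term measure and capacity plus in-network filtering as the long term one.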
The longer term solution will be to vastly increase capacity into our network, so that all traffic sent to our network is received without the need for upstreams to null-route traffic to targeted IPs and so that we are not relying on any third parties to react. We will then filter the traffic multiple times within our network, using a variety of tools, before we send the 'clean' traffic on to our datacentres and our clients.
This longer term project has been ongoing for a number of months, but with the constant increases in the size of DDoS attacks and the new methods being used to generate them, we are having to continually re-evaluate the solution required in order to be effective at mitigating DDoS attacks.
When will the solutions be implemented?
We have a target implementation date for the short term solution of the 24th of February.
The longer term solution is also in progress. Multiple hardware appliances have already been purchased and the capacity of the upstream providers has been increased. The project requires a multi-million pound investment in hardware, as well as a significant increase in transit capacity. Neither is easily achievable in short timescales. We expect this to have a 6 month implementation programme.
We would like to take this opportunity to thank you for your patience during the past couple of weeks and to apologise for the intermittent interruptions to service. Please be assured that a high quality, stable service is our highest priority for our clients.
Ecommerce Sussex LTD