It happens to the best of us—websites can experience slow response times or an outage for a number of reasons that are out of your control. Criminals try to penetrate your security perimeter to steal your users’ private data and credit card information. Hacktivists with an opposing view attempt to take your website offline simply because they disagree. Or, a bored teenager on the other side of the world decides to take your website down with a DDoS attack simply because he can.
DDoS Attacks: What Are They?
Recently,in a webinar “How to Respond to Site Outages”, Incapsula discussed the different types of security incidents, ranging from comments and SEO spam to fraud or security breaches.
“There are a number of different types of security incidents that a company has to protect itself against,” says Nabeel Saeed, Product Marketing Manager at Incapsula. “There is one in particular that can prove to be a menace to online businesses because it’s the only one that can knock a website down. That is the DDoS attack.”
According to Imperva Incapsula’s Q2 2015 Global DDoS Threat Landscape Report, the largest attack recorded during that study period peaked at 253 Gbps and the longest lasted over 64 days. What’s more, these assaults don’t require technical expertise to launch. Instead, there is a mercenary services marketplace that lets anyone hire botnets to perform malicious attacks for very little money. In fact, Incapsula’s report reveals that the average subscription fee for hiring DDoSers is around $38 per hour.
Interestingly, the study also found that over 75 percent of all online web businesses have experienced multiple web outages.
“If you’ve been attacked once, chances are you’re going to get hit again,” says Saeed.
The Common DDoS Attack
These days, website outages and DDoS attacks are a common front page news story, with many sites getting hit by some form of cyber assault. And according to a 2015 Verizon breach report, DDoS attacks have risen over 42 percent in the last few years.
“They can mimic the behavior of legitimate users and therefore are not detectable by traditional defense methods,” says Saeed.
One of the better-known outages in recent months occurred in December 2014 and involved XBox Live and PlayStation Network. Launched by notorious hackers—the Lizard Squad—this multi-vector DDoS attack took down these entire systems and denied service to nearly 150 million combined users during the pivotal, high-traffic holiday season.
Most recently, developer social site GitHub was taken down for more than five days during the largest attack in that site’s history. The perpetrator was linked to the massive censorship apparatus known as the Great Firewall of China, an extension of the Chinese government.
“The attack was multi-vector in nature, targeting both application and network layers. And it crippled GitHub’s entire infrastructure,” says Saeed.
These types of attacks illustrate that no matter how big or protected you think your website is, no one is safe from a DDoS attack.
How to Build a Communication Plan for Attack Outages
Prepare Your Team
If and when your website goes down, the first rule is not to panic. Instead, take these helpful tips from Steve Klein, co-founder of StatusPage.io, regarding how best to prepare and build a communication plan when your site is down.
- Step 1: Define what constitutes an incident:
- Is it an incident if your website is down for one minute, or for several hours?
- Is a section of your website down, or is it the entire site?
- Is it down or just slow?
These questions need to be answered to determine the appropriate response.
- Step 2: Identify which communication channels are to be used:
- Do you have a status page system, such as Statuspage.io?
- Step 3:Who will own the communication process during downtime?
- Plan who will be in charge of updating your audience and providing progress reports.
- Step 4:What message will you convey?
- Create templates for common downtime issues so your team can quickly dispatch an update.
While organizing your team’s communication plan, it’s best to think about specific issues that may occur, and which parts of your audience will and won’t be affected.
“You need to think about the different scenarios. How long can your site be slow before you say something about it? How long can your site be completely down before you publicly acknowledge it? You need to consider what to do if feature X is down, but perhaps feature Y is working fine,” says Klein. “Think about what makes sense for your business and your customer base. You know your customer best and you can come up with guidelines that will work for you.”
Here are a few messaging examples companies can use during potential downtimes.
Sample 1: The site is currently experiencing a higher than normal amount of load, and may be causing pages to be slow or unresponsive. We’re investigating the cause and will provide an update as soon as possible.
Sample 2: Our storage provider for public metrics data is currently experiencing infrastructure issues. Updates will be made available as the situation develops or as information is provided to us.
Sample 3: A recent deployment was found to contain errors or significant performance degradations. Our infrastructure has been successfully rolled back to a previous version of the code, and traffic is being served as normal once again.
What to Do During Latency or Downtime
Klein recommends a fast initial response, coupled with ongoing communication afterward, if and when your website experiences downtime. His best advice is to post your initial response as soon as possible, letting your customers see how quickly you acknowledge the incident, as well as how you handle it.
“People are generally understanding when you have occasional downtime. If the issue is not a recurring theme, they understand,” says Klein, but adds, “If a company’s website is having problems and people on social media are reporting that it’s clearly broken, yet the company hasn’t said anything about it (even on its status page), it feels like I’m being lied to. It’s like the company is trying to hide the problems it’s having.”
If your customers are experiencing any type of latency or broken pages, Klein recommends:
- Step 1: Dispatch regular updates to keep your customers up-to-date regarding how you’re handling the problem. If possible, provide a timeline indicating when new issue updates will be available.
- Step 2: The speed of your initial response is critical and greatly determines how your effort will be graded in the public eye.
- Step 3: Acknowledge your site is down to ease user frustration.
- Step 4: Assign a dedicated communicator to direct communication between the DevOps and support teams. They will also be in charge of posting updates or the status page.
- Step 5: Schedule ongoing updates—never go more than one hour without sending an update.
Do’s and Don’ts After an Attack
After the storm has cleared and your website has returned to full functionality, what should you do now—pretend the event didn’t happen and go on with your day?
Klein recommends writing a postmortem—a detailed, technical review of how and why the incident occurred.
“It demonstrates an understanding of what happened and how you plan to prevent the same thing from occurring in the future—or at least make it less likely.”
- Step 1: Apologize to your customers and mean it—an insincere apology is worse than no apology at all.
- Step 2: Demonstrate understanding and own up to your mistake—show your customers you know exactly what happened.
- Step 3: Plan to avoid it in the future—your customers want to know what it is you’re going to do to ensure that the same problem doesn’t happen in the future.
By following these steps, you’ll be prepared in advance for website latency or downtime. Every scenario will likely be different, but a pre-planned communication strategy will ease frustration for both your customers and your internal teams.
- Know Your Threats – Understand what kind of threats exist for your website and prepare to defend against them. One way is to adopt a strong, highly-effective website security plan that relies on one or more Incapsula offerings.
- Prepare a Communication Plan – Before you experience downtime, prepare an emergency response team to evaluate the type of incident being experienced, the kind of communication it will require, and how you will pass the message along. Will this be via social media? A status page?
- An Informed User is a Happy User – During an incident, assign a communicator and dispatch a steady stream of progress reports to reassure users that you’re seeking a solution. Never ignore the issue—your users will notice.
- Make a Sincere Apology and Provide a Solution – Acknowledge the issue, demonstrate understanding and plan to avoid it in the future.
Outages can happen to anyone—it’s a common occurrence for the biggest and smallest of websites. Communicating to your customers at this critical time shows that you are taking steps to resolve and prevent it in the future.
Watch the complete webinar, “How to Respond to Site Outages”.