How CyLab researchers are protecting consumers this shopping season


November 30, 2015

November and December are the busiest months for shopping of the year. Retailers are expecting to rack up over $600 billion in sales this year, with over half of those revenues coming in online. This huge amount of online activity offers opportunities to attackers who can launch malicious distributed denial of service (DDoS) attacks.

“In these types of attacks, websites are flooded with illegitimate traffic creating a bottleneck and causing the service to crash,” says Vyas Sekar, professor of electrical and computer engineering at Carnegie Mellon University. “They deny customers access to that service.”

These types of attacks can have huge financial implications for retailers, such as lost revenue and loss of customer trust. Amazon, for example, makes nearly $2,000 on average every second. A 10-minute DDoS attack would result in over $1 million in lost revenue and many upset customers. This is an average figure, too; an attack during peak activity, like Black Friday and Cyber Monday, would be even greater.

There are a couple reasons these attacks may be administered. The attackers may bring a network to its knees in exchange for a ransom (“pay up and we’ll stop”) or they may leverage the surge in traffic to sneak in malware or other malicious software that could be used to steal users’ personal information (e.g., credit card data or passwords). 

To mitigate DDoS attacks, web services rely on expensive hardware appliances deployed at fixed locations in networks, which can be an issue when needing to adapt quickly to rapidly changing attack patterns.

“The scale of traffic volume in these attacks is rising, the diversity and complexity of attacks is rising, and the frequency of attacks is rising,” says Sekar. “If the volume of the attack changes, or the type of attack changes, we currently have limited capabilities as the current defenses are hardware-based, and you may have to purchase new appliances and patch them into the network.”

Sekar and his colleagues have developed what they call an “elastic” and “flexible” defense— one that can elastically adapt to a new type or scale of an attack in an instant, and flexibly place defense mechanisms when and where they are needed. The defense does not rely on hardware that needs to be updated; instead, Sekar’s defense is purely software-driven and leverages recent technologies such as software-defined networking and network functions virtualization. 

“As the attack changes, our product can elastically scale up or scale down according to what we need,” says Sekar. “It’s a platform for rapidly deploying elastic defenses against new types of attacks when and where they are needed.”

Sekar and his colleagues — including electrical and computer engineering Ph.D. student Seyed Fayaz — named the software-based defense “Bohatei,” the Japanese word for breakwater, a barrier used to defend against tsunamis. Rest assured, if a tsunami of illegitimate traffic threatens an online retailer you’re using, CyLab researchers have the defenses ready to go. 

Related People:

Vyas Sekar