Websites Select Security Services To Suppress DDoS, Other Attacks

If you want to test the mettle of your website security, then try protecting a site that is considered amoral in its own country or illegal in much of the world.

Web security start-up CloudFlare had such a problem in 2010. The company, which had just begun to offer Web security-as-a-service to protect sites against hacking and denial-of-service attacks, found dozens of escort sites in Turkey signing up for its offering, says CloudFlare CEO Matthew Prince. While escort services are legal in Turkey, the conservative populace frowns on the practice, the company learned.

"The site owners told us, 'We get constant attacks from people who think what we are doing is just amoral, and we never found a solution that would work to stop these kinds of attacks,'" Prince says.

Yet helping sites survive in the legal no-man's land of escort services proved that CloudFlare's offering could protect against sustained attacks. Larger -- and more reputable -- sites soon followed: First small e-commerce sites in Turkey, then larger online retailers, major Turkish media sites, and, eventually, the Turkish government signed up for the security-as-a-service offering, Prince says.

CloudFlare is not alone. Managed Internet security service provider Prolexic got its big break protecting online gambling sites. Last year, when Sony suffered under multiple attacks from Anonymous-affiliated hackers, the entertainment giant turned to Prolexic to protect its Web properties.

[ The news coming from Sony's camp and the security community at large shows that investigators could still be scratching at the surface of the damage wrought by hackers in a major breach. See Sony Still Digging Its Way Out of Breach Investigation, Fallout. ]

Increasingly, larger companies -- once shy of cloud services -- are looking to Web security services to help keep their sites available and secure. And smaller websites are realizing that companies do not have to be in a shady business to suffer an attack. Cybercriminals are increasingly looking for unprotected websites to compromise and host malicious drive-by downloads, says Paul Wood, senior intelligence analyst for Symantec.

"You may think that your site is not going to attract the attention of cybercriminals, but they are probably not interested in what you are selling or what your site represents," Wood says. "For most attackers, websites are a stepping stone, either into your network or to infect others."

Highlighting the danger, Incapsula, another Web security-as-a-service firm, found that 83 percent of traffic seen by small sites -- those with fewer than 2,500 monthly visitors -- is machine-made. And half of all traffic encountered by such sites is potentially malicious.

While Web application firewalls can give a large company a great deal of flexibility in detecting and preventing attacks, they can be difficult to manage. Putting that in the hands of a cloud or managed provider allows companies to benefit from the expertise of the provider, says Marc Gaffan, co-founder and vice president of business development for Incapsula.

"A Web application firewall is something that protects the website's front door, and the challenge today is that you have to leave your front door open -- you have to let customers in," he says. "The problem is that 80 percent of attacks happen through the front door."

In addition to concentrating on Web-security expertise, cloud and managed services can benefit from seeing attacks across a broad community. Combining intelligence to identify attacks against different customers, and then to prevent those same attacks from impacting the entire customer base, is a core benefit of a security service, CloudFlare's Prince says.

"The core value proposition is of one community," he says. "If you mess with one bean, you mess with the whole burrito. If you attack one server, the rest will learn from that attack."

Availability is a critical issue. If a cloud provider goes down, then it could cause problems for all of their customers. That's why it's critical for companies to check out potential cloud or managed service providers and ask the right questions, Incapsula's Gaffan says. The provider should have multiple options through which to route traffic in the case of a failure.

"Not all cloud services are equal," he says. "You should make sure that you are working with a reputable company that will be there tomorrow and will take care of your data."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.