Malicious Distributed Denial of Service (DDoS) attacks do not occur often. Nevertheless, for an enterprise trying to stay in business they are difficult to resist. The concept of a 'friendly' DDoS attack may, therefore, seem fanciful or even impossible. But it can occur in highly specific circumstances (and not ones simulating a malicious DDoS attack). If you are not prepared for a 'friendly' DDoS attack then the consequences may be costly.
To understand how a 'friendly' DDoS might happen, consider the following example. Imagine you are running an airline (but it could be a railway or a utility or manufacturing company). You use your website and the internet extensively both as part of your brand and marketing as well as for sales, taking orders, supplying information, and a myriad of other tasks.
Now imagine that a fog descends on Heathrow, a volcanic dust cloud is found heading for Europe or snow falls on Madrid. All of a sudden your airline's flight operations are significantly affected if you are based in London, somewhere in Europe or in Madrid. Your planes cannot land or take-off. Your flight crews are in the wrong places. And, here is the rub, your customers with bookings want information, in a situation where accurate information may be difficult to find.
So what do these customers do? The obvious. They go to your website. They call customer support and reservations - all in the hope that they can find out whether their flights are operating and if not what your airline plans to do with them.
The result is, in effect, a friendly DDoS attack. Friendly because these are customers who have paid to fly trying to contact your airline. DDoS because the effect of thousands or tens of thousands of enquiries in a compressed period is to flood and possibly overwhelm what works well on most other days. In other words, some event (in this case fog, dust cloud or snow - but it might be something completely different) sets off an environment where the airline and the customers experience a denial of service.
And this is not all. These existing customers who are trying to find out information are almost certainly preventing potential customers, those wishing to make future bookings, from doing so. This has a different business impact: sales foregone. Similarly, with this deluge of enquiries staff are trying their best to help, but in so doing they are being distracted them from what they would normally be doing. More costs.
The question is - does your enterprise operate such that if a 'friendly' DDoS occurs it might prevent your enterprise from doing business? If so, does your enterprise have plans to mitigate the impact?
Ironically it is not that difficult to handle a 'friendly' DDoS - but only if you have done the preparation. Reduced to its simplest the basics are either ready-to-go additional website capacity or a dedicated alternate Web site, comprehensive mobile device support including SMS and a specific 'crisis' information communications group.
Many may prefer possessing sufficient additional online capacity that can support a doubling or tripling (or more in the case of a major event), because this seems simplest (though it may be the most expensive). The difficulty is predicting 'sufficient'.
However, by dedicating a specific alternative 'crisis' website (pointed to, for those affected, from the main page of the website) an organisation:
- removes substantial query traffic from the main order/sales website so that the main site can continue to accept ongoing (future) business.
- establishes some sense of responsibility for those affected by the crisis.
- shows how the situation is constantly evolving.
- communicates that people are working to help customers (thereby delivering a positive impression that the organisation cares - updating information as it becomes available is an important element).
- exploits customers' laptops, tablets, smartphones or feature phones connectivity (whether at the airport or further away) to make information availability universal - via a browser, SMS, phone calls, Twitter, Facebook, the organisation's dedicated mobile applications etc.
Of course, having such an alternate website is not sufficient by itself. Such a website has to have as much up-to-date information as is practical. In the airline case above, a small crisis information group should be tasked with keeping the 'crisis' website fresh by relaying information from flight operations, the weather people, and others along with their forecasts. This crisis information group should include relevant IT specialists who can rapidly process and disseminate 'good' information. They will also be more intimately aware of the multi-channel dimensions that will inevitably arise at some point in communicating that information.
It might seem obvious but an alternate website has other advantages when it is located on different infrastructure. The use of cloud services, like those from Amazon, Microsoft, IBM and many others, may be particularly relevant, not least because these can also be on standby and can scale up (and down) as demand requires. A superior website might even assist customers to do their own rescheduling online - after all, they probably know best what they need.
Note that all of this, if implemented, has a trickle-up effect, because it reduces the burden on other hard-pressed resources and staff. This happens, at least in the airline example described, because customers are close to each other and so help each other. Those with mobile technologies will tell those who do not have them. If you receive an SMS telling you that your flight (or order or service or whatever) has been rescheduled, most people will share this with others similarly affected. In this way customers help each other and, in so doing, the business with the problem. But they can only do this if they are given information. Conversely, customers (usually inadvertently) will hinder when left ignorant, if only by constantly asking questions.
Friendly DDoS 'attacks' do not happen often, thankfully. But they do occur. The net of this is that most organisations, with a little forethought and planning, can exploit simple and readily available technologies to make themselves work better (and look better) in a crisis situation when all appears to be going wrong. The alternative - failing to take simple steps - can prove expensive, not just in lost customer satisfaction but in staff loyalty, brand image, lost orders and other related costs.
By Charles Brett, principal analyst at Freeform Dynamics