Tech Breakout Summit/2021: Why Protection From DDoS Attacks is Critical For Your Business
DDoS attacks are happening more frequently, and with a resurgence in ransom-driven threats, they’re also becoming more sophisticated and complex. If your site is attacked, your customers and your business will likely bear the brunt. WP Engine is committed to delivering enterprise-grade security to our customers and has embedded security best practices throughout all of our products and services.
In this session, WP Engine Product Manager Casey Raim, Senior Technical Architect Michael Smith, and Product Marketing Manager Sarah Wells discuss the best practices WP Engine has in place to ensure your site—regardless of where you are hosting—is secure.
In this session, WP Engine Product Marketing Manager Sarah Wells, Product Manager Casey Raim, and Senior Technical Architect Mike Smith discuss:
- Types of sites that need additional security
- Common types of online attacks
- Steps to take before, during, and after an attack
“We’ve seen and we’ve heard earlier that these attacks are getting smarter. They’re getting more frequent, and there are no silver bullets.”Sarah Wells, Product Marketing Manager, WP Engine
Full session transcript
SARAH WELLS: Hello, everybody. I am Sarah Wells, I’m a Product Marketing Manager here at WP Engine. And today I am joined by the incredible Product Manager, Casey Raim, and the ever-talented, Michael Smith, who is one of our senior architects here at WP Engine.
And today we’re going to be talking about protection from DDoS attacks and why it’s critical for your business. Before we dive into the bulk of our content today, I want to set the stage around what security means at WP Engine.
Security was really one of the founding pillars for WP Engine from the outset. And so, for us, what this means is we seek to understand and make sure security is actually interwoven and the lifeblood of everything we build, both from our own company and what we do in-house, and what we’re delivering to our customers and our clients overall.
So, everything from taking core WordPress updates off the plate of our customers so they don’t have to do it, so we can make sure that they are on the latest version of WordPress, to completing our SOC 2 Type II reports, and we know we’re meeting that upper echelon of security requirements for any of our business and any of our customers out of the gate.
So, thinking about that, and thinking about security holistically, and Casey, from the product perspective, what are some of the things that you see as table stakes, out-of-the-box needs for anything with a managed in front of it offering, especially for WordPress.
CASEY RAIM: Sarah, there’s absolutely things that we would consider table stakes for any managed offering, and honestly, we don’t want our customers to have to think about. Typically, like you mentioned, something like a WordPress upgrade is a great example of that.
Things like new OS versions or PHP versions that need to be updated and patched absolutely fall into that category. We’ve actually recently added to that list on our side. And we’ll chat more about that later.
But if you are going the DIY route, these are things that aren’t necessarily core to your business, but that you should absolutely have in the back of your mind in terms of time and money because they are critical to making sure that your site remains both secure and performant.
SARAH WELLS: Wonderful. So, knowing that there are different levels and different types of sites out there, there might be some things that are those out-of-the-box things that we’re going to do regardless. And everybody should have a solution or a provider that’s providing them for them if they’re not doing it in-house.
But then what might be some of the things that make a customer or a site, or a business need to be a little bit more security conscious if you will?
CASEY RAIM: Yeah. Absolutely there are scenarios where it just makes sense to have a heightened security profile. The first thing that comes to mind is that, if your site has sensitive or controversial content, then you may be a higher risk of being a target, simply because of what you do.
The second one that we focus on a lot actually, at WP Engine, is around what I would call event-driven websites. And by that, I mean that your business is particularly calendar-sensitive. So, whether you’re hosting a major sporting event. And an attack during that event would be both highly visible, but also detrimental to your business.
Or maybe you sell fireworks or Halloween costumes. And so your revenue risk is exponentially higher at certain times of the year. You could take that kind of same lens and take a step back. And it’s really easy to apply that logic generically across ecommerce sites.
So, if you have an ecom website, typically your revenue is dependent on the security of that site. And the same way that you would lock up a physical store at night, it probably makes sense to lock down your website, to some degree.
SARAH WELLS: That totally makes sense. And is also– When we’re thinking about– I mean, I love the analogy of locking up your store at night. We think about security. We think about things, and people breaking in.
One of the things that I’m hearing about more and more on just regular news cycles, not even on niche kinds of technical news rags, is DDoS attacks and the increase of DDoS attacks. And that’s what we’re here to talk about today.
Can you maybe back up a little bit, explain DDoS attacks. But then also think about what are the trends that we’re seeing within DDoS attacks overall, and how are we having to react to them, and the people in this call having to think about them more and more.
CASEY RAIM: So, we’re absolutely seeing and feeling the increase in these activities. Not only are we having these customers more and more often– I’m sorry– these conversations more and more often with our customers. But we’re actually internally really making sure that we have our response plans defined and that we have the right tools in that kind of proverbial toolbox to help customers if they are impacted.
But before we get too far into more of a deep dive on DDoS, I want to really level set on what DDoS actually means. So, the DoS section of DDoS stands for Denial of Service. So, the intent of that attack is to reduce your site’s ability to perform its basic functions. Typically that means it takes your site down.
That first D stands for distributed, which generally just means that the bad actors are leveraging multiple systems, or multiple locations in order to perform that attack. So, all DDoS attacks are Denial of Service attacks. Not all Denial of Service attacks are distributed. So, very high level. That’s sort of what we’re talking about when we talk about DDoS attacks.
SARAH WELLS: Wonderful. And I know that the occurrence of major attacks has tripled in Q1 of this year compared to Q4 of last year. And so, Michael, from a technical perspective, and looking at this graph—and this graph is showing size of attack. It is also showing the amount of attacks is also increasing overall.
So, can you talk a little bit about why this is happening and we’re seeing such sharp increases in these types of attacks?
MICHAEL SMITH: So, this slide shows over the last decade this rise of both the size of the attacks, but also there’s a corresponding increase in the frequency of them. Generally, I think you can attribute this both to the fact that– Just like cloud computing has unlocked the ability to make it easier for people to build sites on the web and run their business on the web, but also the same technological advances have made it easier for attackers to gather and generate the traffic at a sort of distributed scale to overwhelm servers.
Unfortunately, it’s also in the last year with the pandemic and a lot of businesses shifting to adopting more ecommerce than they might have done it previously, there’s been an acceleration just within the last year. I think those are some of the reasons why we’re seeing that increase right now.
SARAH WELLS: Totally makes sense. And to the point earlier, like ecommerce are mission-critical, or your entire revenue is on there, it’s even more important to understand what these attacks are.
So, Michael, can you explain a little bit, like, what are the different flavors of DDoS attacks that are out there that people should be thinking about and protecting themselves against so that they can continue to do their business successfully online?
MICHAEL SMITH: When we think about DDoS attacks and how to protect yourself from them, we think about it as three different types of attacks with each category requiring different mechanisms of protection.
So, the first one is– The first category is volumetric attacks. And so these kinds of attacks are really taking advantage of generally generating a large amount of traffic to overwhelm the network that hosts your site.
And an example of this, probably the most still common type of volumetric attack is a DNS amplification attack, which is a way that an attacker can use a relatively small amount of bandwidth to generate a large amount of bandwidth, targeted at a particular attack and a victim.
And to protect yourself against this kind of attack, it usually requires having a high capacity network that has a bandwidth capacity that’s large enough to withstand this volume of attack.
Another category of attacks that we think about it are the protocol layer attacks. So, these are attacks that target the underlying network protocols that are used for computers to connect to each other. And these attacks generally aim to overwhelm the servers or the lower-level networking stack of these servers.
A really common example of this, probably the most famous protocol layer attack is the SYN Flood, which is taking advantage of the way that TCP protocol establishes connections from a client to a server.
And a SYN Flood, essentially, the way it works is that these clients begin to open a connection to the server, but never actually complete that connection process. And that forces the servers to keep this intermediate state about all of these half-connected clients.
And if you do that enough times with enough clients out there, you can actually overwhelm the state tracking tables on the server. And then it starts to deny legitimate users from being able to make connections to that website.
So, your protections against this kind of attack is generally making sure, again, that you have a large capacity to absorb these attacks. And this might mean having several machines, or many, or even dozens or hundreds of machines, depending on your capabilities, that can absorb these attacks and spread that load. So that it doesn’t all have to be satisfied by your main application servers.
And then the third type of attack that we think about is the application layer. So, in the context of a website, the application protocol is HTTP. And so this attack works by the attacker essentially emulates a full HTTP request sending to the server, and forces the server to respond to that by doing what it normally does, which is rendering the page and sending it back to the client.
In the case of a WordPress site, that might include things like running your PHP code and pulling data from the database and combining that back into an HTML page to send back to the client. All of that requires work. And if you do it– If you have enough clients requesting that work to have it at the same time, it can overwhelm the server’s ability to handle the requests.
And so, this one is also a tricky one to defend against, but the typical ways are– A really common– The good starting point is to make sure that your servers and your network are optimized and fast, and able– The faster they’re able to service these requests, the less load that it takes to handle these attacks.
Additionally, you can do things like enabling more aggressive caching, which is generally a good practice, even for performance in general. But caching allows you to reduce the amount of competition that the server has to do.
Other things you can do are enable web application firewall rules that block certain types of requests based on their characteristics. So, if you can identify characteristics that are unique to an attacker and distinguish that from the legitimate users, you can write rules that block the bad guys and let the good guys in.
And then finally, another mechanism is, if those tools don’t work, you might introduce some sort of challenge page, or CAPTCHA is a common thing that you’ve probably seen on the web, where the users are asked to essentially prove that they’re human.
And once they’ve passed the CAPTCHA, that allows them to access a site, where bots and other automated crawlers aren’t able to access the site. And you can block them more efficiently that way.
SARAH WELLS: Definitely. Those find-the-light-post CAPTCHAs are always fun when answering the questions.
MICHAEL SMITH: Identify the school bus.
SARAH WELLS: Exactly. But you’re mentioning something here that’s pretty interesting. There’s these bots, there’s bad actors, but there’s also good actors. And if we think back to what Casey said earlier, we have also—we see customers at WP Engine who have event-based things. Well, they will see that large spike overall.
And then we know that there’s good bots that are used for search, or for social optimizations, or those types of things. I can only imagine that that makes kind of understanding when a DDoS attack is happening harder, and then protecting against it even harder still.
MICHAEL SMITH: Yeah, that’s right. If you have a spike in traffic to your site, that might be an attack or it might just be a good event driven by a lot of people visiting your site at the same time. First of all, you need to identify, recognize whether it’s malicious or not. And that helps you decide if you want to take action to actually try to block certain visitors to the site.
Additionally, those are good bots versus bots. Not every automated crawler of a website is bad. In fact, your search engines are all constantly crawling websites in order to index them. And you don’t want to block those crawlers from doing their job.
So, it becomes really tricky and you have to be careful about how you do this, so that you don’t have adverse effects on the legitimate uses of your site.
SARAH WELLS: What if somebody listening here today is thinking like, OK, I have to identify that this is actually a malicious actor, or this is a DDoS of one of the flavors that we just talked about. What are some of the things that they should be doing when they are quote-unquote, “Under attack.” What does that attack mode look like? What are the things that they should be setting in place?
MICHAEL SMITH: I mean, if you’re doing this– If you’re doing this on your own, you’re operating your own servers or your own site, the first thing to look at is really, like, am I hosting it on a server or on a network that has enough capacity to handle large attacks.
And there’s other things you can do from the lower-level operating system tuning aspect of things. For example, with that SYN Flood attack, there’s a mechanism called PCP SYN cookies that you can enable, that basically make it so that the client doesn’t need, or the client can– The server, sorry, does not need to track as much state about every client. And that can offload some of the burden from the server and make it more resilient to those SYN Flood attacks.
That does come at the expense of a little bit more CPU load on the server. But if you’re under an attack especially, that can be a good worthwhile trade-off.
Then, additionally, things like enabling certain firewall rules. Where if you can recognize the bad traffic based on some patterns, you can block that before it reaches a deeper layer of your application stack.
So that might entail blocking things immediately at the machine’s networking stack later before it reaches the application layer, or you might be able to block it even farther up at a location that’s close to the visitors.
And so that leads into the fourth and probably the most powerful way you can do this, is to utilize a service that specializes in protecting sites from this kind of thing. And there’s a lot of commercial solutions out there that you can choose from.
In the WordPress space, there’s a lot of vendors that people use. Cloudflare is one of the ones that we use a lot here, and are familiar with. But additionally, there’s a lot of other really good ones: Fastly, Security, Imperva, Akamai. All of these, there’s a whole range of these different types of vendors. And they all specialize in a different thing.
Some of them are a little bit more focused on security aspects, and some of them are a little bit more focused on performance aspects. Some are tailored more to the enterprise, and some are tailored more to smaller businesses.
But really, you can choose from those tools. Those can provide you a lot of protection by giving you the capacity to sit in front of your website and act as a shield against a lot of these attacks.
SARAH WELLS: That’s wonderful. So, having that front-line defense with those things is really important. And to that point, Casey, Michael mentioned that we have that partnership with Cloudflare. Can you expand upon what that partnership is from a product standpoint, and how we’ve leveraged that to bring some of these things? And how our customers aren’t having to manage it necessarily themselves.
CASEY RAIM: Yeah, absolutely. So, Michael mentioned a few of the industry experts in this space. And just like we all do when we choose a partner at this level, we had a range of criteria that we had when we were trying to decide between these industry experts.
We really felt like we found our home with Cloudflare. They have a best-in-class content delivery network to address those kind of caching concerns that Mike was just talking about. They actually offer multiple levels of DDoS protection. So, obviously, right on point with what we’re talking about today.
But they’re also a really WordPress-conscious company. And so they’ve put a concerted effort into their web application firewall and its compatibility with WordPress Core, but also with the most commonly used plugins in the community.
SARAH WELLS: Wonderful. So, from a product standpoint, and knowing at the very beginning we can kind of oversimplify cohorts of security thinking into table stakes, basic protection levels, and then maybe the more security conscious. Is that an approach that you’ve seen adopted within WP Engine and with this Cloudflare partnership?
CASEY RAIM: Yeah. So, we do. We do have those two layers to this partnership with Cloudflare. The first one is advanced network. And advanced network is actually relatively new. And the idea here is that it’s really time to shift the baseline in both security and performance.
So, going back to those table stakes that we were talking about at the beginning, really just raising that level up. An advanced network gives our customers access to Cloudflare CDN network, as well as to that initial tier of DDoS protection. Actually, along with some image optimization.
And this is at– It’s at no cost to our customers at WP Engine. Because again, from our perspective, this is really the new bar for table stakes when we talk about what our customers need for their businesses.
SARAH WELLS: That totally makes sense, especially as we saw in the trends of DDoS becoming more and more frequent. Having that kind of baked in as part of it makes sense to make sure that there is that front-line defense, as Michael was saying earlier. I’m also seeing on here though there’s this upper echelon for maybe that more security conscious.
CASEY RAIM: Yeah, absolutely. So, as we’ve been talking about, some customers do have an increased risk, for any number of reasons. And for those customers, we have our enterprise security offering in the form of Global Edge Security.
Global Edge Security is also in partnership with Cloudflare, leverages additional DDoS protection capabilities, does have access to the Cloudflare web application firewall that we were just talking about. And also has an additional smart traffic routing capability that is sort of the functional equivalent of being able to route internet traffic around traffic jams that happen within global networking.
SARAH WELLS: Very fun. Nobody likes a traffic jam, especially when trying to get to the site. So, do you have any fun anecdotes, or products, like wins, use cases for either of these solutions from a customer experiencing, maybe a DDoS attack. And how they were able to protect or resolve any of the issues that arose with that.
CASEY RAIM: Yeah, totally. Here’s the gotcha on that particular question though. No good security story ever starts with, “we didn’t think that anything would go wrong on Tuesday.” And ends with, “and nothing did go wrong on Tuesday.” It doesn’t make for a good story.
So, this story actually did start on a Tuesday, with a customer who was being impacted by a DDoS attack. So, our amazing customer experience team worked with them, move them on to an advanced network. Again, relatively new offering here at WP Engine.
We were able to much more easily see what was happening to this particular customer, helped mitigate that attack. Great. Story over. Tuesday’s good. We’re moving on.
And then I’m sitting on my couch on Friday night, and I get a note from Support. And they go, “Hey, Casey, I’ve got that customer in chat.” And all I can think is, “oh, no.” Because who voluntarily gets on chat on a Friday night?
So, here we go. So, I reach back out. Yeah, I’m sitting here, how can we help? And he goes, “yeah, that website from earlier this week had a bunch of images and videos on it. And now that they’re all cached, this customer is seeing a 30% performance improvement. He wants to know if we can put all of his accounts on it. And he’s got a maintenance window tomorrow, so, Saturday. Can we tee him up to be able to get that done this weekend?”
And I was so excited. And we obviously worked together, partnered with that customer, got them ready to go. But such a great example of really those table stakes on a Tuesday turning into something that was a value add for a customer later that week, to the point where they’re asking for our help to onboard additional websites.
So, such a great story. And one that just makes my heart happy.
SARAH WELLS: Love that story, especially on the product side too. And it also goes back to the point of protecting from DDoS is important, not just to make sure your site is secure enough, but there are possibly other added benefits that will improve your site, and then ultimately improve your business overall.
All that being said, to have to be “security on a Tuesday isn’t going to happen, nothing happens.” Something is going to happen. We’ve seen, we’ve heard earlier that these attacks are getting smarter. They’re getting more frequent.
And there are no silver bullets. You’re not ever done with security. We’ve seen this over our course and our life here at WP Engine.
So, Michael, question for you. With those attacks getting smarter, what are some of the gotchas that we see? And then what do we recommend in those situations for those customers where the solution that we have or a solution that they might be operating under might not be enough for them today based off of what they’re seeing and experiencing.
MICHAEL SMITH: So, the managed solutions that Casey talked about a minute ago, where we’re constantly trying to evolve these and offer more protections for the vast majority of our customers. But what we realize is sometimes we’re discovering new types of attacks and more sophisticated attacks that come up from time to time.
It’s never going to be the case that we can anticipate and handle all of those attacks on day one, we’ve learned. And sometimes it requires more manual intervention. And for some customers, they choose to use their own security layers in front of the protections that we provide as part of the WP Engine platform.
And so that might include using some of these other vendors that I mentioned, in addition to what we provide. And that will give you more control to directly manipulate things. Maybe you have more knowledge about what should be blocked and what shouldn’t, because what’s happening at the moment for your business. Or you want to take advantage of tools or features that are available on those other platforms that are not currently available as part of the managed offerings that we provide.
And so that’s always something they should consider, is that something that you might want to do. And we aim to make it so that our solutions are compatible with that.
SARAH WELLS: Love that. And thinking about that, Casey, how do you then decide from a product standpoint of what are those tools. Are you like, hey, no, that should stay in that toolbox over there that the customers have access to, versus the toolbox that we are providing or any other managed solution is providing to see those elevated table stakes or another tool in the arsenal.
CASEY RAIM: So, generally, when we talk about trade-offs in terms of increasing security. Increasing security comes with usually an increase in time, or sometimes it’s money, or sometimes it’s just plain inconvenience.
And so a lot of our conversations internally around this topic surround whether the idea of something is appropriate for all of our customers, or whether, again, it really just makes sense to have that as a tool, again, back to that toolbox, for customers in specific situations, or who might have a higher risk profile.
So, we want to be really, really mindful whenever we talk about increasing table stakes that we’re continuing to be customer-inspired and not making it harder to just get a website off the ground and running.
So, a really great example of that is that web application firewall that we’ve been talking about. It’s an incredibly powerful tool. But for our customers that don’t really need it, it just kind of adds an additional layer of overhead to managing that site.
So, we’ve actually specifically added that feature only into our enterprise security offering for those customers that we really feel can get that optimal value from it.
SARAH WELLS: Great insight. So, we’re getting close to time here. So I have one final question. So, for everybody on the call who’s joining in today, whether they’re a WP Engine customer or whether they’re not, assuming that they’re on WordPress– We can make that kind of general assumption. If they can leave this session and go do one thing to make sure that their site was secure today, what would that one thing be? Michael, I’m going to start with you.
MICHAEL SMITH: I think that one thing that you should do if you are thinking about your site security is to make sure you have a plan for when something bad happens. That doesn’t necessarily mean you need to– I’ve talked about a lot of different layers of protection that you can add for your site, but it doesn’t necessarily mean you need to add them all from day one and keep them all running all the time.
But you need to know what are your options, and what am I going to do in the case that I am actually under attack and I need to decide and figure these things out right now. It’s a lot better to have thought about that in advance.
SARAH WELLS: Definitely. Have your plan, your escape plan, your go-bag for when the apocalypse comes you’re ready to go. Casey, same question. What’s the one thing you would have everybody leave here and do today?
CASEY RAIM: So, I’m actually– I think I’m going to circle all the way back up to the beginning of this conversation and say that I think upgrading and patching the components of your site, for me, is step one.
It’s generally not a core competency of the business, and so it’s something that can fall off on the wayside. But if we take the apocalypse approach, it’s sort of like putting a lock on your front door with a note that says, “Dear, Zombies. Check the window.”
So, I think that that’s where I would start, is making sure that your stuff is up to date.
SARAH WELLS: Wonderful. Well, I think we are at a time now. I want to thank you both so much for all of the insights and knowledge that you shared. Hopefully, everybody attending has learned a little bit today and knows how to protect themselves against DDoS attacks.
If you have any questions, please feel free to reach out to any of us. And we’ll stay in touch. Thank you, everybody.