There’s an interesting deconstruction from Paul Mutton of UK network analytics business Netcraft of the effects of the DDoS attack on the BBC on New Year’s Eve, one from which we could all learn some valuable lessons.
For those of you who were offline over Christmas and New Year and didn’t see the news, the BBC was hit with a very powerful DDoS attack on New Year’s Eve that put the site out of action for three and a half hours, between 7am and 10.30am, and at points exceeded 600Gbps of request traffic – enough to kill any site, even the strongest military sites.
According to Mutton, the BBC got itself out of DDoS hell by moving onto Akamai’s cloud-based Content Delivery Network (CDN), which then handled the requests for the BBC worldwide and in the process improved the BBC’s performance.
“At the time of the attack, www.bbc.co.uk was served from a netblock owned by the BBC. It seems that service was restored by migrating the site onto the Akamai content delivery network, after which there were no apparent outages.”
“Moving www.bbc.co.uk onto the Akamai CDN also resulted in some significant performance benefits, particularly from locations outside of the UK. For example, prior to the attack, most requests from Netcraft's New York performance collector took around 0.4-0.6 seconds to receive a response, whereas after the site had migrated to Akamai, all requests were served in well under 0.1 seconds. These performance benefits are typical when using a globally distributed CDN, as cached content can be delivered from an edge server within the client's own country, rather than from a remote server that can only be reached via transatlantic cables.”
For those of you who thought that a DDoS attack was just a temporary attack, there’s more worrying news: Mutton explains that the DDoS attack is still ongoing.
“The performance chart for news.bbc.co.uk shows massive outages long after the DDoS attack on New Year's Eve.” He adds:
“It is unclear whether this indicates a separate ongoing attack, or an attempt at mitigating such attacks, but nonetheless, it is likely to affect lots of users: Many old news articles are still served directly from news.bbc.co.uk, and some users habitually reach the news website by typing news.bbc.co.uk into their browsers.”
The source of the attack, according to the BBC’s Technology Correspondent Rory Cellan-Jones, has been identified as New World Hacking (@NewWorldHacking), a small group of 12 anti-ISIS hackers who were testing out the power of the DDoS systems and chose the BBC to ‘test’ the system. Apparently they never meant for it to kill the site in quite the way it did. New World Hacking said in a tweet, "It was only a test, we didn't exactly plan to take it down for multiple hours. Our servers are quite strong."
The moral of the story, if there is one, is that even a site as big and capable as the BBC can fail if enough requests are thrown at it, and that the only way to survive is to have a Plan B that involves switching to a CDN like Akamai, planned in advance and ready to switch to at a moment’s notice. The BBC has sufficient clout to be able to get Akamai engineers on the case at a moment’s notice on New Year’s Eve; your site won’t be as lucky.