This blog post is part of Forrester’s Holiday 2019 retail series.

No, Virginia, there’s no denying there is a Santa Claus. There’s also no denying the threat that distributed denial of service (DDoS) presents to retailers and eCommerce sites during the holidays.

Nothing says “happy holidays” like a multivector DDoS attack against your digital properties during the busiest shopping season of the year. Like holiday spending activity, industry DDoS attack metrics are difficult to predict. Volumes can trend upward and then mysteriously die off. The trends are only obvious after the attack campaigns have ended.

As part of our Holiday 2019 retail series, Researcher Madeline Cyr interviewed Forrester security and risk analysts David Holmes and Joseph Blankenship to help retailers understand the threat of DDoS attacks during the upcoming holiday retail season.

Q. Last year, DDoS attacks on eCommerce sites peaked during Black Friday weekend. Could a DDoS attack wipe out Black Friday/Cyber Monday online sales?

Joseph: DDoS attacks happen against eCommerce digital properties every year, though it’s usually impossible to predict who the exact victims will be.
We’ve heard from DDoS service protection vendor Radware that the typical reasons for service outages involving retailers/eCommerce include:
• Self-inflected DoS — that is, simply not having the proper resources to deal with a burst of natural traffic
• DDoS — Criminal attack to prevent/restrict access under ransom denial of service (RDoS) threat
• DDoS — Criminal attack to impact sales
• DDoS — Criminal attack to divert shoppers to other sites during an outage
• DDoS — Hacktivist attack for political reasons that are direct or indirect
• Bots — Criminals trying to purchase an item and flood system resources in the process; prevents others from checking out

Q. What strategy and technology protections do retailers need to have in place now to thwart DDoS attacks?

David: The most important advice is that retailers should seek a DDoS protection agreement before an attack occurs and to work with the service to set up your clean traffic tunnels during business as usual. Trying to combat a DDoS attack with no protection in place is a stress-inducing nightmare that no IT team wants to contemplate during peak season. There’s also the potential impact to sales if a site is unresponsive or slow during the critical buying season. And many DDoS protection providers charge a five-figure premium to put protections in place during an attack; configuring the protection is much more difficult when the retail services cannot be reached.

Q. If you are hit with an attack, how do you get your site back online?

David: Most modern eCommerce retailers will have migrated to a cloud service or content delivery network (CDN), and these services usually have integrated DDoS protection. In some cases, the attached protection services are gratis, though Forrester has heard that their quality can be inconsistent. To see how your provider fared in Forrester’s evaluation of DDoS protection services or to consider other vendors, see our research, including “Now Tech: DDoS Mitigation Solutions, Q2 2018” and “The Forrester Wave™: DDoS Mitigation Solutions, Q4 2017.”