StormPay caught in a whirlwind

On the afternoon of Friday February 3 2006, Jim Grago, chief technology officer of the online payment processing company StormPay.com, was winding down for the weekend.

Suddenly, disaster struck.

At first Mr Grago thought his mail server had failed, but it soon became clear that cyber criminals had launched a distributed denial of service (DDoS) attack to try to extort money from the Tennessee company.

“Our entire site had become unreachable. Our hosting company informed us we had a DDoS attack so large there was no way we could handle it,” says Mr Grago.

The attack took out StormPay’s two data centres – and effectively its business – for most of the weekend.

“We process on average 40,000 plus transactions a day and our customers were saying: ‘where is my money?’ There were financial losses, stress on the management team, and with 3m customers some of them were pretty upset,” he says.

The criminals used a Domain Name System (DNS) amplification attack against the company, overcoming expensive firewalls and detection systems.

They had surreptitiously taken control of thousands of broadband users’ computers to create a “botnet”. From those machines they sent a huge volume of queries to DNS servers, forged so that they appeared to come from StormPay’s website.

This meant that instead of the responses going back to the compromised computers, they all went to StormPay, pummelling the company’s servers with traffic that at times reached eight gigabits of data a second.
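How a defender can recognise the reflected traffic described above, as an added example in Python (not code from the article, StormPay or Prolexic): it matches inbound DNS responses against the queries the victim actually sent, and treats the unsolicited large answers as reflection. The addresses, port numbers, packet sizes and the assumed 60-byte query size are constructed for the example.

```python
# Added example (not from the article): flag DNS amplification traffic at the
# victim's edge by matching inbound DNS responses against queries it sent.
# Addresses, ports and sizes below are constructed; "qr" is the DNS header
# flag (0 = query, 1 = response) as a capture tool would decode it.

VICTIM = "203.0.113.10"  # hypothetical victim address


def pkt(src, dst, sport, dport, txid, qr, size):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "txid": txid, "qr": qr, "size": size}


PACKETS = [
    # Legitimate: the victim queries its own resolver and gets a small answer.
    pkt(VICTIM, "198.51.100.53", 40001, 53, 0x1A2B, 0, 62),
    pkt("198.51.100.53", VICTIM, 53, 40001, 0x1A2B, 1, 120),
    # Reflected: large answers from open resolvers the victim never queried,
    # because the attacker forged the victim's address on the queries.
    pkt("192.0.2.11", VICTIM, 53, 3333, 0x7777, 1, 3900),
    pkt("192.0.2.12", VICTIM, 53, 3333, 0x7777, 1, 4100),
    pkt("192.0.2.13", VICTIM, 53, 3333, 0x7777, 1, 3700),
    pkt("192.0.2.11", VICTIM, 53, 3334, 0x7778, 1, 3900),
]


def detect_dns_reflection(packets, victim, min_reflectors=2, min_ratio=10.0):
    """Return a summary of inbound DNS responses the victim did not request."""
    outstanding = set()   # (resolver, source port, txid) of queries we sent
    unsolicited = []
    for p in packets:
        if p["src"] == victim and p["dport"] == 53 and p["qr"] == 0:
            outstanding.add((p["dst"], p["sport"], p["txid"]))
        elif p["dst"] == victim and p["sport"] == 53 and p["qr"] == 1:
            key = (p["src"], p["dport"], p["txid"])
            if key in outstanding:
                outstanding.discard(key)   # matches a real query: benign
            else:
                unsolicited.append(p)      # nobody here asked for this
    total = sum(p["size"] for p in unsolicited)
    # Rough amplification estimate: bytes delivered per reflected response
    # versus the ~60-byte forged query that triggered it (assumed size).
    ratio = total / len(unsolicited) / 60.0 if unsolicited else 0.0
    reflectors = sorted({p["src"] for p in unsolicited})
    return {"unsolicited": len(unsolicited), "reflectors": reflectors,
            "bytes": total, "est_amplification": round(ratio, 1),
            "alert": len(reflectors) >= min_reflectors and ratio >= min_ratio}
```

In a real deployment the same matching would run over flow or packet captures at the network edge, and the alert would feed the kind of upstream filtering the article describes.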

Then the extortion e-mail arrived, demanding money in return for stopping the attacks.

But by this time StormPay had contacted Prolexic, an anti-DDoS technology company. “We could have paid the criminals and they may have left us alone for a while, but they would have kept coming back. The best way was to fight it,” says Mr Grago.

On the Saturday, Florida-based Prolexic began directing StormPay.com’s internet traffic away from the payment firm’s choked servers to its own Clean Pipe network, which looked for and filtered bad traffic sent by the attackers.

Late on Sunday, the security company had restored the site by filtering StormPay’s network traffic.

But the criminals did not stop. They switched their attacks to StormPay’s internet hosting facilities. In response, Prolexic’s engineers created a virtual private network tunnel. “This meant we could tunnel traffic to them and escape the attack,” says Mr Grago.

StormPay soon had its operations back up and running, and although the crooks continued to attack the system for another two weeks, the website remained unaffected.

“We have been attack-free since those first two weeks, but we are continuing to protect ourselves. It might be expensive but it is good to know you’re safe,” he says.

DDoS attacks are getting more sophisticated and are targeting any organisation where the internet plays a role in transferring money, says Mr Grago. “The e-commerce industry is very vulnerable. These people are ruining businesses.”

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.