2016 Holiday Shopping Advisory

Author: Benjamin Brown

Executive Summary

The 2016 holiday shopping season is fast approaching. More and more, shoppers are opting to make their purchases online rather than risk the frothing hordes at brick and mortar stores. With this in mind, now is a good time to review potential threats retailers digital properties may run into and what they can do about them. You will first want to get a sense of what legitimate traffic to expect and how that traffic is bound to change over time. Along with shopper traffic you will also want to prepare for potential floods of malicious traffic such as Distributed Denial of Service (DDoS) attacks, crawlers, scrapers, spammers, scalpers, account checkers, DNS hijackers, and malware pushers.

Past Traffic Patterns and Flash Mobs

As shoppers shift to digital outlets (see figure below) it is important to take a closer look at their online shopping habits in detail. “How” shoppers are shopping isn’t the only changing factor; “when” shoppers shop is also shifting. The National Retail Federation’s Holiday 2015 research showed that 41 million of those consumers who shopped over the Thanksgiving weekend said they also shopped online on Thanksgiving Day itself (40%). While retailers may be focusing on Black Friday, the weekend, and Cyber Monday, it is now important that they not overlook the potential for increased traffic on Thanksgiving Day. If not, they could end up being overwhelmed by legitimate traffic they are under-equipped to serve.

Holiday Threat Advisory NRF

Genuine shopper traffic doesn’t always flow with a consistent or predictable pattern, so it is crucial for digital retail outlets to be prepared for flash mobs, bursts or waves of legitimate traffic that can look very similar to a DDoS attack. One way to tell the difference is to look at the ratio of clients to requests. Since a flash mob consists of human beings interacting with the digital property, there will be a relatively low number of requests and a high number of clients. In contrast, most DDoS attacks are likely to consist of a high number of requests per client with a medium to large number of clients. One way to effectively deal with flash mobs is to identify what content is likely to be highly requested and configure for efficient caching/offloading. Strategic use of static content, that flash mobs may request en mass, can also greatly reduce strain to the site. If you are an Akamai customer, you can contact your account team to assist you in evaluating and optimizing your site setup in preparation for such an event.


Aside from floods of legitimate traffic, retailers should also be prepared for malicious traffic in the form of a DDoS. It could be young blackhat hackers looking to make a name for themselves, like Poodle Corp and Lizard Squad (see a screenshot of their DDoS tool below), or perhaps political activists, like Anonymous ‘hacktivists’. It could be Eastern European actors retaliating for the recent attacks on Russian banks. A DDoS can also serve as a cover or distraction for the attacker’s true goals such as account takeovers or data exfiltration.

A good first step in DDoS protection would be implementing a Web Application Firewall (WAF) between your website and the outside world. You will want to make sure you have the latest rule sets and review your active rules to make sure they are in alignment with your configuration and set of properties. Enforcing rate limiting rules makes sense for the type of legitimate traffic you are expecting. You may want to consider denying traffic from geographies that don’t match your target consumer demographic. You may also consider blocking traffic coming through known, anonymous proxies. Plus, companies should review their current level of DNS reliability and see if a second or backup DNS provider makes sense. If the recent Dyn DNS attack showed us anything, it is that DNS centralization can lead to catastrophic scenarios. Have a play book put together ahead of time with possible attack scenarios and applicable defense maneuvers available to your team. Improve this playbook by running tabletop exercises and attack scenarios with your team. During the post-simulation review, dedicate time and effort to revising and tweaking the playbook. Iterate simulations with ever-changing variables, combine or cascade attack scenarios, and consider bringing in a professional penetration tester to refine your incident response further. Work with relevant third-party vendors to improve response times and cement clear communication protocols for system you are leveraging, but do not have complete control over.