Verisign service shields small e-tailers from DDOS attacks

I gave short shrift yesterday to an announcement from Verisign that it is offering a DNS protection service to e-tailers, timed to be ready for the heavy-shopping period over the holidays.

Essentially the service is protection against DDOS attacks and insurance that when an e-tailer's traffic load is highest, it won't suddenly go offline because of overloads of legitimate traffic to the name servers pointing the Internet's DNS system to the e-commerce site.

Verisign -- which maintains the .com, .net and other top-level domains -- runs 140 data centers worldwide and keeps up a network whose bandwidth "is higher than anything else on the planet from a DNS perspective," according to Ben Petro, the company's senior vice president of Network Intelligence and Availability business unit.

The service is designed to help customers survive both heavy traffic and DDOS attacks that can grow in volume to as high as 18Gbit/sec against large commercial customers, even though the average Web server is overloaded after about 50Mbit/sec, Petro says.

DDOS attacks often last for days as the attackers try to wear down the victim's capacity to absorb abuse, and vendors like Verisign wade through spoofed IP addresses to find the zombie computers sending bogus traffic and have ISPs filter it out.

By contract as maintainer of top-level Internet domains, Verisgn's DNS network has to have a capacity 100 times the peak it sees in a year. The highest volume ever for a DDOS attack was about 28Gbit/sec for two hours.

Verisign, which sold off its security business to Symantec in May and now focuses exclusively on its Internet-domain business, has been offering the DNS-backup service to large customers for around $400,000 per year, which eliminates most mom-and-pops from contention.

This year the company tried to expand the appeal by aiming it at businesses that are growing, but still live in the small end of the mid-market.

Rather than the $20,000 or $30,000 per month large banks, government agencies and other enterprises pay, Verisign charges "in the hundreds of dollars per month for smaller companies up to a few thousand per month for more mid-sized companies," Petro said.

"It's basically an insurance policy; you don't use it unless you need it, but you're still protected," he said.

The big banks and other large customers are willing to pay $400K for hands-on integration and support of their networks, and because they're far more sure they will be hit by attacks, rather than just being worried they might be, as mid-sized retailers would be.

Just for a reality check, Amazon, Wal-Mart, Expedia, The Gap and a host of other sites spent prime chunks of last year's shopping season offline after a series of DDOS attacks starting Dec. 23 and running into January.

"That's the threat we're trying to address," Petro said.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.