WorldPay recovers from massive attack
Three Days of the CyberDoS
Analysis WorldPay's systems are back running normally this week following the most serious and sustained Internet attack on a UK business to date.
Operations at the Royal Bank of Scotland's Internet payment transaction outfit were blighted for three days last week as the result of a malicious DDoS attack by unidentified computer criminals. Although customer information was not disclosed by the attack, WorldPay's online payment and administration system were reduced to a crawl due to a flood of malicious traffic directed at its Web-based systems that began a week ago.
WorldPay put in place a series of measures to mitigate the attack and by Friday its services were restored to near-normality.
In a statement to its customers on Friday, WorldPay apologised to its customers for the inconvenience caused by the attack.
Ron Kalifa, WorldPay's managing director, said: "Our service has been badly disrupted over the past three days. However, we have made significant progress and the corrective action we have taken is minimising the potential for further disruption."
"As you may know the cause of the disruption has been a substantial and sustained Distributed Denial of Service attack. WorldPay's payment and administration systems have, in fact, worked safely and securely throughout this, but the networks around them have been systematically flooded with requests for our service on a massive computer-generated scale. Our ability to process payments has been far slower and at lower volumes than normal as a result of this."
"The attack follows a familiar pattern to those seen against other major companies internationally and is regrettably extremely difficult to anticipate," he added.
The company emphasised that the "integrity and security of [customer] data has not, in any way, been compromised" by the attack. WorldPay says the outage is nothing to do with a recent upgrade, during which its systems were moved from Cambridge to Edinburgh, that took place days before the assault began.
Anatomy of an attack
WorldPay's services allow online retailers to accept online payments via credit and debit cards and are thus integral to the operation of the many ecommerce sites that use its facilities. The assault has been a serious disruption to their businesses.
The issue has not gone unnoticed by WorldPay's rivals, with Netbank among other attempting to poach WorldPay customers during the period of the attack by offering "emergency services" to allow e-tailers to continue to trade online.
Meanwhile the source of the "massive and orchestrated attack" against WorldPay's systems last week remains unknown, however security experts agreed on the probable mechanism of the assault.
David Williamson, director of sales for the UK and Ireland for security firm Ubizen, and an expert on computer forensics, said hackers probably used a network of compromised hosts to launch the assault.
Trojan infiltration tools like Stacheldraht (German for "barbed wire") and Trin00 used in the infamous DDoS attacks against Yahoo, Excite and eBay three years ago are still potent attack weapons, according to Williamson. A network of zombie hosts in educational institutions, for example, would allow crackers to remotely launch the WorldPay assault, he speculated.
Williamson said turning off the attack, which can hit a victim from many dozens or even hundreds of directions at once, can be difficult.
"You can mitigate the attack at service provider level. Peering arrangements and clever network design can also minimise disruption but these kind of attacks remain difficult to defend against," Williamson told El Reg.
Neil Barrett, technical director at security consultancy Information Risk Management (IRM), said that while a simple DDoS attack is relatively straightforward to block some tools allow hackers to launch 'mutating attacks' against targeted systems.
"With a simple DDoS attack, systems can be reconfigured to reject that type of attack. But with a mutating attack the assault can be varied by a hacker. By running through a spectrum of attacks you can keep a site locked down for some time," said Barrett.
WorldPay has approximately 28,000 clients worldwide, including major concerns such as Vodafone and Sony Music Entertainment and many smaller online retailers, such as CashnCarrion, The Register's online store.
Worldpay claims 40 per cent of small and medium online retailers in Britain use its service. Around 70 per cent of its business is in the UK and Europe. ®
WorldPay fights 'massive, orchestrated' attack
WorldPay floored by malicious attack
Canadian Feds charge Mafiaboy in DDoS attacks
Trojan turns victims into DDoS, spam zombies
Second-generation DDoS tools now easily detected