Payment Gateway StormPay Battling Sustained DDoS Attack

Payment gateway StormPay is recovering from a distributed denial of service attack (DDoS) that has kept its web site offline for much of the past two days. The company, which provides online payment processing for thousands of e-commerce web sites, came back online Friday after a sustained attack that commenced last weekend. The DDoS on StormPay is the latest in a series of attacks on services that allow web merchants to accept credit cards.

The attacks flooded StormPay with up to 6 gigabits a second of data, according to Barrett Lyon, chief technology officer of Prolexic Technologies, which specializes in DDoS defense and is working with StormPay to mitigate the attack. Lyon said the DDoS involved DNS amplification, using bogus DNS requests to cause Internet nameservers to inundate StormPay's web site with traffic. The impact can be seen on the performance chart for StormPay.com:

StormPay site performance

A dynamically updating performance chart is available for stormpay.com. Netcraft offers a web site performance monitoring service that provides similar charts, along with e-mail alerts when an outage occurs.

StormPay has been mentioned in recent news stories after it froze the payment processing account of 12daily-Pro.com, a controversial service that pays users to view Internet ads. 12daily-pro.com is under investigation by the FBI and SEC, according to a front-page story in today's Wall Street Journal (subscription site). Many web hosting companies use Stormpay to process payments for recurring services, and its outages have been widely discussed this week on web hosting forums.

Prolexic's proxy-based defenses were effective against the attack, Lyon said. But the situation grew more complicated at midweek when the attack was expanded to StormPay's hosting providers. The stormpay.com site remained offline as Prolexic developed a defense strategy that could get StormPayback online while protecting the other providers' operations and customers. Lyon said the attacks were unusually persistent. "I haven't seen this kind of aggression in quite a while," he said.

In a DNS amplification DDoS, attackers use a botnet to send a large volume of requests to DNS servers, spoofing the target's URL as the "from" address on the request. Instead of responding to the machines in the botnet, the DNS servers send responses to the target, in this case stormpay.com. Because nameserver responses can be significantly larger than DNS requests, the attack can be amplified.

In a December advisory (PDF), the U.S cyberdefense agency US-CERT warned of an increase in DNS amplification attacks - also known as DNS recursion attacks. "These attacks are troublesome because all systems communicating over the internet need to allow DNS traffic," said US-CERT. "An organization could be used as a DNS recursion amplifier if its DNS server is misconfigured."