Amazon victim of DDoS attack of its own making

The renowned Amazon marketing machine was in high gear.  The promotions started more than a week before the event: Amazon, the world’s biggest e-commerce site, was launching its annual Prime Day on July 16, with 30 hours of deals online.  And then, at noon eastern time on Monday, as Prime members sat down at their computers and tried to shop, the site failed. You just gotta hate it when that happens. Shoppers were redirected to pictures of dogs, with captions like “Sorry. Something went wrong on our end. Please go back and try again.” The hashtags #PrimeDayFail and #DogsOfAmazon started trending on Twitter.

Amazon failed to secure enough servers to handle the traffic surge on Prime Day, causing it to launch a scaled-down backup front page and temporarily kill off all international traffic, according to internal Amazon documents reported by CNBC. And that took place within 15 minutes of the start of Prime Day — one of Amazon’s biggest sales days every year.

Some experts estimate that the outage potentially resulted in ~$75 million in lost sales and was comparable to a self-invited DDoS.

Emphasising how this self-inflicted DDoS attack illustrates the potential impact of the real thing on e-commerce sites, Sean Newman, Director of Product Management, Corero Network Security, said:

“Although Amazon appears to have been a DDoS victim of its own making, this just goes to show how even an organization with such immense resources can still be vulnerable to denial of service attacks. And, when you look at the estimated potential financial impact of this, it’s not difficult to understand why organizations which rely on delivering online services cannot afford to be vulnerable to DDoS attacks. Plus, there are two sides to risking such obvious and significant financial impact: firstly, if you get attacked, there’s the direct impact but, secondly, you lay yourself open to DDoS for Ransom.

With such significant, and easily calculable, revenue at risk for every minute of downtime, a potential DDoS attacker can readily size a ransom demand which is way less than the sum at risk but still presents a healthy return for the cyber-criminal, should an organization feel the need to pay up, to keep the business online. Of course, the alternative is to deploy the latest generation of real-time, automatic DDoS protection and know you can safely ignore any such demands.”

In a statement to CNNMoney, Amazon said, “Some customers are having difficulty shopping, and we’re working to resolve this issue quickly. Many are shopping successfully — in the first hour of Prime Day in the U.S., customers have ordered more items compared to the first hour last year. There are hundreds of thousands of deals to come and more than 34 hours to shop Prime Day.”

CNN Tech reported that calls to Amazon’s customer service number were answered with an automated message saying, “We’ve heard some customers are having trouble with our website right now. We’re very sorry and we expect to have the website fully functioning again soon.”

Today Amazon is reporting that Prime Day 2018 is “the biggest global shopping event in Amazon history.”  You might then say, no harm, no foul and wonder what the sales results might have been without this snafu.  The top sellers for Prime Day 2018 are, as you might expect, Fire TV Stick with Alexa Voice Remote and Echo Dot.

Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine