Unplanned outages cost the average data center $8851 per minute. That is an expensive minute. Given how huge that number already is, you don’t want the situation to become even more expensive because your customers don’t feel that they are in the loop. Acting quickly and getting out a careful, conscientious, and informative email to your customers can help you retain their business. In fact, it can even end up becoming a positive (although don’t count on it – as noted below).
Let’s look at the state of DDoS in 2017, the good news and the bad. Then we’ll talk about what to say to your customers if you do get hit with one.
2017: good news and bad news on DDoS
If you have fared well to this point dodging or mitigating distributed denial of service (DDoS) attacks, be aware that the climate is shifting rapidly, according to an ominous report released by financial consultancy Deloitte in January. The paper, the 2017 edition of “Technology, Media and Telecommunications Predictions,” noted that the volume of a single DDoS event grew at an average rate of 30% from 2013 through 2015. However, the tipping point for these assaults came in 2016, when two attacks surpassed 1 terabit per second (Tbps). Deloitte forecast that there would be more mega-attacks of that scope during 2017.
“Businesses of all sizes should acknowledge the growing DDoS threat and consider how best to handle attacks of these magnitudes,” Phil Everson of Deloitte UK told ComputerWorld.
Now, let’s look at today: was Deloitte correct? As it turns out, the attack last October on managed DNS provider Dyn is still the largest in history. That attack, brought about by the Mirai botnet (a massive DDoS tool made up of more than 100,000 Internet of Things devices), measured 1.2 Tbps at its peak. That is our good news: ginormous attacks have not become the standard and have not even been repeated individually to that same 2016 scale.
What’s the bad news? Analysis by various DDoS mitigation providers of distributed denial of service attacks during 2017 shows that the average attack size has increased. In other words, the headline-winning huge tidal waves of requests are not as much of a threat. However, what would be considered a typical attack is certainly continuing to get bigger this year.
4 tips to communicate with customers if a DDoS occurs
What can you do if your company experiences an attack? One of the trickiest aspects is communication. How should you talk to your customers if your site is being pummeled with thousands of garbage requests?
1.) Beware getting caught up in the “service recovery paradox.”
Before we talk about what to do, let’s talk about what not to do: try to exploit the situation and make the attack about your great response. It may sound cynical to even mention opportunism related to these events, but the service recovery paradox can lead organizations astray. This paradox describes a situation in which a company has a service outage, returns to service, and ends up with higher customer satisfaction than they had before the incident.
The evidence to back this idea? One important study came in 2006. “The art of service recovery: fact or fiction? [sic],” published in the Journal of Services Marketing, found that “effective post-recovery efforts may not only counteract bad service experiences, but may increase satisfaction beyond levels held before the service.”
While this idea may have some grounding, it is by no means accepted fact. Another study from 2008 that appeared in the Journal of Hospitality & Leisure Marketing looked at numerous different scenarios, finding that there was higher satisfaction after recovery in some situations; in the majority, customer satisfaction had not dropped significantly lower. The key takeaway from this study is the warning: while a strong recovery strategy can help you avoid a plummet in satisfaction, reported the researchers, it is not a sound plan to look at service recovery as a chance to boost your approval levels.
2.) Tailor your message
We will get into some of the pertinent details below; but as an overall issue, you don’t want to send out something that is so flat and sparse that it is devoid of pertinent information. In other words, you can’t just send out boilerplate text in these situations.
Doug Johnson of the American Bankers Association (ABA) noted that it is a good idea to include some description of the attack and what form it took (what kind of traffic was used, etc.). Also, you want to discuss what your company is doing to overcome the situation, how expensive the scenario will be, and any other impacts, said Johnson.
3.) Aim for the right balance
One key concern with cyberattacks is that you strike the appropriate balance between keeping your customers aware of the situation and not disclosing anything that could be used against you by the attackers. It is of course never worth it to give out any information that could be of particular value to the people who are trying to bring you offline – so be cautious.
You want to let your users know what is going on, though – after all, they rely on your services, and you want that relationship to continue. “[T]here’s great value in being able to ensure that your customers know what the nature of the attack is and how you’re responding to it and how they, themselves, can respond to it,” noted the ABA’s Johnson.
4.) Present information, not ornamentation.
To get a sense of what type of information is key to include within a DDoS message, or any message related to a breach or outage, we can look at the standard Information Technology Services (ITS) alert from the University of Nebraska–Lincoln. It is helpful to look at something as dry and bureaucratic as a public university academic procedure, since (as indicated above by the concern with opportunism) these steps should really be about information, not ornamentation.
The Nebraska ITS noted that a strong alert would feature three primary characteristics: it would be short, clear, and complete (not verbose, but fully stating present understanding and potential results). Nebraska’s system is actually not as dry and boring as I’ve suggested above – it presents the nitty-gritty you need to have within your notice in a catchy format, following the acronym ALERT (which can be used for planned downtime too, as noted below):
A – Note the APPLICATION and the issue. That’s the standard advice. In this case, what are the systems taken down? Mention the type of attack that is occurring – DDoS – and perhaps the type and volume of traffic.
L – Mention the LOCATION. Is the DDoS limited to certain applications? What is its scope?
E – Note the EVENT date and time. When did the DDoS start? (For planned downtime, you simply let them know when.)
R – When do you think that your system will RETURN to service?
T – Who is available to TALK with your customers? How can they get help?
The importance of prevention
As doctors are saying more and more, good health is fundamentally based on solid preventive strategies. It is true with cyberattack as well – and we can help. At KnownHost, all of our managed VPS hosting packages now include DDoS protection at no additional charge! See our VPS options.