Playing defense on the Net
Mass. companies respond each time cybervandals launch their attacks on major corporate websites
On Nov. 30, only days before Internet activists shut down the websites of credit card companies Visa and MasterCard, five major online retailers faced a similar attack, timed to coincide with the start of the holiday shopping season.
The attacks against Visa and MasterCard paralyzed their company websites for hours. But even though the assault on the retail sites used similar methods, it didn’t have the same effect. The floods of illicit data were intercepted by a global network run by Akamai Technologies Inc.
Akamai is a Cambridge Internet infrastructure company, delivering massive amounts of online data for major businesses and government agencies. It is also one of many companies that defend the Internet from distributed denial of service, or DDOS, attacks, old but potent digital weapons wielded by criminals, protestors, and vandals around the world.
What was unusual about the recent attacks was that the public heard about them. Similar online data blitzes happen constantly, but they hardly ever do real damage, and even when they do, the effects are usually fleeting.
“The capabilities to stop them have significantly evolved over the last decade,” said Craig Labovitz, chief scientist at Arbor Networks Inc., a Chelmsford company that specializes in quashing DDOS attacks.
In principle, the attacks are simple. Through spam e-mails or other digital approaches, computers owned by millions of unsuspecting Internet users become infected with programs that allow the machines to be controlled remotely. Networks of infected machines, called botnets, can be ordered to send an endless flood of data requests to a particular website. If the attack works, the targeted website is overwhelmed by the huge number of botnet requests, and legitimate users can no longer access the site.
Akamai itself was victimized by a DDOS attack in 2004, and several of its customers, including Microsoft Corp. and Yahoo Inc., suffered significant disruptions. Since then, said Akamai spokesman Jeff Young, “Akamai has bulletproofed its global network, and has never experienced any further issues.”
When a DDOS storm hit five of Akamai’s retail customers on Nov. 30, the spike in traffic was spotted almost instantly at the company’s network operations center in Bangalore, India.
Akamai, which maintains about 80,000 server computers in 70 countries, immediately assigned extra servers to handle the traffic, ensuring that the retailers’ websites would not be swamped by the incoming traffic. The sites were hammered for three days, some getting 10,000 times their normal traffic, but none were knocked offline.
Akamai declined to reveal who the retailers were, but said they had been the targets of a carefully coordinated assault launched from botnets in Mexico, Thailand, Brazil, and the Philippines. Yet even Akamai engineers did not realize how extensive the attacks were, because the company’s automatic responses to the traffic surge were so effective.
“Most of them, we didn’t know they were under attack until after the fact,” said Andy Ellis, Akamai’s senior director of information security. “And neither did they.”
Akamai relied on the simplest defense: a network of servers and data lines with such huge capacity that it can’t be overwhelmed by such an attack.
“If your pipe is bigger than their pipe, you win,” said Bruce Schneier, chief security technology officer at the British telecom giant BT Group.
The biggest DDOS attack ever to hit an Akamai customer occurred on July 4, 2009, when several US government sites were attacked by a botnet based in South Korea. But that attack generated a stream of data equal to just 4 percent of Akamai’s average daily traffic load, and was easily absorbed.
The data traffic aimed at the five Internet retailers equaled less than half of 1 percent of Akamai’s daily load and was barely noticed.
Akamai’s robust network may have also helped protect Internet retailer Amazon.com from online vandalism.
A group calling itself Anonymous posted Twitter messages that took credit for bringing down the Visa and MasterCard sites, saying the attacks were revenge for the credit card companies’ refusal to do business with the website WikiLeaks, which had published secret US government documents.
Anonymous said that Amazon, which had also cut ties to WikiLeaks, would be the next target. But within hours, Anonymous dropped the idea, posting that “The Hive isn’t big enough to attack Amazon.”
Amazon is an Akamai customer, but Akamai declined to say whether it had a hand in defending the company from an Anonymous attack. Amazon also declined to comment.
Arbor in Chelmsford also often rescues businesses from DDOS attacks. Arbor’s software first surveys a site’s normal performance.
“In general, the system is building very detailed models of what the network looks like,” said Labovitz.
That makes it easy to spot unexpected data spikes, which can be analyzed in detail to see whether they are attacks or just surges in legitimate traffic, he said. If the site is under assault, the Arbor system can filter out the bad traffic while allowing legitimate data requests to get through.
Network engineers say DDOS attacks are far from the worst Internet security problem.
“The biggest, scariest threat is going to be data loss — someone getting into your system and stealing vital information,” said Beth Jones, senior threat researcher at Sophos Ltd., a security software company in Burlington.
Size is no guarantee of safety, though.
This month, the fast-food giant McDonald’s Corp. reported that customer e-mail addresses and phone numbers were stolen from company computers.
McDonald’s did not say how many customers were affected, but given that the company serves 47 million people worldwide every day, the number could be huge.
Hiawatha Bray can be reached at bray@globe.com.




