Practically every modern retailer has an online presence where their products and services can be purchased by new and returning customers. The average consumer practically expects it, and they often want the shopping experience to be smooth, easy and secure.
Whether you’re just now beginning to expand your online retail presence, or have a more established site that you want to increase conversions on, view this presentation to learn the following:
- Common pitfalls and shortcomings in many online retail sites
- Guidance on protecting your site against fraudulent attacks
- Tips to increase your site reliability and performance
- How Cloudflare can help you
3. Cloudflare at a glance
- 2010: launched at TechCrunch Disrupt
- 700+ employees and counting
- 9 offices: San Francisco // London // Singapore // Austin // Miami // Washington D.C. // Champaign // Boston // New York
4. The Cloudflare Advantage: Integrated Performance, Security, and Reliability
- Scale: 9.5 M domains and routing traffic for 2.5; 150+ data centers with 15 Tbps capacity; 10% of HTTP Internet traffic and 38% of all DNS queries
- Integrated stack: global anycast data center network, China network, WAF/Firewall, DDoS, content optimization, load balancing, rate limiting, DNS, Argo, Workers, latest web standards, TLS, Spectrum, Mobile SDK, Access, CDN, Stream
- Easy fine-grained control
6. eCommerce News Events
- Amazon: $90 million lost in a concentrated 75-minute outage
- Adidas: millions of contact information records, usernames and encrypted passwords leaked
- Macy's: personal information and credit card information potentially exposed to a third party
8. Factors increasing exposure to security risks
- Greater scrutiny by government and media around data, privacy and security
- Greater attack surface area from more public APIs, moving to the cloud, and increasing third-party integrations
- Stronger and more sophisticated attackers
9. Customers' Security Threats
- DDoS attack: attack traffic impacts availability or performance
- Vulnerable applications and APIs: multi-vector attacks that exploit vulnerabilities
10. Types of DDoS Attack Traffic
- Volumetric DNS flood: bots flood the DNS server with queries
- Amplification (Layer 3 & 4): bots bounce requests off DNS servers so that amplified responses land on the target server
- HTTP flood (Layer 7): bots flood the application, typically the login page
All of these degrade the availability and performance of applications, websites, and APIs.
11. Application and API Vulnerabilities
- (1) DNS spoofing: visitors are sent to a fake website
- (2) Data snooping: data is intercepted in transit
- (3) Malicious payload, e.g. SQLi that exfiltrates PII and credentials
- (4) Brute force by attacker-controlled bots
13. Customers' Performance Challenges
- Unavailable applications: overloaded or unavailable infrastructure stops users from accessing applications
- Slow Internet applications and APIs: heavy pages and long distances from the origin slow down Internet applications and APIs
- Slow mobile sites and apps: mobile clients introduce performance and content delivery constraints that hurt user experience
14. Slow Web Pages, Applications, and APIs
- Business, customers, and users are more globally distributed, requiring content to travel longer distances to and from the origin
- Heavier pages from more and bigger assets like images and JavaScript take longer to load
- More interactivity and personalization require more trips to the origin
15. Slow Mobile Sites and Apps
- Mobile devices have limited compute, memory and power, which slows down processing of content like images or client-side code
- Mobile apps use APIs, which increase calls to the origin
- Mobile devices have slower and more erratic networks, which hurts throughput
16. Overloaded or Unavailable Infrastructure
- Applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages, which prevent user access
- Traffic, both expected and unexpected, exceeds the capacity of the origin server or data center, making them unavailable or less performant
- Manual disaster recovery and in-house load balancing (primary/failover) expose applications to downtime while increasing maintenance and operational costs
18. Security Best Practices
- Multi-layer protection: deploy rate limiting on Cloudflare and build it into our software. Never rely on a single point of protection.
- Network-access based: lock down systems to particular networks using Cloudflare URL lockdown rules, and only provide access to what is needed (the principle of least privilege).
- HTTPS everywhere: ensure that all customer-facing systems communicate over HTTPS at the application level.
- Web App Firewall: WAF enabled on all of our sites. We're a common target for scraping since we advertise prices on our sites, so we utilise the WAF not only for protection but also to stop fake bots from scraping our sites.
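The "build rate limiting into our software" and "lock down sensitive paths to particular networks" practices on this slide, shown as an added example in plain JavaScript (Node, no dependencies). This is not code from the slides or from Cloudflare and does not use Cloudflare's API; it is the in-application layer that sits behind an edge layer so that neither is a single point of protection. The limit, window, path prefixes and CIDR ranges are constructed placeholders, not any real site's settings.

```javascript
// Added example: an in-application layer of "multi-layer protection".
//  1. SlidingWindowLimiter: a per-client sliding-window rate limiter, so a
//     flood or a credential-guessing loop is throttled even if the edge layer
//     is bypassed.
//  2. lockdownAllows: a URL lockdown check that lets only allow-listed source
//     networks reach sensitive paths (least privilege).
// All limits, paths and CIDR ranges below are constructed placeholders.

class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of recent requests
  }

  // Record one request from `key` at time `now`; returns whether it is allowed,
  // how much budget remains, and how long a blocked client should wait.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// IPv4 helpers: dotted quad -> unsigned 32-bit integer, and CIDR membership.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Lockdown rules (constructed): sensitive path prefix -> allow-listed networks.
const LOCKDOWN_RULES = [
  { prefix: '/admin', allow: ['10.0.0.0/8', '203.0.113.0/24'] },
  { prefix: '/internal-api', allow: ['10.0.0.0/8'] },
];

function lockdownAllows(path, clientIp, rules = LOCKDOWN_RULES) {
  const rule = rules.find((r) => path === r.prefix || path.startsWith(r.prefix + '/'));
  if (!rule) return true; // not a locked-down path
  return rule.allow.some((cidr) => inCidr(clientIp, cidr));
}

// One request through both layers. The cheap network check runs first; the
// limiter is keyed per client IP so one noisy source cannot spend another's
// budget. `limiter` is injectable so callers can supply their own instance.
const loginLimiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60000 });

function handleRequest({ path, clientIp, now = Date.now() }, limiter = loginLimiter) {
  if (!lockdownAllows(path, clientIp)) {
    return { status: 403, reason: 'source network not allow-listed' };
  }
  if (path === '/login') {
    const r = limiter.check(clientIp, now);
    if (!r.allowed) {
      return { status: 429, reason: 'rate limited', retryAfterMs: r.retryAfterMs };
    }
  }
  return { status: 200, reason: 'ok' };
}

// Constructed traffic: six login attempts within one minute from one address,
// then an admin path reached from an unlisted and from a listed network.
function demo() {
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60000 });
  const out = [];
  for (let i = 0; i < 6; i++) {
    out.push(handleRequest({ path: '/login', clientIp: '198.51.100.7', now: i * 1000 }, limiter).status);
  }
  out.push(handleRequest({ path: '/admin/orders', clientIp: '198.51.100.7', now: 0 }, limiter).status);
  out.push(handleRequest({ path: '/admin/orders', clientIp: '10.4.5.6', now: 0 }, limiter).status);
  return out; // [200, 200, 200, 200, 200, 429, 403, 200]
}

console.log(demo());
```

The limiter state here lives in process memory, which is enough for a single instance; behind a load balancer the same map has to move to a shared store (or the edge layer's own limiter) or each instance will grant the full budget separately. The lockdown check returns true for unlisted paths on purpose: the allow list applies only where a rule exists, which is what keeps the list short enough to maintain.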
19. Performance Best Practices
- Cache everything: with Cloudflare we specify what we don't want to cache; any new pages added to our site get cached by default.
- Minification: we minify all of our content using Cloudflare Auto Minify. This improves customer download times on mobile and reduces our bandwidth costs as well.
- Smart routing and tiered caching: the cost of network latency can often be overlooked, and it's important that the customer receives the fastest route to our sites. A 50 millisecond win through smart routing is a win that applies to all of your requests.
- Async script loading: JavaScript can be deferred and loaded asynchronously (in parallel with each other). We currently utilise Cloudflare Rocket Loader on 50% of our sites to achieve this technique without having to make changes to our underlying code.
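The "cache everything, list only what you do not cache" policy on this slide, together with the check that has to travel with it: a customer-specific response must never be stored in a shared cache, or one shopper's cart or account page is served to the next. The following is an added example in plain JavaScript (Node, no dependencies); it is not code from the slides or from Cloudflare and does not use Cloudflare's configuration or API. The bypass prefixes, TTLs, header names and the sample origin and exchanges are constructed for the example.

```javascript
// Added example: a default-cache policy with an explicit bypass list, plus the
// defence-in-depth checks a shared cache needs: an Authorization header on the
// request, a Set-Cookie or private/no-store marking on the response, and
// non-200 or non-GET exchanges are all "do not store". Everything else is
// cached by default. All paths, TTLs and sample data are constructed.

const BYPASS_PREFIXES = ['/cart', '/checkout', '/account', '/api/me'];
const STATIC_TTL = 86400; // seconds, for versioned assets
const PAGE_TTL = 300;     // seconds, for catalog pages that change slowly

function lowerKeys(headers = {}) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

function isBypassPath(path) {
  return BYPASS_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Decide how a (request, response) pair may be cached. Returns
// { store, reason, cacheControl }; cacheControl is the header value to emit.
function cachePolicy(req, resp) {
  const reqH = lowerKeys(req.headers);
  const respH = lowerKeys(resp.headers);
  const noStore = (reason) => ({ store: false, reason, cacheControl: 'private, no-store' });

  if (req.method !== 'GET' && req.method !== 'HEAD') return noStore('method is not GET/HEAD');
  if (isBypassPath(req.path)) return noStore('path is on the bypass list');
  if (reqH.authorization) return noStore('request carries an Authorization header');
  if (respH['set-cookie']) return noStore('response sets a cookie');
  if (/\b(private|no-store)\b/i.test(respH['cache-control'] || '')) return noStore('origin marked it private');
  if (resp.status !== 200) return noStore(`status ${resp.status}`);

  const ttl = /\.(css|js|png|jpe?g|gif|svg|woff2?)$/i.test(req.path) ? STATIC_TTL : PAGE_TTL;
  return { store: true, reason: 'default: cache everything else', cacheControl: `public, max-age=${ttl}` };
}

// A minimal shared ("edge") cache keyed on method and URL that obeys the policy.
class SharedCache {
  constructor() { this.entries = new Map(); }

  // Returns { hit, body, decision }; stores the response only when allowed.
  fetch(req, origin, now = 0) {
    const key = `${req.method} ${req.path}`;
    const cached = this.entries.get(key);
    if (cached && cached.expires > now) return { hit: true, body: cached.body, decision: cached.decision };
    const resp = origin(req);
    const decision = cachePolicy(req, resp);
    if (decision.store) {
      const ttl = Number(decision.cacheControl.match(/max-age=(\d+)/)[1]);
      this.entries.set(key, { body: resp.body, expires: now + ttl * 1000, decision });
    }
    return { hit: false, body: resp.body, decision };
  }
}

// Constructed origin: catalog pages are the same for everyone; account and
// wishlist pages are personalised, and the origin marks them private itself,
// so a path missing from the bypass list is still never shared.
function sampleOrigin(req) {
  const user = (lowerKeys(req.headers).cookie || '').replace(/^.*session=/, '');
  if (req.path.startsWith('/account') || req.path.startsWith('/wishlist')) {
    return { status: 200, headers: { 'Cache-Control': 'private, no-store' }, body: `${req.path} for ${user}` };
  }
  return { status: 200, headers: { 'Content-Type': 'text/html' }, body: `catalog page ${req.path}` };
}

// Two shoppers load the same catalog page (second served from cache), then
// their own account pages (never shared). Returns the four outcomes in order.
function demo() {
  const cache = new SharedCache();
  const get = (path, user) => ({ method: 'GET', path, headers: { Cookie: `session=${user}` } });
  const results = [
    cache.fetch(get('/products/shoes', 'alice'), sampleOrigin, 0),
    cache.fetch(get('/products/shoes', 'bob'), sampleOrigin, 1000),
    cache.fetch(get('/account', 'alice'), sampleOrigin, 2000),
    cache.fetch(get('/account', 'bob'), sampleOrigin, 3000),
  ];
  return results.map((r) => `${r.hit ? 'HIT' : 'MISS'} ${r.body}`);
}

console.log(demo());
```

Note that a session cookie on the request does not by itself prevent caching here, so logged-in shoppers still get the cached catalog; the price is that the bypass list and the origin's own `private` marking are the only things keeping personalised pages out of the cache. A stricter variant bypasses the cache whenever a session cookie is present, which is safer for a site that cannot audit every personalised path but gives up most of the cache benefit for returning customers.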
20. Customer Case Study: de Bijenkorf (www.cloudflare.com/case-studies/debijenkorf/)
de Bijenkorf is a luxury department store based in the Netherlands dedicated to surprising its customers with exceptional products through an inspiring and unique customer experience.
CHALLENGES
• Protection against DDoS attacks
• Maintain performance
CLOUDFLARE SOLUTION
• Automatic DDoS mitigation for layer 3 & 4 attacks
• Global CDN
KEY RESULT
• Peace of mind with a protected, secured app
• Prevents significant, six-figure revenue loss
"We were really excited about a single vendor solution with easy setup, easy use, maximum protection, and a very friendly team."
Christiaan Mourik, Head of Technology
21. Customer Case Study: Lenskart (www.cloudflare.com/case-studies/lenskart/)
Lenskart has sprinted to be India's fastest growing eyewear business.
"Cloudflare's Web Application Firewall blocks over 30,000 threats from hitting our website every month," Barat noted. "We process sensitive customer data, so having Cloudflare as an extra layer of protection to prevent exfiltration of that data brings us peace of mind. Plus, with Cloudflare's DDoS mitigation we know our site won't experience costly downtime."
Nirbhab Barat
CHALLENGES
• Protecting customer data
• Rapid growth meant high notoriety for attack
CLOUDFLARE SOLUTION
• CDN
• WAF
KEY RESULTS
• Sensitive data protected with 30,000 WAF blocks per month
• 72% (8Tb) bandwidth savings with CDN
• DDoS mitigation
22. Customer Case Study: Touch of Modern (www.cloudflare.com/case-studies/touch-of-modern)
Touch of Modern is a curated commerce destination for the modern man. "We discover the most interesting products in the world," explained Steven Ou, CTO of Touch of Modern, "and make them available to you at unbeatable prices."
CHALLENGES
• "We save customer credit cards for reuse, which provides a more convenient shopping experience, but if a customer account got breached, it could result in unauthorized credit card charges, which would be a nightmare for both us and our customers."
CLOUDFLARE SOLUTION
• Global CDN with 150+ data centers
• Argo Smart Routing
• WAF
KEY RESULTS
• Sensitive customer data protected
• Estimated 5% increase in conversion with a faster website
• 27% faster web presence with Argo Smart Routing
"Cloudflare helps keep us online, provides a faster site experience to our end users, and protects our customers' sensitive information."
Steven Ou, CTO
23. Customer Case Study: NatureBox (www.cloudflare.com/case-studies/naturebox/)
NatureBox is a leading packaged food provider offering their products through their online store and leading grocers.
"We use Cloudflare . . . to cache all of our non-customer-specific data, including the entirety of our product catalog, inventory, etc. so that we can deliver those responses to the customer as fast as possible."
Shawn Zeller, Principal Architect
CHALLENGES
• "Having a quick website is very integral to us being able to sell a product online."
• "One of our main API requests for our catalog data was taking on average 20 seconds"
CLOUDFLARE SOLUTION
• CDN
• DNS
• Application Security
KEY RESULTS
• Completely edge-cached response to ~35 ms response time (17x improvement)
• Single vendor for every solution (DNS, CDN, Security)
Founded in 2010, we have over 700 employees who speak over 41 different languages.
We're headquartered in San Francisco and have offices in New York, London and Singapore, as well as regional offices in 4 other cities.
From a growth perspective, we have a very strong balance sheet and are continually reinvesting into our products, people, network and research and development.
https://jira.cfops.it/browse/MRK-5212#
Talk Track
Cloudflare leads other performance and security providers in addressing each of the three major requirements:
Cloudflare works at a global scale with an anycast network of 120+ global data centers serving 10% of all HTTP internet traffic and 38% of all DNS queries to over 2.5 billion visitors on behalf of our 7 million customers.
Every Cloudflare data center supports every Cloudflare security and performance product including: dynamic routing, caching, DDoS mitigation, SSL termination, DNS, WAF and more.
Even the largest of Cloudflare customers can onboard in under 5 minutes. Cloudflare's easy-to-use dashboard, API, and included support make initial configuration and any required changes simple to complete.
Talk Track:
Three factors are leading many of our customers to experience a growing exposure to security threats:
Greater attack surface results from three common trends:
- Applications publishing more public APIs
- Companies moving more applications, including production-level workloads, to the cloud
- Increasing third-party integrations
Attackers are stronger. Here are three ways:
- Greater volume and greater distribution, including IoT devices as sources
- Greater motivation through the success of holding companies for ransom
- Shifting to harder-to-detect and harder-to-block "application" layer attacks
A greater attack surface area along with stronger attackers would, alone, be a big concern. But at the same time, there is greater scrutiny for security incidents:
- Governments are applying greater scrutiny over privacy and data issues
- Media reports of breaches and cybersecurity incidents have increased
- Individual consumers are more educated and aware thanks to high-profile reporting (a combination of #1 and #2)
Questions:
Do any of these actually sound familiar for your business?
Do you believe your exposure is decreasing, increasing or is the same? In what ways?
Background Reading - you can build this into your talk track:
Companies are facing increased pressure to strengthen their security posture. Three forces contributing to the pressure are:
- Attack surface area increases from applications exposing more public APIs, the increase in SaaS adoption, and the integration with more third-party applications
- Attackers are stronger, more sophisticated, and highly motivated
- Heightened public and government scrutiny of data, privacy, and security
Attackers are increasing their frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices online, they are able to wage highly distributed volumetric attacks with greater ease and impact.
In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application-layer or "Layer 7" attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact.
Attackers are able to monetize their attempts to bring down sites or steal sensitive data, for example by holding sites for ransom. As a result of successful ransom payouts by their enterprise targets, attackers are more motivated, organized and pervasive.
Talk Track:
In light of this growing exposure to security risks, what are those primary threats you may encounter?
We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting:
- Site is unavailable because of a denial of service attack
- Customer data is compromised (e.g. breached or stolen)
- Increasingly, abusive bot activity
For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like.
Questions:
Which, if any, of these are most important for you?
For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why?
If there was a pre-call…”I know you shared initial concerns about DDoS, what about data compromise?”
Talk Track:
This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team, as well.
The important take-away is that these attacks are layered.
In other words, a DDoS can attack different parts of your infrastructure.
- Volumetric DNS flood: volumetric DNS queries against your DNS servers to make the DNS server unavailable
- Amplification: using a DNS server to amplify requests and overload your server over UDP
- HTTP flood: volumetric HTTP attack to bring down the application
All of those attacks impact the availability and performance of websites, applications and APIs.
Questions:
This is often a good, in-depth slide to share with broader audience, for example if you have a security or infrastructure team. Would you be interested in that?
Which have you experienced in the past, if any? How did you respond to them if you did?
Talk Track:
When it comes to compromise of sensitive customer data, you may be most familiar with malware.
While that's a very visible form of attack right now, we should consider that there are other common, if less media-hyped, forms of customer data theft.
The take-away for this slide is that attackers can take advantage of different vulnerabilities.
DNS Spoofing: visitors are directed to a fake site instead of your site
A compromised DNS record, or "poisoned cache," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials and then take over legitimate accounts.
Data Snooping: sensitive data like visitor’s credentials or credit cards are snooped over the wire
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit card numbers.
Brute Force: attackers are repeatedly trying credentials to take over an account
Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page.
Malicious Payload: SQL injection, cross-site scripting, or remote file inclusion that results in exfiltrated data
Malicious payloads exploit an application vulnerability. The most common forms are SQL injections, cross-site scripting, and remote file inclusions. Each of these can exfiltrate sensitive data by running malicious code on the application.
The risk is that sensitive customer data, such as credit card information, might get compromised.
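Detection logic for the brute-force threat described above, written as an added example in plain JavaScript (Node, no dependencies); it is not code from the slides or from Cloudflare, and the login-audit log format, the thresholds and every address and username in it are constructed for the example. It runs over sample log lines and raises two kinds of alert: a source address with many failures or many distinct usernames inside the window (an automated guessing or credential-stuffing loop), and a single account failing from many addresses (a distributed attempt on one account, which a per-IP limit alone does not see).

```javascript
// Added example: brute-force / credential-stuffing detection over constructed
// login-audit lines of the form
//   <ISO timestamp> ip=<addr> user=<name> result=ok|fail
// The format, thresholds, addresses and usernames are all invented here.

const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/;

// Parse one line; returns null for lines that do not match (they are skipped).
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'ok' };
}

// Look at failures inside `windowMs` ending at the latest event and return a
// list of alerts. Thresholds are constructed defaults; tune them to the site.
function detectLoginAbuse(lines, {
  windowMs = 5 * 60000, maxFailsPerIp = 5, maxUsersPerIp = 3, maxIpsPerUser = 3,
} = {}) {
  const events = lines.map(parseLine).filter(Boolean);
  if (events.length === 0) return [];
  const end = Math.max(...events.map((e) => e.ts));
  const fails = events.filter((e) => !e.ok && e.ts > end - windowMs);

  const byIp = new Map();   // ip   -> { fails, users: Set }
  const byUser = new Map(); // user -> Set of source ips
  for (const e of fails) {
    const s = byIp.get(e.ip) || { fails: 0, users: new Set() };
    s.fails += 1;
    s.users.add(e.user);
    byIp.set(e.ip, s);
    const u = byUser.get(e.user) || new Set();
    u.add(e.ip);
    byUser.set(e.user, u);
  }

  const alerts = [];
  for (const [ip, s] of byIp) {
    if (s.fails >= maxFailsPerIp || s.users.size >= maxUsersPerIp) {
      alerts.push({ kind: 'source', ip, fails: s.fails, distinctUsers: s.users.size });
    }
  }
  for (const [user, ips] of byUser) {
    if (ips.size >= maxIpsPerUser) {
      alerts.push({ kind: 'account', user, distinctIps: ips.size });
    }
  }
  return alerts;
}

// Constructed sample log: one address walking through several usernames, one
// account hit from several addresses, a normal successful login, one stale
// failure outside the window and one unparseable line.
const SAMPLE_LOG = [
  '2024-05-01T12:00:01Z ip=198.51.100.7 user=alice result=fail',
  '2024-05-01T12:00:02Z ip=198.51.100.7 user=bob result=fail',
  '2024-05-01T12:00:03Z ip=198.51.100.7 user=carol result=fail',
  '2024-05-01T12:00:04Z ip=198.51.100.7 user=dave result=fail',
  '2024-05-01T12:00:05Z ip=203.0.113.10 user=alice result=ok',
  '2024-05-01T12:00:06Z ip=192.0.2.1 user=erin result=fail',
  '2024-05-01T12:00:07Z ip=192.0.2.2 user=erin result=fail',
  '2024-05-01T12:00:08Z ip=192.0.2.3 user=erin result=fail',
  '2024-05-01T11:00:00Z ip=192.0.2.4 user=erin result=fail',
  'this line is not in the expected format',
];

console.log(detectLoginAbuse(SAMPLE_LOG));
```

The "account" alert is the one worth keeping even when a rate limiter is already in place: a slow, distributed run against one high-value account stays under every per-IP threshold, and only the per-account view of failures across sources makes it visible.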
Talk Track
As customer expectations increase, as the importance of mobile rises, and as users globalize faster, these three forces strain application performance.
The top three performance concerns resulting from these major shifts are the following:
Slow web pages, applications or APIs due to heavier “content” or longer distances to the origin
Slow mobile experiences, for both sites accessed over mobile, or native mobile apps
Unavailable applications through overloaded infrastructure, congested networks, or unexpected, hard-to-troubleshoot issues with the application itself
Let's look at some of the underlying causes of these problems:
Additional Info
Heavier pages and long distances from the origin slow down sites or applications.
Higher expectations result in heavier pages.
More global user base increases distances from the origin
Mobile clients introduce performance and content delivery constraints that hurt user experience:
Lower power and memory
Poor networks
Frequent calls to origin
Overloaded or unavailable infrastructure stops users from accessing applications
Because of richer interactions and more business transacting online, availability and disaster recovery are even more important
Questions
Which, if any, of these are most important for you?
For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why?
How geographically distributed is your customer base?
Have you run into any performance problems when trying to create richer content or more interactive experiences?
Have you seen a shift towards more mobile users? What % of customers are coming from mobile devices? Are mobile users more or less engaged than traditional users?
Have you had unplanned outages? How do you handle outages? Do you have an action plan?
Talk Track
Because users demand richer experiences, your application and website pages become heavier, for example through more complex CSS, larger images, or the ever-increasing number of JavaScript snippets, whether for business metrics or user interactivity.
The higher page size increases the amount of data that must travel over the networks.
As dynamic content to support personalization and interactivity grows, the number of connections or trips to the origin also increases.
For example, an interaction which needs to fetch profile information, or to process inputs from the user around purchase preferences, raises the amount of personalization and interactivity, and, therefore trips to the origin and connections.
Each additional trip adds to latency because of the added time to make connections, as well as the greater distances to go to the origin for this dynamic content.
And as users, whether customers or internal employees, become more globally dispersed, content must travel longer distances, sometimes on less-reliable networks, which introduces even more latency.
Additional Info
Heavier pages take longer to load.
There are more assets, like images and javascript, which send more bytes
The assets, themselves, are heavier -- bigger, full-size images, more complex javascript frameworks, more tracking javascript
More assets require more requests
More interactivity and personalization requires more trips to the origin.
Content is more personalized and pulls from data-store
Interactivity sends more requests to the origin
Passive data collection back at the origin (?)
Move global, faster
Customers are further away from the origin, so content has further to travel
Global base increases numbers of customers with slower networks
Interesting Statistics
According to an article in Wired, the average size of a web page is now 2.3MB, which is larger than the famous computer game Doom was when it was first released.
"The Average Webpage Is Now the Size of the Original Doom", Klint Finley, 4.23.16, Wired
https://www.wired.com/2016/04/average-webpage-now-size-original-doom/
"Today’s average webpage, meanwhile, requires users to download about 2.3MB worth of data, according to HTTP Archive, a site that tracks website performance and the technologies they use."
Talk Track
When it comes to customer mobile experience, the same issues we just discussed for web pages, application, or APIs hurt the user experience even more.
Mobile clients add latency when decompressing and rendering images, processing client-side code, and establishing connections, because of less performant CPU, memory, and power compared to desktops.
Mobile devices often connect to spottier and lower throughput networks, which increase latency and errors
Mobile apps also typically increase the number of API calls needed, which reduces the effectiveness of caching and requires requests to travel longer distances to the origin.
Additional Info
Growth in mobile usage, traffic, and transactions compounds existing performance issues found on desktop.
Mobile clients introduce performance and content delivery constraints that hurt user experience.
Mobile devices have limited compute, memory and power which slows ability to process content like images or client-side code.
Networks are often slower and more erratic:
Mobile network operators throttle: https://opensignal.com/blog/2015/06/16/data-throttling-operators-slow-connection-speed/
Mobile networks introduce latency: https://serverfault.com/questions/387627/why-do-mobile-networks-have-high-latencies-how-can-they-be-reduced and https://en.wikipedia.org/wiki/Radio_Resource_Control
Mobile customers move from hot spot to hot spot, and tower to tower
Mobile apps designed around API requests to origin:
Users on mobile devices are often mobile, and can switch between hotspots while using applications.
The devices themselves have limited memory, CPU and power which slows down the ability to process content such as image decompression, rendering, or running client-side code, such as javascript
The networks for mobile are often spottier than wired connections. Sometimes mobile network operators throttle connection speeds, or in many countries, the network hasn’t been upgraded to accommodate faster transit.
Talk Track
The other primary problem occurs when performance degrades so badly, due to network congestion or overloaded infrastructure, that the applications stop being available to users altogether.
The common causes of unavailability include the following:
Applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages.
Traffic, both good and bad, exceeds the capacity of a specific origin server or data center, making them unavailable.
Many companies have a manual, error prone disaster recovery and in-house load-balancing, which increases risks of application failure while adding maintenance and operational costs
Talk Track
Here's a use case of a mobile app defending itself against attacks with a WAF and DDoS mitigation.