Why attackers can't take down Amazon.com

The organizers of an attempted Amazon takedown called off the attack less than an hour later.





NEW YORK (CNNMoney.com) -- The website-attacking group "Anonymous" tried and failed to take down Amazon.com on Thursday. The group's vengeance horde quickly found out something techies have known for years: Amazon, which has built one of the world's most invincible websites, is almost impossible to crash.

Amazon has famously massive server capacity in order to handle the December e-commerce rush. That short holiday shopping window is so critical, and so intense, that even a few minutes of downtime could cost Amazon millions.

So Amazon (AMZN, Fortune 500) has spent years creating and refining an "elastic" infrastructure, called EC2, designed to automatically scale to handle giant traffic spikes. The company has so much spare server capacity, in fact, that it runs a sideline business hosting other websites. Its customers include the New York Times, Second Life, Etsy, Playfish, the Indianapolis 500 and the Washington Post.

Until last week, WikiLeaks was one of Amazon's website-hosting customers. Amazon gave WikiLeaks the boot in the wake of the site's controversial release of a trove secret U.S. State Department documents.

That put Amazon in the crosshairs of Anonymous, a group that originated on image-board site 4chan.org, which organizes swarms to try to crash the websites of those it deems enemies. In the past, Anonymous has taken down several high-profile sites, including those of the Motion Picture Association of America and the Recording Industry Association of America.

This week, Anonymous launched takedown campaigns against organizations that have shunned the site WikiLeaks. Under the banner "Operation Payback," the Anonymous group successfully crashed Mastercard.com and strained the websites of Visa and PayPal. (Mastercard and Visa's transaction networks -- which run completely independently of their websites -- were unaffected.)

Anonymous makes its attacks not through hacking, but merely by directing a giant traffic surge to the targeted website. That's called a DDoS attack, short for distributed denial-of-service -- and it's hard for most websites to defend against. The attack itself isn't sophisticated. It's the equivalent of simply hitting the "refresh" button on a website thousands of times, which attackers use automated programs to do.

But Amazon's entire business model is built around handling intense traffic spikes. The holiday shopping season essentially is a month-long DDoS attack on Amazon's servers -- so the company has spent lavishly to fortify itself.

Anonymous quickly figured that out. Less than an hour after setting its sights on Amazon, the group's organizers called off the attempt. "We don't have enough forces," they tweeted.

Instead, they decided to go hammer PayPal's API, which seems to be holding up fine under the attack. "These attacks have at times slowed the website itself down, but have not significantly impacted payments," a PayPal representative said.

So click away, holiday shoppers. Amazon's got your back.