Retailers: It’s Time to Prepare for Your Holiday Outages

By Chris Wraight

As retailers ramp up their planning for the 2019 holiday season, they need to prepare for a number of factors that can negatively impact website performance. It’s not enough to simply ensure there's sufficient network capacity for the traffic they're forecasting.

First and foremost is security, and preventing the debilitating performance problems, including outages, that bot (robot) attacks can inflict on a website. Akamai’s recent report, Retail Attacks and API Traffic, found that bots can represent up to 60 percent of overall web traffic, but less than half of them are actually declared as bots — making tracking and blocking difficult. This dilemma is compounded by the fact that not all bots are malicious. Retailers welcome certain bots, such as those directed by search engines or price aggregators. This is the crux of the challenge facing retailers: How do you distinguish good bots from bad bots without diminishing the user experience?

Akamai's research spotlighted retail as the top industry targeted by credential stuffing, an attack method that attempts login using stolen credentials, on the belief that end users have the same login and password for multiple sites. Out of nearly 28 billion credential stuffing attacks, retail tallied approximately 10 billion alone. Put another way, that’s a staggering 115 million attempts to compromise or log in to retail user accounts every day. This sheer volume presents an immense challenge to retailers with limited in-house staff or expertise.

Other attack types, including DDoS, are plaguing retailers’ websites. These attacks all have the potential to diminish a website’s performance to unacceptable levels (or even cripple it). To prevent outages caused by these attacks, retailers first should accurately distinguish between good bots and bad. Their security staff must constantly study attack vectors, and they must be prepared to quickly reroute traffic should a debilitating attack occur.

Retailers should be cognizant, however, that their view of internet traffic is typically restricted to their network/web server, a very small percentage of the internet. In order to comprehensively examine sufficient traffic for a holistic view of an attack posture, they should partner with a provider that offers these capabilities and insight.

Beefing up retailer protection against bot attacks such as credential stuffing and DDoS is harder than it sounds. While many retailers have very capable in-house security staff, their window on the internet is very small compared to that of a partner that “sees” much higher volume and variety of traffic.

A second factor affecting website performance is traffic generated by APIs when one application makes a request to another application or service. Retailers must be sure that the performance of the third-party applications driving the API traffic doesn't contribute to user frustration. A payment/shopping application is a good example. A retailer’s website page might perform well, but when shoppers attempt to check out, the system responsiveness drops to zero due to performance problems with the third party. At this point, shoppers will probably abandon the site in favor of a competitor’s website, probably to never return.

In addition, API traffic slows retailer websites, which also leads to user abandonment. According to the Akamai report, API traffic grew from 47 percent of all traffic in 2014 to 83 percent in 2018. It's not unusual for some web applications to be inundated with millions of API calls in a day. Retailers should implement a system that governs these third-party applications via API management, maximizing scalability and reliability in order to avoid system meltdowns.

It's logical to think that the way to prevent web outages is to crank up bandwidth. In reality, there are many other issues that can cause web performance problems for retailers. Certain security attacks are designed to interfere with how websites operate, and the inherent way web applications work — while creating convenience — can inject operational hiccups. For retailers, a holistic view of these and other potential challenges, along with bandwidth capacity management, will aid in ensuring a consistent exceptional online shopping experience.

Chris Wraight is director of industry marketing at Akamai Technologies, a globally distributed intelligent edge platform.