You can't Performance test without Security testing

As shown by the outage of the Australian Census 2016 website last night, Performance testing on its own is not sufficient to protect yourself against hackers using Denial of Service (DOS) techniques to take your website down.

What happened to the Census Site?

According to reports from the ABS, it seems they suffered four distinct DOS attacks from overseas hackers. The method by which they were able to do this was not described, but all DOS attacks share one common mode of attack - they all aim to 'consume' or 'block' one shared resource in the technology stack used to implement a website, causing a demand backlog and effectively taking the website off-air. Given they suffered 3 attacks before they suffered the attack that took them down, I think the first 3 attacks were 'probes' to find weaknesses in the technology of the site, the 4th attack making use of such findings to devastating impact.

Such DOS attacks can cause an overload in various parts of the technology stack:

  • Front End - requesting resources off the server(s) to the point of 'hogging' all the web serving processes, in effect a busy wait.
  • Middle Ware - repeatedly invoking a complex equation or function that consumes shared resources until they block, a sort of dining philosophers problem by proxy.
  • Back End - usually manifests by causing a landslide of queries against a database or web based service, hogging the service to such an extent that it stops working.
  • Network - it is possible for the Hacker to specifically attack the network infrastructure in which the website is based, but this is rather an extensive form of attack; it's usually easier to go after a specific performance weakness in the website itself.

So why won't Performance Testing stop this?

Performance testing on its own will not protect against this; that is pretty much guaranteed. The assumption with Performance testing is that people will not go out of their way to 'break' the service, and hence it only tests 'valid' traffic loads that are progressively increased to a required benchmark of loading.

Hacker traffic loads are completely different to Performance Testing loads. Hackers are lazy: they will try to avoid needing to consume vast tracts of servers to bring your site down and will instead profile it, working out which specific requests to your website consume the most resources, then hit you purely with those expensive requests. Such traffic is not typical of Performance Testing traffic.
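The gap between a load-test mix and a cost-weighted view of the same traffic can be checked from the defender's side. The following is an added example, not part of the original article: it takes timing records from a load-test run and flags endpoints that are expensive per request yet barely represented in the tested mix. The endpoint names, timings and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (endpoint, server time in ms) records from a load-test run.
# Endpoint names and timings are hypothetical.
SAMPLE_LOG = (
    [("/home", 12)] * 600
    + [("/form/page", 40)] * 300
    + [("/form/submit", 90)] * 95
    + [("/address/search", 1800)] * 5
)

def cost_profile(records):
    """Per-endpoint request share, mean cost and cost relative to the mix average."""
    count = defaultdict(int)
    total_ms = defaultdict(int)
    for endpoint, ms in records:
        count[endpoint] += 1
        total_ms[endpoint] += ms
    n = len(records)
    mix_mean = sum(total_ms.values()) / n  # mean cost of a request in the tested mix
    profile = {}
    for endpoint in count:
        mean_ms = total_ms[endpoint] / count[endpoint]
        profile[endpoint] = {
            "share": count[endpoint] / n,
            "mean_ms": mean_ms,
            "relative_cost": mean_ms / mix_mean,
        }
    return profile

def undertested_hotspots(records, min_relative_cost=5.0, max_share=0.05):
    """Endpoints that are expensive per request but rare in the tested mix."""
    profile = cost_profile(records)
    return sorted(
        e for e, p in profile.items()
        if p["relative_cost"] >= min_relative_cost and p["share"] <= max_share
    )

def capacity_if_only(records, endpoint):
    """Fraction of the tested request rate the same server time could sustain
    if every request were `endpoint` (mix mean cost / endpoint mean cost)."""
    return 1.0 / cost_profile(records)[endpoint]["relative_cost"]

if __name__ == "__main__":
    for e in undertested_hotspots(SAMPLE_LOG):
        print(e, f"{capacity_if_only(SAMPLE_LOG, e):.1%} of tested rate")
```

Endpoints flagged this way are the candidates for caching, per-client rate limits or query limits, and for a dedicated load scenario in the next test run.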

Also, the skills required to do such a DOS attack are not typically found in those operating Performance Testing; rather, you need a different mental insight into systems and data flows to discover exactly what will 'trip up' a system and cause a cascading overload event. Most Performance Testing is done using established tools and methodologies, whereas DOS is initially done by direct examination, after which tools are combined to exercise the weaknesses found. Sometimes, if a site is particularly vulnerable, automated analysis and exploit tools can be applied.

So what is the answer?

The answer is simple, engage someone like me (a system Architect) who has direct experience dealing with large scale online systems and a background in online security. It might be some little tweaks are needed in your system to remove or protect the resource load 'sweet spots', it is rare a full redesign is required, but the earlier someone like me gets involved the less the cost of implementing the required changes.

I would also recommend you engage dedicated security testing independently of the Performance testing undertaken to ensure proper coverage. I can advise you on who to engage for this function.
