When a “magic number” was found to crash Java and PHP applications earlier this year, payment services provider Qvalent knew it was only a matter of time before it turned up in DDoS attacks.
The bug caused systems to hang when an application attempted to convert 2.2250738585072012e-308 to a binary floating-point number.
According to Qvalent network administrator Mark Wallis, it was precisely the type of vulnerability that was likely to turn up in browser malware and distributed denial of service (DDoS) attacks.
Oracle issued patches for the Java bug last week, but Qvalent – which developed and hosted online credit card payment systems for parent company Westpac and its customers – prepared for an attack right away.
It set up existing load balancers from security vendor F5 to act as an “intermediary” that would block any transactions that contained the so-called “magic number”.
The mitigation strategy remained in place for “a few days”, while Qvalent tested and certified Oracle’s Java patch.
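The article does not show how Qvalent's intermediary recognised the magic number, so the following is an added illustration rather than Qvalent's or F5's configuration. It screens request text the way such an intermediary would, and goes one step beyond a plain string match: every numeric token is evaluated as an exact decimal, so spellings of the same value (trailing zeros, a shifted decimal point with a compensating exponent, percent-encoded form data) are caught as well as the literal "2.2250738585072012e-308". The function names, the choice to block the value with either sign, and the sample request strings are assumptions made for the example.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import unquote_plus

# The value named in the article, held as an exact decimal so the comparison
# never depends on the host's own binary floating-point parser.
MAGIC = Decimal("2.2250738585072012e-308")

# Decimal floating-point literal: optional sign, digits with optional fraction
# (or a bare fraction), optional exponent.
FLOAT_RE = re.compile(r"[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?")


def find_magic_tokens(text: str) -> list:
    """Return every numeric token in text whose exact value equals MAGIC.

    Form bodies and query strings are percent-decoded first so that an
    encoded sign (e.g. %2D for '-') does not hide the token.  Blocking the
    value regardless of sign is a conservative choice made for this example.
    """
    hits = []
    for match in FLOAT_RE.finditer(unquote_plus(text)):
        token = match.group(0)
        try:
            value = Decimal(token)  # exact; no rounding to 53 bits
        except InvalidOperation:
            continue
        if value.copy_abs() == MAGIC:
            hits.append(token)
    return hits


def should_block(text: str) -> bool:
    """Decision a screening intermediary would make for one request payload."""
    return bool(find_magic_tokens(text))


if __name__ == "__main__":
    # Constructed sample payloads: the first three are different spellings of
    # the same value, the last two are ordinary transactions.
    for payload in (
        "amount=2.2250738585072012e-308&currency=AUD",
        "amount=2.22507385850720120e-308",
        "amount=22250738585072012e-324",
        "amount=19.99&currency=AUD",
        "amount=2.2250738585072013e-308",
    ):
        print("BLOCK" if should_block(payload) else "allow", payload)
```

Exact decimal comparison is what makes the filter robust: the application's parser hangs on the value, not on one particular string, so a screen that only matches the canonical spelling can be walked around by anyone who appends a zero. Any decision logic that screens a value instead of a string should pay the same attention to percent-encoding and sign.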
“What we were betting on with this issue, was that it was the type of thing that would turn up in a worm, web browser, DDoS attacks,” Wallis said.
“We needed to have something up now.”
Security was Qvalent’s greatest concern, Wallis said, noting that the company had undergone four PCI-DSS audits in the past five years.
Five of its 50 staff were dedicated to security and PCI compliance, he said, praising the standard as “a fantastic place to start”.
Disaster recovery and resilience were also concerns, with the company committed to replacing its 200 HP servers every two years to keep up to date and maintain warranties.
When Qvalent introduced the load balancers in 2005, it claimed to have retired a total of ten servers from its Newcastle software development house and HP data centres in Olympic Park and Sydney’s north shore.