From free booters to $2.5m - the business of DDoS
Businesses can now expect a bill of at least $2.5 million every time they become a DDoS victim, according to new research.
DDoS attacks have come a long way from script kiddies messing around with booters, as a new report quantifies - a standard attack can now cost an organisation more than $2.5m in revenue on average.
The headline figure uncovered by researchers at Neustar is down to the results of a survey, where 43 per cent of the more than 1,000 information security professionals polled said more than $250,000 of revenue an hour was at risk, while UK retailers said DDoS attacks would usually put $100,000 to $250,000 revenue an hour at risk.
An astonishing 84 per cent of organisations polled reported that they had been targeted by DDoS attacks in the last 12 months, to boot. Least shockingly, average attack volumes have rocketed, with the number of attacks greater than 10 gigabits per second (Gbps) up 11 per cent on the previous year to 45 per cent.
More interesting perhaps is the strategic element, where attackers are using the economics of defence against their targets. Companies that pay vendors for the duration of an attack should be particularly concerned, as the report notes: “By exploiting the duration of the DDoS attack, bad actors can drive up costs on the target side and in extreme cases, force that target out from under their protection.”
Ilia Kolochenko, CEO of High-Tech Bridge agreed: “DDoS attacks are quite simple to organize, but very difficult and expensive to mitigate. At the end of the last year even Akamai was obliged to terminate its DDoS protection service for US journalist and investigative reporter Brian Krebs’s website, following ongoing and massive DDoS attacks against it.
“More and more insecure devices are connected to the Internet, from smart watches to coffee machines, and cybercriminals won’t miss their chance to turn them into zombies to reinforce their DDoS botnets. In the next couple of years, we may arrive at a situation when several hacking groups will be able to “censure” and temporarily shut down even such companies as Google.”
Attackers are inevitably developing their attack methods in order to outpace mitigation technologies, using application layer attacks to target application APIs, such as those of security management services. In addition, some attacks are targeting Generic Routing Encapsulation (GRE) tunnels that connect targeted organisations with their DDoS mitigation providers.
Unfortunately, it seems that enterprise is losing the arms race at the moment, with more than half (51 per cent) of those attacked requiring at least three hours to definitively identify an active DDoS attack. Detecting the attack in 2017 is a mixed bag, with 40 per cent admitting a customer tipped them off, and a further 33 per cent being helped out by a partner - both considerably increased from 2016, 29 per cent and 22 per cent respectively. Luckily the percentage of enterprises alerted by social media has dropped, from six per cent in 2016 to four per cent in 2017.
Impressively, 76 per cent of businesses invested more in DDoS specific defences than in the previous year, which means a significant number of enterprises have spent on mitigation that didn’t alert them to an attack taking place.
Response times have slipped too, with the proportion of organisations taking three to five hours to respond increasing by four per cent to 28 per cent, while those taking six to 12 hours increasing two per cent to 14 per cent. The proportion of companies taking 12 to 24 hours to respond was unchanged at four per cent, while those taking a lackadaisical ‘more than a day’ increased to two per cent.
While the technology arms race continues, there’s clearly plenty of process work to be done in terms of improving internal response times - especially for the significant percentage of businesses alerted by a third party. Unfortunately, there’s often little budget available and even less appetite internally - at least until you lose $2.5m...