The real cost of DDoS
The real cost of DDoS

Recent distributed denial-of-service (DDoS) assaults are just the latest example of what network professionals have known for a long time – attacks are becoming more prevalent and the costs are mounting.

Using a mushrooming array of advanced tools, including pay-per-service and mobile devices, attackers are taking down websites, domain names and email servers as a means to destroy a company's online revenue, customer service and brand reputation.

The technology however, is only half the story. The thinking that shapes attacks is an ever-evolving blend of careful planning, probing and improvisation, and is often the difference between the duds and the strikes that cripple their victims.

So what of these victims? Not just the brand names and online entities, but the IT professionals that have to deal with the consequences: the network service managers, senior systems engineers, systems engineers, administrators and directors of IT operations that have to live with the threat of an attack at any moment.

In early 2012, Neustar, the company I work for, surveyed 1,000 global IT professionals to better understand their DDoS experiences. What were the risks and what were some of the losses they have encountered as a result of a hit? The results were shocking - of the 1,000 professionals we interviewed, over 300 claimed their businesses had been hit by a DDoS attack.

Not surprisingly, it was the industries where customer service is largely web-based, such as financial services, where the instance of attack was at its highest. The same was true of businesses selling connectivity, where nearly half of all respondents reported being hit.

Of course, any business that uses the web for customer service, direct sales or brand awareness is vulnerable. Ruthless competitors, angry customers or social and political protesters can easily take down a website without the adequate protection or defences in place.

Worryingly, it seems that the tools required to accomplish such attacks are more affordable and easier to acquire than ever. For instance, one of the most commonly used tools is a Low Orbit Ion Cannon (LOIC for short), which is a favourite among attackers and lets anyone with a computer unleash a deadly barrage.

For as little as £43 per day, you can also rent a botnet, an adhoc computer network that can be used to amplify attacks. There are now over 50 different tools capable of mounting a successful DDoS attack, and new tools are being developed every day.

Even in some of the industries reporting fewer instances of attack, such as retail, it tends to be that the larger sites with millions of pounds/euros/dollars at stake are the ones being targeted. This is especially true during busy times of the year, such as the winter holiday season.

More than half of all companies report that a DDoS outage would cost them dearly. Those whose costs were £6,355 an hour stand to lose £152,507 per day, and those with tabbed costs at £31,772 an hour would feel a daily impact of as much as £762,534.

Some industries fare worse during outages than others. Over 80 per cent of respondents from the world of financial services placed their losses at over £6,000 per hour and in retail, nearly 70 per cent of respondents say outages would hit them to the tune of £63,545 an hour, in excess of £1,270,890 a day.

It is important to remember that the costs of DDoS attacks aren't measured in revenue loss alone, but customer service and brand equity. A customer who cannot access a website is unable to buy, login to an account or find useful information.

Brand-related costs can also be significant. According to recent research by the Yankee Group, a mid-sized enterprise with £6 million in annual revenue would lose an additional £12,708 (equating to roughly 0.02 per cent of total revenue) through costs associated with public relations damage, customers who never return and customers who return but spend less frequently.

So what can be done? Well, it's not all doom and gloom. While the criminals have many tools at their disposal, understanding what's at risk and how you will be attacked allows organisations to understand how to take the first steps in order to protect against attacks.

For starters, the internal team needs to know its network inside out. A thorough security assessment is essential. The findings can be used to optimise systems and will often uncover gaps in defences that could have gone undetected. 

It's not only the attackers whose thinking makes a difference. The good guys that invest more brainpower in understanding how DDoS attacks work are also more skilled in deploying the technologies designed to keep their online presences out of harm's way.

Ted Swearingen is director of information security operations at Neustar