Counting the cost of DDoS attacks
A Distributed Denial-of-Service DDoS attack occurs when high rate machine generated traffic, usually from compromised systems, floods the resources of a targeted system such as a webserver, making the service unusable by legitimate users. There are many reasons for hackers/hacktivist/state actors to initiate a DDoS attack – to damage a brand, to limit web based sales, to protest or for notoriety. After the initial incident response and triage, important questions will be asked, chief among them, what did the DDoS attack cost?
For a consumer or internet user there is an immediate impact. It means that they might not be able to buy those concert tickets, or make an online a payment on time, or complete any number of internet-based e-commerce purchases, if the webserver needed to process that transaction is under attack. It might mean loss of connectivity and remote control of IoT devices or connected home appliances. Or if the DDoS attack is being used to mask a much more sophisticated data exfiltration attack it could mean that personal subscription data is being stolen from a website.
From a commercial businesses perspective it might be prevented from selling goods online. A media outlet from releasing a story. A streaming video provider from generating Pay Per View revenue. Or as already said, the DDoS attack may be masking something more insidious such as data exfiltration or malware injection. Published reports say that enterprises face a bill of between $50,000 (£35,000) to $2.5M (£1.8M) for each attack.
In February 2018 GitHub was hit with one of the biggest DDoS attacks ever recorded, this is what the traffic looked like
Some of this can be mitigated by deploying DDoS scrubbers in front of the webserver/cloud infrastructure to detect and remove DDoS, although, of course, this is another cost.
These are all of the direct, visible impacts. But what about the network carrier, ISP or peering provider who is carrying the traffic? One European carrier reports that when an attack is active, up to 70% of their network traffic can be DDoS. So 70% of their routing and transmission infrastructure carries malicious traffic that will ultimately be scrubbed. That infrastructure is not free. And what if that traffic is just being transported between two network peering points. Should the DDoS be detected and removed? Whose DDoS is it anyway? If it is removed does that reduce the peering revenue by 70%? And could that DDoS flood the carrier network and affect other services running on (their) Critical Infrastructure?
And finally, if it is your infrastructure that has been compromised and operating as a botnet that is attacking someone else’s service with DDoS, are you liable for damages?
So there are multiple costs and impacts, to different people and groups. DDoS can be detected and removed on a per gateway or webserver basis. But in a massive scale, nation-wide network, there can be multiple DDoS attacks active simultaneously, increasing data volumes by up to 70%, impacting quality of service for all users who share that network resource. The first step to mitigation is being able to see those attacks in real time inside the huge volumes of legitimate traffic. Most enterprise scale DDoS prevention systems just won’t cope with the data volume on a national network.