Counting the cost of DDoS attacks

Written by Steve Patton on Wednesday, 29 August 2018. Posted in Cyber

A Distributed Denial-of-Service (DDoS) attack occurs when high-rate, machine-generated traffic, usually from compromised systems, floods the resources of a targeted system such as a webserver, making the service unusable by legitimate users. There are many reasons for hackers, hacktivists or state actors to initiate a DDoS attack: to damage a brand, to limit web-based sales, to protest or for notoriety. After the initial incident response and triage, important questions will be asked, chief among them: what did the DDoS attack cost?

For a consumer or internet user there is an immediate impact. It means that they might not be able to buy those concert tickets, or make an online payment on time, or complete any number of internet-based e-commerce purchases, if the webserver needed to process that transaction is under attack. It might mean loss of connectivity and remote control of IoT devices or connected home appliances. Or, if the DDoS attack is being used to mask a much more sophisticated data exfiltration attack, it could mean that personal subscription data is being stolen from a website.

From a commercial perspective, a business might be prevented from selling goods online, a media outlet from releasing a story, or a streaming video provider from generating Pay Per View revenue. Or, as already said, the DDoS attack may be masking something more insidious such as data exfiltration or malware injection. Published reports say that enterprises face a bill of between $50,000 (£35,000) and $2.5M (£1.8M) for each attack.

In February 2018 GitHub was hit with one of the biggest DDoS attacks ever recorded.

[Figure: traffic during the attack]

Some of this can be mitigated by deploying DDoS scrubbers in front of the webserver/cloud infrastructure to detect and remove DDoS, although, of course, this is another cost.

These are all of the direct, visible impacts. But what about the network carrier, ISP or peering provider who is carrying the traffic? One European carrier reports that when an attack is active, up to 70% of their network traffic can be DDoS. So 70% of their routing and transmission infrastructure carries malicious traffic that will ultimately be scrubbed. That infrastructure is not free. And what if that traffic is just being transported between two network peering points? Should the DDoS be detected and removed? Whose DDoS is it anyway? If it is removed, does that reduce the peering revenue by 70%? And could that DDoS flood the carrier network and affect other services running on (their) Critical Infrastructure?

And finally, if it is your infrastructure that has been compromised and is operating as a botnet that is attacking someone else’s service with DDoS, are you liable for damages?

So there are multiple costs and impacts, to different people and groups. DDoS can be detected and removed on a per-gateway or per-webserver basis. But in a massive-scale, nation-wide network, there can be multiple DDoS attacks active simultaneously, increasing data volumes by up to 70% and impacting quality of service for all users who share that network resource. The first step to mitigation is being able to see those attacks in real time inside the huge volumes of legitimate traffic. Most enterprise-scale DDoS prevention systems just won’t cope with the data volume on a national network.

The good news is that’s what Telesoft does.

About the Author

Steve Patton

Steve is an experienced technical B2B cyber security specialist and Director. Steve is a frequent speaker on topics including security breaches, big data analytics, audit and compliance, and IT forensics.
