By NETSCOUT Arbor South Asia regional director Jason Hilling
There are an increasing number of independent providers of DDoS-attacks-as-a-Service.
Promoting their criminal services online, these DDoS developers can either sell attackers access to the tools to conduct their own attack, or they will launch the attack on the client’s behalf and provide detailed reports about their achievements.
There is a lot of competition in this market, so fees are shrinking rapidly while service offerings are expanding.
As a result, the off the shelf DDoS business is very much a buyer’s market.
Often called “stressers” or “booters,” the price for these DDoS attack services vary significantly, as do estimates of the total impact of an attack for the target.
However, the monetisation of this services is simple: DDoS attacks are cheaper than ever for attackers, lucrative for the attack service provider and financially and operationally crippling for the victim.
The low cost and turnkey nature of attack services which require nothing to build or configure have democratised DDoS attacks.
Individual DDoS attacks can now be launched for as little as US$5.
As such, attack service providers look to make their money on volume; explaining why a DDoS attack occurs every six seconds.
One such attacker was arrested by police in Croatia in April for his DDoS for hire service called Webstresser.org, which has been implicated in multiple attacks on banks.
The 19-year-old man they suspect is behind Webstresser.org allowed users to rent DDoS infrastructure to shut down or slow websites by flooding them with data.
To capitalise on increasingly lucrative opportunities to unleash DDoS attacks worldwide, more and more of these DDoS-for-hire providers resemble legitimate service provider infrastructures with significant computing power.
They typically run their own botnets - vast networks of Internet-connected computers, machines and devices infected with malware that turns them into “bots,” or oblivious robotic accomplices, to launch DDoS attacks.
Perpetrators can rent the providers’ botnets by the hour, day or week, or in some cases can buy a specific number of bots outright.
The mechanics of transactions follow a classic web service model, meaning the perpetrator and the provider need never come into contact.
Providers that conduct attacks-as-a-service boldly post their “menus” online with tiered pricing reflecting the many different flavours of attacks they offer.
Prices are based on several factors and can include the duration of the attack, defensive measures used by the target, the perceived value of the target, the country in which the attack takes place, or the different attack methodologies employed.
Increasingly, other criteria can apply, including attacks on government agencies and financial institutions, which can command a significant premium.
Incidentally, attack vendors charge a higher price for attacks on organisations they discover are using strong anti-DDoS protective measures.
One threat actor tracked by the NETSCOUT Arbor security engineering and response team (ASERT) offered $US60 daily and US$400 weekly pricing, as well as discounts on orders of US$500 or US$1,000.
ASERT’s research pegged the mean cost at US$66 per attack, compared to the potential cost to the victim of around US$500 per minute.
For a large organisation, the cost of being attacked can be substantially higher.
The consequences of DDoS attacks are severe and getting worse, according to NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report (WISR).
The number of survey respondents reporting revenue loss as a business impact of DDoS attacks nearly doubled in 2017.
Those who reported the cost of internet downtime at US$501 to US$1,000 per minute increased by nearly 60%.
Around 10% of enterprises experienced an attack with an estimated cost greater than US$100,000, five times more than the previous year.
More than half of respondents experienced a financial impact between US$10,000 and US$100,000, almost twice as many as in 2016.
And it’s not just lost revenue, as 57% cited damage to their reputation or brand as the primary business impact of an attack.
All of this points to the need to invest wisely when protecting against DDoS attacks.
A hybrid solution that combines on-premises and cloud-based protection is the industry best practice in DDoS defence and becoming more affordable with managed services and virtualised solutions.
With the attacker’s costs falling sharply and the target’s costs skyrocketing, the economics of DDoS attacks today clearly favour the attacker over the victim.
That is why DDoS attacks aren’t going away, and in fact, they are projected to rise at an extraordinary rate.