DDoS losses potentially £100k an hour, survey shows

DDoS attacks could expose 40% of businesses to losses of £100,000 or more an hour at peak times, a survey shows

Distributed denial-of-service (DDoS) attacks could expose 40% of businesses to losses of £100,000 or more an hour at peak times, a survey by communications and analysis firm Neustar has revealed.

Some 12% estimated potential losses due to outages at peak times would be greater than £600,000 an hour, and 11% admitted they did not know what their losses would be.

The poll of 250 IT professionals in Europe, the Middle East and Africa also showed that half of respondents believe DDoS attacks are a bigger risk than a year ago.

Only 18% said they believed the risk was lower, yet 59% of them still admitted they are investing more in DDoS protection compared with 2014.

Apart from direct financial losses, the biggest risk identified by more than a quarter of companies is the damage to company reputation and a loss of customer trust.

“For 26% of companies, brand damage and loss of customer trust is a top concern,” said Neustar product marketing director Margee Abrams.

“Companies are beginning to understand that the impact of DDoS attacks is across the organisation, also impacting areas like customer services and regulatory compliance,” she told Computer Weekly.

Underlining the business threat of DDoS attacks, 30% of respondents said their companies had been hit multiple times, with the number of companies being hit only once down 30% compared with 2014.

The financial sector reported the highest level of multiple attacks, with 79% reporting six or more DDoS attacks a year, compared with the cross-industry average of 20%.

Respondents said attacks were lasting longer, with 30% of attacks lasting between one and two days.

They also said DDoS attacks are often accompanied by theft, with 52% of DDoS victims also reporting theft of customer data, intellectual property (IP) or money, representing a 24% increase from 2014.

The survey revealed that 84% of companies still use up to 10 employees to mitigate DDoS attacks, which the report notes is exploited by attackers to distract companies.

"Smokescreen" DDoS attacks

In “smokescreen” DDoS attacks, the real objective is theft, the report said. In 30% of DDoS attacks, malware was either installed or activated, in 18% customer data was stolen, in 12% IP was stolen, and in 12% money was stolen.

The survey showed that 56% of retailers hit by DDoS attacks were also hit by malware installation or activation compared with the cross-industry average of 30%, and 76% of retailers hit by DDoS attacks were also robbed of data or funds compared with the cross-industry average of 52%.

The report notes that managed mitigation services help to free up IT security staff to focus on other activities that may be taking place during a DDoS attack.

“However, the effect of DDoS attacks is so much wider than information security,” said Abrams. “Companies also need to review how DDoS attacks could affect their overall online performance and customer experience.”

As a result of increased recognition of the threat of DDoS attacks, many organisations are taking stronger action, with 35% investing in hybrid DDoS protection that combines on-premise hardware with cloud-based mitigation services.

The biggest investment in hybrid systems is being made by financial sector organisations which are a prime target of DDoS attacks, with 40% investing in hybrid protection and 80% choosing a hybrid approach to block attacks at peak times.

Hybrid approaches seek to combine the instant blocking capabilities of on-premise hardware devices with cloud-based “traffic scrubbing” to deal with high-volume attacks.

According to the report, hybrid systems are able to detect and respond to attacks nearly twice as fast as other systems while providing the bandwidth to deal with larger attacks.

The report showed that 56% of attacks average around 5Gbps, while some organisations have recorded attacks in the past year of up to 300Gbps.

Smaller attacks still cause damage to businesses

However, companies targeted by smaller attacks still reported damage to brand trust, loss of customer data, loss of IP, and loss of revenue.

More than a third of organisations are using stand-alone, cloud-based DDoS mitigation services, up 11% compared with 2014, and 36% are using DDoS mitigation appliances, also up 11% on 2014.

Overall, 70% of respondents said they are spending more on DDoS protection, although 40% feel their investment should be even greater.

Although 28% said they were investing less in DDoS protection, only 6% said they did not see DDoS defence as a priority.

Only 8% continue to rely on content distribution networks as a form of DDoS protection, and only 2% report no DDoS protection at all.

However, most companies (61%) still use internet service provider-based firewalls to combat DDoS attacks. But firewalls are not sufficient as they often cause bottlenecks and accelerate outages during attacks, the report said.

Some 28% of respondents said they still use web application firewalls, switches and routers as a defence against DDoS attacks.

However, with cyber criminal services available to enable anyone to take down a website using DDoS attacks for just $6 a month, it is clear that increasing mitigation capacity alone is not enough, according to Neustar senior vice-president and fellow Rodney Joffe.

“We have to become more strategic. The online community needs to develop industry-based mitigation technologies that incorporate mechanisms to distribute attack source information to internet service providers so they can stop attacks closer to the source,” he said.

Joffe believes there is also a need to improve visibility and understanding of activities in the criminal underground, so that their command and control structures can be disabled quickly.

“Finally, it is important to improve attribution and the ability of law enforcement to identify perpetrators and bring them to justice. While these improvements will not happen overnight and will not solve everything, they will make a significant and positive difference,” he said.
