Distributed denial of service (DDoS) attacks are a method attackers favor for disrupting an organization’s operations by flooding the network with traffic, overwhelming available bandwidth, and making network resources unavailable. According to research from the Ponemon Institute, DDoS attacks accounted for 18 percent of data center outages in 2013, up from 2 percent in 2010. They found that such attacks are the most costly data-center attacks to mitigate, costing an average of $822,000 per outage, leading to problems such as business disruption, loss of revenues, and reduced productivity.
However, the costs can be even higher for organizations that rely on their websites as their main sales vehicle, since the unavailability of those websites can lead to those organizations losing multiple millions of dollars in sales. According to Forrester Research, the average organization loses $27 million for a 24-hour outage, with business services and financial services institutions faring the worst.
Despite the damage that DDoS attacks can do in and of themselves, they are often used as a smoke screen to divert resources into clearing up the disruption, leaving organizations unaware of other attacks happening simultaneously. Often, the real motivations are financial manipulation or a competitive takeout.
In other cases, the motivations are ideological, looking to hurt or embarrass organizations. For example, in late 2012 to early 2013, 46 financial institutions in the United States were hit with over 200 coordinated and timed DDoS attacks. It is believed that the motivation for this campaign of attacks was to cause consumers to lose their trust in the retail banking system.
However, organizations in any walk of life can be impacted, both in the private and public sector, and such attacks should be considered a top concern by any organization, especially as DDoS attacks are increasingly becoming a weapon of choice.
Not only are DDoS attacks growing in number and affecting a wider range of organizations, but more tools are becoming available that make them easier to pull off. Whereas previously an attacker would have had to possess a fair degree of skill and recruit an army of computers into a botnet in order to create enough computing power to launch an attack, new attack methods require considerably fewer resources and less skill. DDoS attack kits are now readily available on the Internet for low prices, making the job of a relatively unskilled hacktivist much easier, and DDoS-as-a-service attacks are an increasingly common phenomenon, whereby attackers hire themselves and their botnets out to those wishing to launch attacks.
Another recent development is the use of network time protocol amplification attacks, which use publicly available network time protocol servers, the real purpose of which is to provide clock-synchronization services over public networks. Using this method means that attackers no longer need to go through the effort of putting together a botnet to launch their attacks. Recently, there has also been a dramatic rise in mobile applications used in DDoS attacks, driven by the ease with which mobile apps can be downloaded. These apps allow any mobile user to join a DDoS attack if he or she wishes—for example, for an ideological cause with which he or she sympathizes. It is predicted that such attacks will increase dramatically.
The tremendous growth in DDoS attacks in 2013 that continued, if not accelerated, in 2014 means that all organizations should beware of the consequences. Where they do not have the resources in-house to defend themselves, organizations should investigate the use of services that can divert traffic away from their networks while remediation measures are taken. While, on the one hand, there is a trend toward increasing complexity and sophistication of attacks, on the other hand, attacks are becoming easier to pull off by an ever-wider range of criminal actors. The DDoS attack landscape is set to become much more complicated, and many more organizations will become victims. All organizations should beware.