Hacking skills are so overrated. Thanks to distributed denial-of-service attacks, it’s never been easier, or cheaper, to find cybercriminals who will knock credible websites offline by overwhelming them with traffic. It’s an old trick that’s become increasingly sophisticated with wannabe hackers forcing companies to pay ransoms to restore normal service and, if they’re lucky, retain customer trust.
DDoS attacks have been a known threat for years, but now various estimates peg the expected revenue loss for a U.S. business at anywhere from $40,000 an hour (with an average down time of around 9 hours) to as much as $1.5 million in a year, according to a study from the Ponemon Institute.
Earlier this month, a series of attacks temporarily crippled at least four encrypted email providers, and a 51-year-old British man was sentenced to eight months in prison for knocking 300 adoption and social services sites offline. It’s only more proof that even an individual with limited technology skills can visit an open-facing website and pay with bitcoin or their credit card to launch a brief attack.
“The number of these things has exploded over the past five years,” said Shawn Marck, DDoS Defense Expert at Nexusguard, a DDoS attack mitigation company. “Last year and into this year, the size of the attacks has set records for how big they were.”
The biggest change has been the increased popularity of reflected attacks, which occur when an attacker accesses a Web page with an IP address that's not their own, then redirects that traffic at the intended recipient. The attack essentially overwhelms a victim, exhausting the target site’s bandwidth, memory and other essential resources.
“It’s like shouting at the mailman, ‘Hey, that isn’t my package, it’s my neighbor's. And by the way, all of those other packages on your truck also belong to my neighbor,’” said Dan Holden, director of the security engineering team at Arbor Networks. “Only this case involves really big traffic servers.”
Cost estimates vary depending on the type of business hit, the size of the attack, the attack duration, the section of the website (a shopping cart vs. a home page, for instance), the frequency of attacks, and other factors. One 2015 estimate from the Ponemon Institute pegged annual losses at $1.5 million (PDF) for an individual business, and another from Incapsla suggested average losses are closer to $40,000 for every hour a large company is offline.
Jagex, the United Kingdom’s largest independent video game developer, is hit with between with 30 to 40 DDoS attacks every day, according to Barry Zubel, head of IT at the company. Most are between 15 and 20 gigabytes per second, and can be easily mitigated, but others are large enough to cause a 30-second delay in an online game. Earlier this year a particularly hectic January saw over 70 attacks on Jagex, enough to cause $2.2 million in annual lost revenue if that pace continued.
“That takes into account players being disconnected frequently enough to say they won’t play anymore, but it’s also the direct impact of people not being able to access a store or services,” Zubel said. “I have no data to back it up saying it's kids doing this, but it is that mentality.”
Gamers outsource their attacks by contacting various groups through social media or accessible websites. Price ranges from $20 for a brief interruption to hundreds or thousands for a prolonged, sustained attack.
Security professionals are fending off attacks by investing in more bandwidth than is necessary to run a business, blocking attempted connections and differentiating between real and falsified traffic via proxy services, "which becomes an incredibly expensive arms race between us and the attackers," Zubel said. Most cyber insurance policies cover DDoS attacks.
Lizard Squad Strikes
The most prominent DDoS attackers belong to Lizard Squad, a gang of mostly teenage hackers who took the Xbox Live video game service offline last Christmas. A number of Lizard Squad members have been jailed since the group started launching DDoS-for-hire attacks, but other groups are no less dangerous.
The Chinese government, for one. China’s massive censorship apparatus, known as the Great Cannon, was the prime suspect in the case of an incredibly advanced distributed denial-of-service attack pointed at GitHub in March. At the time GitHub was making it possible for Chinese news readers to view content posted by a Chinese version of the New York Times and Great Fire, an anti-censorship organization.
ProtonMail, Hushmail, Runbox and VFEMail were among the email providers victimized by a string of attacks in recent weeks. A group known as the Armada Collective has been blamed for at least one attack, demanding a ransom of roughly $6,066 bitcoin to cease the barrage against ProtonMail. ProtonMail announced it “grudgingly agreed” to pay up, only to be hit by another DDoS by what seemed to be another group without any connection to the first assault.
But it’s likely that most attacks are never publicized. DDoS victims are encouraged to never agree to ransom demands but rather try to fend off the activity by working with their Internet Service Provider. That rationale makes it more likely, experts say, that attackers will target gambling sites, porn sites and other traditionally sketchy dens that aren’t likely to report the attack to an ISP or law enforcement.
“Even if you are legitimate, the issue is that if your business does rely on availability, you might be willing to pay over a period of time until you’re able to defend yourself,” Holden said. “From an attacker’s standpoint, DDoS always has some reputational fallout. Everyone from your janitor to your CEO knows it happened, and that includes the rest of the Internet.”