This column is available in a weekly newsletter called IT Best Practices.
In my daily routine I go to a variety of websites to gather information and news. I've noticed that recently, two of my regular sites have been totally unavailable from time to time. It seems this lasts for an hour or more and then the site is open for business again. While I don't know for sure, I suspect that these websites could be victims of distributed denial of service (DDoS) attacks.
According to Incapsula, DDoS attacks occur much more frequently than many people suspect. Incapsula just released its 2014 DDoS Impact Report, which found that nearly half (45%) of all companies have been hit by a DDoS attack at one time or another. Of these, almost all (91%) reported an attack during the last 12 months, and over two-thirds (70%) were targeted two or more times. It's possible that my regular news sites are among those repeat victims.
Eighty-six percent of the organizations that experienced an attack said it lasted less than 24 hours. However, Incapsula says there is no predictable pattern to how long an attack will last. Some organizations experienced days-long attacks. I suppose the motivation behind the attack has a lot to do with how long it will last. Incapsula indicated there is no unified motive behind attacks. Some are for financial gain via ransom; some are for political or hacktivist purposes; still others are to knock competitors offline at crucial times, such as when a new online game is being released. I know of one small company that was attacked for several days for revenge over a business dispute.
Regardless of the motive behind an attack, the business impact is costly. Based on survey results, Incapsula estimates that a DDoS attack costs an average of $40,000 per hour. Of course, this figure will vary greatly depending on the kind of business that can't be transacted while applications or services are unavailable. An e-commerce site being knocked offline might experience far greater losses per hour than, say, a news site—especially this time of year when consumer shopping is in full swing.
Incapsula says its cost estimate includes the immediate loss of business plus the cost of resources to fight the DDoS attack. It does not include the cost to replace any hardware or software after the attack; the cost to remediate any virus or malware planted on systems during the attack; the loss of data or intellectual property that might be stolen during an attack; and the loss of customer trust. All of these are very real potential ramifications of a DDoS attack. Of the companies in Incapsula's study that experienced a DDoS attack:
- 87% experienced at least one non-financial consequence
- 52% had to reconfigure hardware or software
- 50% had a virus or malware installed / activated on its network
- 43% experienced loss of consumer trust
- 33% acknowledged customer data theft
- 19% suffered intellectual property loss
Organizations that do nothing to prepare for the possibility of a DDoS attack are at high risk. Believing that a traditional firewall will be enough to overcome an attack is the equivalent of doing nothing. New and more sophisticated varieties of attacks are emerging, and attackers often use combined techniques for maximum effectiveness.
What's more, volumetric attacks continue to grow in size. Arbor Networks reports that its ATLAS threat monitoring infrastructure saw more than 100 attacks larger than 100 GB/sec in the first half of 2014 alone. NTP reflection attacks were responsible for nearly 50% of the attacks over 100 GB/sec. Firewalls aren't designed to handle this kind of traffic.
The most practical way to prepare for a potential DDoS attack is to buy a purpose-built appliance or contract for a cloud-based anti-DDoS service. These kinds of solutions are specifically crafted to handle both the kinds and the volumes of attacks that are commonly seen today. While next-generation firewalls might have some anti-DDoS capabilities built in, they are not designed specifically to fend off DDoS attacks and might fail or become overwhelmed in the throes of an active attack.
If you host any crucial applications in the cloud or contract for services through a cloud service provider, talk to the provider to find out what capabilities that company has for defending against DDoS attacks. Your company could become collateral damage if an attack is aimed at another company hosted on the same network as your systems.
If you've been complacent about planning how to mitigate a DDoS attack, now is the time to make your plan. The cost figures in the Incapsula report might give you the data points necessary to get your upper management to pay attention to the ramifications of the threat.