Understanding the risk and cost of a DDoS attack

Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks writes on why a continuing and growing threat to service availability is distributed denial of service (DDoS) attacks.

Today, more and more companies are outsourcing their online operations, such as websites, e-commerce, e-mail and domain name system (DNS), to focus on core business activities and lower costs. As a result, hosting providers are experiencing double-digit growth as they meet this mounting market demand.

Service-level commitments and customer expectations are also on the rise due to the business-critical nature of many hosting services. In particular, the highest-value customers have the lowest tolerance for outages.

As explained in the Arbor Networks white paper, The business value of DDoS protections, a continuing and growing threat to service availability is distributed denial of service (DDoS) attacks. In fact, the paper states that most hosting providers experience DDoS attacks on a regular basis.

Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, says: "DDoS attacks are a growing reality in Africa. As a supplier of superior DDoS defence systems we are able to show that an effective DDoS defence system can safeguard a business operating on the continent against DDoS-related outages. However, we have realised that for many businesses, determining the return on investment (ROI) of purchasing and deploying such a system remains challenging."

One needs to thus quantify both the risks of DDoS attacks and their financial consequences, and the white paper mentioned earlier provides a simple, step-by-step approach for evaluating whether an investment in a DDoS defence system is financially justified.
Adds Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks: "Since Africa has seen an immense increase DDoS attacks during the past couple of months, the continent has become a main focus area for Arbor."


In its 11th Annual Worldwide Infrastructure Security Report (WISR), Arbor offers direct insights from the global operational security community on a comprehensive range of issues, from threat detection and incident response to staffing, budgets and partner relationships. The survey covers data from November 2014 through to November 2015. Highlights of the report reveal:
· A change in attack motivation: The top motivation was not hacktivism or vandalism but ‘criminals demonstrating attack capabilities', something typically associated with cyber extortion attempts.
· Attack size continues to grow: The largest attack reported was 500 Gbps; with others reporting attacks of 450 Gbps, 425 Gbps and 337 Gbps. In 11 years of this survey, the largest attack size has grown more than 60X.
· Complex attacks are on the rise: 56 percent of respondents reported multi-vector attacks that targeted infrastructure, applications and services simultaneously, up from 42 percent last year. 93 percent reported application-layer DDoS attacks. The most common service targeted by application-layer attacks is now DNS (rather than HTTP).
· Cloud under attack: Two years ago, 19 percent of respondents saw attacks targeting their cloud-based services. This grew to 29 percent last year, and now to 33 percent this year – a clear upward trend. In fact, 51 percent of data centre operators saw DDoS attacks saturate their Internet connectivity. There was also a sharp increase in data centres seeing outbound attacks from servers within their networks, up to 34 percent from 24 percent last year.
· Firewalls continue to fail during DDoS attacks: More than half of enterprise respondents reported a firewall failure as a result of a DDoS attack, up from one-third a year earlier. As stateful and inline devices, firewalls add to the attack surface and are prone to becoming the first victims of DDoS attacks as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

"Hosting providers in particular often have a higher risk of DDoS attack than stand-alone online businesses because hosting providers in effect aggregate the risk of all their customers. An attack on one customer can affect others and potentially the entire hosting operation because of the heavy reliance on shared infrastructure. Risk is also a function of the type of customers being hosted. Sites that engage in controversial activity, as well as large, visible businesses, are more likely targets of DDoS than small business Web sites. However, just one small customer can attract a massive DDoS response with a single controversial act," quotes Hamman from The Business Value of DDoS Protection white paper.

The research also reveals that cost of outages due to DDoS attacks is comprised of operational costs and revenue impacts. It states that lower-impact/ duration attacks may only result in added operational costs. High-impact attacks will also negatively affect revenues due to customer defections, SLA credits and reputation damage. The paper lists the elements contributing to the overall cost of DDoS consisting of the following:
· Personnel time spent addressing and recovering from the outage;
· incremental help desk expenses;
· customer credits and refunds;
· cost of customer defections and nonrenewal of contracts; and
· degradation of reputation resulting in higher customer acquisition costs and a lower rate of business growth.

"We encourage organisations to contact us to determine the business impact a DDoS attack and the resultant outage of service will have on their business, as well as to calculate the ROI from a DDoS solution," says Hamman.

Read more