Analysis: Counting the cost of a DDoS attack

By Sooraj Shah
05 Jun 2012 View Comments
A hacker committing cyber crime on a laptop

In the past month, the Information Commissioner’s Office (ICO), the Leveson inquiry website, Visa and Virgin Media have all been hit by distributed denial of service (DDoS) attacks.

Much had been made of the motives for such attacks, and the methods that attackers use, but what impact do they have on the victim’s finances?

Further reading

John Pescatore, analyst at research firm Gartner, told Computing that there were three main costs associated with attacks.

“There is the cost of the outage, as it means that a business’s customers cannot reach them through the internet. Then there is the cost of making the attack stop – and, often, a third cost in the form of a potential extortion fee,” he said.

Obviously losses vary, depending on how much revenue is generated directly from a company’s web presence. John Roberts, head of managed services at MSP Redstone, said: “If a betting organisation trades £600m a year – or £2m a day in revenue terms – and 50 per cent of that comes from the web, then they are losing £1m a day.” Any web-dependent organisation within the global 1,000 might incur similar losses, he added.

But there are some less obvious victims of these blunt-instrument attacks.

“A Scottish football club who were playing in a European match had its website taken down by the opposing teams’ fans with a DDoS attack. The club was not able to generate significant revenue, because a number of its customers were signed up to stream live games on a monthly fee basis. So an organisation as innocuous as a football club can lose hundreds of thousands of pounds as well,” Roberts said.

Public-sector bodies can also suffer substantial financial damage through loss of productivity.

“There is a cost implication for local government as people will be looking to procure services over the internet. If those services are unavailable, public-sector staff will receive a lot more incoming phone calls,” he said.

Other repercussions are harder to assess and quantify. For example, businesses can suffer reputational damage from DDoS attacks, said Andrew Kellett, analyst at research firm Ovum.

“With [the attack on] the Serious Organised Crime Authority [SOCA], the issue was that this was not the first time it had been exposed to a DDoS attack. You would have thought that enough resilience would have been built after the first attack to deal with something similar a year later,” he said.

But Gartner’s Pescatore said that reputational damage is often less severe than many organisations fear; customers are used to websites not working for any number of other reasons that are not related to DDoS attacks.

“There is reputational damage if the website is defaced or if the website is attacked and customers’ financial information is disclosed, but DDoS generally does not have much of a reputational impact,” he argued.

Kellett disagreed and emphasised that reputational damage can itself cause financial loss to enterprises, as their customers opt for an alternative service from a similar provider.

He warned that DDoS attacks could also be used as cover for a simultaneous assault on the targeted business.

“The noise around  DDoS attacks can be used to hide another backdoor-style assault, such as data being stolen from within the organisation.

“There is an example of clerical records, including credit card information, being stolen from an organisation when a DDoS attack was taking place. It was a hacktivist attack where the credit card details were used to make donations to a charity. For any organisation protecting those details it would be both embarrassing and expensive, as they could lose customers and have to repay anyone who has had money taken from their accounts,” he said.

Pescatore said that, of the three costs typically associated with DDoS attacks, extortion attempts have reduced significantly.

“In the last two years, businesses have not paid off extortion attempts and are focusing on putting in place services to mitigate DDoS attacks. Several years ago there were incidents where it was deemed less expensive to pay off the attackers as they would only be asking for €5,000,” he said.

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

53 %
20 %
6 %
17 %
4 %