A BUSINESS WHITEPAPER FROM NSFOCUS

DISTRIBUTED DENIAL-OF-SERVICE (DDoS) ATTACKS: AN ECONOMIC PERSPECTIVE

Table of Contents

Introduction
A Distributed Denial-of-Service Primer
  Volumetric-based attacks
  Application-based attacks
  Threat Actors, Attack Vectors and Motivations – What drives DDoS Attacks?
The Financial Impact of Distributed Denial-of-Service Attacks
  Direct Costs
  Indirect Costs
A Closer Look At The Cost of Distributed Denial-of-Service Attacks
  DDoS Attack Cost Model
    Example: Online Retail
    Example: Software Development
  Return on Investment: A Three Year Cost Analysis
Conclusion
The Economics of DDoS Attacks: A Macro View
Summary

Executive Summary

Senior executives are wisely paying attention to Distributed Denial-of-Service (DDoS) attacks, since the financial consequences can be significant. A comprehensive analysis of the financial impact of a DDoS attack should include both direct and indirect costs, bearing in mind that the cost of a DDoS attack is closely tied to the duration and type of attack itself. This paper presents a model that can be used to estimate costs and return-on-investment (ROI) based on the specifics of each situation. Payback for DDoS protection solutions can range from immediate to less than 6 months, depending on the features, cost and performance of the chosen solution. In light of the fact that macro trends point to a continuing rise in the frequency and damage from DDoS attacks, a model such as this becomes increasingly important.
Introduction

While network security experts disagree on when the first Distributed Denial-of-Service (DDoS) attack occurred, it is generally conceded that the most visible series of attacks occurred in February of 2000 when Internet giants Yahoo, Amazon, eBay, E-trade and others were attacked intermittently over a period of several days. The Yankee Group estimated the total cumulative costs of these attacks at $1.2 Billion U.S. Dollars, and it was later discovered that the attacks were conducted by a 15-year-old Canadian teenager using the alias “Mafiaboy”. The teenager had crafted the series of attacks using several publicly available hacker tools.[1]

More than fourteen years later, DDoS attacks are more frequent, complex and destructive than ever. The threat actor landscape has expanded from a single individual with a hobby and an agenda to include cyber-terrorists, professional hackers/crackers/phreakers, hostile nation states, rival companies and even unwitting employees, customers, partners and private citizens. Today, there has been an explosion in connectivity ushered in by mobile and cloud computing, coupled with the availability of sophisticated but easy-to-use DDoS tools and the rapid commoditization of network bandwidth. As a result, it has never been easier to launch a sustained attack designed to debilitate, humiliate or steal from any company or organization connected to the Internet. These attacks often threaten the availability of both network and application resources, and result in loss of revenue, loss of customers, damage to brand and theft of vital data.

Fortunately, DDoS mitigation techniques have also evolved; today, the DDoS mitigation market comprises dozens of companies who collectively invest billions of dollars in the research and development of advanced countermeasures. The accuracy and effectiveness of these solutions certainly differ, but there is no denying that specialized DDoS technology is being deployed by organizations of all sizes in order to insulate themselves against this growing threat.

This paper examines the financial impact of modern DDoS attacks by describing the costs typically incurred by the victims of these attacks. It summarizes publicly-available information and research about the scope and costs of recent high-profile attacks, and provides a model that can be used to measure the impact of a DDoS attack for your own organization. While all of the costs in the model may not directly apply to your specific business or organization, they are presented to provide a complete picture of the expenses to consider when evaluating the purchase of DDoS protection. Finally, this paper discusses the larger economic factors that will continue to fuel the proliferation of these types of attacks for the foreseeable future.

[1] SANS Institute, “The Changing Face of Distributed Denial-of-Service Mitigation”, 2001

A Distributed Denial-of-Service Primer

DDoS attacks are an attempt to exhaust network, server or application resources so that they are no longer available to intended users. These attacks generally fall into two categories:

Volumetric-based attacks

These attacks are characterized by the presence of an abnormal and overwhelming number of packets on the network. Threat actors attempt to consume all available network bandwidth and/or exhaust router, switch and server forwarding capacity by flooding these devices with malicious traffic so that legitimate user traffic is starved. Some examples of volumetric-based attacks include UDP, ICMP and SYN flood attacks.

Application-based attacks

Application-based attacks are designed to exploit weaknesses or software defects that exist in the protocols and applications themselves. They attempt to disrupt service by consuming CPU, memory or storage resources in target servers that are running the application so that the application is no longer able to serve legitimate users. They may also attempt to crash the application by supplying malformed messages or unanticipated input to the application. Some examples of application attacks include HTTP GET/POST attacks, SIP header manipulation attacks and SQL injection attacks.
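As an added illustration of the two categories just described (this is not code from the paper or from NSFOCUS), the following Python classifies constructed per-second traffic counters as volumetric, application-layer, or both at once, and only reports an event when the condition persists for several seconds, so a one-second burst does not page anyone. The counter names, the baseline values, the x10 and x4 thresholds and the sample readings are all assumptions chosen for the example; a real deployment would derive baselines from its own flow and application telemetry.

```python
"""Classify constructed per-second traffic counters into the two DDoS
categories described in the primer (volumetric vs application-based), plus
the case where both occur together. Added example; the counter names,
baselines, thresholds and sample values are assumptions, not the paper's data."""
from dataclasses import dataclass


@dataclass
class Sample:
    second: int
    packets: int        # packets/s at the edge router
    mbps: float         # inbound bandwidth, Mbit/s
    syn_packets: int    # TCP SYN packets/s (a SYN flood is a volumetric attack)
    http_requests: int  # requests/s reaching the application tier
    cpu_pct: float      # application server CPU utilisation, %


# Assumed normal-day baseline for a hypothetical site.
BASELINE = {"packets": 4_000, "mbps": 40.0, "syn_packets": 300, "http_requests": 250}
VOLUMETRIC_FACTOR = 10   # an order of magnitude over baseline: link/forwarding capacity at risk
APP_FACTOR = 4           # a request rate that can exhaust CPU/memory without filling the link
CPU_ALARM_PCT = 90.0


def classify(s: Sample) -> str:
    """Return 'normal', 'volumetric', 'application' or 'hybrid' for one sample."""
    volumetric = (s.packets >= BASELINE["packets"] * VOLUMETRIC_FACTOR
                  or s.mbps >= BASELINE["mbps"] * VOLUMETRIC_FACTOR
                  or s.syn_packets >= BASELINE["syn_packets"] * VOLUMETRIC_FACTOR)
    application = (s.http_requests >= BASELINE["http_requests"] * APP_FACTOR
                   or s.cpu_pct >= CPU_ALARM_PCT)
    if volumetric and application:
        return "hybrid"
    if volumetric:
        return "volumetric"
    if application:
        return "application"
    return "normal"


def sustained_events(samples, min_seconds=3):
    """Collapse consecutive non-normal samples of the same class into
    (label, first_second, last_second) events, dropping runs shorter than
    `min_seconds` so that one-second bursts do not raise an alarm."""
    events, current = [], None
    for s in sorted(samples, key=lambda x: x.second):
        label = classify(s)
        if current and current[0] == label and s.second == current[2] + 1:
            current[2] = s.second          # extend the current run
            continue
        if current and current[0] != "normal" and current[2] - current[1] + 1 >= min_seconds:
            events.append(tuple(current))
        current = [label, s.second, s.second]
    if current and current[0] != "normal" and current[2] - current[1] + 1 >= min_seconds:
        events.append(tuple(current))
    return events


# Constructed samples: quiet start, a SYN flood, a one-second burst, an HTTP GET flood, a hybrid.
SAMPLES = [
    Sample(0, 3_900, 39.0, 290, 240, 28.0),
    Sample(1, 4_100, 41.0, 310, 260, 31.0),
    Sample(2, 150_000, 95.0, 140_000, 230, 33.0),    # SYN flood: packet rate up, app tier untouched
    Sample(3, 160_000, 98.0, 150_000, 225, 34.0),
    Sample(4, 155_000, 96.0, 145_000, 220, 34.0),
    Sample(5, 4_000, 40.0, 300, 250, 30.0),
    Sample(6, 5_500, 44.0, 320, 1_100, 41.0),        # single-second burst: filtered out
    Sample(7, 4_200, 41.0, 305, 255, 30.0),
    Sample(8, 6_000, 46.0, 350, 2_100, 96.0),        # HTTP GET flood: modest bandwidth, CPU pinned
    Sample(9, 6_200, 47.0, 360, 2_300, 97.0),
    Sample(10, 6_100, 46.0, 355, 2_200, 98.0),
    Sample(11, 210_000, 900.0, 5_000, 1_600, 97.0),  # hybrid: both layers saturated at once
    Sample(12, 220_000, 920.0, 5_200, 1_700, 98.0),
    Sample(13, 215_000, 910.0, 5_100, 1_650, 98.0),
]

if __name__ == "__main__":
    for label, start, end in sustained_events(SAMPLES):
        print(f"{label:12s} seconds {start}-{end}")
```

The point of the two separate tests is the one the primer makes: a volumetric attack shows up in packet and bandwidth counters at the edge, while an application-layer attack can leave those counters almost normal and only be visible in request rates and server resource usage, so monitoring only one layer misses the other.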
Hybrid attacks

Modern DDoS attacks are very sophisticated and often blend several volumetric and application-based attacks in order to disrupt service. These so-called “hybrid” attacks attempt to consume all network bandwidth while simultaneously exhausting server resources. Frequently these attacks are used not only to create a catastrophic denial-of-service condition but also to distract security operations personnel from other malicious activity such as the installation of backdoors or other advanced persistent threat (APT) tools designed to steal vital data. Another common attack technique is to probe an organization’s DDoS response capabilities using a series of short-duration attacks over a longer period of time in order to craft a site-specific plan designed to circumvent existing DDoS protection solutions.

Threat Actors, Attack Vectors and Motivations – What drives DDoS Attacks?

Who is performing these attacks (threat actors), what means do they use (threat vectors) and what is their motivation? The answers to these questions are as varied as the attacks themselves. Threat actors can include ex-employees, current employees, hobbyists, political activists (hacktivists), professional hackers (hackers-for-hire), competitors, hostile nation states or vandals who simply enjoy creating chaos.

These attackers can use a seemingly infinite number of devices and protocols as a means to carry out their attacks. Sophisticated and large virtual networks of compromised computers, mobile phones, internet-connected smart devices (IoT/home automation), infrastructure servers, home routers, Unified Communications systems and almost anything that is internet connected could be controlled by malicious attackers to launch directed and sustained attack campaigns. These so-called “botnets” or “zombie armies” will use a diverse set of protocols typically found at layers 3, 4 and 7 of the Open Systems Interconnection Model (OSI) to carry out the attacks. A non-inclusive list of these protocols includes TCP, UDP, ICMP, NTP, SSDP, HTTP, DNS, SNMP, FTP and more. Attackers can exploit the manner in which the protocols work as well as software defects in their implementation to disrupt service delivery. These protocols and devices are the threat vectors to consider when designing an effective DDoS mitigation strategy.

Motivations for DDoS attacks tend to be financial, philosophical or political in nature. Typical motivations include blackmail/extortion, political or ideological disputes, revenge, vandalism, an attempt to gain a competitive advantage in a business rivalry or an attempt to cover up or distract from other exfiltration or theft of data activities. Regardless of the motivation, it is clear that if you are connected to the Internet or rely on the internet to conduct your business operations you can be a target. The significance of the DDoS threat has not gone unnoticed: a recent survey of more than 641 IT security and operations professionals revealed that 38% of respondents ranked Denial-of-Service attacks as their most significant IT security concern, placing this class of attack in the top 3 out of 10 overall IT security threats.[2]

The Financial Impact of Distributed Denial-of-Service Attacks

In any DDoS attack there are both direct and indirect costs to the victim. Direct costs, in general, are easier to measure and can be immediately associated with the attack. Indirect costs, on the other hand, are more difficult to identify and their effects are often not felt for weeks, months or in some cases years following the actual attack itself.
DDoS Attack Cost Categories

Direct: Loss of revenue; Loss of productivity; IT operations/security; Help desk; Consultants; Customer credits/SLA; Legal/Compliance; Public relations
Indirect: Damage to brand; Theft of vital data; Customer loss; Opportunity cost

Direct Costs

Loss of revenue: This is usually the most straightforward metric to collect, particularly if your primary business is electronic commerce. Online retailers, streaming media services, online gaming, business-to-business hubs, online marketplaces, Internet-based advertisers and internet commerce businesses are among those that experience direct revenue loss with any disruption of service. These companies typically measure revenue in clicks or impressions per minute or average revenue per minute or transaction. Revenue is completely lost for the duration of any attack that takes them completely offline, or can be severely reduced during periods when their online systems are performing outside of their normal operating level.

[2] Ponemon Institute, “The Cost of Denial-of-Services Attacks”, March 2015

Loss of productivity: Many companies and organizations use their network, online resources and publicly-available services to support their primary business. Any disruption to the availability of these important resources results in a loss of productivity. Whether employees are accessing the Internet, performing software tasks on remote servers, transferring or accessing valuable company data remotely, entering data into business systems, using cloud-based services, e-mailing, printing, communicating or any number of other network-related tasks, they can be negatively impacted by DDoS attacks.

Personnel costs – IT operations/security teams: This cost includes the fully-burdened salary of any employees who are involved in eliminating the DDoS threat and restoring service to its normal levels. In some organizations, this can be a single person or two. In others, this can be a larger team comprised of both IT operations and security professionals and involve multiple, geographically diverse locations. Due to the severe impact of a DDoS attack most companies will involve all technical resources capable of helping to restore service until the threat has been eliminated. These costs can mount quickly over the minutes, hours, days and potentially even longer time it can take to recover from a DDoS attack.

Personnel costs – Help desk: In most DDoS attacks there is a surge of activity and calls to help desk support personnel. Calls can come from customers, partners and internal employees who contact the help desk for a variety of reasons: to report the current outage, to request the current status, to find out when service will be restored, to complain, to request a refund or service credit and more.

Specialized Consultants: In some instances it may be necessary to call in an emergency security consultant or hire a managed security services expert who specializes in DDoS attacks to restore service. These consultants can become involved in active mitigation to eliminate the threat, security incident and event management (SIEM) assistance, forensic or compliance reporting efforts, or provide follow-up analysis and recommendations to prevent future attacks.

Customer credits/Service level agreement enforcement: Some businesses offer service level agreements to their customers that guarantee a certain level of service availability. DDoS attacks can prevent these businesses from meeting these commitments and often result in financial penalties. Also, many companies and retailers are forced to refund purchases or credit back services in order to retain customers or improve loyalty and satisfaction after suffering the effects of DDoS attacks.
Legal/Compliance: Many industries have strict regulations regarding the handling of sensitive data and the reporting of any cybersecurity attacks and breaches. In these instances, detailed forensics and root-cause analysis must be performed. These activities can take an extended period of time to complete and their costs can be substantial. Also, legal costs can be incurred in order to defend against parties seeking compensation for the disruption of service.

Public relations: Some victims of DDoS attacks end up spending additional money with public relations firms in an effort to restore the goodwill and confidence of the general public or their customers after an outage. These firms will often help the victims create clear messaging about the incident and what is being done to prevent attacks of this type in the future. They can also help with press announcements, editorial calendars, contributed articles, speaking engagements or even televised interviews and advertising.

Indirect Costs

Damage to brand: Some companies spend a substantial portion of their operating budget to create and nurture their brand image through advertising, PR, direct-mail campaigns and other initiatives. Earning the trust and faith of customers and constituents often takes years of time, effort and money. Today’s DDoS attacks can damage your brand and ruin your reputation in a shockingly short amount of time.

Customer loss: The effects of a DDoS attack, including disruption of service and theft of customer information, can cause a loss of confidence in your customer base. These customers can decide to move their business to a competitor or use social media to vent their anger and frustration. Clearly none of these outcomes is desirable and unfortunately it may take some time to realize the full extent of any customer losses.

Theft of vital data: A worrisome trend in recent DDoS attacks is for threat actors to use the DDoS attack as a smokescreen or distraction to hide other malicious activity. The DDoS attack itself is only a means to an end. The real goal of the attack is to steal critical data. In this style of attack, the threat actor directs a DDoS attack to a certain portion of the network while launching specially crafted attacks at other targets. The goal is to compromise these other targets and either steal critical data during the DDoS attack or install a backdoor that will grant future access to the network and its resources. These attacks can be successful because IT staff are completely focused on mitigating the DDoS attack itself while other malicious activity goes unnoticed. There are many types of DDoS attacks that attempt to take servers off-line or crash applications while still leaving enough network bandwidth to compromise other targets. Additionally, if the victim does not have a dedicated DDoS protection system, the hackers may attempt to loosen firewall or IDS/IPS security rules to keep these systems online. This creates further holes in perimeter security that can be exploited. The sheer volume of logs generated during a DDoS attack makes discovering other malicious activity extremely difficult even after the DDoS attack is thwarted. Vital data can include credit cards, passwords, intellectual property, trade secrets, medical information, private customer records and banking information. One high-profile example of this style of attack occurred when hackers launched a DDoS attack on Carphone Warehouse and stole the personal details of over 2 million customers.[3]

Opportunity cost: This category encompasses the set of projects, work or activity that is delayed or dropped because the company is occupied with repairing the damage of a DDoS attack as a priority. Priority activities associated with a DDoS attack can include forensic analysis, incident reporting to comply with relevant regulations, public relations and the deployment of new DDoS protection systems.
A Closer Look at The Cost of Distributed Denial-of-Service Attacks

There have been numerous surveys and studies conducted on the cost of DDoS attacks. While the results vary based on industry, company size, security operating budget and more, a common element of all of these estimates is that the cost is closely tied to the duration of the outage caused by the attack. Consider the following:

• For some financial and web-based businesses, DDoS attacks can result in millions of dollars of damages per hour.[4]
• The average amount of downtime following a DDoS attack is 54 minutes and the average cost for each minute of downtime is $22,000. However, the cost can range from as little as $1 to more than $100,000 per minute of downtime.[5]
• DDoS is no longer an annoyance threat. In fact, it hasn't been for several years. There is real loss and real cost, and companies of all industries and sizes are vulnerable.[6]

This information provides a general measure of the impact of these types of attacks and the findings demonstrate that there is a substantial financial risk to not being prepared for a DDoS attack. This paper provides a model that can be used as a template to better estimate the cost of an attack for your specific situation.

[3] The Telegraph, “Carphone Warehouse hackers ‘used traffic bombardment smokescreen’”, August 2015
[4] Frost & Sullivan, “Global DDoS Mitigation Market Research Report”, July 2014
[5] Ponemon Institute, “Cybersecurity on the offense: A study of IT security experts”, November 2012
[6] IDC Research, “Breach Is a Foregone Conclusion: DDoS”, October 2015

DDoS Attack Cost Model

The model is introduced by describing the costs associated with a hypothetical attack for both an online retailer and a software development company. These businesses are fictional but the cost factors presented are representative of those that would be considered in any real-world DDoS attack.
Example: Online Retail

Company Profile: The company is an online retailer offering discounted name-brand office furniture including chairs, desks, cabinets and artwork. They also offer bulk consumable office supplies and their current trailing 12-month revenue is $35,000,000. Their IT operations team consists of 4 engineers and they have a separate help desk staffed to receive calls from both internal employees and online customers. There are 2 full-time employees staffing the help desk at any given time.

Scenario A: The company was the victim of a DDoS attack that resulted in a complete outage of their online store. Customers were not able to browse the store or complete purchases for the duration of the outage.

Scenario A – Cost Table (all amounts in $USD; "-" means the cost item did not apply):

                                                   Outage Duration
                           30 Minutes    2 Hours    5 Hours    8 Hours      1 Day     3 Days   Notes
Direct Costs
  Loss of revenue               3,600     14,400     36,000     57,600    172,800    518,400     1
  Loss of productivity              -          -          -          -          -          -
  IT operations                   108        430      1,076      1,721      5,163     15,490     2
  Help desk                        10         40        100        160        480      1,440     3
  Consultants                   1,600      2,000      2,400      3,000      4,000      8,000     4
  Customer credits/SLA              3         11         27         43        128        383     5
  Legal/compliance                  -          -          -          -          -          -
  Public relations                  -          -      1,200      1,200      2,400      3,000     6
Indirect Costs
  Damage to brand                   -          -          -          -          -          -
  Theft of data                     -          -          -          -          -          -
  Customer loss                     -          -          -     35,000     87,500    175,000     7
  Opportunity cost                  -          -          -          -          -          -
Total cost ($USD)               5,320     16,881     40,802     98,724    272,471    721,713

Notes:
1 – The company does 90% of their annual revenue during a 12-hour period (6am-6pm PST) with an average revenue per minute of $120. The outage occurred during this window.
2 – The model assumes a fully burdened average salary of $108,000 per IT operations staff and all 4 employees in this example were involved in detecting and mitigating the DDoS attack for the entire duration of the outage.
3 – The model assumes a fully burdened average salary of $42,000 per help desk employee with a total cost per call of $1. There were 2 employees at the help desk at the time of the incident fielding 20 total calls per hour. Each call to the help desk during the outage averaged 2 minutes in duration.
4 – The hourly cost for a specialized security consultant is $200 per hour. The consultant was hired for forensic analysis and to make recommendations improving perimeter security to prevent future DDoS attacks. The amount of time included in the model ranged from 8 hours of consulting for a 30-minute attack to 5 business days for a 3-day outage. This time includes all necessary activities for a full analysis including log collection and event correlation from affected networking devices and server systems.
5 – In an effort to build goodwill among those customers affected by the outage the company offered a $10 discount towards future purchases. The model assumed discounts were given to 1% of the total customers who were affected by the outage. The costs are based on an average margin of 15% per online purchase.
6 – The company pays an average of $15,000 per month to a public relations agency for press and analyst relations. The company begins to work with the PR firm when the duration of the outage is greater than 5 hours. The amount of additional hours billed by the PR agency ranges from 10 billable hours for a 5-hour outage to 40 billable hours for an outage lasting 3 days.
7 – The company’s 12-month revenue was $35,000,000 from 152,174 online customers at an average purchase of $230 per customer. The financial impact of permanently losing customers to competitors due to the outage is examined over a three-year period. The number of customers the company lost is assumed to be 1/10th of 1% of total annual customers due to an 8-hour outage, ¼ of 1% of total annual customers due to a 24-hour outage and ½ of 1% of total annual customers for an outage duration of 3 days.

Scenario B: The company was the victim of a hybrid volumetric and application-layer DDoS attack that resulted in a complete outage of their online store and the theft of vital customer account information. Customers were not able to browse the store or complete purchases for the duration of the outage. The stolen data included customer names, phone numbers, addresses, email addresses, account passwords and credit card numbers.
Scenario B – Cost Table (all amounts in $USD; "-" means the cost item did not apply):

                                                       Outage Duration
                           30 Minutes     2 Hours     5 Hours     8 Hours       1 Day      3 Days   Notes
Direct Costs
  Loss of revenue               3,600      14,400      36,000      57,600     172,800     518,400     1
  Loss of productivity              -           -           -           -           -           -
  IT operations                   108         430       1,076       1,721       5,163      15,490     2
  Help desk                        15          60         150         240         720       2,160     3
  Consultants                  17,600      18,000      18,400      19,000      20,000      24,000     4
  Customer credits/SLA              3          11          27          43         128         383     5
  Legal/compliance                  -           -           -           -           -           -
  Public relations             60,000      60,000      60,000      60,000      60,000      60,000     6
Indirect Costs
  Damage to brand          22,050,000  22,050,000  22,050,000  22,050,000  22,050,000  22,050,000     7
  Theft of data                     -           -           -           -           -           -
  Customer loss             3,500,002   3,500,002   3,500,002   3,500,002   3,500,002   3,500,002     8
  Opportunity cost                  -           -           -           -           -           -
Total cost ($USD)          25,631,327  25,642,903  25,665,654  25,688,606  25,808,813  26,170,435

Notes:
1 – Ninety percent of the company’s annual revenue is realized during a 12-hour period (6am-6pm PST) with an average revenue per minute of $120. The outage occurred during this window.
2 – The model assumes a fully burdened average salary of $108,000 per IT operations staff and all 4 employees in this example were involved in detecting and mitigating the DDoS attack for the entire duration of the outage.
3 – The model assumes a fully burdened average salary of $42,000 per help desk employee with a total cost per call of $1. There were 2 employees at the help desk at the time of the incident fielding 30 total calls per hour. Each call to the help desk during the outage averaged 2 minutes in duration.
4 – The hourly cost for a specialized security consultant is $200 per hour. The consultant was hired for forensic analysis and to make recommendations improving perimeter security to prevent future DDoS attacks. The amount of time included in the model ranged from 88 hours of consulting for a 30-minute attack to 15 business days for a 3-day outage. There were 80 hours spent on the forensic analysis of the data theft alone. This time includes all necessary activities for a full analysis including log collection and event correlation from affected networking devices and server systems.
5 – In an effort to build goodwill among those customers affected by the outage the company offered a $10 discount towards future purchases. The model assumed discounts were given to 1% of the total customers who were affected by the outage. The costs are based on an average margin of 15% per online purchase.
6 – The company paid $20,000 per month to their PR agency for a period of 3 months to help minimize the damage caused by the theft of their customers’ personal data.
7 – According to a study conducted by the Ponemon Institute, the average diminished value of an organization’s brand involving the theft of 100,000 or more customer records was 21%.[7] The brand damage was calculated at more than $22,000,000 based on a total company valuation of 3 times trailing 12-month revenue, or $105,000,000 USD.
8 – The company lost 10% of its customers due to the data theft.

[7] Ponemon Institute, “Reputation Impact of a Data Breach”, November 2011

Example: Software Development

Company Profile: The company is a 500-person software development firm based in the San Francisco Bay Area. They are a global company with 8 locations connected using a private MPLS wide-area network (WAN). Their Internet data center, in San Francisco, supports their main internet connection as well as a virtualized server farm that is used by the company’s 200 software engineers as their primary development environment for application development and testing.

Scenario C: The company was the victim of a hybrid volumetric and application-layer DDoS attack that completely exhausted WAN bandwidth and brought down the company’s development servers. This prevented access to the Internet for the entire company and disrupted software development activities.
Scenario C – Cost Table (all amounts in $USD; "-" means the cost item did not apply):

                                                   Outage Duration
                           30 Minutes    2 Hours    5 Hours    8 Hours      1 Day     3 Days   Notes
Direct Costs
  Loss of revenue                   -          -          -          -          -          -
  Loss of productivity          2,462      9,849     24,622     39,394    118,183    354,550     1
  IT operations                    81        323        807      1,291      3,873     11,618     2
  Help desk                         5         20         50         80        240        720     3
  Consultants                   1,600      2,000      2,400      3,000      4,000      8,000     4
  Customer credits/SLA              -          -          -          -          -          -
  Legal/compliance                  -          -          -          -          -          -
  Public relations                  -          -          -          -          -          -
Indirect Costs
  Damage to brand                   -          -          -          -          -          -
  Theft of data                     -          -          -          -          -          -
  Customer loss                     -          -          -          -          -          -
  Opportunity cost                  -          -      1,845     11,228     11,228     11,228     5
Total cost ($USD)               4,148     12,191     29,723     54,993    137,523    386,115

Notes:
1 – Loss of productivity costs during the outage are calculated using an average fully burdened salary of $123,600 per software developer. On average 40% of the company’s developers are online and using the centralized development servers or the Internet for research.
2 – The model assumes a fully burdened average salary of $108,000 per IT operations staff and all 3 employees in this example were involved in detecting and mitigating the DDoS attack for the entire duration of the outage.
3 – The model assumes a fully burdened average salary of $42,000 per help desk employee with a total cost per call of $1. There were 10 total calls per hour to the help desk by internal employees to either report the outage and/or request a status update.
4 – The hourly cost for a specialized security consultant is $200 per hour. The consultant was hired for forensic analysis and to make recommendations improving perimeter security to thwart future DDoS attacks. The amount of time included in the model ranged from 8 hours of consulting for a 30-minute attack to 5 business days for a 3-day outage. This time includes all necessary activities for a full analysis including log collection and event correlation from affected networking devices and server systems.
5 – The opportunity cost was calculated assuming a delay to the implementation of other projects by the IT team due to the DDoS attack. At an outage duration of 5 hours, the attack was a distraction and only resulted in a 2-week delay to other projects. In the case of an 8-hour or longer outage the company decided to evaluate and install a new DDoS protection solution which delayed other IT projects for a three-month period. In this particular example, the company had planned to replace its aging MPLS WAN infrastructure with a new, software-defined WAN solution that would save the company 66% in monthly bandwidth costs. At a monthly cost of $500 per MPLS WAN link, the company would save $2,640 monthly. In addition, the IT team had planned to implement a new, automated password recovery and management solution as well as convert to a new anti-virus solution for their host machines. It was estimated that these projects would save the IT department an average of $52.50 per day in eliminated help desk calls.

Return on Investment: A Three Year Cost Analysis

This paper has described the costs associated with a single DDoS attack using a variety of scenarios. It is useful to analyze the impact of multiple attacks over a longer period of time to obtain an accurate picture of the return-on-investment (ROI) of any DDoS protection solution.

A comprehensive security survey of over 370 networking and security managers from more than 14 industries reported that respondents experienced a weighted average of 4.5 DDoS attacks per year and an average attack duration of 8.7 hours.[8] The following table calculates the three-year cost of the scenarios described in this paper using the information provided by the survey.

Online Retailer – Scenario A (DDoS Attack)
  Single incident cost (8 hour):   $98,724
  Estimated three-year cost:       Single incident cost x 13.5 = $1,332,770
  Estimated monthly cost:          $36,743

Online Retailer – Scenario B (Data Theft)
  Single incident cost (8 hour):   $25,688,606
  Estimated three-year cost:       (Single incident cost x 13.5) + Cost of data theft = $33,471,156
  Estimated monthly cost:          $929,754

Software Company (DDoS Attack)
  Single incident cost (8 hour):   $54,993
  Estimated three-year cost:       Single incident cost x 13.5 = $742,402
  Estimated monthly cost:          $20,622

Using this analysis, we can see that the payback period for most DDoS protection solutions will range from immediate to less than 6 months depending on the cost, capability and performance of the particular solution.

[8] SANS Institute, “DDoS Attacks Advancing and Enduring”, February 2014
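The cost model above reduces to a handful of formulas, and writing them down makes it easy to substitute your own figures. The following Python is an added example, not the paper's own spreadsheet: it reimplements the line items from the scenario notes, reproduces the 8-hour column of all three cost tables, and then applies the 4.5-attacks-per-year survey figure for the three-year cost. One assumption not stated on the page is a 2,008-hour working year (251 days x 8 hours) for turning burdened salaries into hourly rates; that is what makes the IT-operations and productivity figures match the tables to the dollar. Customer credits, public relations, legal spend and consultant hours are taken as flat inputs for each outage length, as the notes give them, and the protection-solution price used in the payback calculation is a placeholder.

```python
"""Cost model for a DDoS outage, reimplemented from the assumptions stated in
the scenario notes above (added example, not the paper's own spreadsheet).
Assumption not on the page: a 2,008-hour working year (251 days x 8 hours)
for converting burdened salaries to hourly rates."""
from dataclasses import dataclass

WORK_HOURS_PER_YEAR = 2008   # assumption: 251 working days x 8 hours
ATTACKS_PER_YEAR = 4.5       # weighted average from the SANS survey quoted above


@dataclass
class Assumptions:
    revenue_per_minute: float = 0.0      # retailer note 1: $120/min inside the 12-hour window
    it_staff: int = 0                    # note 2
    it_salary: float = 108_000.0         # fully burdened
    calls_per_hour: float = 0.0          # note 3
    cost_per_call: float = 1.0
    consultant_hours: float = 0.0        # note 4: hours billed for this outage length
    consultant_rate: float = 200.0
    customer_credits: float = 0.0        # note 5: taken from the table as a flat figure
    pr_cost: float = 0.0                 # note 6: flat PR spend for this outage length
    legal_cost: float = 0.0
    developers_online: int = 0           # software note 1: 40% of 200 developers
    developer_salary: float = 123_600.0
    annual_customers: int = 0            # retailer note 7
    avg_purchase: float = 0.0
    customers_lost_fraction: float = 0.0
    annual_revenue: float = 0.0          # scenario B note 7: brand damage inputs
    valuation_multiple: float = 0.0
    brand_diminished_fraction: float = 0.0
    opportunity_cost: float = 0.0


def hourly(salary: float) -> float:
    return salary / WORK_HOURS_PER_YEAR


def opportunity_cost(delay_months: float, delay_workdays: int,
                     monthly_saving: float = 2_640.0, daily_saving: float = 52.5) -> float:
    """Software note 5: savings forgone while other IT projects are delayed."""
    return monthly_saving * delay_months + daily_saving * delay_workdays


def cost_table(a: Assumptions, outage_hours: float) -> dict:
    """One column of the scenario cost tables; each line item rounded to the dollar."""
    minutes = outage_hours * 60
    rows = {
        "Loss of revenue": a.revenue_per_minute * minutes,
        "Loss of productivity": a.developers_online * hourly(a.developer_salary) * outage_hours,
        "IT operations": a.it_staff * hourly(a.it_salary) * outage_hours,
        "Help desk": a.calls_per_hour * outage_hours * a.cost_per_call,
        "Consultants": a.consultant_rate * a.consultant_hours,
        "Customer credits/SLA": a.customer_credits,
        "Legal/compliance": a.legal_cost,
        "Public relations": a.pr_cost,
        "Damage to brand": a.annual_revenue * a.valuation_multiple * a.brand_diminished_fraction,
        "Customer loss": a.annual_customers * a.customers_lost_fraction * a.avg_purchase,
        "Opportunity cost": a.opportunity_cost,
    }
    rows = {k: round(v) for k, v in rows.items()}
    rows["Total cost"] = sum(rows.values())
    return rows


def three_year_cost(recurring_incident: float, one_off: float = 0.0, years: int = 3) -> float:
    """Recurring outage cost times the expected number of attacks, plus any
    one-off cost (such as a data theft) counted once, as the ROI table does."""
    return recurring_incident * ATTACKS_PER_YEAR * years + one_off


def payback_months(solution_cost: float, three_year: float) -> float:
    """Months of avoided expected loss needed to recover a protection solution's price."""
    return solution_cost / (three_year / 36)


# Scenario A, 8-hour outage (retailer notes 1-7).
RETAIL_A_8H = Assumptions(revenue_per_minute=120, it_staff=4, calls_per_hour=20,
                          consultant_hours=15, customer_credits=43, pr_cost=1_200,
                          annual_customers=152_174, avg_purchase=230,
                          customers_lost_fraction=0.001)

# Scenario B, 8-hour outage with data theft (scenario B notes 1-8).
RETAIL_B_8H = Assumptions(revenue_per_minute=120, it_staff=4, calls_per_hour=30,
                          consultant_hours=95, customer_credits=43, pr_cost=60_000,
                          annual_customers=152_174, avg_purchase=230,
                          customers_lost_fraction=0.10, annual_revenue=35_000_000,
                          valuation_multiple=3, brand_diminished_fraction=0.21)

# Scenario C, 8-hour outage (software company notes 1-5): three-month delay, 63 workdays.
SOFTWARE_C_8H = Assumptions(it_staff=3, calls_per_hour=10, consultant_hours=15,
                            developers_online=80, opportunity_cost=opportunity_cost(3, 63))

if __name__ == "__main__":
    PLACEHOLDER_SOLUTION_PRICE = 100_000   # placeholder, not a quoted price
    for name, a in [("Retail A", RETAIL_A_8H), ("Retail B", RETAIL_B_8H), ("Software C", SOFTWARE_C_8H)]:
        t = cost_table(a, 8)
        ty = three_year_cost(t["Total cost"])
        print(f"{name:10s} 8h total ${t['Total cost']:>12,}  3-year ${ty:>14,.0f}  "
              f"payback {payback_months(PLACEHOLDER_SOLUTION_PRICE, ty):.1f} months")
```

Swapping in your own revenue per minute, head counts, salaries and customer base is the whole exercise; the indirect items (brand damage, customer loss) dominate the moment a data theft is involved, which is why the `cost_table` keeps them as separate, explicitly parameterised rows rather than folding them into a single multiplier.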
Conclusion

In examining the direct and indirect costs of our three sample scenarios it becomes clear that the distribution of costs can vary widely depending on the results of the attack. While direct costs related to service disruption are relatively easy to identify, the indirect costs associated with either a data breach or the permanent loss of customers can quickly become the most expensive portion of a DDoS attack. As shown in Scenario B, the damage due to the theft of customer data and the loss of customers dwarfed the direct costs incurred as a result of the attack. It is imperative that any cost analysis include both direct and indirect costs in order to obtain a complete view of the financial impact of the attack. The charts below depict the cost distribution of an eight-hour outage for the three sample scenarios.

The Economics of DDoS Attacks: A Macro View

Unfortunately, it has never been easier or less expensive to launch a DDoS attack. The last decade has seen orders-of-magnitude increases in bandwidth, compute power and device connectivity that make it easy to quickly overwhelm the online activities of most companies and organizations. Compounding the problem is the fact that the technical barrier to entry for launching DDoS attacks has never been lower. The early days of hacking required some amount of technical skill and a detailed understanding of the underlying network and application protocols to create an attack. Today, there are massive, automated botnets available for rent ranging from $10 to $300 USD monthly and capable of generating up to 3 Gbps worth of attack traffic.[9] They can be combined and used with other amplification techniques to generate an overwhelming amount of attack traffic. These botnets increasingly use sophisticated, complex, multi-layer attacks but can be controlled with a simple web GUI front-end. A single credit card number or PayPal account and the IP address (or addresses) of the victim are often all that is needed to launch massive attacks capable of disrupting critical online systems.

DDoS attacks are at an inflection point where the low cost and simplicity of launching an attack mean that their frequency will only increase. We saw the same thing a few years ago with spam, when the cost of sending bulk email dropped, and compute power, bandwidth and email software improved, and the amount of SPAM increased. Similarly, trends in the cost, performance and availability of modern DDoS attacks point to the proliferation of these types of attacks for the foreseeable future.

Summary

This paper has detailed the cost factors to consider when evaluating the financial impact of DDoS attacks on any organization. It has also demonstrated how the costs can vary based on the nature of the threat, the type of business under attack and the vulnerabilities that are exploited. It provided a template that can be used to measure the impact of any potential attack for your specific situation and provides a cost model that is useful for evaluating the ROI of DDoS protection solutions. Finally, it described the wide landscape of threat actors, threat vectors, motivations and economic trends that will continue to drive the increased frequency and effectiveness of modern DDoS attacks for the foreseeable future.

[9] Karami, Park and McCoy, “Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services”, August 2015

03122015 NSFOCUSGLOBAL.COM