Kaspersky: Criminals Make 95% Profit on DDoS

Ordering a DDoS attack has become as easy as ordering the latest bestseller from Amazon—and can offer incredible return on investment for the attacker.

According to Kaspersky Lab, DDoS-for-hire services are generally self-service, eliminating the need for direct contact between the organizer and the customer. Customers can make payments, get reports on work done and so on, all online. In fact, Kaspersky said that the order page “looks more like the web page of an IT startup than a cybercriminal operation.”

“These web services are fully functional web applications that allow registered customers to manage their balance and plan their DDoS attack budget,” the firm said in a blog posting. “Some developers even offer bonus points for each attack conducted using their service. In other words, cybercriminals have their own loyalty and customer service programs.”

But lowering the barrier to entry doesn’t stop there—it’s also incredibly cheap to carry attacks out these days. One DDoS service advertised on a Russian public forum offers attacks from $50 per day, for instance.

Kaspersky did a review of the Dark Web to find out the going rate for DDoS as-a-service, and found the average to be slightly higher than the example above—attacks typically cost $25 per hour, with the cyber-criminals making a profit of about $18 for every hour of an attack.

The security specialist also found that organizers of DDoS services generally offer customers a tariff plan in which the buyer pays a per-second rental price for botnet capacity. For example, a DDoS attack of 300 seconds using a botnet with a total bandwidth of 125Gbps will cost about between $5 and $6.

As for profitability, it should be noted that DDoS attacks and, in particular, ransomware DDoS have already turned into a high-margin business. “The profitability of one attack can exceed 95%,” the firm noted. “And the fact that the owners of online sites are often willing to pay a ransom without even checking whether the attackers can actually carry out an attack (something that other fraudsters have already picked up on) adds even more fuel to the fire. All the above suggests that the average cost of DDoS attacks in the near future will only fall, while their frequency will increase.”

Of course, the actual cost of any one service depends on a few variables. Those include the target—government victims cost more to attack than, say, an online store, and some countries cost more to attack than others—as well as the type of attack requested. Atypical attacks that ask the botnet owner to alternate between different methods of DDoS attacks within a short period of time or implement several methods simultaneously can increase costs.

The rate also depends on the anti-DDoS protection the potential victim has. “If the target uses traffic filtering systems to protect its resources, the cyber-criminals have to come up with ways of bypassing them to ensure an effective attack, and this also means an increase in the price,” Kaspersky explained. In one case, “cyber-criminals were asking for $400 per day to attack a site/server that uses anti-DDoS protection, which is four times more expensive than an attack on an unprotected site.”

Also, the cheaper it is for a criminal to maintain a botnet (defined, for example, by the average cost of infecting a device and including it in a botnet), the more likely they are to ask for bargain-basement prices for their services. For example, a botnet of 1,000 surveillance cameras may be cheaper than a botnet of 100 servers, simply because cameras and other IoT devices are less secure and take less effort to compromise.

As for mitigation, Ben Herzberg, security group research manager for the Incapsula product line at Imperva, offered us the following advice: “In a nutshell, though the organization needs to map their assets, understand what sort of risks they’re facing on the different assets (for example: websites, third-party services, VPNs, etc.), and set a process which will minimize those risks—in most cases by taking a DDoS mitigation service to protect the organization.”

He added, “The best way for organizations to mitigate DDoS attacks is as far away from their network as possible, such as in the cloud, before it even reaches the organization’s ISP. With the vast increase of IoT devices, allowing cheap attacks like the ones stated in the Kaspersky research, attackers may send enormous amounts of traffic and packets, which may easily exhaust the organization’s pipeline.”

What’s Hot on Infosecurity Magazine?