DDoS-for-hire services are making it cheaper and easier than ever to mount distributed denial-of-service (DDoS) attacks, and to great effect: These network-layer attacks cost the victim $40,000 per hour.
Incapsula’s annual DDoS Threat Landscape Report found that DDoS perpetrators fall into two main offender archetypes, the first being the professional cybercriminal, the second being a user of botnet-for-hire services—so called “booters” (or “stressers”).
DDoS-for-hire is priced around $38 per hour on average—talk about getting a bang for your buck. It’s no wonder that these botnets are behind 40% of all network-layer attacks. The subscription-based model offers anybody the ability to launch several short-lived DDoS attacks for just a few dozen dollars per month.
This is playing out in unexpected ways: Consider the case of the 17-year-old Idaho teen, who launched an attack on his school district, the state’s largest, earlier in May. The attack dragged on for a week and a half, and had far-ranging consequences, including causing students working on Idaho Standard Achievement tests to lose all of their work, and preventing teachers from getting paid because payroll systems were blocked.
In terms of tactics, most attacks are short-term affairs, signaling the continued impact of DDoS-for-hire, although more than 20% of all network-layer attacks last more than five days.
“On one hand we observed long, complex, multiphase assaults that resemble advanced persistent threats (APT),” Incapsula noted. “These employ different methods and can last days, weeks and even months at time. On the other hand, we also noted a preponderance of rudimentary single-vector attacks usually lasting no longer than 30 minutes.”
Also, large-scale attacks are not uncommon. The largest network attack that Incapsula mitigated this past quarter was 253Gbps. UDP flood attacks are used in more than 56% of all network layer threats, the report found. Of these, 8% are SSDP DDoS attacks launched from Internet of Things devices—this dovetails with other industry research showing an uptick in the usage of smart devices to launch attacks.
Interestingly, botnet operators have all but abandoned the use of search engine impersonator bots (down from 57% in 2014 to a current 0.9%).
The report also found that DDoS attackers are relentless on the application-layer side. Half of all application layer DDoS attack targets are hit again within 60 days. Targets are hit once a week on average. These can be large-scale as well: The largest application-layer assault amounted to 179,700 requests per second.
Overall, the report delineates the persistent threat that DDoS events pose to online businesses.
“The real-world cost of an unmitigated attack is $40,000 per hour,” Incapsula noted. “Implications reach far beyond lost revenues to include loss of consumer trust, data theft, intellectual property loss, and more. Today, with a substantial percentage of attacks lasting for days, and half of all targets being repeatedly hit, a worst-case scenario entails losses of hundreds of thousands—if not millions—of dollars.”