We asked IT pros what’s at stake during a DDoS attack. Here’s what they said about downtime, losing customers and public trust.

Introduction

Distributed denial of service (DDoS) attacks continue to grow as a threat to organizations worldwide. By unleashing extremely high volumes of malicious Internet traffic or surgically targeting Web applications, attackers seek to shut down a company’s Web resources, typically websites but also email servers, APIs and more. When they achieve their purpose, DDoS attacks can do lasting damage to customer service, online revenues and brand reputation.

In February 2012, Neustar surveyed IT professionals across North America to better understand their DDoS experiences. Most were network services managers, senior systems engineers, systems administrators and directors of IT operations. In all, 1,000 people from 26 different industries shared responses about attacks, defenses, ongoing concerns, risks and financial losses.

The survey shed light on five key questions:

• Who has been attacked and who hasn’t?
• How much do DDoS outages cost?
• What’s the single biggest fear about DDoS attacks?
• How long have attacks lasted?
• What type of DDoS protection are people using?

Survey Responses

Have you ever been DDoS-attacked? 300+ said yes.Over 300 businesses across numerous industries reported having been hit by a DDoS attack. Industries where customer service is largely Web-based, such as financial services, were victimized more often. The same is true of businesses selling connectivity; nearly half of all responding telecom companies have been hit.

Of course, any business that uses the Web for customer service, direct sales or brand awareness is vulnerable. Ruthless competitors, angry customers or social and political protesters can easily take down a website lacking adequate protection.

These days the tools to accomplish such attacks are increasingly cheap and available. Example: the low orbit ion cannon (LOIC), a favorite piece of attack software, lets anyone with a computer unleash a deadly barrage. For as low as $67 a day you can even rent a botnet, an ad hoc computer network used to amplify attacks. There are now over 50 popular DDoS tools and the number is growing fast.

In certain industries the survey results can be deceiving. While over 80% of participating retailers report no attacks, large ecommerce sites with millions of dollars at stake have long been targets, especially during the crucial winter holiday season. As the next set of responses shows, online retailers have sometimes paid a steep price.

Impact of Attacks on Revenue

More than half of all companies report that a DDoS outage would cost them dearly. Those whose costs were $10,000 an hour would lose $240,000 per day. Those who tabbed costs at $50,000 an hour would feel a daily impact of $1.2 million.

Some industries fare worse during outages than others. Over 80% of financial services firms place losses at over $10K per hour. And in retail, the cost reaches a whole new level. Nearly 70% of retailers say outages cost over $100,000 an hour—in excess of $2 million a day.

The costs of DDoS attacks aren’t measured in revenue loss alone. Customer service and brand equity factor in, too. A customer who can’t get access to your website is unable to buy, login to an account or find useful information. Instead, that customer is on the phone complaining to your support team. Minute by minute, hour by hour, this costs you even more.

Brand-related costs can be significant, too. According to research by Yankee Group, a mid-size enterprise with $10 million in annual revenue would lose an additional $20,000 (.02% of revenue). That includes public-relations damage control (think online rants and bad reviews), customers who never return and customers who do but spend less frequently.

Therefore, it’s no surprise that tarnished brands and customer service topped the list of DDoS fears.

Greatest Fears of DDoS Attacks

What is your greatest fear about being attacked? (Survey reveals customer service is most feared potential impact of attacks.)By a wide margin, respondents most feared the potential impact of attacks on customer service. After all, when online service slows or ceases the result is usually chaos. Customers flood your call centers. Hold times stack up. Your support team may end up taking calls for weeks after the attack has ended.

According to the American Express 2011 Global Customer Service Barometer, degraded customer service has even longer-term effects. In today’s leaner economy, customers demand more for their hard-earned cash and have no tolerance for poor service. Some 60% will switch brands on the basis of service alone, with over 20% refusing to settle for anything less than excellence.

Customer service goes hand in hand with the other top concerns, brand reputation and online revenues. In industries that rely heavily on online sales—namely, travel and retail—loss of sales was the number-two fear. In IT, finance and telecom, brand image was more of a worry. For companies in these industries, an image of security and stability is a competitive must. Only in IT, where technical skill is paramount, does potential job loss appear as a concern.

Length of DDoS Attacks

Over a third of all companies experiencing attacks dealt with them for days, with one in 10 under barrage longer than a week. Why so many longer attacks? We believe that many targets aren’t prepared to block attacks properly. For example, one-third of retailers under attack had to mitigate for over a day. With an effective emergency plan and DDoS solution in place, they very well could have responded in minutes. Unfortunately, as the last set of answers will illustrate, most respondents are under-prepared.

Key Industries: Attacks Lasting More Than 24 Hours (When asked how long the attacks lasted, 35% said more than 24 hours and 11% said more than a week.)

Types of DDoS Mitigation Used

Seventy-five percent claimed to have some type of protection. The key question: Is it up to the task? For example, over 50% of respondents said they rely on firewalls, routers or switchers to block DDoS attacks. Another 11% place their bets on an intrusion detection system (IDS). However, experts point out that during DDoS attacks these “defenses” become part of the problem. They quickly become bottlenecks, helping achieve an attacker’s goal of slowing or shutting you down. Moreover, firewalls won’t repel attacks on the application layer, an increasingly popular DDoS vector.

Only 3% of respondents use some type of DDoS mitigation hardware—that is, a solution crafted specifically to combat DDoS attacks. In expert hands, such equipment can be very effective. However, it does the job only if your staff has the right expertise. With attacks becoming more sophisticated—mixing brute-force bandwidth assaults and surgical strikes on applications—in-depth knowledge and experience make a huge difference. There is no “magic box” that can out-think attackers on its own.

What type of DDoS protection do you use? (Only 3% of respondents use some type of DDoS mitigation hardware – a solution crafted specifically to combat DDoS attacks.)

Conclusions

Overall, the responses paint a picture of uncertainty and risk. Over 300 respondents have experienced an attack, though few have reacted by implementing a specialized protection solution. Over 20% said website outages cost more than $50,000 an hour. Nearly 70% of retailers report that website outages cause revenue losses of over $100,000 an hour, totaling millions per day. DDoS-related costs include the impact on customer service and brand reputation, not only loss of revenue.

Respondents said their number one fear surrounding DDoS attacks is the threat to customer service. Of those attacked, 35% have seen attacks lasting more than a day; for certain industries, the percentage is even higher. Seventy-five percent of respondents claimed to have DDoS protection, though tools range from firewalls, switches and routers to purpose-built solutions such as on-premise hardware and cloud-based services.

In short, respondents perceive the dangers as real and acknowledge serious risks, though few have taken strong action to protect their brand and bottom line.