Some companies lose tens of thousands of dollars for every minute of a DDoS attack.
Internet outages continued into Friday afternoon, with major websites seeming to flicker on and off for internet users across the United States.
The cause was a major, ongoing distributed denial of service attack—when hackers flood a website with traffic so it can’t handle visits from ordinary web users—on critical web infrastructure.
Among the major sites that had trouble staying online or functioning properly: The New York Times, Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, EA and the Playstation network. Aside from the inconvenience to those attempting to visit those sites, there’s the question of how an attack like this affects the companies who run those sites. System outages—even seemingly brief ones—can have huge repercussions on the bottom line.
For more than one-third of companies, a single hour of a DDoS attack can cost up to $20,000, according to a 2014 report by the security firm Imperva Incapsula. (For some companies, the cost of an attack can exceed $100,000 per hour.) Given that the majority of attacks continue for more than six hours, these losses add up quickly. In a particularly stark example, the airline Virgin Blue lost $20 million in a period of IT outages that spanned 11 days in 2010.
Other estimates have been even more dramatic. One 2012 study, by the Ponemon Institute, a security and data protection researcher, found the average company’s cost for every minute of downtime during a DDoS attack was $22,000. (“However, the cost can range from as little as $1 to more than $100,000 per minute of downtime,” the report said.)
Businesses under attack often lose revenue from reduced web traffic, and end up having to spend money on hardware and software replacements after the fact. They also suffer losses in productivity and, in some cases, intellectual property. Then there are the losses that are more difficult to quantify, like the loss of customer trust—especially since many DDoS attacks are linked with customer data theft.
On top of all that, attackers often attempt to maximize financial damage in planning when to launch an attack. And the cost of waging an attack seems to be inversely proportionate to the cost of suffering one. In other words, it’s easy to wreak havoc on the cheap. Imperva Incapsula found it’s possible to hire someone online to carry out a DDoS attack for as little as $5.
“The impact of distributed denial of service (DDoS) attacks gets bigger and harder to ignore every year,” Imperva Incapsula wrote in its 2014 report. Often, larger companies face the worst losses—in part because companies with 500 or more employees are particularly vulnerable to attack.
All the more concerning is the fact that DDoS attacks are on the rise, the attacks themselves are getting much bigger, and the companies who are targeted are often hit multiple times. The internet infrastructure company Akamai found DDoS attacks were up 129 percent in the second quarter of 2016 compared with the same period last year, and that the websites that were targeted were hit an average of 27 times.
“There is no indication that we will see any reduction in the frequency or count of attacks any time in the near future,” Akamai wrote. In fact, the company stressed, the greatest lesson from the past year may be that the number of attacks will grow—and keep growing for some time. If widespread attacks like today’s do indeed become the norm, losses could increase precipitously.