How much surplus do you have in your operating budget?
If you aren’t suitably protected against a DDoS attack, current figures from a multitude of sources (jump to sources sections at bottom of the blog) give a range of $350K-$4.8 million for both losses and response costs thanks to a single DDoS attack.
Every individual and every company live with the general dread that they will fall victim to a cyberattack. Millions of dollars are spent to prevent it. No matter what the investment, cyberattacks are really more of a when, not an if, whether DDoS, spear-phishing or vulnerability exploitation.
DDoS attacks are highly organized attacks against a specific organization with a specific reason for the attack, be it economic or political, versus attacks on individuals which are generally more of a spray and pray approach.
Sources vary regarding the very first DDoS attack. A few cite David Dennis, a high school student in Champaign, Illinois, who, in 1974, at the age of 13, attacked the Computer-Based Education Research Laboratory (CERL) at the University of Illinois Urbana-Champaign. He found out about the “external” (EXT) command that could be run on the CERL’s shared learning system terminals that would allow an external device to be attached. If an external device wasn’t attached after the command was initiated, the terminal would lock up, requiring a restart to regain functionality. So he sent an “EXT” command to every machine – essentially locking the system up and requiring a complete restart on every machine.
*Other sources cite Khan C. Smith in 1997 as part of a DefCon event.
In the early years, DDoS attacks happened infrequently enough that they were noticed and noted. In August of 1999, a single University of Minnesota computer was brought down for two days via an attack from more than 225 systems.
In February of 2000, Yahoo was attacked, with its portal inaccessible for three hours. A few days later, Amazon, Buy.com, CNN, and eBay were attacked – all by a 16-year-old boy in Canada.
Since then, the frequency and scope of DDoS attacks are such that they are seldom reported on.
The reporting rule of thumb – “if it bleeds, it leads” – and its corollary, “Dog bites man is not news. Man bites dog is,” means that we only hear about notable DDoS attacks, like:
- 2002 – The Domain Name Servers root servers were attacked, in an attempt to disrupt the entire Internet
- 2007 – Politically motivated attacks by Russian nationalists against Estonia, completely disrupting its governmental operations, as the country was an early adopter of electronic government
- 2008 – The first broad scale appearance of “Anonymous” against the Church of Scientology
- Q3 2012- to Q1 2013- Bank of America, Capital One, Chase, Citibank, PNC Bank, and Wells Fargo underwent DDoS bank attacks in retaliation for sanctions on Iran.
The Mirai botnet of 2016 gets a special mention because it demonstrated the ubiquity of connected devices in our lives and how those devices can easily be used as additional sources of computing power to support attacks. Mirai is also noted for its power: a large attack used to be 10-20 Gigibits per second; Mirai hit 901 Gbps.
The Mirai attack targeted Internet infrastructure (DNS provider Dyn), so as a secondary effect, it brought down Amazon, PayPal, Netflix, Twitter, Reddit, Netflix, French webhost OVH, and AirBnB. It was also used to target Brian Krebs personally, one of the leading cybersecurity reporters.
One under-reported Mirai attack was a long-term attack against Rutgers University, which ultimately cost the school more than $1.3 million – and led to increases in tuition and fees. One of the writers of the original botnet code was a 21-year-old Rutgers student who was trying to sell the university DDoS protection technology he developed.
Mirai’s creators posted their code online to try to evade capture. Now, the code is available to anyone who wants to improve the code for even more comprehensive attacks.
GitHub, the coding site, was attacked in early March of 2018, with the world’s largest DDoS attack of 1.35Tbps at its peak.
As with any cyberattack, your DDoS attack is coming. It’s really just a matter of when. Are you prepared? Are your systems ready? Can you really afford it? Maybe you should check to make sure…
MazeBolt can help.
Knowledge is power. Download MazeBolt's Top 10 DDoS Attacks to get a clearer perspective on the types of attacks you can expect.