The cost of business vs the cost of crime…
If you live in The Netherlands you probably noticed that a series of DDoS attacks caused quite some uproar in our little corner of the world. One of the questions I get asked regularly is why we still cannot deal with these types of attacks.
We are at un unfair disadvantage, or more accurately phrased, the criminals have an unfair advantage. The cost, in terms of money, time, lost functionality, etc., of preventing a crime or attack are often higher than those the criminal or attacker needs to make to actually commit his deed.
So, let’s run a thought experiment with regards to DDoS attacks. We have two players, let’s call them Alice and Bob. Alice runs an online business that does not require too much bandwidth (say a 10mbps transit commitment). And Bob runs a DDoS facility with the capability to generate up to 60 Gbps attack traffic.
In order to keep the scope of the experiment limited, I will focus exclusively on the cost of bandwidth (transit), cost of the physical connection to the transit provider (port costs) and the cost of the router and its yearly maintenance.
If Alice did not have to take into account Bob’s DDoS, running here business would cost her a one-time fee of about € 3,000.- for a router and monthly fees of around €325,- per month for port, bandwidth and the maintenance contract on the router.
If Alice wants to beef up her infrastructure to be able to withstand a 60 Gbps attack, she will need to buy faster ports and a faster router. Provided she doesn’t get attacked very often, she does not need a lot more bandwidth, because a single attack will not hurt her monthly average. Her costs will go up considerably. A router that can handle this kind of traffic may cost as much as € 60,000 . Her monthly fees go up as well, the maintenance contract on the router alone will be around € 2500 monthly and she will need to spend € 1000 a month on a 100 Gbps ports. Alternatively, she could use a DDoS scrubbing center for around € 4,000 per month.
So, being able to deal with Bob’s attack capacity costs Alice € 57,000 and € 3,175 monthly or € 4,000 monthly using a scrubbing center.
So how does this compare to Bob’s cost? Well if Bob would operate legally he too would need a € 60,000 router, € 2,500 maintenance contract, € 1,000 port and he would need to buy bandwidth for € 15k to € 20k a month. So Bob’s cost would be significantly higher, IF he would run his operation legally. And this is where the attackers unfair advantage comes into play.
One way for Bob to lower his bandwidth cost is to take advantage of the property that certain protocols generate much more traffic when they reply to a request then the traffic required to generate the request. An example is a so-called DNS amplification attack. E.g. when you request the DKIM key for my home domain, you need 60 bytes for the request, but the answer is 830 bytes long more than 13 times as much as the request. With this technique Bob only needs have a 5 Gbps connection to generate 60Gbps. Effectively stealing somebody else’s traffic. Assuming Bob will do his utmost to cut cost, he will use hacked computer to even generate this initial 5 Gbps traffic and it is safe to assume his monthly cost will be on par with Alice’s cost if she did not have to take into account Bob’s attack.
Now all this assumes that Bob has started his service exclusively to perform a DDoS against Alice. Notihing is stopping Bob from renting out his DDoS capability to others. If you take this into account the claim that these attacks can be purchased for less than €50,- don’t seem incredible anymore.
