OVERWHELMING the bandwidth of a certain web site via a denial-of-service (DDoS) attack may cost $7 an hour only, according to Kaspersky Lab ZAO.
Our “experts were also able to calculate that an attack using a cloud-based botnet of a thousand desktops is likely to cost the providers about $7 per hour,” the Russian cyber-security firm said in a statement.
The group that deploys DDoS attack can make around $18 an hour in profit, Kaspersky Lab explained on March 29.
“There is, however, yet another scenario that offers greater profitability for cyber-criminals. It involves the attackers demanding a ransom from a target in return for not launching a DDoS attack, or to call off an ongoing attack,” the cyber-security firm said. “The ransom can be the bitcoin equivalent of thousands of dollars, meaning the profitability of a single attack can exceed 95 percent.”
In some instances, the attackers do not require an actual assault to overwhelm the bandwidth of a certain web site, Kaspersky Lab noted. By blackmailing a target, the attackers can get a ransom without deploying DDoS attack.
The duration of the attack, which is measured in second, hours and day, and the client’s location are taken into consideration in the cost.
“DDoS attacks on English-language web sites, for example, are usually more expensive than similar attacks on Russian-language sites,” Kaspersky Lab said. “The level of service involved when arranging a DDoS attack on the black market is not very different from that of a legal business,” the firm said. “The only difference is that there’s no direct contact between the provider and the customer.”
The attackers have a web site on which customers can choose and pay for the service they need, Kaspersky Lab said. Through the web site, the customers receive updates on the DDoS attack.
“In some cases, there is even a customer loyalty program, with clients receiving rewards or bonus points for each attack,” the firm said.
The costs of assaults on highly protected web sites, however, are more expensive.
For instance, on one DDoS-as-a-service web site, the cost of an attack on an unprotected web site ranges from $50 to $100, while an attack on a protected site costs $400 or more, Kaspersky Lab explained.
This could mean deploying an assault may cost between $5 for a 300-second attack, to $400 for 24 hours, the firm explained. Around $25 per hour could be the average price.
“Cybercriminals are constantly on the lookout for new and cheaper ways of organizing botnets, as well as coming up with ever more ingenious attack scenarios that security solutions will have difficulty dealing with,” Denis Makrushin, Kaspersky Lab security researcher, was quoted in the statement as saying. “That’s why, as long as there are vulnerable servers, computers and Internet of things devices connected to the Internet, and many companies prefer not to invest in security against DDoS attacks, we can expect the profitability of DDoS attacks to continue growing, along with their complexity and frequency.”