Why do the Bad Guys try to take down our websites?
In my (admittedly limited) experience with hacking, the main result of a denial of service attack seems to be annoyance on a wide scale. Blameless users simply trying to accomplish a routine task (such as ordering a product or reading a blog) are unable to proceed due to a denial of service attack (often referred to as a “DoS” or “DDoS” attack).
In my naiveté, I often assumed—without really giving it much thought—that denial of service attacks were undertaken by bored geeks who had tired of online gaming and moved on to hacking. I imagined a sort of high-tech “pissing contest,” in which each hacker sought to establish his or her superiority. I never imagined there could be a more sinister motivation, nor did I consider the devastating consequences that bringing down a website could have on a business owner.
According to a study from Neustar, it takes an average of 10 hours before a company can even begin to resolve a DDoS attack. When a service outage costs an average of $100,000 per hour, the cost of that downtime adds up quickly, and can decimate smaller businesses that rely on their website. (Neustar has created a 2014 infographic with some startling statistics on denial of service attacks.)
As it turns out, I was half right. Kevin Mitnick’s book Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
I’m with the judge on this one. “Just for fun” isn’t a sufficient explanation when mitigating the impact of a denial of service attack can cost a company $1,000,000 even before their efforts start to work.
The business behind hacking
But not every hacker is in it for the fun. Some do have a monetary motivation, even if their path to profit isn’t clear to those of us unschooled in the art of hacking.
Some hackers extort legitimate businesspeople, threatening a denial of service attack if money is not forthcoming.
Others use the denial of service attack as a “smokescreen” while they insert malware or a virus into the code of the target site. One attack created a diversion while the hackers obtained bank customers’ credentials and stole $9,000,000 from ATMs in a period of 48 hours.
Denial of service attacks can also be used to thwart competition. Companies might pay hackers to execute a denial of service attack on a competitor’s website. In some cases, hackers will execute a denial of service attack on a website because they disagree with something the site owner has said (on the site or on another channel).
Fighting back
Given the massive cost of mitigating such an attack, the idea that someone might do this can have a chilling effect on speech and the free expression of ideas, which ultimately harms society as a whole.
There are some ways to protect your site against a denial of service attack. Ironically, the most common measures taken—firewalls and intrusion prevention systems—are not designed to stave off this type of attack.
- Keep an eye on your analytics. Knowing your baseline for traffic will help you to identify when a denial of service attack is underway, so you can get a jump start on mitigating its effects.
- Contact your ISP and ask what services they offer to help mitigate denial of service attacks.
- Create a “whitelist” of IPs that get priority access during an attack. Include your biggest clients or customers.
- Implement “purpose-built DDoS protection” (cloud, hybrid and hardware), rather than relying on measures not specifically designed to prevent denial of service attacks.
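One way to put the first and third tips into practice, as an added example that is not part of the original post: the script below derives a requests-per-minute baseline from a web access log, flags minutes far above it, and lists the heaviest clients while skipping the priority whitelist. It assumes Common Log Format input and a threshold of three times the baseline; the function names, the threshold, and the sample log (built from documentation IP ranges) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Common Log Format prefix: client IP, two ignored fields, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def per_minute(lines):
    """Return (requests per minute, requests per (minute, client IP))."""
    totals, by_ip = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        minute = ts.strftime("%Y-%m-%d %H:%M")
        totals[minute] += 1
        by_ip[(minute, m.group(1))] += 1
    return totals, by_ip

def baseline_rpm(totals, before):
    """Median requests/minute over the known-good period before `before`."""
    return median(c for minute, c in totals.items() if minute < before)

def spikes(totals, base, factor=3):
    """Minutes whose request count exceeds factor x baseline (assumed threshold)."""
    return sorted(m for m, c in totals.items() if c > factor * base)

def suspects(by_ip, minute, base, allowlist):
    """Non-allowlisted clients that alone exceed the whole-site baseline."""
    hits = [(ip, c) for (m, ip), c in by_ip.items()
            if m == minute and c > base and ip not in allowlist]
    return sorted(hits, key=lambda x: -x[1])

# Constructed sample data (documentation IP ranges), not a real log.
def _line(ip, minute, sec):
    return (f'{ip} - - [10/Mar/2014:12:{minute:02d}:{sec:02d} +0000] '
            '"GET / HTTP/1.1" 200 512')

SAMPLE_LOG = [_line(f"192.0.2.{s + 1}", m, s)
              for m, n in enumerate([4, 5, 6, 5, 5]) for s in range(n)]
SAMPLE_LOG += [_line("203.0.113.50", 5, s) for s in range(40)]  # flood source
SAMPLE_LOG += [_line("198.51.100.7", 5, s) for s in range(8)]   # busy big customer
ALLOWLIST = {"198.51.100.7"}  # hypothetical priority client from the whitelist

if __name__ == "__main__":
    totals, by_ip = per_minute(SAMPLE_LOG)
    base = baseline_rpm(totals, before="2014-03-10 12:05")
    for minute in spikes(totals, base):
        print(minute, totals[minute], suspects(by_ip, minute, base, ALLOWLIST))
```

The baseline should come from a period you know was normal; a median taken over a window that already contains attack traffic will hide the spike.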
There is more you can do, depending on your staff and budget, to protect yourself. Whatever you do, take action now, especially if you’ve already been the victim of a denial of service attack: 87% of companies attacked were hit multiple times. And remember Neustar’s pithy observation: “Hope is not a strategy.”
Kerry O’Shea Gorgone is a writer, lawyer, speaker and educator. She’s also Instructional Design Manager, Enterprise Training, at MarketingProfs. Kerry hosts the weekly Marketing Smarts podcast. Find Kerry on Google+ and Twitter.
Illustration courtesy Flickr CC and Mikael Altmark