Q4 DDoS report 2017: From bad to worse

When a horrible thing happens to a company there is, at the very least, that bright shining moment when the horrible thing has come to an end. When the incident is officially over and everyone gets to take a deep breath and feel the relief flood in as the intense anxiety and stress of the incident finally begins to dissipate. A worst-case scenario occurred, but it’s over, and you survived. For many companies, however, those worst-case scenarios come in the form of DDoS attacks, and according to the attack stats from the fourth quarter of 2017, any relief that’s felt when an attack releases its hideous grip is likely to be short-lived. If there’s one main takeaway from the final three months of 2017, it’s that DDoS pain is persistent.

Agony ad nauseam

According to the Q4 2017 Global DDoS Threat Landscape Report from DDoS protection specialists Imperva Incapsula, businesses have a number of reasons to adopt a pessimistic worldview when it comes to distributed denial of service attacks, chief among them that sophisticated application layer attacks are on the rise and attacks are lasting longer. For those familiar with the havoc a DDoS attack wreaks on its target, though, no stat is quite so unsettling as the uptick in attack persistence.


Per the Incapsula report, a stunning 67.4% of DDoS attack targets were blasted with more than one attack. This is an increase of 9.7% from the Q3 report. That 67.4% breaks down to 31.9% of targets that had between two and five assaults aimed at them, 6.5% that attracted between six and nine attack attempts, and a truly unfortunate 29% that were targeted over ten times. This all averages out to 8.7 attack attempts per target over the course of the quarter.

Since these numbers come from DDoS protection specialists, there’s no need to shed tears for the companies from which those statistics were derived. Their services and operations went uninterrupted. Save those tears instead for the companies that do not have leading distributed denial of service protection, for woe has surely befallen them, again and again.

Financial ramifications on repeat

Incapsula notes that large organisations are the most likely to be subjected to repeated DDoS assaults, courtesy of their competitors or professional attackers skilled in the art of extortion. Large organisations are also likely to be stuck with DDoS attack costs of between $20,000 and $100,000 per hour.

These are the costs incurred dealing directly with the attack, which can include on-boarding a DDoS protection service and/or diverting IT and other staff to mitigation as well as remediation and communication efforts, investing in an offline or backup system to attempt to reduce attack fallout, and replacing any hardware or software damaged in the onslaught.


In terms of unquantifiable costs, businesses will also find themselves losing out on revenue while their services are unavailable, losing productivity while systems and networks are down, and losing the loyalty of customers who may no longer be able to trust the affected business. This is a risk made all the more potent by a large number of DDoS attacks that are used as a distraction for data theft attempts.

Multiply all of that by an average of 8.7 attacks per quarter, and these are financial consequences that could be crippling.

Goodbye bright side

The saying has always been "the bigger they are, the harder they fall", and while this remains true, it would seem something needs to be said for how frequently they fall as well. Organisations across a huge range of industries are being hammered by repeated DDoS attacks from high-level attackers who know just how much damage they’re doing, even if IT staff are lucky enough to minimise website downtime. Companies can no longer even look on the bright side by trying to feel relieved when a DDoS attack has ended, because they know there’s another one in the barrel. The time for professional DDoS protection came, well, years ago, but now there is no room left for anything less than airtight mitigation.


Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.
