So since I’ve semi-officially been granted the title of “The DDoS Kid” after some of the incident response, analysis, and talks that I’ve done, I’m starting to get asked a lot about how much the average DDoS costs the targeted organization. I have some ideas on this, but the simplest way is to recycle Business Continuity/Disaster Recovery (BCP/DR) figures with a few small twists:
- Plan on a 4-day attack. A typical attack duration is 2-7 days.
- Consider an attack on the “main” (www) site and anything else that makes money (shopping cart, product pages).
- Downtime: the cost of one day’s downtime, for both peak times (for most eCommerce sites, that’s Thanksgiving to January 5th) and low-traffic times, x (attack duration).
- Bandwidth: For services that charge by the bit or CPU cycle, such as cloud computing or some ISP services, count the direct cost of the usage bursting. The cost per bit/cpu/$foo is available from the service provider; multiply your average peak-time rate by 1000 (small attack) or 10000 (large attack) x (attack duration) worth of usage. This is the only big difference in cost from BCP/DR data.
- Mitigation Services: Figure $5K to $10K for a DDoS mitigation service x (duration of attack).
- Increased call center load: A percentage (10% as a starting guess) of users call the call center, x (average dollar cost per call) x (attack duration).
- Increased physical “storefront” visits: A percentage (10%) of users now have to go to a physical location, x (attack duration).
- Customer churn: customer loss due to frustration. Figure 2-4% customer loss x (attack duration).
Brand damage (these vary from industry to industry and attack to attack):
- Increased marketing budget: Percentage increase in marketing budget. Possible starting value is 5%.
- Increased customer retention costs: Percentage increase in customer retention costs. Possible starting value is 10%.
Note that it’s reasonably easy to create example costs for small, medium, and large attacks and do planning around a medium-sized attack.
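As an added example (my code, not something from the original post), here is the model above turned into a small calculator that prices small, medium, and large attacks against one set of constructed business figures. The post only gives small and large values for the bandwidth multiplier and the churn range, so the medium-scenario numbers are midpoints I assumed; the cost of a storefront visit and the revenue value of a churned customer are also my assumptions, since the post names those components without pricing them.

```python
from dataclasses import dataclass


@dataclass
class BusinessInputs:
    """Per-business figures, mostly recycled from BCP/DR planning.

    All values used below are constructed sample numbers for a hypothetical
    retailer, not figures from the post or from any real organisation.
    """
    downtime_cost_per_day: float     # revenue lost per day the www site/cart is down
    bandwidth_units_per_day: float   # normal peak-time metered usage (GB, requests, CPU-hours...)
    cost_per_bandwidth_unit: float   # provider price per metered unit
    users_per_day: float             # users normally served per day
    cost_per_call: float             # average fully loaded cost of one call-center call
    cost_per_store_visit: float      # assumed cost of serving a walk-in (not in the post)
    customers: int                   # active customer base
    value_per_customer: float        # assumed revenue lost per churned customer (not in the post)
    marketing_budget: float          # annual marketing budget
    retention_budget: float          # annual customer-retention budget


@dataclass
class AttackScenario:
    """Knobs from the post; defaults are the post's small-attack starting values."""
    name: str
    duration_days: float = 4           # typical attack is 2-7 days; plan on 4
    bandwidth_multiplier: float = 1000 # 1000 small, 10000 large
    mitigation_per_day: float = 5000   # $5K-$10K per day of mitigation service
    call_fraction: float = 0.10        # share of users who call instead
    storefront_fraction: float = 0.10  # share of users who visit a physical location
    churn_fraction: float = 0.02       # 2-4% customer loss per day of attack
    marketing_increase: float = 0.05   # brand-damage repair: +5% marketing budget
    retention_increase: float = 0.10   # brand-damage repair: +10% retention costs


# Medium values are my assumed midpoints; small and large follow the post.
SCENARIOS = {
    "small": AttackScenario("small", bandwidth_multiplier=1000, mitigation_per_day=5000, churn_fraction=0.02),
    "medium": AttackScenario("medium", bandwidth_multiplier=5000, mitigation_per_day=7500, churn_fraction=0.03),
    "large": AttackScenario("large", bandwidth_multiplier=10000, mitigation_per_day=10000, churn_fraction=0.04),
}


def estimate(b: BusinessInputs, s: AttackScenario) -> dict:
    """Return each cost component and the total for one attack scenario.

    Outage-style components scale with attack duration; the brand-damage
    components are one-off budget increases and do not.
    """
    d = s.duration_days
    costs = {
        "downtime": b.downtime_cost_per_day * d,
        "bandwidth": b.bandwidth_units_per_day * s.bandwidth_multiplier * b.cost_per_bandwidth_unit * d,
        "mitigation": s.mitigation_per_day * d,
        "call_center": b.users_per_day * s.call_fraction * b.cost_per_call * d,
        "storefront": b.users_per_day * s.storefront_fraction * b.cost_per_store_visit * d,
        "churn": b.customers * s.churn_fraction * b.value_per_customer * d,
        "marketing": b.marketing_budget * s.marketing_increase,
        "retention": b.retention_budget * s.retention_increase,
    }
    costs["total"] = sum(costs.values())
    return costs


def compare(b: BusinessInputs) -> dict:
    """Total cost per scenario, for planning around the medium case."""
    return {name: estimate(b, s)["total"] for name, s in SCENARIOS.items()}


def sample_inputs() -> BusinessInputs:
    """Constructed sample retailer used for the worked numbers."""
    return BusinessInputs(
        downtime_cost_per_day=50_000,
        bandwidth_units_per_day=200,      # GB/day at peak
        cost_per_bandwidth_unit=0.09,     # $/GB
        users_per_day=20_000,
        cost_per_call=8.0,
        cost_per_store_visit=3.0,
        customers=100_000,
        value_per_customer=40.0,
        marketing_budget=1_000_000,
        retention_budget=200_000,
    )


if __name__ == "__main__":
    b = sample_inputs()
    for name, s in SCENARIOS.items():
        c = estimate(b, s)
        print(f"--- {name} attack ({s.duration_days} days) ---")
        for k, v in c.items():
            print(f"{k:>12}: ${v:>14,.0f}")
```

With the sample figures the small attack comes out at $770K and the large one at about $1.76M, and the breakdown makes the post's point visible: the metered bandwidth bill is the component that does not exist in ordinary outage planning, and at the large multiplier it rivals the downtime and churn figures.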
While we can recycle BCP/DR figures for the outage itself, mitigating the attack is different:
- For high-volume attacks, you will need to rely on service providers for mitigation simply because of their capacity.
- Fail-over to a secondary site means that you now have two sites that are overwhelmed.
- Restoration of service after the attack is more like recovering from a hacking attack than resuming service at the primary datacenter.