DDoS Planning: Business Continuity with a Twist

Posted August 17th, 2011 by

Since I’ve semi-officially been granted the title of “The DDoS Kid” after some of the incident response, analysis, and talks that I’ve done, I’m getting asked a lot about how much the average DDoS costs the targeted organization. I have some ideas on this, but the simplest way is to recycle Business Continuity/Disaster Recovery (BCP/DR) figures with some small twists.


  • Plan on a 4-day attack.  A typical attack duration is 2-7 days.
  • Consider an attack on the “main” (www) site and anything else that makes money (shopping cart, product pages).


  • Downtime: one day’s worth of downtime, figured for both peak times (for most eCommerce sites, that’s Thanksgiving to January 5th) and low-traffic times, x (attack duration).
  • Bandwidth: For services that charge by the bit or CPU cycle, such as cloud computing or some ISP services, the direct cost of the usage bursting. The cost per bit/cpu/$foo is available from the service provider; multiply your average rate for peak times by 1000 (small attack) or 10000 (large attack) x (attack duration) to get the usage to price. This is the only big difference in cost from BCP/DR data.
  • Mitigation Services:  Figure $5K to $10K for a DDoS mitigation service x (duration of attack).


  • Increased call center load: A percentage (10% as a starting guess) of user calls to the call center x (average dollar cost per call) x (attack duration).
  • Increased physical “storefront” visits: A percentage (10%) of users now have to go to a physical location x (attack duration).
  • Customer churn: customer loss due to frustration.  Figure 2-4% customer loss x (attack duration).

Brand damage (these vary from industry to industry and attack to attack):

  • Increased marketing budget: Percentage increase in marketing budget.  Possible starting value is 5%.
  • Increased customer retention costs: Percentage increase in customer retention costs.  Possible starting value is 10%.

Note that it’s reasonably easy to create example costs for small, medium, and large attacks and do planning around a medium-sized attack.
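The line items above, carried through as a small calculator (an added example, not the author's code). The `Org` fields, the `SAMPLE` values, and the pairing of the low-end figures with a small attack and the high-end figures with a large one are assumptions; the multipliers and percentages are the post's.

```python
# Added example: cost model from the post's bullet list. All dollar and
# volume inputs below are constructed sample values, not real data.
from dataclasses import dataclass

@dataclass
class Org:                            # hypothetical inputs
    daily_revenue: float              # revenue lost per day of downtime
    metered_cost_peak: float          # normal metered bandwidth/CPU bill per peak day
    daily_users: int
    cost_per_call: float
    cost_per_store_visit: float
    customers: int
    value_per_customer: float
    marketing_budget: float
    retention_budget: float

# Page figures: x1000 / x10000 usage, $5K-$10K mitigation, 2-4% churn.
# Pairing the low ends with "small" and the high ends with "large" is an assumption.
SCENARIOS = {
    "small": {"usage_mult": 1_000, "mitigation": 5_000, "churn": 0.02},
    "large": {"usage_mult": 10_000, "mitigation": 10_000, "churn": 0.04},
}

def estimate(org: Org, size: str, days: int = 4, metered: bool = True) -> dict:
    s = SCENARIOS[size]
    items = {
        "downtime": org.daily_revenue * days,
        "bandwidth": org.metered_cost_peak * s["usage_mult"] * days if metered else 0.0,
        "mitigation": s["mitigation"] * days,
        "call_center": 0.10 * org.daily_users * org.cost_per_call * days,
        "storefront": 0.10 * org.daily_users * org.cost_per_store_visit * days,
        # Literal reading of "2-4% x (attack duration)", capped at the whole base.
        "churn": min(1.0, s["churn"] * days) * org.customers * org.value_per_customer,
        "brand": 0.05 * org.marketing_budget + 0.10 * org.retention_budget,
    }
    items["total"] = sum(items.values())
    return items

SAMPLE = Org(daily_revenue=50_000, metered_cost_peak=40, daily_users=20_000,
             cost_per_call=6, cost_per_store_visit=3, customers=100_000,
             value_per_customer=30, marketing_budget=500_000,
             retention_budget=200_000)

if __name__ == "__main__":
    for size in SCENARIOS:
        for days in (2, 4, 7):        # the post's typical 2-7 day range
            est = estimate(SAMPLE, size, days)
            top = max((k for k in est if k != "total"), key=est.get)
            print(f"{size:5} {days}d total=${est['total']:>12,.0f} largest={top}")
```

With these sample inputs the metered-usage burst becomes the largest line item in the large scenario, which is the one place the estimate departs from a plain BCP/DR outage figure.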

Although we recycle BCP/DR figures for an outage, mitigation of the attack is different:

  • For high-volume attacks, you will need to rely on service providers for mitigation simply because of their capacity.
  • Fail-over to a secondary site means that you now have two sites that are overwhelmed.
  • Restoration of service after the attack is more like recovering from a hacking attack than resuming service at the primary datacenter.

Posted in DDoS, Risk Management, Technical