Anyone can launch distributed denial-of-service attacks for as little as US$38 an hour. Photo: Reuters

Price of website-disabling DDoS attacks falls to US$38 per hour as botnets proliferate in China, Vietnam

It is becoming easier than ever to launch a potentially ruinously expensive, server-disabling assault against any website as criminal organisations offer distributed denial-of-service (DDoS) attacks at cut-price rates.

According to a new report by cybersecurity firm Incapsula, the cost of launching a DDoS attack has plummeted as botnets have grown and proliferated around the world.

"Assaults against network infrastructures continue to grow in size and duration," the report said.

"The upshot for organisations of all sizes is that simply weathering the storm is no longer a viable strategy—the impact will be big, durable, and likely recurring."

Botnets are vast networks of computers and machines which have been infected by malware (often without the knowledge of their owners) allowing a hacker to control them, using the machines to send masses of spam email or launch DDoS attacks.

More than half (56 per cent) of all botnet traffic in the second quarter of 2015 emerged from China, Vietnam, the US, Brazil and Thailand, according to Incapsula. Nearly 15 per cent of application layer attacks – where a botnet targets a specific function on a website with the purpose of disabling it – originated in China, followed closely by Vietnam (13.8 per cent).

"Many machines in China and Vietnam are running older versions of Windows, [which] are likely not getting any security patches to protect against becoming part of a botnet," said Bryce Boland, Asia Pacific chief technology officer for cybersecurity firm FireEye.

"Microsoft goes to great lengths to shut down some botnets, and releases security updates to remove malicious software. But if these updates don’t get installed, the only way these botnets get taken down is with the collaborative efforts of the authorities, ISPs and security companies."

According to the report, "the growing botnet-for-hire industry offers the option to execute rudimentary DDoS attacks to anyone willing to pay for such a service".

Incapsula found that many botnets even offered a subscription scheme for those wanting to launch small-scale attacks on a regular basis, with prices running as low as US$38 per month for a one-hour DDoS attack against a target of the user's choice.

This low price of launching a DDoS attack is in marked contrast to the large cost of dealing with one. While there are methods for dealing with such attacks, like investing in more bandwidth, particularly on cloud servers which can spread the load more easily, the cost can be prohibitive, particularly for smaller sites and businesses.

Doing nothing is not an option either, however, with Incapsula estimating that "the real-world cost of an unmitigated attack is US$40,000 per hour".

"Implications reach far beyond lost revenues to include loss of consumer trust, data theft, intellectual property loss, and more. Today, with a substantial percentage of attacks lasting for days, and half of all targets being repeatedly hit, a worst-case scenario entails losses of hundreds of thousands—if not millions—of dollars."

During the Occupy Central pro-democracy demonstrations in 2014, there were numerous DDoS attacks launched against websites supportive of the protests, including that of the Apple Daily newspaper and the unofficial referendum Popvote. Government sites were also targeted by groups claiming to be associated with the Anonymous "hacktivist" collective.