Sceaf Berry is a product management consultant with a background in tech and financial markets.
How much does it cost to orchestrate a cyber attack in 2022? Truthfully, not a lot. For less than $100, you can probably subscribe to a lifetime’s supply of cyber attacks on the targets of your choosing. Really.
Better still, the sign-up process couldn’t be simpler these days. All you’ll need is an email address and a payment card (or cryptocurrency). No dark web, balaclavas and voice-changers, nor direct human interaction with criminals required.
Specifically, we’re talking about DDoS here — distributed denial of service attacks. These aim to shut down a website or online resource by overwhelming it with bandwidth-bursting requests, so that legitimate users can’t get access. Although a relatively primitive weapon, DDoS attacks have taken down a number of different high-profile targets in recent years, including forcing the New Zealand stock exchange NZX offline in 2020.
Clearly, I should point out that DDoS attacks are illegal in a number of ways in a number of different countries, and are a poor way of making friends in today’s digital economy. However, offering stress testing of DDoS protection services is completely legal.
As a result there’s been a proliferation in companies offering DDoS “stress testing” to anyone who wants it, without everyone necessarily thoroughly verifying that the person conducting the “stress test” is in fact whoever owns the website or online service being tested.
All you’ll need to operate an out-of-the-box DDoS service is to have the target’s IP address — which can easily be acquired by having an employee of the target visit a website, for example. As a sign of how unaware the mainstream (regulators, banks etc) is of these “stress testing services”, some of the sites I visited offer quite mainstream payment solutions, such as PayPal and Skrill.
The number one problem with running online black market sites has always been taking payment from customers. Historically, banks and payment networks like Visa and Mastercard have called the shots on whether you get to operate or not. This is why cryptocurrency has been such a massive facilitator of shady online activity. But frankly, I’ve seen sites for trading video game items that are better regulated than some of these DDoS providers.
The next question might be why. Why have DDoS attacks become so cheap and so readily available? Has DDoS been through an extended bear market due to an outbreak of global peace in cyber space?
Well, not quite. The prevailing reason appears to be supply. Unlike legitimate cloud services — such as website hosting or application stack services which are best operated at scale via a smaller number of fungible servers — DDoS benefits from being (per the name) distributed.
A few million smaller devices each sending ten requests a minute will be much harder to stop than billions of requests all coming from the same place, as the former bears more resemblance to legitimate human traffic. And, happily, it turns out that there’s been a Cambrian explosion in small, internet-connected, easy-to-hack devices with minimal security and software patching.
I’m talking about Internet of Things devices. The reality is that for all their advantages, smart devices are also a botnetter’s dream.
And while I’m not directly suggesting that your IoT doorbell/home sound system/baby monitor is spying on you and your family, it may well be up to other unsavoury online activity (more generally, please don’t buy internet-connected child monitors or jacuzzis, and please note that some IoT doorbell providers do sell or pass on the footage they collect).
Our original intention was to plot the price over time of DDoS alongside the recent explosion in global quantity of IoT connected devices. This proved tricky.
Not only are there varying methods as well as grades (bandwidth/second or requests/second) of DDoS, but the prices have in the last five years gotten so cheap that “stress testing” companies have simply started offering all-you-can-hack subscription packages instead.
While the services that I found (by my own judgment of what a 10 minute multi-vector DDoS attack of moderately low bandwidth/rate would be capable of) wouldn’t overly trouble a larger target with enterprise-level protection, it wouldn’t be a stretch to assume that the price of the more powerful and sophisticated attacks has also gotten a lot cheaper in the last decade.
Ultimately though, I didn’t inquire about the enterprise pricing, and declined to sample the free tier (which would likely be enough to take out any unprotected site for a short period).
There are multiple websites offering DDoS protection as well, of course. And while the commoditisation, SaaSification and yassification of DDoS protection providers continues, the range of different attack methods and the statistics involved tip the price of protection towards being higher when compared to the price of orchestrating an attack.
Allowing through legitimate human traffic while blocking malicious attacks — particularly when those attacks come from legitimate-looking locations and legitimate-looking devices — carries the same problem as creating preventive medicine. If 0.5 per cent of all the traffic you block is legitimate, that could represent a sizeable proportion or even a majority of the site’s legitimate users.
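The trade-off described above, worked through as an added example (not part of the original article): a per-source rate limit is scored against a constructed one-minute traffic sample. The source counts and the `build_minute` and `evaluate` names are assumptions made up for illustration; only the ten-requests-a-minute device rate comes from the article.

```python
from collections import Counter


def build_minute():
    """Constructed one-minute sample: requests per source, plus ground truth."""
    reqs, legit = Counter(), set()
    reqs["flood-0"] = 600_000            # one centralised source (assumed volume)
    for i in range(300_000):             # distributed devices, ten requests a minute each
        reqs[f"bot-{i}"] = 10
    for i in range(2_000):               # legitimate users, 1..20 requests a minute (assumed)
        src = f"user-{i}"
        reqs[src] = 1 + i % 20
        legit.add(src)
    return reqs, legit


def evaluate(reqs, legit, limit):
    """Block every source at or above `limit` requests/minute and score the policy."""
    blocked = {s for s, n in reqs.items() if n >= limit}
    blocked_reqs = sum(reqs[s] for s in blocked)
    legit_blocked_reqs = sum(reqs[s] for s in blocked & legit)
    attack_total = sum(n for s, n in reqs.items() if s not in legit)
    return {
        # fraction of unwanted requests the limit actually stops
        "attack_traffic_stopped": (blocked_reqs - legit_blocked_reqs) / attack_total,
        # how much of what was blocked was real users' traffic
        "legit_share_of_blocked": legit_blocked_reqs / blocked_reqs if blocked_reqs else 0.0,
        # how many real users were locked out
        "legit_users_blocked": len(blocked & legit) / len(legit),
    }


if __name__ == "__main__":
    reqs, legit = build_minute()
    for limit in (100, 10):
        scores = evaluate(reqs, legit, limit)
        print(f"limit={limit}", {k: round(v, 4) for k, v in scores.items()})
```

At a limit of 100 only the single flooding source is caught and the distributed devices pass untouched. At a limit of 10 every device is caught and under half a per cent of the blocked traffic is legitimate, yet 55 per cent of legitimate users are locked out.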
DDoS protection services use multiple methods to avoid this, and some even acknowledge the proliferation of Internet of Things devices as being a contributing factor to rising global DDoS attacks.
There is good news. The recent global shortage of semiconductor chips has meant that IoT devices have been more expensive to manufacture over the last couple of years, and DDoS protection has also become cheaper in recent years.
In less good news, however, a greater variety of devices are being connected to the internet, ranging from the innocuous (IoT salt shakers) to the unusual (IoT toilets) to the possibly-risky (IoT cars, anyone?). Enjoy the ride!