The Cost of DDOS Attacks

July 8, 2009

Over the July 4th weekend, websites in the United States and South Korea were under heavy assault.  As the New York Times reported:

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, The A.P. reported, citing officials inside and outside the American government.

The Washington Post, which was also attacked over the weekend, reported that 26 government and commercial sites were targeted in attacks that the National Intelligence Service is calling “elaborately prepared and executed at the level of a group or a state.” Officially, no one is pointing their finger at North Korea, but the targets of the attacks and other recent provocations from the North make it a very likely suspect.

But what’s truly scary isn’t who is attacking US computers, but how. The only real cost of an attack such as this one is writing an effective bit of malware that can spread itself around, compromise tens of thousands of machines, and allow an attacker to call on this army of unwilling silicon conscripts whenever it wishes.  When viewed from the hundred-billion-dollar heights of nation-state budgets, this cost is essentially zero.

Despite my reservations about Chris Anderson’s Free, I will say that this attack and future attacks of the same kind can be best understood as a unique twist on Anderson’s theme.  Anderson believes the challenge of the future of tech is to “manage for abundance” rather than to concern ourselves with scarcity—after all, tech prices are plummeting.

This is a novel and perhaps thrilling idea when it comes to the falling costs of publishing and otherwise spreading ideas, but it’s a very chilling notion when we consider that the price of cyber-warfare is also plummeting.  Even when DDOS attacks don’t involve a simultaneous effort to pilfer private data, they can still represent huge losses for countries subjected to them—lost sales, interruptions in the transfer of funds, and hobbled productivity could easily cost billions of dollars, while the attacker pays very little.

There already is a Moore’s Law of sorts for cyber security, or more accurately, cyber-security failure.  Citing the AP again (they do a lot of that these days), the Times relayed that the number of known breaches of American government computers doubled between 2006 and 2008 to over 5,000 compromised machines.  Moreover, the July 4th attacks utilized only 22,000 computers—a big number, but not as big as it could have been.  Moore’s Law would seem to dictate that the next round could easily involve 100,000 or 500,000 machines—many running faster than the current generation of recruits.

DDOS attacks are a cheap (hijacking is free), relatively hard-to-trace, and very effective way for a state or non-state actor to inflict meaningful economic losses on others.  Combine this with more sophisticated efforts to steal data, and it becomes even more worthwhile.

In short, with the cost of cyberwarfare approaching free, we should consider how to “manage for abundance.”
