DDoS attacks are cheaper and easier to carry out than ever before

The sheer number of insecure devices out there – particularly IoT products – means it's simple for cyber criminals to create botnets and lease them out.
Written by Danny Palmer, Senior Writer

DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.

Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.

The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.


Causing disruption with DDoS attacks is now easier than ever before, even for less technically skilled cyber criminals: according to researchers at Digital Shadows, cyber criminals are offering DDoS services starting at an average cost of just $7 for disruption that can last for anything from a few minutes to a couple of hours. If the buyer wants the attack to last longer, they'd need to pay more.
But a starting price of $7 is down from an average of $25 in 2017, suggesting that the supply of DDoS-as-a-Service has notably increased over the past few years.

One of the reasons that DDoS attacks have become cheaper and easier to carry out is the proliferation of Internet of Things (IoT) devices. Large numbers of IoT products come with default usernames and passwords that aren't reset, meaning it's easy for hackers to take control of them.

While a small handful of IoT devices won't have much traffic-generating power, if attackers can compromise tens or hundreds of thousands of insecure IoT products, that traffic can help take down targets.

Owners of the devices are likely to be unaware that they've been compromised and that the traffic they generate is being used to help take the target of the cyber attackers offline.

DDoS-for-hire services have become popular not only because they provide a simple way for cyber criminals to make money, but also because the nature of the service means the individual or group can launch DDoS attacks while making it harder for them to be tracked down.


"This trend will likely increase in the future, thus making DDoS attacks a job that low-skilled criminals can do with professional threat actors' efficiency," said Stefano De Blasi, intelligence collection analyst at Digital Shadows.

However, it's possible for organisations to protect against the potential impact of a DDoS attack by being aware of what their most critical assets are and preparing contingency plans in case their DDoS mitigation service somehow fails.

In addition to this, vendors and users can play a part in reducing the potential for DDoS attacks by avoiding the use of default passwords, so it isn't easy for hackers to hijack devices to make them part of a botnet in the first place.

