The distributed denial-of-service (DDoS) which knocked KrebsOnSecurity offline for days cost owners of devices unwittingly involved in the attack upwards of $300,000, researchers suggest.
The DDoS attack took place in 2016 and was made possible through the Mirai botnet, a network of enslaved Internet of Things (IoT) devices including routers, surveillance cameras, and smart home systems.
Non-existent or poor security practices, including the use of hardcoded and factory passwords, allowed the operators of the botnet to scour the web for the means to hook up and enslave these devices, providing the bandwidth necessary to launch an attack able to smash the KrebsOnSecurity domain and prevent legitimate traffic from getting through.
The access disruption was an annoyance for visitors and a severe headache for Akamai, which used to host the renowned security expert's blog pro bono.
The cost of the attack to the cloud security provider in fending off the 620 Gbps DDoS assault, which could have eventually reached millions of dollars, led to Google's Project Shield offering to take on the blog.
However, there was another cost and not one that would necessarily be immediately apparent --the owners of devices enslaved by Mirai were the ones paying for the threat actor's power usage and bandwidth consumption in launching the DDoS attack.
According to a new study into the direct cost of such IoT-fueled attacks by researchers from the University of California, Berkeley School of Information, dubbed Project rIoTM, the Krebs DDoS cost device owners an estimated $323,973.75.
The attack lasted 77 hours and was powered by 24,000 insecure IoT devices, which was only a fraction of the firepower the Mirai operators had to hand. According to Brian Krebs, this portion of the botnet was rented out to a customer for several hundred dollars.
Berkeley researchers based their estimates on devices tested with a sandboxed version of Mirai. The DDoS onslaught cost device owners an average of $0.42 per hour in power, based on the distribution of devices in low, medium, and high-cost electricity zones.
The cost of bandwidth was more difficult to estimate, owing to low, medium, and high-cost zones, in addition to Wi-Fi and Ethernet options. However, as an aggregated amount, Berkeley researchers believe the Mirai-fueled DDoS attack cost $4,207.03 per hour.
On average, each device involved in the attack is estimated to have cost individual owners $13.50 per product.
"The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine," Krebs noted. "That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that."
"Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks," the security expert added.
This may be unnoticeable to many especially when there are no bandwidth caps in place, but the operating costs of fending off Mirai attacks and similar botnets can be crippling to individual businesses, cloud services, and the enterprise at large.
According to Kaspersky Lab, the cost of successful DDoS attacks against SMBs is, on average, $120,000. Large enterprise firms can face a bill of up to $2 million.